From simon at josefsson.org Fri Feb 1 17:12:54 2008
From: simon at josefsson.org (Simon Josefsson)
Date: Fri, 01 Feb 2008 17:12:54 +0100
Subject: libtasn sparse fixes
In-Reply-To: <1201554412.18198.1.camel@conrad.int.rhx> (Michele Baldessari's message of "Mon, 28 Jan 2008 22:06:52 +0100")
References: <1201554412.18198.1.camel@conrad.int.rhx>
Message-ID: <8763x8mz95.fsf@mocca.josefsson.org>

Michele Baldessari writes:

> Hi Simon,
>
> thanks so much for all your GnuTLS work. You rock!

Hi Michele. Thanks! :)

> I ran libtasn (today's git) under Linus' sparse tool and here are a
> couple of warnings removed.

I applied the patch for CertificateExample.c and CrlExample.c. The file pkix_asn1_tab.c is a generated file, so instead I patched the code that generated it, so that it prints NULL instead of 0.

Expect a libtasn1 1.3 shortly with this and some other fixes.

Thanks,
Simon

From simon at josefsson.org Fri Feb 1 17:56:07 2008
From: simon at josefsson.org (Simon Josefsson)
Date: Fri, 01 Feb 2008 17:56:07 +0100
Subject: Libtasn1 1.3
Message-ID: <87zluklioo.fsf@mocca.josefsson.org>

Libtasn1 is a standalone library written in C for manipulating ASN.1 objects including DER/BER encoding and DER/BER decoding. Libtasn1 is used by GnuTLS to manipulate X.509 objects and by Shishi to handle Kerberos V5 packets.

Version 1.3 (released 2008-02-01)

- Handle 'INTEGER { ... } (a..b)' regression. Revert parts of earlier fix. asn1Parser can now again parse src/pkix.asn1. The ASN1.c file was generated using Bison 2.3.
- Move examples from src/ to new directory examples/.
- Duplicate copy of divergated pkix.asn removed.
- Merge unnecessary lib/defines.h into lib/int.h.
- Configure no longer tries to use gcc -pipe.
- Update gnulib files.
- Fix mem leak in self-test.

Commercial support contracts for Libtasn1 are available, and they help finance continued maintenance. Simon Josefsson Datakonsult, a Stockholm based privately held company, is currently funding Libtasn1 maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details.

If you need help to use Libtasn1, or want to help others, you are invited to join our help-gnutls mailing list, see: .
Homepage: http://josefsson.org/libtasn1/

Manual in many formats: http://josefsson.org/gnutls/manual/libtasn1/

Here are the compressed sources (1.5MB):
  ftp://ftp.gnutls.org/pub/gnutls/libtasn1/libtasn1-1.3.tar.gz
  http://josefsson.org/gnutls/releases/libtasn1/libtasn1-1.3.tar.gz

Here are GPG detached signatures using key 0xB565716F:
  ftp://ftp.gnutls.org/pub/gnutls/libtasn1/libtasn1-1.3.tar.gz.sig
  http://josefsson.org/gnutls/releases/libtasn1/libtasn1-1.3.tar.gz.sig

The software is cryptographically signed by the author using an OpenPGP key identified by the following information:

  pub   1280R/B565716F 2002-05-05 [expires: 2008-06-30]
        Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F
  uid   Simon Josefsson
  uid   Simon Josefsson
  sub   1280R/4D5D40AE 2002-05-05 [expires: 2008-06-30]

The key is available from:
  http://josefsson.org/key.txt
  dns:b565716f.josefsson.org?TYPE=CERT

Here are the SHA-1 and SHA-224 checksums:

  154d79b6e49ec9efeb758ef964c6d23a838da289 libtasn1-1.3.tar.gz
  00e700b079903f98707acf521d7d49327cc125097cb389e69a27211c libtasn1-1.3.tar.gz

Happy hacking,
Simon

From l at lwithers.me.uk Sun Feb 3 22:53:51 2008
From: l at lwithers.me.uk (Laurence Withers)
Date: Sun, 3 Feb 2008 21:53:51 +0000
Subject: gnutls_set_priority() does not handle strings starting with "NONE".
Message-ID: <200802032153.51998.l@lwithers.me.uk>

Hi,

In the gnutls function reference, for the function gnutls_set_priority() it is stated:

  "NONE" nothing is enabled. This disables even protocols and compression methods.

and one of the examples:

  "NONE:+VERS-TLS1.0:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL"

However, if you actually try that example, or even the string "NONE" on its own, it doesn't work (it returns GNUTLS_E_INVALID_REQUEST and sets the error location to the start of the string).

Tracing this back into the code, the token "NONE" is handled specially before the for loop in gnutls_set_priority() that parses each token. However, the loop itself always parses all tokens and it doesn't know how to handle "NONE". I attached a patch which causes the first token to be skipped by this loop if it was "NONE".

The patch is against 2.2.1 but also applies against 2.3.0.

Bye for now,
--
Laurence Withers,
-- jabber:l at jabber.lwithers.me.uk http://www.lwithers.me.uk/ tel:+447753988197

-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnutls_priority_init-NONE.patch
Type: text/x-diff
Size: 579 bytes
Desc: not available
URL:

From nmav at gnutls.org Thu Feb 7 17:17:14 2008
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 7 Feb 2008 18:17:14 +0200
Subject: gnutls_set_priority() does not handle strings starting with "NONE".
In-Reply-To: <200802032153.51998.l@lwithers.me.uk>
References: <200802032153.51998.l@lwithers.me.uk>
Message-ID: <200802071817.15126.nmav@gnutls.org>

On Sunday 03 February 2008, Laurence Withers wrote:
> Hi,
> In the gnutls function reference, for the function gnutls_set_priority()
> it is stated:
> "NONE" nothing is enabled. This disables even protocols and
> compression methods.
> and one of the examples:
> "NONE:+VERS-TLS1.0:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL"

Thank you for the patch and sorry for the late reply. I have just committed this fix in the repository.

regards,
Nikos

From lists at roberthogan.net Fri Feb 8 20:41:43 2008
From: lists at roberthogan.net (Robert Hogan)
Date: Fri, 8 Feb 2008 19:41:43 +0000
Subject: Using gnutls_srp_base64_decode to decode something encoded with EVP_Encode*
Message-ID: <200802081942.09899.lists@roberthogan.net>

Hi there,

I have the following string, which has been encoded by openssl's EVP_Encode* function:

  8lsjlBTuh2bbNTARRgB6WnmgCm0

I want to decode it with a gnutls function, so I'm guessing gnutls_srp_base64_decode is the one I need. I can decode a result with it, however it is not the same result as if I had used EVP_decode*. Are the two incompatible?

From hyc at symas.com Sun Feb 10 10:58:37 2008
From: hyc at symas.com (Howard Chu)
Date: Sun, 10 Feb 2008 01:58:37 -0800
Subject: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName
In-Reply-To: <200802100917.m1A9HkSb015171@boole.openldap.org>
References: <200802100917.m1A9HkSb015171@boole.openldap.org>
Message-ID: <47AECACD.1080000@symas.com>

hyc at symas.com wrote:
> Steve Langasek wrote:
>> Given that one of the errors
>> returned by gnutls_x509_crt_get_subject_alt_name() is
>> GNUTLS_E_SHORT_MEMORY_BUFFER, it seems obvious to me that this should use
>> semantics for storage size rather than string length, and the only question
>> in my mind is whether the trailing NUL is included as part of the internal
>> representation of the string.
>>
>> If this is a behavior change as you say, then I guess we need clarification
>> from GnuTLS upstream about whether this is intentional.

Yes. I've just tested with GnuTLS 2.2.1 and 2.3.0 and see the same result you're seeing. The change is here:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=deaa3ac31c2e83c292562ab66c1817c7ebc27048

and it is clearly a bug, since subjectAltName's are not necessarily strings. (E.g., they can also be IP addresses, which are just 4 or 16 octets.) If you notice in the diff, they set

  *name_size = len + 1;

and then later

  name[len] = 0;

but this occurs *after* the check for SHORT_MEMORY_BUFFER. So in fact they can cause a write past the end of the supplied buffer.

This patch should be reverted, it is clearly wrong.

--
  -- Howard Chu
  Chief Architect, Symas Corp. http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP http://www.openldap.org/project/

From hyc at symas.com Sun Feb 10 11:11:51 2008
From: hyc at symas.com (Howard Chu)
Date: Sun, 10 Feb 2008 02:11:51 -0800
Subject: [Fwd: Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName]
Message-ID: <47AECDE7.1000208@symas.com>

For context, the full bug report is here
http://www.openldap.org/its/index.cgi/Incoming?id=5361

-------- Original Message --------
Subject: Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName
Date: Sun, 10 Feb 2008 09:17:46 GMT
From: hyc at symas.com
To: openldap-its at openldap.org

Steve Langasek wrote:
> On Sat, Feb 09, 2008 at 11:04:18PM -0800, Howard Chu wrote:
>> I cannot duplicate this error with GnuTLS 1.7.8 or 1.7.9. The altname
>> length that is returned just includes the non-NUL characters. Note that
>> all of libldap's TLS functionality was tested and working with GnuTLS
>> 1.7. What version are you using?
>
> Reproduced with GnuTLS 2.0.4 and GnuTLS 2.2.1.
>
>> It seems to me that if your version of GnuTLS is indeed behaving this way,
>> then it's a GnuTLS bug, since in C, the length of a string never includes
>> the trailing NUL.
>
> It's true that the /length/ of a string doesn't include the trailing NUL,
> but it does have to be included in the storage /size/ of a C string, and
> it's debatable which is intended here.

Since this is an ASN.1 structure, one would ordinarily not expect any NUL termination in the first place. And since other GnuTLS library functions are returning the raw data size, excluding any trailing NUL, the behavior you're seeing here is pretty suspicious.

> Given that one of the errors
> returned by gnutls_x509_crt_get_subject_alt_name() is
> GNUTLS_E_SHORT_MEMORY_BUFFER, it seems obvious to me that this should use
> semantics for storage size rather than string length, and the only question
> in my mind is whether the trailing NUL is included as part of the internal
> representation of the string.
>
> If this is a behavior change as you say, then I guess we need clarification
> from GnuTLS upstream about whether this is intentional.

That sounds like the best step for now. Just to be sure, how was the certificate created? Have you verified that libldap with OpenSSL accepts the certificate correctly? So far it sounds just as likely to me that your subjectAltName actually includes a trailing NUL in its data. ASN.1 structures don't use NUL-terminated strings here, the DER form requires definite lengths to be encoded up front.
--
  -- Howard Chu
  Chief Architect, Symas Corp. http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP http://www.openldap.org/project/

--
  -- Howard Chu
  Chief Architect, Symas Corp. http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP http://www.openldap.org/project/

From simon at josefsson.org Wed Feb 13 17:13:33 2008
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 13 Feb 2008 17:13:33 +0100
Subject: gnutls_set_priority() does not handle strings starting with "NONE".
In-Reply-To: <200802071817.15126.nmav@gnutls.org> (Nikos Mavrogiannopoulos's message of "Thu, 7 Feb 2008 18:17:14 +0200")
References: <200802032153.51998.l@lwithers.me.uk> <200802071817.15126.nmav@gnutls.org>
Message-ID: <87skzwkf6a.fsf@mocca.josefsson.org>

Nikos Mavrogiannopoulos writes:

> On Sunday 03 February 2008, Laurence Withers wrote:
>> Hi,
>> In the gnutls function reference, for the function gnutls_set_priority()
>> it is stated:
>> "NONE" nothing is enabled. This disables even protocols and
>> compression methods.
>> and one of the examples:
>> "NONE:+VERS-TLS1.0:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL"
>
> Thank you for the patch and sorry for the late reply. I have just committed
> this fix in the repository.

I pushed it to the v2.2 branch as well.

/Simon

From joe at manyfish.co.uk Thu Feb 14 23:34:50 2008
From: joe at manyfish.co.uk (Joe Orton)
Date: Thu, 14 Feb 2008 22:34:50 +0000
Subject: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName
In-Reply-To: <47AECACD.1080000@symas.com>
References: <200802100917.m1A9HkSb015171@boole.openldap.org> <47AECACD.1080000@symas.com>
Message-ID: <20080214223450.GA18786@manyfish.co.uk>

On Sun, Feb 10, 2008 at 01:58:37AM -0800, Howard Chu wrote:
> Yes. I've just tested with GnuTLS 2.2.1 and 2.3.0 and see the same result
> you're seeing. The change is here:
> http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=deaa3ac31c2e83c292562ab66c1817c7ebc27048
>
> and it is clearly a bug, since subjectAltName's are not necessarily
> strings. (E.g., they can also be IP addresses, which are just 4 or 16
> octets.) If you notice in the diff, they set
> *name_size = len + 1;
> and then later
> name[len] = 0;
> but this occurs *after* the check for SHORT_MEMORY_BUFFER. So in fact they
> can cause a write past the end of the supplied buffer.
>
> This patch should be reverted, it is clearly wrong.

FWIW, I agree. neon's test cases for subjectAltName support are breaking with 2.3.0 as well. Reverting the changeset Howard referenced fixes the issues.

joe

From jorton at redhat.com Thu Feb 14 21:39:32 2008
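The ordering problem described in the ITS#5361 messages above (buffer-size check first, NUL terminator written afterwards), next to a getter with raw-octet semantics, as an added example that is not GnuTLS code and not part of any message in this thread. The function names, the error constant and the 4-octet sample address are constructed for illustration; the probe keeps one spare canary byte behind the declared buffer so the stray write is observable without touching memory outside the array.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for GNUTLS_E_SHORT_MEMORY_BUFFER; the value is arbitrary. */
#define ERR_SHORT_BUFFER (-1)
#define CANARY 0xAA

typedef int (*getter_fn)(const unsigned char *src, size_t len,
                         unsigned char *name, size_t *name_size);

/* Ordering described in the thread: the size check only accounts for the
 * len data octets, and the terminator is written after that check. */
static int get_name_terminated(const unsigned char *src, size_t len,
                               unsigned char *name, size_t *name_size)
{
    if (len > *name_size) {
        *name_size = len;
        return ERR_SHORT_BUFFER;
    }
    memcpy(name, src, len);
    *name_size = len + 1;   /* reported size now counts a NUL */
    name[len] = 0;          /* past the end when the caller passed exactly len */
    return 0;
}

/* Raw-octet semantics: copy exactly len octets, report len, append nothing.
 * An iPAddress altname (4 or 16 octets) is not a string in the first place. */
static int get_name_raw(const unsigned char *src, size_t len,
                        unsigned char *name, size_t *name_size)
{
    if (len > *name_size) {
        *name_size = len;   /* tell the caller how much room is needed */
        return ERR_SHORT_BUFFER;
    }
    memcpy(name, src, len);
    *name_size = len;
    return 0;
}

struct probe {
    int rc;             /* getter return code */
    size_t reported;    /* *name_size after the call */
    int canary_intact;  /* 1 if the byte behind the declared buffer is untouched */
};

/* Calls fn with a buffer declared as `declared` octets (must be <= 4).
 * storage[4] is the canary standing in for whatever follows the caller's buffer. */
static struct probe run_probe(getter_fn fn, size_t declared)
{
    static const unsigned char ip[4] = { 192, 0, 2, 1 };  /* constructed sample */
    unsigned char storage[5];
    size_t size = declared;
    struct probe p;

    memset(storage, CANARY, sizeof storage);
    p.rc = fn(ip, sizeof ip, storage, &size);
    p.reported = size;
    p.canary_intact = (storage[4] == CANARY);
    return p;
}

int main(void)
{
    struct probe a = run_probe(get_name_terminated, 4);
    struct probe b = run_probe(get_name_raw, 4);
    struct probe c = run_probe(get_name_raw, 3);

    printf("terminated: rc=%d size=%zu canary_intact=%d\n",
           a.rc, a.reported, a.canary_intact);
    printf("raw:        rc=%d size=%zu canary_intact=%d\n",
           b.rc, b.reported, b.canary_intact);
    printf("raw, short: rc=%d size=%zu canary_intact=%d\n",
           c.rc, c.reported, c.canary_intact);
    return 0;
}
```

A caller that sized its buffer from an earlier length query passes exactly `len` octets, which is the case where the first variant writes one byte too far and also reports a size that no longer matches the data.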
From: jorton at redhat.com (Joe Orton) Date: Thu, 14 Feb 2008 20:39:32 +0000 Subject: [PATCH] add DN import function Message-ID: <20080214203932.GA13991@redhat.com> The CA dnames passed to the client-cert-retrieve function are raw DER and hence can't be used by gnutls_x509_dn_get_rdn_ava(). This patch adds gnutls_x509_dn_import() which fills that gap, and gnutls_x509_free_dn() which destroys the allocated structures. The naming is slightly awkward because these don't fit the usual init/import/deinit convention used by GnuTLS; let me know if you'd prefer different names. The test case is a big C&P job from test/x509self.c, with a client cert callback, and I added tests for the wait() status value since it wasn't catching failures (or even fatal signals) issued by the forked client process. diff -up ./includes/gnutls/x509.h.rdnfns ./includes/gnutls/x509.h --- ./includes/gnutls/x509.h.rdnfns 2007-12-17 11:12:04.000000000 +0000 +++ ./includes/gnutls/x509.h 2008-02-14 19:57:12.000000000 +0000 @@ -335,6 +335,12 @@ extern "C" int gnutls_x509_dn_get_rdn_ava (gnutls_x509_dn_t dn, int irdn, int iava, gnutls_x509_ava_st *avast); + int gnutls_x509_dn_import (gnutls_x509_dn_t * odn, + const gnutls_datum_t * data); + + void gnutls_x509_free_dn (gnutls_x509_dn_t idn); + + /* CRL handling functions. */ int gnutls_x509_crl_init (gnutls_x509_crl_t * crl); diff -up ./lib/x509/dn.c.rdnfns ./lib/x509/dn.c --- ./lib/x509/dn.c.rdnfns 2008-02-14 19:44:02.000000000 +0000 +++ ./lib/x509/dn.c 2008-02-14 20:00:05.000000000 +0000 
@@ -945,6 +945,66 @@ _gnutls_x509_set_dn_oid (ASN1_TYPE asn1_ /** + * gnutls_x509_dn_import: get opaque DN object from DER RDN sequence + * + * @odn: output variable with pointer to opaque DN + * @data: should contain a DER encoded RDN sequence + * + * This function parses an RDN sequence and returns a DN as an opaque + * object type. You may use gnutls_x509_dn_get_rdn_ava() to decode + * the DN. + * + * The object returned must be deallocated using + * gnutls_x509_free_dn() after use. + * + * Returns: 0 on success, or an error code. + **/ +int +gnutls_x509_dn_import (gnutls_x509_dn_t * odn, + const gnutls_datum_t * data) +{ + int result; + ASN1_TYPE dn = ASN1_TYPE_EMPTY; + + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.Name", &dn)) != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); + } + + result = asn1_der_decoding (&dn, data->data, data->size, NULL); + if (result != ASN1_SUCCESS) + { + /* couldn't decode DER */ + gnutls_assert (); + asn1_delete_structure (&dn); + return _gnutls_asn2err (result); + } + + *odn = dn; + + return 0; +} + +/** + * gnutls_x509_free_dn: deallocate a DN object + * @idn: a DN opaque object pointer. + * + * This function deallocates the DN object as returned by + * gnutls_x509_dn_import(). + * + **/ +void +gnutls_x509_free_dn (gnutls_x509_dn_t idn) +{ + ASN1_TYPE dn = idn; + + asn1_delete_structure(&dn); +} + +/** * gnutls_x509_rdn_get - This function parses an RDN sequence and returns a string * @idn: should contain a DER encoded RDN sequence * @buf: a pointer to a structure to hold the peer's name diff -up ./tests/x509dn.c.rdnfns ./tests/x509dn.c --- ./tests/x509dn.c.rdnfns 2008-02-14 19:43:13.000000000 +0000 +++ ./tests/x509dn.c 2008-02-14 20:21:48.000000000 +0000 
@@ -0,0 +1,567 @@ +/* + * Copyright (C) 2004, 2005, 2006, 2007 Free Software Foundation + * + * Author: Simon Josefsson + * + * This file is part of GNUTLS. + * + * GNUTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GNUTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with GNUTLS; if not, write to the Free Software Foundation, + * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +/* Parts copied from GnuTLS example programs. */ + +#if HAVE_CONFIG_H +# include +#endif + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "utils.h" + +#include "ex-session-info.c" +#include "ex-x509-info.c" + +pid_t child; + +static void +tls_log_func (int level, const char *str) +{ + fprintf (stderr, "%s |<%d>| %s", child ? "server" : "client", level, str); +} + +/* A very basic TLS client, with anonymous authentication. + */ + +#define MAX_BUF 1024 +#define MSG "Hello TLS" + +/* Connects to the peer and returns a socket + * descriptor. 
+ */ +int +tcp_connect (void) +{ + const char *PORT = "5556"; + const char *SERVER = "127.0.0.1"; + int err, sd; + struct sockaddr_in sa; + + /* connects to server + */ + sd = socket (AF_INET, SOCK_STREAM, 0); + + memset (&sa, '\0', sizeof (sa)); + sa.sin_family = AF_INET; + sa.sin_port = htons (atoi (PORT)); + inet_pton (AF_INET, SERVER, &sa.sin_addr); + + err = connect (sd, (struct sockaddr *) &sa, sizeof (sa)); + if (err < 0) + { + fprintf (stderr, "Connect error\n"); + exit (1); + } + + return sd; +} + +/* closes the given socket descriptor. + */ +void +tcp_close (int sd) +{ + shutdown (sd, SHUT_RDWR); /* no more receptions */ + close (sd); +} + +const char ca_pem[] = + "-----BEGIN CERTIFICATE-----\n" + "MIIB5zCCAVKgAwIBAgIERiYdJzALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" + "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTExWhcNMDgwNDE3MTMyOTExWjAZMRcw\n" + "FQYDVQQDEw5HbnVUTFMgdGVzdCBDQTCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA\n" + "vuyYeh1vfmslnuggeEKgZAVmQ5ltSdUY7H25WGSygKMUYZ0KT74v8C780qtcNt9T\n" + "7EPH/N6RvB4BprdssgcQLsthR3XKA84jbjjxNCcaGs33lvOz8A1nf8p3hD+cKfRi\n" + "kfYSW2JazLrtCC4yRCas/SPOUxu78of+3HiTfFm/oXUCAwEAAaNDMEEwDwYDVR0T\n" + "AQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBTpPBz7rZJu5gak\n" + "Viyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAiaIRqGfp1jPpNeVhABK60SU0KIAy\n" + "njuu7kHq5peUgYn8Jd9zNzExBOEp1VOipGsf6G66oQAhDFp2o8zkz7ZH71zR4HEW\n" + "KoX6n5Emn6DvcEH/9pAhnGxNHJAoS7czTKv/JDZJhkqHxyrE1fuLsg5Qv25DTw7+\n" + "PfqUpIhz5Bbm7J4=\n" + "-----END CERTIFICATE-----\n"; +const gnutls_datum_t ca = { ca_pem, sizeof (ca_pem) }; + +const char cert_pem[] = + "-----BEGIN CERTIFICATE-----\n" + "MIICHjCCAYmgAwIBAgIERiYdNzALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" + "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTI3WhcNMDgwNDE3MTMyOTI3WjAdMRsw\n" + "GQYDVQQDExJHbnVUTFMgdGVzdCBjbGllbnQwgZwwCwYJKoZIhvcNAQEBA4GMADCB\n" + "iAKBgLtmQ/Xyxde2jMzF3/WIO7HJS2oOoa0gUEAIgKFPXKPQ+GzP5jz37AR2ExeL\n" + "ZIkiW8DdU3w77XwEu4C5KL6Om8aOoKUSy/VXHqLnu7czSZ/ju0quak1o/8kR4jKN\n" + 
"zj2AC41179gAgY8oBAOgIo1hBAf6tjd9IQdJ0glhaZiQo1ipAgMBAAGjdjB0MAwG\n" + "A1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDwYDVR0PAQH/BAUDAweg\n" + "ADAdBgNVHQ4EFgQUTLkKm/odNON+3svSBxX+odrLaJEwHwYDVR0jBBgwFoAU6Twc\n" + "+62SbuYGpFYsouHAUyfI8pUwCwYJKoZIhvcNAQEFA4GBALujmBJVZnvaTXr9cFRJ\n" + "jpfc/3X7sLUsMvumcDE01ls/cG5mIatmiyEU9qI3jbgUf82z23ON/acwJf875D3/\n" + "U7jyOsBJ44SEQITbin2yUeJMIm1tievvdNXBDfW95AM507ShzP12sfiJkJfjjdhy\n" + "dc8Siq5JojruiMizAf0pA7in\n" + "-----END CERTIFICATE-----\n"; +const gnutls_datum_t cert = { cert_pem, sizeof (cert_pem) }; + +const char key_pem[] = + "-----BEGIN RSA PRIVATE KEY-----\n" + "MIICXAIBAAKBgQC7ZkP18sXXtozMxd/1iDuxyUtqDqGtIFBACIChT1yj0Phsz+Y8\n" + "9+wEdhMXi2SJIlvA3VN8O+18BLuAuSi+jpvGjqClEsv1Vx6i57u3M0mf47tKrmpN\n" + "aP/JEeIyjc49gAuNde/YAIGPKAQDoCKNYQQH+rY3fSEHSdIJYWmYkKNYqQIDAQAB\n" + "AoGADpmARG5CQxS+AesNkGmpauepiCz1JBF/JwnyiX6vEzUh0Ypd39SZztwrDxvF\n" + "PJjQaKVljml1zkJpIDVsqvHdyVdse8M+Qn6hw4x2p5rogdvhhIL1mdWo7jWeVJTF\n" + "RKB7zLdMPs3ySdtcIQaF9nUAQ2KJEvldkO3m/bRJFEp54k0CQQDYy+RlTmwRD6hy\n" + "7UtMjR0H3CSZJeQ8svMCxHLmOluG9H1UKk55ZBYfRTsXniqUkJBZ5wuV1L+pR9EK\n" + "ca89a+1VAkEA3UmBelwEv2u9cAU1QjKjmwju1JgXbrjEohK+3B5y0ESEXPAwNQT9\n" + "TrDM1m9AyxYTWLxX93dI5QwNFJtmbtjeBQJARSCWXhsoaDRG8QZrCSjBxfzTCqZD\n" + "ZXtl807ymCipgJm60LiAt0JLr4LiucAsMZz6+j+quQbSakbFCACB8SLV1QJBAKZQ\n" + "YKf+EPNtnmta/rRKKvySsi3GQZZN+Dt3q0r094XgeTsAqrqujVNfPhTMeP4qEVBX\n" + "/iVX2cmMTSh3w3z8MaECQEp0XJWDVKOwcTW6Ajp9SowtmiZ3YDYo1LF9igb4iaLv\n" + "sWZGfbnU3ryjvkb6YuFjgtzbZDZHWQCo8/cOtOBmPdk=\n" + "-----END RSA PRIVATE KEY-----\n"; +const gnutls_datum_t key = { key_pem, sizeof (key_pem) }; + +#define EXPECT_RDN0 "GnuTLS test CA" + +static int +cert_callback (gnutls_session session, + const gnutls_datum *req_ca_rdn, int nreqs, + const gnutls_pk_algorithm *sign_algos, + int sign_algos_length, gnutls_retr_st *st) +{ + int result; + gnutls_x509_dn_t dn; + + if (nreqs != 1) + { + fail ("client: invoked to provide client cert, %d CA .\n", nreqs); + return -1; + } + + success 
("client: invoked to provide client cert.\n"); + + result = gnutls_x509_dn_import (&dn, req_ca_rdn); + if (result == 0) + { + gnutls_x509_ava_st val; + + success ("client: imported DN.\n"); + + if (gnutls_x509_dn_get_rdn_ava (dn, 0, 0, &val) == 0) + { + success ("client: got RDN 0.\n"); + + if (val.value.size == strlen(EXPECT_RDN0) + && strncmp(val.value.data, EXPECT_RDN0, val.value.size) == 0) + { + success ("client: RND 0 correct.\n"); + } + else + { + fail ("client: RND 0 bad: %.*s\n", + val.value.size, val.value.data); + return -1; + } + } + else + { + fail ("client: could not retrieve RDN 0.\n"); + return -1; + } + + gnutls_x509_free_dn (dn); + } + else + { + fail ("client: failed to parse RDN: %s\n", gnutls_strerror (result)); + } + + return 0; +} + + +void +client (void) +{ + int ret, sd, ii; + gnutls_session_t session; + char buffer[MAX_BUF + 1]; + gnutls_certificate_credentials_t xcred; + + gnutls_global_init (); + + gnutls_global_set_log_function (tls_log_func); + gnutls_global_set_log_level (4711); + + gnutls_certificate_allocate_credentials (&xcred); + + /* sets the trusted cas file + */ + gnutls_certificate_set_x509_trust_mem (xcred, &ca, GNUTLS_X509_FMT_PEM); + + gnutls_certificate_client_set_retrieve_function (xcred, cert_callback); + + /* Initialize TLS session + */ + gnutls_init (&session, GNUTLS_CLIENT); + + /* Use default priorities */ + gnutls_set_default_priority (session); + + /* put the x509 credentials to the current session + */ + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + /* connect to the peer + */ + sd = tcp_connect (); + + gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); + + /* Perform the TLS handshake + */ + ret = gnutls_handshake (session); + + if (ret < 0) + { + fail ("client: Handshake failed\n"); + gnutls_perror (ret); + goto end; + } + else + { + success ("client: Handshake was completed\n"); + } + + success ("client: TLS version is: %s\n", + gnutls_protocol_get_name 
(gnutls_protocol_get_version (session))); + + /* see the Getting peer's information example */ + print_info(session); + + gnutls_record_send (session, MSG, strlen (MSG)); + + ret = gnutls_record_recv (session, buffer, MAX_BUF); + if (ret == 0) + { + success ("client: Peer has closed the TLS connection\n"); + goto end; + } + else if (ret < 0) + { + fail ("client: Error: %s\n", gnutls_strerror (ret)); + goto end; + } + + printf ("- Received %d bytes: ", ret); + for (ii = 0; ii < ret; ii++) + { + fputc (buffer[ii], stdout); + } + fputs ("\n", stdout); + + gnutls_bye (session, GNUTLS_SHUT_RDWR); + +end: + + tcp_close (sd); + + gnutls_deinit (session); + + gnutls_certificate_free_credentials (xcred); + + gnutls_global_deinit (); +} + +/* This is a sample TLS 1.0 echo server, using X.509 authentication. + */ + +#define SA struct sockaddr +#define MAX_BUF 1024 +#define PORT 5556 /* listen to 5556 port */ +#define DH_BITS 1024 + +/* These are global */ +gnutls_certificate_credentials_t x509_cred; + +gnutls_session_t +initialize_tls_session (void) +{ + gnutls_session_t session; + + gnutls_init (&session, GNUTLS_SERVER); + + /* avoid calling all the priority functions, since the defaults + * are adequate. + */ + gnutls_set_default_priority (session); + + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred); + + /* request client certificate if any. + */ + gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST); + + gnutls_dh_set_prime_bits (session, DH_BITS); + + return session; +} + +static gnutls_dh_params_t dh_params; + +static int +generate_dh_params (void) +{ + const gnutls_datum_t p3 = { pkcs3, strlen (pkcs3) }; + /* Generate Diffie Hellman parameters - for use with DHE + * kx algorithms. These should be discarded and regenerated + * once a day, once a week or once a month. Depending on the + * security requirements. 
+ */ + gnutls_dh_params_init (&dh_params); + return gnutls_dh_params_import_pkcs3 (dh_params, &p3, GNUTLS_X509_FMT_PEM); +} + +int err, listen_sd, i; +int sd, ret; +struct sockaddr_in sa_serv; +struct sockaddr_in sa_cli; +int client_len; +char topbuf[512]; +gnutls_session_t session; +char buffer[MAX_BUF + 1]; +int optval = 1; + + +const char server_cert_pem[] = + "-----BEGIN CERTIFICATE-----\n" + "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" + "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n" + "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n" + "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n" + "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n" + "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n" + "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n" + "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n" + "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n" + "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n" + "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n" + "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n" + "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" + "-----END CERTIFICATE-----\n"; + +const gnutls_datum_t server_cert = { server_cert_pem, + sizeof (server_cert_pem) }; + +const char server_key_pem[] = + "-----BEGIN RSA PRIVATE KEY-----\n" + "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n" + "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n" + "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n" + "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n" + "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n" + "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n" + "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n" + 
"oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n" + "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n" + "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n" + "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n" + "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n" + "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n" + "-----END RSA PRIVATE KEY-----\n"; + +const gnutls_datum_t server_key = { server_key_pem, + sizeof (server_key_pem) }; + +void +server_start (void) +{ + /* this must be called once in the program + */ + gnutls_global_init (); + + gnutls_global_set_log_function (tls_log_func); + gnutls_global_set_log_level (4711); + + gnutls_certificate_allocate_credentials (&x509_cred); + gnutls_certificate_set_x509_trust_mem (x509_cred, &ca, GNUTLS_X509_FMT_PEM); + + gnutls_certificate_set_x509_key_mem (x509_cred, &server_cert, &server_key, + GNUTLS_X509_FMT_PEM); + + success ("Launched, generating DH parameters...\n"); + + generate_dh_params (); + + gnutls_certificate_set_dh_params (x509_cred, dh_params); + + /* Socket operations + */ + listen_sd = socket (AF_INET, SOCK_STREAM, 0); + if (err == -1) + { + perror ("socket"); + fail ("server: socket failed\n"); + return; + } + + memset (&sa_serv, '\0', sizeof (sa_serv)); + sa_serv.sin_family = AF_INET; + sa_serv.sin_addr.s_addr = INADDR_ANY; + sa_serv.sin_port = htons (PORT); /* Server Port number */ + + setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof (int)); + + err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv)); + if (err == -1) + { + perror ("bind"); + fail ("server: bind failed\n"); + return; + } + + err = listen (listen_sd, 1024); + if (err == -1) + { + perror ("listen"); + fail ("server: listen failed\n"); + return; + } + + success ("server: ready. 
Listening to port '%d'.\n", PORT); +} + +void +server (void) +{ + client_len = sizeof (sa_cli); + + session = initialize_tls_session (); + + sd = accept (listen_sd, (SA *) & sa_cli, &client_len); + + success ("server: connection from %s, port %d\n", + inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf, + sizeof (topbuf)), ntohs (sa_cli.sin_port)); + + gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); + ret = gnutls_handshake (session); + if (ret < 0) + { + close (sd); + gnutls_deinit (session); + fail ("server: Handshake has failed (%s)\n\n", gnutls_strerror (ret)); + return; + } + success ("server: Handshake was completed\n"); + + success ("server: TLS version is: %s\n", + gnutls_protocol_get_name (gnutls_protocol_get_version (session))); + + /* see the Getting peer's information example */ + print_info(session); + + i = 0; + for (;;) + { + bzero (buffer, MAX_BUF + 1); + ret = gnutls_record_recv (session, buffer, MAX_BUF); + + if (ret == 0) + { + success ("server: Peer has closed the GNUTLS connection\n"); + break; + } + else if (ret < 0) + { + fail ("server: Received corrupted data(%d). Closing...\n", ret); + break; + } + else if (ret > 0) + { + /* echo data back to the client + */ + gnutls_record_send (session, buffer, strlen (buffer)); + } + } + /* do not wait for the peer to close the connection. 
+ */ + gnutls_bye (session, GNUTLS_SHUT_WR); + + close (sd); + gnutls_deinit (session); + + close (listen_sd); + + gnutls_certificate_free_credentials (x509_cred); + + gnutls_global_deinit (); + + success ("server: finished\n"); +} + + +void +doit (void) +{ + server_start (); + if (error_count) + return; + + child = fork (); + if (child < 0) + { + perror ("fork"); + fail ("fork"); + return; + } + + if (child) + { + int status; + /* parent */ + server (); + wait (&status); + +#if defined(WIFEXITED) && defined(WEXITSTATUS) + if (WIFEXITED (status) && WEXITSTATUS (status)) + { + fail ("server: client failed with exit status %d\n", WEXITSTATUS (status)); + } +#endif +#if defined(WIFSIGNALED) && defined(WTERMSIG) + if (WIFSIGNALED (status)) + { + fail ("server: client failed with fatal signal %d\n", WTERMSIG (status)); + } +#endif + + } + else + client (); +} diff -up ./tests/Makefile.am.rdnfns ./tests/Makefile.am --- ./tests/Makefile.am.rdnfns 2007-12-17 11:12:04.000000000 +0000 +++ ./tests/Makefile.am 2008-02-14 18:23:21.000000000 +0000 @@ -40,7 +40,7 @@ ctests = simple openssl gc set_pkcs12_cr certificate_set_x509_crl dn parse_ca openssl_LDADD = $(LDADD) ../libextra/libgnutls-openssl.la if HAVE_FORK -ctests += x509self x509signself anonself pskself dhepskself tlsia resume +ctests += x509self x509signself x509dn anonself pskself dhepskself tlsia resume tlsia_LDADD = ../libextra/libgnutls-extra.la $(LDADD) @LTLIBREADLINE@ endif if ENABLE_OPRFI From jorton at redhat.com Fri Feb 15 11:21:50 2008 
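Review bot: gnutls_x509_free_dn in the lib/x509/dn.c hunk of the "add DN import function" patch takes the handle by value and calls asn1_delete_structure on a local copy, so the caller's gnutls_x509_dn_t still holds the freed pointer after the call; the doc comment should say the handle must not be used again, or the function could take a pointer and reset it. For gnutls_x509_dn_import the comment should state that *odn is left unset on error, and both `odn` and `data` are dereferenced without a NULL check. The prototypes added in the x509.h hunk carry no comment saying that gnutls_x509_free_dn is the matching release call for gnutls_x509_dn_import.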
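Review bot: cert_callback in the new tests/x509dn.c leaks the imported DN on both `return -1` paths, because gnutls_x509_free_dn (dn) is only reached when the RDN comparison succeeds, and when gnutls_x509_dn_import fails the callback calls fail () but still returns 0; free the DN before each early return and return -1 on import failure. In server_start the result of socket () is stored in listen_sd but the next test is `if (err == -1)`, so a failed socket () call is never detected; test listen_sd instead. The messages "RND 0 correct" and "RND 0 bad" look like typos for RDN.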
From: jorton at redhat.com (Joe Orton)
Date: Fri, 15 Feb 2008 10:21:50 +0000
Subject: [PATCH] add gnutls_certificate_find_issuer
Message-ID: <20080215102150.GA30014@redhat.com>

This patch adds a function which finds the issuer of a given
certificate within a credentials structure.

This is useful so that clients can easily recreate the complete server
cert chain given only the single cert returned by the peer. (e.g. in
the case where gnutls_certificate_set_x509_trust_file() is used, the
client doesn't have the individual issuer cert structures to compare
against directly.)

This and the previously submitted patch allow the two remaining
failures in neon's SSL test suite to be fixed :)

diff -up ./includes/gnutls/gnutls.h.findissuer ./includes/gnutls/gnutls.h --- ./includes/gnutls/gnutls.h.findissuer 2008-02-15 10:06:48.000000000 +0000 +++ ./includes/gnutls/gnutls.h 2008-02-15 09:39:56.000000000 +0000 @@ -717,6 +717,10 @@ extern "C" gnutls_x509_crl_t * crl_list, int crl_list_size); + gnutls_x509_crt_t + gnutls_certificate_find_issuer (gnutls_certificate_credentials_t cred, + gnutls_x509_crt_t crt); + /* global state functions */ int gnutls_global_init (void); diff -up ./lib/gnutls_cert.c.findissuer ./lib/gnutls_cert.c --- ./lib/gnutls_cert.c.findissuer 2007-12-17 11:12:04.000000000 +0000 +++ ./lib/gnutls_cert.c 2008-02-15 10:09:04.000000000 +0000
@@ -593,6 +593,31 @@ gnutls_certificate_verify_peers (gnutls_ } /** + * gnutls_certificate_find_issuer - This function finds an issuer certificate + * @sc: is an #gnutls_certificate_credentials_t structure. + * @cert: should contain a #gnutls_x509_crt_t structure + * + * This function returns the issuer certificate of @cert, if it can + * be found in the listed of trusted X.509 certificates in @cred. + * If no issuer is found, then NULL is returned. + * + **/ +gnutls_x509_crt_t +gnutls_certificate_find_issuer (gnutls_certificate_credentials_t cred, + gnutls_x509_crt_t cert) +{ + unsigned n; + + for (n = 0; n < cred->x509_ncas; n++) + { + if (gnutls_x509_crt_check_issuer (crt, cred->x509_ca_list[n]) == 1) + return cred->x509_ca_list[n]; + } + + return NULL; +} + +/** * gnutls_certificate_expiration_time_peers - This function returns the peer's certificate expiration time * @session: is a gnutls session *

From inger at altlinux.org Fri Feb 15 12:14:07 2008
From: inger at altlinux.org (Stanislav Ievlev)
Date: Fri, 15 Feb 2008 14:14:07 +0300
Subject: gnutls-serv doesn't work with popular web browsers
Message-ID: <20080215111407.GA6141@imap.altlinux.org>

Greetings!

Your library (tested with gnutls-serv --http) cannot work with Internet
Explorer 5 and Internet Explorer 7.

This bug is reproducible with your public test server (test.gnutls.org:5556)

In some cases it is also impossible to establish SSL connection with
Firefox 2.

--
With best regards
Stanislav Ievlev.

From n.mavrogiannopoulos at gmail.com Fri Feb 15 15:58:46 2008
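Review bot: gnutls_certificate_find_issuer in the lib/gnutls_cert.c hunk declares its second parameter as cert, but the loop passes crt to gnutls_x509_crt_check_issuer, so the function does not compile as posted; use one name in the definition and in the gnutls.h prototype (which says crt). The doc comment lists @sc: while the parameter is cred, and "the listed of trusted" should read "the list of trusted". Because the function returns cred->x509_ca_list[n] itself rather than a copy, the comment should also state that the result is owned by the credentials structure and must not be deinitialized by the caller.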
From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos)
Date: Fri, 15 Feb 2008 16:58:46 +0200
Subject: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName
In-Reply-To: <20080214223450.GA18786@manyfish.co.uk>
References: <200802100917.m1A9HkSb015171@boole.openldap.org> <47AECACD.1080000@symas.com> <20080214223450.GA18786@manyfish.co.uk>
Message-ID:

Indeed I'll try to improve this patch to work only for formats known
to be text.

On Fri, Feb 15, 2008 at 12:34 AM, Joe Orton wrote:
> On Sun, Feb 10, 2008 at 01:58:37AM -0800, Howard Chu wrote:
> > Yes. I've just tested with GnuTLS 2.2.1 and 2.3.0 and see the same result
> > you're seeing. The change is here:
> > http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=deaa3ac31c2e83c292562ab66c1817c7ebc27048
> >
> > and it is clearly a bug, since subjectAltName's are not necessarily
> > strings. (E.g., they can also be IP addresses, which are just 4 or 16
> > octets.) If you notice in the diff, they set
> >     *name_size = len + 1;
> > and then later
> >     name[len] = 0;
> > but this occurs *after* the check for SHORT_MEMORY_BUFFER. So in fact they
> > can cause a write past the end of the supplied buffer.
> >
> > This patch should be reverted, it is clearly wrong.
>
> FWIW, I agree. neon's test cases for subjectAltName support are
> breaking with 2.3.0 as well. Reverting the changeset Howard referenced
> fixes the issues.
>
> joe
>
>
>
>
> _______________________________________________
> Gnutls-devel mailing list
> Gnutls-devel at gnu.org
> http://lists.gnu.org/mailman/listinfo/gnutls-devel
>

From n.mavrogiannopoulos at gmail.com Fri Feb 15 16:03:19 2008
From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos)
Date: Fri, 15 Feb 2008 17:03:19 +0200
Subject: gnutls-serv doesn't work with popular web browsers
In-Reply-To: <20080215111407.GA6141@imap.altlinux.org>
References: <20080215111407.GA6141@imap.altlinux.org>
Message-ID:

On Fri, Feb 15, 2008 at 1:14 PM, Stanislav Ievlev wrote:
> Greetings!
>
> Your library (tested with gnutls-serv --http) cannot work with Internet
> Explorer 5 and Internet Explorer 7.
>
> This bug is reproducible with your public test server (test.gnutls.org:5556)
>
> In some cases it is also impossible to establish SSL connection with
> Firefox 2.

This is mostly a test server for developers. Currently there are also
https://test1.gnutls.org
https://test2.gnutls.org
https://test3.gnutls.org

that are based on apache.

regards,
Nikos

From inger at altlinux.org Fri Feb 15 19:47:58 2008
From: inger at altlinux.org (Stanislav Ievlev)
Date: Fri, 15 Feb 2008 21:47:58 +0300
Subject: gnutls-serv doesn't work with popular web browsers
In-Reply-To:
References: <20080215111407.GA6141@imap.altlinux.org>
Message-ID: <20080215184758.GA3896@imap.altlinux.org>

On Fri, Feb 15, 2008 at 05:03:19PM +0200, Nikos Mavrogiannopoulos wrote:
> On Fri, Feb 15, 2008 at 1:14 PM, Stanislav Ievlev wrote:
> > Greetings!
> >
> > Your library (tested with gnutls-serv --http) cannot work with Internet
> > Explorer 5 and Internet Explorer 7.
> >
> > This bug is reproducible with your public test server (test.gnutls.org:5556)
> >
> > In some cases it is also impossible to establish SSL connection with
> > Firefox 2.
>
> This is mostly a test server for developers. Currently there are also
> https://test1.gnutls.org
> https://test2.gnutls.org
> https://test3.gnutls.org
>
> that are based on apache.

I want to write my own small http server with TLS support, but I cannot
use gnutls for it, because it has problems with IE :(

From inger at altlinux.org Fri Feb 15 19:58:06 2008
From: inger at altlinux.org (Stanislav Ievlev)
Date: Fri, 15 Feb 2008 21:58:06 +0300
Subject: gnutls-serv doesn't work with popular web browsers
In-Reply-To:
References: <20080215111407.GA6141@imap.altlinux.org>
Message-ID: <20080215185806.GC5327@imap.altlinux.org>

On Fri, Feb 15, 2008 at 05:03:19PM +0200, Nikos Mavrogiannopoulos wrote:
> On Fri, Feb 15, 2008 at 1:14 PM, Stanislav Ievlev wrote:
> > Greetings!
> >
> > Your library (tested with gnutls-serv --http) cannot work with Internet
> > Explorer 5 and Internet Explorer 7.
> >
> > This bug is reproducible with your public test server (test.gnutls.org:5556)
> >
> > In some cases it is also impossible to establish SSL connection with
> > Firefox 2.
>
> This is mostly a test server for developers. Currently there are also
> https://test1.gnutls.org
> https://test2.gnutls.org
> https://test3.gnutls.org
>
> that are based on apache.

All of them don't work with my old IE5 ;)

>
> regards,
> Nikos

From nmav at gnutls.org Fri Feb 15 20:44:07 2008
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 15 Feb 2008 21:44:07 +0200
Subject: gnutls-serv doesn't work with popular web browsers
In-Reply-To: <20080215185806.GC5327@imap.altlinux.org>
References: <20080215111407.GA6141@imap.altlinux.org> <20080215185806.GC5327@imap.altlinux.org>
Message-ID: <200802152144.08027.nmav@gnutls.org>

On Friday 15 February 2008, Stanislav Ievlev wrote:
> > This is mostly a test server for developers. Currently there are also
> > https://test1.gnutls.org
> > https://test2.gnutls.org
> > https://test3.gnutls.org
> >
> > that are based on apache.
>
> All of them don't work with my old IE5 ;)

Probably. You could help us by sending some tcpdump captures and/or
ssldump. I do not own such systems to test against.

regards,
Nikos

From nmav at gnutls.org Fri Feb 15 21:16:24 2008
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 15 Feb 2008 22:16:24 +0200
Subject: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName
In-Reply-To: <47B5E28E.3030101@symas.com>
References: <200802100917.m1A9HkSb015171@boole.openldap.org> <47B5E28E.3030101@symas.com>
Message-ID: <200802152216.25025.nmav@gnutls.org>

On Friday 15 February 2008, Howard Chu wrote:
> Nikos Mavrogiannopoulos wrote:
> > Indeed I'll try to improve this patch to work only for formats known
> > to be text.
>
> The code was perfectly correct before this patch. Why do you want to change
> anything here at all? I looked in the gnutls-devel archives and couldn't
> find any discussion of this change. It would be nice to understand what
> you're trying to accomplish here, given that there are large bodies of code
> already written that expect the existing behavior of GnuTLS 2.1.7 and
> older.

Well, it depends on the definition of correct. It didn't null terminate
printable strings, and this was so correct for me. Anyway, does the attached
patch solve your problem?

regards,
Nikos
-------------- next part --------------
diff --git a/lib/x509/x509.c b/lib/x509/x509.c index f1dd604..9713a97 100644 --- a/lib/x509/x509.c +++ b/lib/x509/x509.c @@ -888,6 +888,15 @@ gnutls_x509_crt_get_pk_algorithm (gnutls_x509_crt_t cert, unsigned int *bits) } +inline static int is_type_printable(int type) +{ + if (type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME || + type == GNUTLS_SAN_URI) + return 1; + else + return 0; +} + #define XMPP_OID "1.3.6.1.5.5.7.8.5" /* returns the type and the name on success.
@@ -1030,18 +1039,29 @@ parse_general_name (ASN1_TYPE src, const char *src_name, len = *name_size; result = asn1_read_value (src, nptr, name, &len); - *name_size = len + 1; - if (result == ASN1_MEM_ERROR) - return GNUTLS_E_SHORT_MEMORY_BUFFER; - + if (is_type_printable(type)) + len++; + + if (result == ASN1_MEM_ERROR || len > *name_size) + { + *name_size = len; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + + *name_size = len; + if (result != ASN1_SUCCESS) { gnutls_assert (); return _gnutls_asn2err (result); } - ((char*)name)[len] = 0; + if (is_type_printable(type)) + { /* null terminate it */ + ((char*)name)[*name_size] = 0; + } + } return type; From nmav at gnutls.org Fri Feb 15 22:11:32 2008 
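Review bot: in the parse_general_name hunk the terminator is written at ((char*)name)[*name_size] after *name_size has been set to the incremented len, which is one index past the byte that follows the data; when the caller's buffer is exactly data length + 1 the len > *name_size check passes and the write lands one byte beyond the buffer, while name[data length] is left unset. Keep the length returned by asn1_read_value in its own variable, write the 0 at that index, and decide separately whether the reported *name_size should include the terminator. Minor: static inline is the conventional order for is_type_printable.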
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 15 Feb 2008 23:11:32 +0200
Subject: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName
In-Reply-To: <47B5F843.8080503@symas.com>
References: <200802100917.m1A9HkSb015171@boole.openldap.org> <200802152216.25025.nmav@gnutls.org> <47B5F843.8080503@symas.com>
Message-ID: <200802152311.32695.nmav@gnutls.org>

On Friday 15 February 2008, Howard Chu wrote:
> > Anyway, does the attached
> > patch solve your problem?
>
> Not really. It still returns a size one byte larger than expected for the
> strings. Even in languages where NUL-terminated strings are the norm, the
> terminating byte is not included in the length.
>
> The point is, we expect this API to return exactly the data that was in the
> certificate. If the caller wants to treat the data as a string, they can
> NUL-terminate it themselves. The manpage only says that the data will be
> returned, it does not say that it will be altered in any way.

Actually you are right. The return value shouldn't be increased (this also
happens in the other similar functions). I've corrected the patch and
committed at:

http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=4cc3c6b6ed00660e55559bab148021fc077da21f

regards,
Nikos

From hyc at symas.com Fri Feb 15 20:05:50 2008
From: hyc at symas.com (Howard Chu)
Date: Fri, 15 Feb 2008 11:05:50 -0800
Subject: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName
In-Reply-To:
References: <200802100917.m1A9HkSb015171@boole.openldap.org> <47AECACD.1080000@symas.com> <20080214223450.GA18786@manyfish.co.uk>
Message-ID: <47B5E28E.3030101@symas.com>

Nikos Mavrogiannopoulos wrote:
> Indeed I'll try to improve this patch to work only for formats known
> to be text.

The code was perfectly correct before this patch. Why do you want to change
anything here at all? I looked in the gnutls-devel archives and couldn't find
any discussion of this change. It would be nice to understand what you're
trying to accomplish here, given that there are large bodies of code already
written that expect the existing behavior of GnuTLS 2.1.7 and older.

> On Fri, Feb 15, 2008 at 12:34 AM, Joe Orton wrote:
>> On Sun, Feb 10, 2008 at 01:58:37AM -0800, Howard Chu wrote:
>> > Yes. I've just tested with GnuTLS 2.2.1 and 2.3.0 and see the same result
>> > you're seeing. The change is here:
>> > http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=deaa3ac31c2e83c292562ab66c1817c7ebc27048
>> >
>> > and it is clearly a bug, since subjectAltName's are not necessarily
>> > strings. (E.g., they can also be IP addresses, which are just 4 or 16
>> > octets.) If you notice in the diff, they set
>> >     *name_size = len + 1;
>> > and then later
>> >     name[len] = 0;
>> > but this occurs *after* the check for SHORT_MEMORY_BUFFER. So in fact they
>> > can cause a write past the end of the supplied buffer.
>> >
>> > This patch should be reverted, it is clearly wrong.
>>
>> FWIW, I agree. neon's test cases for subjectAltName support are
>> breaking with 2.3.0 as well. Reverting the changeset Howard referenced
>> fixes the issues.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/

From hyc at symas.com Fri Feb 15 21:38:27 2008
From: hyc at symas.com (Howard Chu)
Date: Fri, 15 Feb 2008 12:38:27 -0800
Subject: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName
In-Reply-To: <200802152216.25025.nmav@gnutls.org>
References: <200802100917.m1A9HkSb015171@boole.openldap.org> <47B5E28E.3030101@symas.com> <200802152216.25025.nmav@gnutls.org>
Message-ID: <47B5F843.8080503@symas.com>

Nikos Mavrogiannopoulos wrote:
> On Friday 15 February 2008, Howard Chu wrote:
>> Nikos Mavrogiannopoulos wrote:
>>> Indeed I'll try to improve this patch to work only for formats known
>>> to be text.
>> The code was perfectly correct before this patch. Why do you want to change
>> anything here at all? I looked in the gnutls-devel archives and couldn't
>> find any discussion of this change. It would be nice to understand what
>> you're trying to accomplish here, given that there are large bodies of code
>> already written that expect the existing behavior of GnuTLS 2.1.7 and
>> older.
>
> Well, it depends on the definition of correct. It didn't null terminate
> printable strings, and this was so correct for me.

Fair enough, that's your definition. Most people coding for X.509 understand
that it's ASN.1/DER and as such, they're accustomed to the fact that strings
use counted lengths, not NUL terminators. As such, the old behavior was normal
and expected. Also, the behavior you introduce here makes this particular API
behave differently from every other API that extracts strings from
certificates. Note - this is not a suggestion to you to now go and change all
those other APIs.

> Anyway, does the attached
> patch solve your problem?

Not really. It still returns a size one byte larger than expected for the
strings. Even in languages where NUL-terminated strings are the norm, the
terminating byte is not included in the length.

The point is, we expect this API to return exactly the data that was in the
certificate. If the caller wants to treat the data as a string, they can
NUL-terminate it themselves. The manpage only says that the data will be
returned, it does not say that it will be altered in any way.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/

From nmav at gnutls.org Sat Feb 16 10:25:38 2008
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 16 Feb 2008 11:25:38 +0200
Subject: [PATCH] add DN import function
In-Reply-To: <20080214203932.GA13991@redhat.com>
References: <20080214203932.GA13991@redhat.com>
Message-ID: <200802161125.39339.nmav@gnutls.org>

On Thursday 14 February 2008, Joe Orton wrote:
> The CA dnames passed to the client-cert-retrieve function are raw DER
> and hence can't be used by gnutls_x509_dn_get_rdn_ava().
>
> This patch adds gnutls_x509_dn_import() which fills that gap, and
> gnutls_x509_free_dn() which destroys the allocated structures.
>
> The naming is slightly awkward because these don't fit the usual
> init/import/deinit convention used by GnuTLS; let me know if you'd
> prefer different names.

This is a nice addition, thank you. About the naming I think
gnutls_x509_free_dn should be better named gnutls_x509_dn_deinit to be more
consistent with the other deinitialization functions. Would this be ok with
you?

regards,
Nikos

From hyc at symas.com Sat Feb 16 21:25:34 2008
From: hyc at symas.com (Howard Chu)
Date: Sat, 16 Feb 2008 12:25:34 -0800
Subject: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName
In-Reply-To: <200802152311.32695.nmav@gnutls.org>
References: <200802100917.m1A9HkSb015171@boole.openldap.org> <200802152216.25025.nmav@gnutls.org> <47B5F843.8080503@symas.com> <200802152311.32695.nmav@gnutls.org>
Message-ID: <47B746BE.3080507@symas.com>

Nikos Mavrogiannopoulos wrote:
> On Friday 15 February 2008, Howard Chu wrote:
>
>>> Anyway, does the attached
>>> patch solve your problem?
>> Not really. It still returns a size one byte larger than expected for the
>> strings. Even in languages where NUL-terminated strings are the norm, the
>> terminating byte is not included in the length.
>>
>> The point is, we expect this API to return exactly the data that was in the
>> certificate. If the caller wants to treat the data as a string, they can
>> NUL-terminate it themselves. The manpage only says that the data will be
>> returned, it does not say that it will be altered in any way.
>
> Actually you are right. The return value shouldn't be increased (this also
> happens in the other similar functions). I've corrected the patch and
> committed at:
>
> http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=4cc3c6b6ed00660e55559bab148021fc077da21f

Thanks. That looks ok to me.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/

From ametzler at downhill.at.eu.org Sun Feb 17 18:12:17 2008
From: ametzler at downhill.at.eu.org (Andreas Metzler)
Date: Sun, 17 Feb 2008 18:12:17 +0100
Subject: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName
In-Reply-To: <200802152311.32695.nmav@gnutls.org>
References: <200802100917.m1A9HkSb015171@boole.openldap.org> <200802152216.25025.nmav@gnutls.org> <47B5F843.8080503@symas.com> <200802152311.32695.nmav@gnutls.org>
Message-ID: <20080217171217.GC5965@downhill.g.la>

On 2008-02-15 Nikos Mavrogiannopoulos wrote:
[...]
> Actually you are right. The return value shouldn't be increased (this also
> happens in the other similar functions). I've corrected the patch and
> committed at:

> http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=4cc3c6b6ed00660e55559bab148021fc077da21f

Nice to see that this is applied in origin/gnutls_2_2_x, too. However
now there is a failure in the tests/pathlen. certtool fails on
no-ca-or-pathlen.pem

error: get_crl_dist_points2: The given memory buffer is too short to hold
parameters.

cu andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

From nmav at gnutls.org Sun Feb 17 19:38:40 2008
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sun, 17 Feb 2008 20:38:40 +0200
Subject: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName
In-Reply-To: <20080217171217.GC5965@downhill.g.la>
References: <200802100917.m1A9HkSb015171@boole.openldap.org> <200802152216.25025.nmav@gnutls.org> <47B5F843.8080503@symas.com> <200802152311.32695.nmav@gnutls.org> <20080217171217.GC5965@downhill.g.la>
Message-ID: <47B87F30.2030404@gnutls.org>

> On 2008-02-15 Nikos Mavrogiannopoulos wrote:
> [...]
>> Actually you are right. The return value shouldn't be increased (this also
>> happens in the other similar functions). I've corrected the patch and
>> committed at:
>
>> http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=4cc3c6b6ed00660e55559bab148021fc077da21f
>
> Nice to see that this is applied in origin/gnutls_2_2_x, too. However
> now there is a failure in the tests/pathlen. certtool fails on
> no-ca-or-pathlen.pem
>
> error: get_crl_dist_points2: The given memory buffer is too short to hold
> parameters.

Thank you! I've just corrected it!

regards,
Nikos

From simon at josefsson.org Mon Feb 18 23:48:43 2008
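The buffer-size contract argued over in the ITS#5361 thread, modelled as a self-contained C example that is added here and is not GnuTLS code or part of any message in this archive. get_name_unchecked follows the order of operations in the removed lines of the patch above (size reported as len + 1, terminator written at name[len]); get_name_checked is one possible ordering that checks for room first and reports only the data length. All function names, the error value and the sample SAN values are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins; these are not the GnuTLS definitions. */
enum san_type { SAN_DNSNAME = 1, SAN_RFC822NAME, SAN_URI, SAN_IPADDRESS };
#define E_SHORT_MEMORY_BUFFER (-51)

/* Constructed sample values: an IPv4 SAN is 4 raw octets, a DNS SAN is text. */
static const unsigned char SAMPLE_IPV4[4] = { 192, 0, 2, 1 };
static const unsigned char SAMPLE_DNS[] = "test.gnutls.org";
#define SAMPLE_DNS_LEN (sizeof SAMPLE_DNS - 1)

static int is_text(enum san_type t)
{
    return t == SAN_DNSNAME || t == SAN_RFC822NAME || t == SAN_URI;
}

/* Hypothetical model of the low-level read: copies the stored value when it
 * fits and always reports the stored length in *len. */
static int read_value(const unsigned char *val, size_t val_len,
                      void *out, size_t *len)
{
    size_t cap = *len;
    *len = val_len;
    if (val_len > cap)
        return -1;
    memcpy(out, val, val_len);
    return 0;
}

/* Ordering criticised in the thread: nothing checks that index len is inside
 * the caller's buffer before the terminator is stored there. */
int get_name_unchecked(enum san_type type, const unsigned char *val,
                       size_t val_len, void *name, size_t *name_size)
{
    size_t len = *name_size;
    int rc = read_value(val, val_len, name, &len);

    *name_size = len + 1;
    if (rc != 0)
        return E_SHORT_MEMORY_BUFFER;
    ((char *)name)[len] = 0;   /* len may equal the declared buffer size */
    return (int)type;
}

/* One possible corrected ordering: only text types get a terminator, room
 * for it is checked before any write, and on success the reported size is
 * exactly the length of the certificate data. */
int get_name_checked(enum san_type type, const unsigned char *val,
                     size_t val_len, void *name, size_t *name_size)
{
    size_t need = val_len + (is_text(type) ? 1 : 0);

    if (need > *name_size) {
        *name_size = need;     /* tell the caller how much to allocate */
        return E_SHORT_MEMORY_BUFFER;
    }
    memcpy(name, val, val_len);
    if (is_text(type))
        ((char *)name)[val_len] = 0;
    *name_size = val_len;
    return (int)type;
}

typedef int (*getter_fn)(enum san_type, const unsigned char *, size_t,
                         void *, size_t *);

struct probe_result { int rc; size_t reported; int clobbered; };

/* Calls a getter with a buffer declared as `declared` bytes (must be < 64)
 * that really sits inside a larger array, so a stray write hits a canary
 * byte instead of memory outside the object. */
struct probe_result probe(getter_fn get, enum san_type type,
                          const unsigned char *val, size_t val_len,
                          size_t declared)
{
    unsigned char arena[64];
    struct probe_result r;
    size_t size = declared;

    memset(arena, 0xAA, sizeof arena);
    r.rc = get(type, val, val_len, arena, &size);
    r.reported = size;
    r.clobbered = arena[declared] != 0xAA;
    return r;
}

int main(void)
{
    struct probe_result a = probe(get_name_unchecked, SAN_IPADDRESS,
                                  SAMPLE_IPV4, sizeof SAMPLE_IPV4, 4);
    struct probe_result b = probe(get_name_checked, SAN_IPADDRESS,
                                  SAMPLE_IPV4, sizeof SAMPLE_IPV4, 4);

    printf("unchecked: rc=%d size=%zu wrote past buffer=%d\n",
           a.rc, a.reported, a.clobbered);
    printf("checked:   rc=%d size=%zu wrote past buffer=%d\n",
           b.rc, b.reported, b.clobbered);
    return 0;
}
```
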
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 18 Feb 2008 23:48:43 +0100
Subject: gnutls & TLS1.1
In-Reply-To: (Simon Josefsson's message of "Thu, 31 Jan 2008 22:29:42 +0100")
References: <8dba3c070801311316v6122e233h744f7edf1b0a1835@mail.gmail.com>
Message-ID: <87y79hrid0.fsf@mocca.josefsson.org>

Simon Josefsson writes:

>> I also attempted to download and install gnutls-2.3.0.tar.bz2 ,
>> however, the README for that file says that it only supports SSLv3
>> and TLSv1.0 (although I suppose that the README has not yet been
>> updated if this is the newest version of mod_gnutls).
>
> Oops! I'll fix the README tomorrow, it is probably better if it
> doesn't say anything about version numbers at all.

I've fixed that and a few other things now.

http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=3dd93628b41f15b11564b94c9170e1622ae63fc5

/Simon

From jorton at redhat.com Tue Feb 19 09:31:17 2008
From: jorton at redhat.com (Joe Orton)
Date: Tue, 19 Feb 2008 08:31:17 +0000
Subject: [PATCH] add DN import function
In-Reply-To: <200802161125.39339.nmav@gnutls.org>
References: <20080214203932.GA13991@redhat.com> <200802161125.39339.nmav@gnutls.org>
Message-ID: <20080219083117.GA4142@redhat.com>

On Sat, Feb 16, 2008 at 11:25:38AM +0200, Nikos Mavrogiannopoulos wrote:
> On Thursday 14 February 2008, Joe Orton wrote:
> > The CA dnames passed to the client-cert-retrieve function are raw DER
> > and hence can't be used by gnutls_x509_dn_get_rdn_ava().
> >
> > This patch adds gnutls_x509_dn_import() which fills that gap, and
> > gnutls_x509_free_dn() which destroys the allocated structures.
> >
> > The naming is slightly awkward because these don't fit the usual
> > init/import/deinit convention used by GnuTLS; let me know if you'd
> > prefer different names.
>
> This is a nice addition, thank you. About the naming I think
> gnutls_x509_free_dn should be better named gnutls_x509_dn_deinit to be more
> consistent with the other deinitialization functions. Would this be ok with
> you?

Sure, no problem. Here's an updated patch:

diff -up ./includes/gnutls/x509.h.rdnfns ./includes/gnutls/x509.h --- ./includes/gnutls/x509.h.rdnfns 2007-12-17 11:12:04.000000000 +0000 +++ ./includes/gnutls/x509.h 2008-02-14 19:57:12.000000000 +0000 @@ -335,6 +335,12 @@ extern "C" int gnutls_x509_dn_get_rdn_ava (gnutls_x509_dn_t dn, int irdn, int iava, gnutls_x509_ava_st *avast); + int gnutls_x509_dn_import (gnutls_x509_dn_t * odn, + const gnutls_datum_t * data); + + void gnutls_x509_dn_deinit (gnutls_x509_dn_t idn); + + /* CRL handling functions. */ int gnutls_x509_crl_init (gnutls_x509_crl_t * crl); diff -up ./lib/x509/dn.c.rdnfns ./lib/x509/dn.c --- ./lib/x509/dn.c.rdnfns 2008-02-14 19:44:02.000000000 +0000 +++ ./lib/x509/dn.c 2008-02-14 20:00:05.000000000 +0000
@@ -945,6 +945,66 @@ _gnutls_x509_set_dn_oid (ASN1_TYPE asn1_ /** + * gnutls_x509_dn_import: get opaque DN object from DER RDN sequence + * + * @odn: output variable with pointer to opaque DN + * @data: should contain a DER encoded RDN sequence + * + * This function parses an RDN sequence and returns a DN as an opaque + * object type. You may use gnutls_x509_dn_get_rdn_ava() to decode + * the DN. + * + * The object returned must be deallocated using + * gnutls_x509_dn_deinit() after use. + * + * Returns: 0 on success, or an error code. + **/ +int +gnutls_x509_dn_import (gnutls_x509_dn_t * odn, + const gnutls_datum_t * data) +{ + int result; + ASN1_TYPE dn = ASN1_TYPE_EMPTY; + + if ((result = + asn1_create_element (_gnutls_get_pkix (), + "PKIX1.Name", &dn)) != ASN1_SUCCESS) + { + gnutls_assert (); + return _gnutls_asn2err (result); + } + + result = asn1_der_decoding (&dn, data->data, data->size, NULL); + if (result != ASN1_SUCCESS) + { + /* couldn't decode DER */ + gnutls_assert (); + asn1_delete_structure (&dn); + return _gnutls_asn2err (result); + } + + *odn = dn; + + return 0; +} + +/** + * gnutls_x509_dn_deinit: deallocate a DN object + * @idn: a DN opaque object pointer. + * + * This function deallocates the DN object as returned by + * gnutls_x509_dn_import(). + * + **/ +void +gnutls_x509_dn_deinit (gnutls_x509_dn_t idn) +{ + ASN1_TYPE dn = idn; + + asn1_delete_structure(&dn); +} + +/** * gnutls_x509_rdn_get - This function parses an RDN sequence and returns a string * @idn: should contain a DER encoded RDN sequence * @buf: a pointer to a structure to hold the peer's name diff -up ./tests/x509dn.c.rdnfns ./tests/x509dn.c --- ./tests/x509dn.c.rdnfns 2008-02-14 19:43:13.000000000 +0000 +++ ./tests/x509dn.c 2008-02-14 20:21:48.000000000 +0000 
@@ -0,0 +1,567 @@ +/* + * Copyright (C) 2004, 2005, 2006, 2007 Free Software Foundation + * + * Author: Simon Josefsson + * + * This file is part of GNUTLS. + * + * GNUTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GNUTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with GNUTLS; if not, write to the Free Software Foundation, + * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +/* Parts copied from GnuTLS example programs. */ + +#if HAVE_CONFIG_H +# include +#endif + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "utils.h" + +#include "ex-session-info.c" +#include "ex-x509-info.c" + +pid_t child; + +static void +tls_log_func (int level, const char *str) +{ + fprintf (stderr, "%s |<%d>| %s", child ? "server" : "client", level, str); +} + +/* A very basic TLS client, with anonymous authentication. + */ + +#define MAX_BUF 1024 +#define MSG "Hello TLS" + +/* Connects to the peer and returns a socket + * descriptor. 
+ */ +int +tcp_connect (void) +{ + const char *PORT = "5556"; + const char *SERVER = "127.0.0.1"; + int err, sd; + struct sockaddr_in sa; + + /* connects to server + */ + sd = socket (AF_INET, SOCK_STREAM, 0); + + memset (&sa, '\0', sizeof (sa)); + sa.sin_family = AF_INET; + sa.sin_port = htons (atoi (PORT)); + inet_pton (AF_INET, SERVER, &sa.sin_addr); + + err = connect (sd, (struct sockaddr *) &sa, sizeof (sa)); + if (err < 0) + { + fprintf (stderr, "Connect error\n"); + exit (1); + } + + return sd; +} + +/* closes the given socket descriptor. + */ +void +tcp_close (int sd) +{ + shutdown (sd, SHUT_RDWR); /* no more receptions */ + close (sd); +} + +const char ca_pem[] = + "-----BEGIN CERTIFICATE-----\n" + "MIIB5zCCAVKgAwIBAgIERiYdJzALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" + "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTExWhcNMDgwNDE3MTMyOTExWjAZMRcw\n" + "FQYDVQQDEw5HbnVUTFMgdGVzdCBDQTCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA\n" + "vuyYeh1vfmslnuggeEKgZAVmQ5ltSdUY7H25WGSygKMUYZ0KT74v8C780qtcNt9T\n" + "7EPH/N6RvB4BprdssgcQLsthR3XKA84jbjjxNCcaGs33lvOz8A1nf8p3hD+cKfRi\n" + "kfYSW2JazLrtCC4yRCas/SPOUxu78of+3HiTfFm/oXUCAwEAAaNDMEEwDwYDVR0T\n" + "AQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBTpPBz7rZJu5gak\n" + "Viyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAiaIRqGfp1jPpNeVhABK60SU0KIAy\n" + "njuu7kHq5peUgYn8Jd9zNzExBOEp1VOipGsf6G66oQAhDFp2o8zkz7ZH71zR4HEW\n" + "KoX6n5Emn6DvcEH/9pAhnGxNHJAoS7czTKv/JDZJhkqHxyrE1fuLsg5Qv25DTw7+\n" + "PfqUpIhz5Bbm7J4=\n" + "-----END CERTIFICATE-----\n"; +const gnutls_datum_t ca = { ca_pem, sizeof (ca_pem) }; + +const char cert_pem[] = + "-----BEGIN CERTIFICATE-----\n" + "MIICHjCCAYmgAwIBAgIERiYdNzALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" + "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTI3WhcNMDgwNDE3MTMyOTI3WjAdMRsw\n" + "GQYDVQQDExJHbnVUTFMgdGVzdCBjbGllbnQwgZwwCwYJKoZIhvcNAQEBA4GMADCB\n" + "iAKBgLtmQ/Xyxde2jMzF3/WIO7HJS2oOoa0gUEAIgKFPXKPQ+GzP5jz37AR2ExeL\n" + "ZIkiW8DdU3w77XwEu4C5KL6Om8aOoKUSy/VXHqLnu7czSZ/ju0quak1o/8kR4jKN\n" + 
"zj2AC41179gAgY8oBAOgIo1hBAf6tjd9IQdJ0glhaZiQo1ipAgMBAAGjdjB0MAwG\n" + "A1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDwYDVR0PAQH/BAUDAweg\n" + "ADAdBgNVHQ4EFgQUTLkKm/odNON+3svSBxX+odrLaJEwHwYDVR0jBBgwFoAU6Twc\n" + "+62SbuYGpFYsouHAUyfI8pUwCwYJKoZIhvcNAQEFA4GBALujmBJVZnvaTXr9cFRJ\n" + "jpfc/3X7sLUsMvumcDE01ls/cG5mIatmiyEU9qI3jbgUf82z23ON/acwJf875D3/\n" + "U7jyOsBJ44SEQITbin2yUeJMIm1tievvdNXBDfW95AM507ShzP12sfiJkJfjjdhy\n" + "dc8Siq5JojruiMizAf0pA7in\n" + "-----END CERTIFICATE-----\n"; +const gnutls_datum_t cert = { cert_pem, sizeof (cert_pem) }; + +const char key_pem[] = + "-----BEGIN RSA PRIVATE KEY-----\n" + "MIICXAIBAAKBgQC7ZkP18sXXtozMxd/1iDuxyUtqDqGtIFBACIChT1yj0Phsz+Y8\n" + "9+wEdhMXi2SJIlvA3VN8O+18BLuAuSi+jpvGjqClEsv1Vx6i57u3M0mf47tKrmpN\n" + "aP/JEeIyjc49gAuNde/YAIGPKAQDoCKNYQQH+rY3fSEHSdIJYWmYkKNYqQIDAQAB\n" + "AoGADpmARG5CQxS+AesNkGmpauepiCz1JBF/JwnyiX6vEzUh0Ypd39SZztwrDxvF\n" + "PJjQaKVljml1zkJpIDVsqvHdyVdse8M+Qn6hw4x2p5rogdvhhIL1mdWo7jWeVJTF\n" + "RKB7zLdMPs3ySdtcIQaF9nUAQ2KJEvldkO3m/bRJFEp54k0CQQDYy+RlTmwRD6hy\n" + "7UtMjR0H3CSZJeQ8svMCxHLmOluG9H1UKk55ZBYfRTsXniqUkJBZ5wuV1L+pR9EK\n" + "ca89a+1VAkEA3UmBelwEv2u9cAU1QjKjmwju1JgXbrjEohK+3B5y0ESEXPAwNQT9\n" + "TrDM1m9AyxYTWLxX93dI5QwNFJtmbtjeBQJARSCWXhsoaDRG8QZrCSjBxfzTCqZD\n" + "ZXtl807ymCipgJm60LiAt0JLr4LiucAsMZz6+j+quQbSakbFCACB8SLV1QJBAKZQ\n" + "YKf+EPNtnmta/rRKKvySsi3GQZZN+Dt3q0r094XgeTsAqrqujVNfPhTMeP4qEVBX\n" + "/iVX2cmMTSh3w3z8MaECQEp0XJWDVKOwcTW6Ajp9SowtmiZ3YDYo1LF9igb4iaLv\n" + "sWZGfbnU3ryjvkb6YuFjgtzbZDZHWQCo8/cOtOBmPdk=\n" + "-----END RSA PRIVATE KEY-----\n"; +const gnutls_datum_t key = { key_pem, sizeof (key_pem) }; + +#define EXPECT_RDN0 "GnuTLS test CA" + +static int +cert_callback (gnutls_session session, + const gnutls_datum *req_ca_rdn, int nreqs, + const gnutls_pk_algorithm *sign_algos, + int sign_algos_length, gnutls_retr_st *st) +{ + int result; + gnutls_x509_dn_t dn; + + if (nreqs != 1) + { + fail ("client: invoked to provide client cert, %d CA .\n", nreqs); + return -1; + } + + success 
("client: invoked to provide client cert.\n"); + + result = gnutls_x509_dn_import (&dn, req_ca_rdn); + if (result == 0) + { + gnutls_x509_ava_st val; + + success ("client: imported DN.\n"); + + if (gnutls_x509_dn_get_rdn_ava (dn, 0, 0, &val) == 0) + { + success ("client: got RDN 0.\n"); + + if (val.value.size == strlen(EXPECT_RDN0) + && strncmp(val.value.data, EXPECT_RDN0, val.value.size) == 0) + { + success ("client: RND 0 correct.\n"); + } + else + { + fail ("client: RND 0 bad: %.*s\n", + val.value.size, val.value.data); + return -1; + } + } + else + { + fail ("client: could not retrieve RDN 0.\n"); + return -1; + } + + gnutls_x509_dn_deinit (dn); + } + else + { + fail ("client: failed to parse RDN: %s\n", gnutls_strerror (result)); + } + + return 0; +} + + +void +client (void) +{ + int ret, sd, ii; + gnutls_session_t session; + char buffer[MAX_BUF + 1]; + gnutls_certificate_credentials_t xcred; + + gnutls_global_init (); + + gnutls_global_set_log_function (tls_log_func); + gnutls_global_set_log_level (4711); + + gnutls_certificate_allocate_credentials (&xcred); + + /* sets the trusted cas file + */ + gnutls_certificate_set_x509_trust_mem (xcred, &ca, GNUTLS_X509_FMT_PEM); + + gnutls_certificate_client_set_retrieve_function (xcred, cert_callback); + + /* Initialize TLS session + */ + gnutls_init (&session, GNUTLS_CLIENT); + + /* Use default priorities */ + gnutls_set_default_priority (session); + + /* put the x509 credentials to the current session + */ + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + /* connect to the peer + */ + sd = tcp_connect (); + + gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); + + /* Perform the TLS handshake + */ + ret = gnutls_handshake (session); + + if (ret < 0) + { + fail ("client: Handshake failed\n"); + gnutls_perror (ret); + goto end; + } + else + { + success ("client: Handshake was completed\n"); + } + + success ("client: TLS version is: %s\n", + gnutls_protocol_get_name 
(gnutls_protocol_get_version (session))); + + /* see the Getting peer's information example */ + print_info(session); + + gnutls_record_send (session, MSG, strlen (MSG)); + + ret = gnutls_record_recv (session, buffer, MAX_BUF); + if (ret == 0) + { + success ("client: Peer has closed the TLS connection\n"); + goto end; + } + else if (ret < 0) + { + fail ("client: Error: %s\n", gnutls_strerror (ret)); + goto end; + } + + printf ("- Received %d bytes: ", ret); + for (ii = 0; ii < ret; ii++) + { + fputc (buffer[ii], stdout); + } + fputs ("\n", stdout); + + gnutls_bye (session, GNUTLS_SHUT_RDWR); + +end: + + tcp_close (sd); + + gnutls_deinit (session); + + gnutls_certificate_free_credentials (xcred); + + gnutls_global_deinit (); +} + +/* This is a sample TLS 1.0 echo server, using X.509 authentication. + */ + +#define SA struct sockaddr +#define MAX_BUF 1024 +#define PORT 5556 /* listen to 5556 port */ +#define DH_BITS 1024 + +/* These are global */ +gnutls_certificate_credentials_t x509_cred; + +gnutls_session_t +initialize_tls_session (void) +{ + gnutls_session_t session; + + gnutls_init (&session, GNUTLS_SERVER); + + /* avoid calling all the priority functions, since the defaults + * are adequate. + */ + gnutls_set_default_priority (session); + + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred); + + /* request client certificate if any. + */ + gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST); + + gnutls_dh_set_prime_bits (session, DH_BITS); + + return session; +} + +static gnutls_dh_params_t dh_params; + +static int +generate_dh_params (void) +{ + const gnutls_datum_t p3 = { pkcs3, strlen (pkcs3) }; + /* Generate Diffie Hellman parameters - for use with DHE + * kx algorithms. These should be discarded and regenerated + * once a day, once a week or once a month. Depending on the + * security requirements. 
+ */ + gnutls_dh_params_init (&dh_params); + return gnutls_dh_params_import_pkcs3 (dh_params, &p3, GNUTLS_X509_FMT_PEM); +} + +int err, listen_sd, i; +int sd, ret; +struct sockaddr_in sa_serv; +struct sockaddr_in sa_cli; +int client_len; +char topbuf[512]; +gnutls_session_t session; +char buffer[MAX_BUF + 1]; +int optval = 1; + + +const char server_cert_pem[] = + "-----BEGIN CERTIFICATE-----\n" + "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" + "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n" + "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n" + "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n" + "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n" + "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n" + "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n" + "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n" + "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n" + "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n" + "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n" + "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n" + "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" + "-----END CERTIFICATE-----\n"; + +const gnutls_datum_t server_cert = { server_cert_pem, + sizeof (server_cert_pem) }; + +const char server_key_pem[] = + "-----BEGIN RSA PRIVATE KEY-----\n" + "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n" + "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n" + "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n" + "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n" + "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n" + "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n" + "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n" + 
"oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n" + "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n" + "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n" + "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n" + "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n" + "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n" + "-----END RSA PRIVATE KEY-----\n"; + +const gnutls_datum_t server_key = { server_key_pem, + sizeof (server_key_pem) }; + +void +server_start (void) +{ + /* this must be called once in the program + */ + gnutls_global_init (); + + gnutls_global_set_log_function (tls_log_func); + gnutls_global_set_log_level (4711); + + gnutls_certificate_allocate_credentials (&x509_cred); + gnutls_certificate_set_x509_trust_mem (x509_cred, &ca, GNUTLS_X509_FMT_PEM); + + gnutls_certificate_set_x509_key_mem (x509_cred, &server_cert, &server_key, + GNUTLS_X509_FMT_PEM); + + success ("Launched, generating DH parameters...\n"); + + generate_dh_params (); + + gnutls_certificate_set_dh_params (x509_cred, dh_params); + + /* Socket operations + */ + listen_sd = socket (AF_INET, SOCK_STREAM, 0); + if (err == -1) + { + perror ("socket"); + fail ("server: socket failed\n"); + return; + } + + memset (&sa_serv, '\0', sizeof (sa_serv)); + sa_serv.sin_family = AF_INET; + sa_serv.sin_addr.s_addr = INADDR_ANY; + sa_serv.sin_port = htons (PORT); /* Server Port number */ + + setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof (int)); + + err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv)); + if (err == -1) + { + perror ("bind"); + fail ("server: bind failed\n"); + return; + } + + err = listen (listen_sd, 1024); + if (err == -1) + { + perror ("listen"); + fail ("server: listen failed\n"); + return; + } + + success ("server: ready. 
Listening to port '%d'.\n", PORT); +} + +void +server (void) +{ + client_len = sizeof (sa_cli); + + session = initialize_tls_session (); + + sd = accept (listen_sd, (SA *) & sa_cli, &client_len); + + success ("server: connection from %s, port %d\n", + inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf, + sizeof (topbuf)), ntohs (sa_cli.sin_port)); + + gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); + ret = gnutls_handshake (session); + if (ret < 0) + { + close (sd); + gnutls_deinit (session); + fail ("server: Handshake has failed (%s)\n\n", gnutls_strerror (ret)); + return; + } + success ("server: Handshake was completed\n"); + + success ("server: TLS version is: %s\n", + gnutls_protocol_get_name (gnutls_protocol_get_version (session))); + + /* see the Getting peer's information example */ + print_info(session); + + i = 0; + for (;;) + { + bzero (buffer, MAX_BUF + 1); + ret = gnutls_record_recv (session, buffer, MAX_BUF); + + if (ret == 0) + { + success ("server: Peer has closed the GNUTLS connection\n"); + break; + } + else if (ret < 0) + { + fail ("server: Received corrupted data(%d). Closing...\n", ret); + break; + } + else if (ret > 0) + { + /* echo data back to the client + */ + gnutls_record_send (session, buffer, strlen (buffer)); + } + } + /* do not wait for the peer to close the connection. 
+ */ + gnutls_bye (session, GNUTLS_SHUT_WR); + + close (sd); + gnutls_deinit (session); + + close (listen_sd); + + gnutls_certificate_free_credentials (x509_cred); + + gnutls_global_deinit (); + + success ("server: finished\n"); +} + + +void +doit (void) +{ + server_start (); + if (error_count) + return; + + child = fork (); + if (child < 0) + { + perror ("fork"); + fail ("fork"); + return; + } + + if (child) + { + int status; + /* parent */ + server (); + wait (&status); + +#if defined(WIFEXITED) && defined(WEXITSTATUS) + if (WIFEXITED (status) && WEXITSTATUS (status)) + { + fail ("server: client failed with exit status %d\n", WEXITSTATUS (status)); + } +#endif +#if defined(WIFSIGNALED) && defined(WTERMSIG) + if (WIFSIGNALED (status)) + { + fail ("server: client failed with fatal signal %d\n", WTERMSIG (status)); + } +#endif + + } + else + client (); +} diff -up ./tests/Makefile.am.rdnfns ./tests/Makefile.am --- ./tests/Makefile.am.rdnfns 2007-12-17 11:12:04.000000000 +0000 +++ ./tests/Makefile.am 2008-02-14 18:23:21.000000000 +0000 @@ -1,5 +1,5 @@ ## Process this file with automake to produce Makefile.in -# Copyright (C) 2004, 2005, 2006, 2007 Free Software Foundation +# Copyright (C) 2004, 2005, 2006, 2007, 2008 Free Software Foundation # # Author: Simon Josefsson # @@ -40,7 +40,7 @@ ctests = simple openssl gc set_pkcs12_cr certificate_set_x509_crl dn parse_ca openssl_LDADD = $(LDADD) ../libextra/libgnutls-openssl.la if HAVE_FORK -ctests += x509self x509signself anonself pskself dhepskself tlsia resume +ctests += x509self x509signself x509dn anonself pskself dhepskself tlsia resume tlsia_LDADD = ../libextra/libgnutls-extra.la $(LDADD) @LTLIBREADLINE@ endif if ENABLE_OPRFI From nmav at gnutls.org Tue Feb 19 21:26:40 2008 
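Review bot: in server_start() of the new x509dn test the return value of socket() is stored in listen_sd, but the check that follows is `if (err == -1)`, and err has not been assigned at that point, so a failed socket() goes unnoticed and bind() is then called on -1; the check should test listen_sd. In cert_callback() both `return -1` paths taken after gnutls_x509_dn_import() has succeeded skip gnutls_x509_dn_deinit (dn), and the final else branch reports the parse failure through fail() yet still falls through to `return 0`; I would free dn on every exit and return -1 from that branch. The messages also print "RND 0" where "RDN 0" is meant.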
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 19 Feb 2008 22:26:40 +0200
Subject: [PATCH] add DN import function
In-Reply-To: <20080219083117.GA4142@redhat.com>
References: <20080214203932.GA13991@redhat.com> <200802161125.39339.nmav@gnutls.org> <20080219083117.GA4142@redhat.com>
Message-ID: <47BB3B80.8010809@gnutls.org>

Joe Orton wrote:
> On Sat, Feb 16, 2008 at 11:25:38AM +0200, Nikos Mavrogiannopoulos wrote:
>> On Thursday 14 February 2008, Joe Orton wrote:
>>> The CA dnames passed to the client-cert-retrieve function are raw DER
>>> and hence can't be used by gnutls_x509_dn_get_rdn_ava().
>>>
>>> This patch adds gnutls_x509_dn_import() which fills that gap, and
>>> gnutls_x509_free_dn() which destroys the allocated structures.
>>>
>>> The naming is slightly awkward because these don't fit the usual
>>> init/import/deinit convention used by GnuTLS; let me know if you'd
>>> prefer different names.
>> This is a nice addition, thank you. About the naming I think
>> gnutls_x509_free_dn should be better named gnutls_x509_dn_deinit to be more
>> consistent with the other deinitialization functions. Would this be ok with
>> you?
>
> Sure, no problem. Here's an updated patch:

Thank you Joe. I've just added the patch in the development branch. I've also added gnutls_x509_dn_init function if this is ok with you.

The commitdiff is:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=9969955bec0da9ce2eff00504156223130e6cb9c

regards,
Nikos

From jorton at redhat.com Tue Feb 19 21:53:58 2008
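The thread above turns on the CA names reaching the client callback as raw DER. As an added example (not GnuTLS code and not part of any message in this archive), here is a bounds-checked walk of a DER-encoded Name that returns one attribute value, the lookup the x509dn test performs on RDN 0. The struct and function names are hypothetical, and sample_dn is a constructed encoding of CN=GnuTLS test CA.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One decoded DER element: tag byte plus a view of its content octets. */
struct tlv {
    unsigned char tag;
    const unsigned char *val;
    size_t len;
};

/* Decode the TLV at buf[0..n). Returns bytes consumed, 0 if malformed. */
static size_t der_read(const unsigned char *buf, size_t n, struct tlv *out)
{
    size_t hdr = 2, len, i, nbytes;

    if (n < 2 || (buf[0] & 0x1f) == 0x1f)   /* a Name never uses high tag numbers */
        return 0;
    len = buf[1];
    if (len & 0x80) {                        /* long-form length */
        nbytes = len & 0x7f;
        if (nbytes == 0 || nbytes > 4 || n - 2 < nbytes)
            return 0;                        /* indefinite (BER) or oversized */
        for (len = 0, i = 0; i < nbytes; i++)
            len = (len << 8) | buf[2 + i];
        if (len < 0x80 || buf[2] == 0)
            return 0;                        /* DER requires the shortest form */
        hdr += nbytes;
    }
    if (len > n - hdr)                       /* content must fit in the input */
        return 0;
    out->tag = buf[0];
    out->val = buf + hdr;
    out->len = len;
    return hdr + len;
}

/* Find child number idx (0-based) with the wanted tag inside [p, p+left). */
static int nth_child(const unsigned char *p, size_t left, unsigned idx,
                     unsigned char want_tag, struct tlv *out)
{
    size_t used;

    for (;;) {
        used = der_read(p, left, out);
        if (used == 0 || out->tag != want_tag)
            return -1;
        if (idx-- == 0)
            return 0;
        p += used;
        left -= used;
    }
}

/* Name ::= SEQUENCE OF RDN; RDN ::= SET OF SEQUENCE { OID type, ANY value } */
int dn_get_rdn_ava(const unsigned char *der, size_t der_len,
                   unsigned rdn, unsigned ava,
                   struct tlv *oid, struct tlv *value)
{
    struct tlv name, set, atv;
    size_t a, b;

    a = der_read(der, der_len, &name);
    if (a == 0 || a != der_len || name.tag != 0x30)
        return -1;                           /* also rejects trailing bytes */
    if (nth_child(name.val, name.len, rdn, 0x31, &set) != 0)
        return -1;
    if (nth_child(set.val, set.len, ava, 0x30, &atv) != 0)
        return -1;
    a = der_read(atv.val, atv.len, oid);
    if (a == 0 || oid->tag != 0x06)
        return -1;
    b = der_read(atv.val + a, atv.len - a, value);
    if (b == 0 || a + b != atv.len)
        return -1;
    return 0;
}

/* 1 = value equals expect, 0 = differs, -1 = malformed DN or no such AVA. */
int ava_matches(const unsigned char *der, size_t der_len,
                unsigned rdn, unsigned ava, const char *expect)
{
    struct tlv oid, value;

    if (dn_get_rdn_ava(der, der_len, rdn, ava, &oid, &value) != 0)
        return -1;
    return value.len == strlen(expect)
        && memcmp(value.val, expect, value.len) == 0;
}

/* Constructed sample: DER for the one-RDN name CN=GnuTLS test CA. */
static const unsigned char sample_dn[] = {
    0x30, 0x19, 0x31, 0x17, 0x30, 0x15,
    0x06, 0x03, 0x55, 0x04, 0x03,            /* OID 2.5.4.3, commonName */
    0x13, 0x0e,                              /* PrintableString, 14 bytes */
    'G', 'n', 'u', 'T', 'L', 'S', ' ', 't', 'e', 's', 't', ' ', 'C', 'A'
};

/* Same bytes with the string length inflated past the end of the input. */
int inflated_length_result(void)
{
    unsigned char bad[sizeof sample_dn];

    memcpy(bad, sample_dn, sizeof bad);
    bad[12] = 0x7f;
    return ava_matches(bad, sizeof bad, 0, 0, "GnuTLS test CA");
}

int main(void)
{
    printf("RDN 0 match: %d\n",
           ava_matches(sample_dn, sizeof sample_dn, 0, 0, "GnuTLS test CA"));
    printf("inflated length: %d\n", inflated_length_result());
    return 0;
}
```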
From: jorton at redhat.com (Joe Orton) Date: Tue, 19 Feb 2008 20:53:58 +0000 Subject: [PATCH] add DN import function In-Reply-To: <47BB3B80.8010809@gnutls.org> References: <20080214203932.GA13991@redhat.com> <200802161125.39339.nmav@gnutls.org> <20080219083117.GA4142@redhat.com> <47BB3B80.8010809@gnutls.org> Message-ID: <20080219205358.GA15854@redhat.com> On Tue, Feb 19, 2008 at 10:26:40PM +0200, Nikos Mavrogiannopoulos wrote: > Thank you Joe. I've just added the patch in the development branch. I've > also added gnutls_x509_dn_init function if this is ok with you. > > The commitdiff is: > http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=9969955bec0da9ce2eff00504156223130e6cb9c Looks good, thanks a lot. joe From jorton at redhat.com Tue Feb 19 21:56:55 2008 From: jorton at redhat.com (Joe Orton) Date: Tue, 19 Feb 2008 20:56:55 +0000 Subject: [PATCH] add gnutls_certificate_find_issuer In-Reply-To: <20080215102150.GA30014@redhat.com> References: <20080215102150.GA30014@redhat.com> Message-ID: <20080219205655.GA12341@redhat.com> On Fri, Feb 15, 2008 at 10:21:50AM +0000, Joe Orton wrote: > This patch adds a function which finds the issuer of a given certificate > within a credentials structure. This is useful so that clients can > easily recreate the complete server cert chain given only the single > cert returned by the peer. > > (e.g. in the case where gnutls_certificate_set_x509_trust_file() is > used, the client doesn't have the individual issuer cert structures to > compare against directly.) > > This and the previously submitted patch allow the two remaining failures > in neon's SSL test suite to be fixed :) The patch submitted for this had a typo and wouldn't compile; here's an updated version: diff -up ./includes/gnutls/gnutls.h.findissuer ./includes/gnutls/gnutls.h --- ./includes/gnutls/gnutls.h.findissuer +++ ./includes/gnutls/gnutls.h 
@@ -717,6 +717,10 @@ extern "C" gnutls_x509_crl_t * crl_list, int crl_list_size); + gnutls_x509_crt_t + gnutls_certificate_find_issuer (gnutls_certificate_credentials_t cred, + gnutls_x509_crt_t cert); + /* global state functions */ int gnutls_global_init (void); diff -up ./lib/gnutls_cert.c.findissuer ./lib/gnutls_cert.c --- ./lib/gnutls_cert.c.findissuer +++ ./lib/gnutls_cert.c @@ -593,6 +593,31 @@ gnutls_certificate_verify_peers (gnutls_ } /** + * gnutls_certificate_find_issuer - This function finds an issuer certificate + * @sc: is an #gnutls_certificate_credentials_t structure. + * @cert: should contain a gnutls_x509_crt_t structure + * + * This function returns the issuer certificate of @cert, if it can + * be found in the listed of trusted X.509 certificates in @cred. + * If no issuer is found, then NULL is returned. + * + **/ +gnutls_x509_crt_t +gnutls_certificate_find_issuer (gnutls_certificate_credentials_t cred, + gnutls_x509_crt_t cert) +{ + unsigned n; + + for (n = 0; n < cred->x509_ncas; n++) + { + if (gnutls_x509_crt_check_issuer (cert, cred->x509_ca_list[n]) == 1) + return cred->x509_ca_list[n]; + } + + return NULL; +} + +/** * gnutls_certificate_expiration_time_peers - This function returns the peer's certificate expiration time * @session: is a gnutls session * From nmav at gnutls.org Tue Feb 19 22:14:39 2008 
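Review bot: the doc comment on gnutls_certificate_find_issuer tags the first parameter as @sc while the prototype, the description text and the body all call it cred, so the generated documentation will not match the signature; rename the tag to @cred. The comment should also say that the returned gnutls_x509_crt_t is the entry held in cred->x509_ca_list rather than a copy, so the caller must not deinit it and it is only valid for as long as the credentials are. "listed of trusted" should read "list of trusted".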
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 19 Feb 2008 23:14:39 +0200
Subject: [PATCH] add gnutls_certificate_find_issuer
In-Reply-To: <20080219205655.GA12341@redhat.com>
References: <20080215102150.GA30014@redhat.com> <20080219205655.GA12341@redhat.com>
Message-ID: <47BB46BF.3070504@gnutls.org>

Joe Orton wrote:
> On Fri, Feb 15, 2008 at 10:21:50AM +0000, Joe Orton wrote:
>> This patch adds a function which finds the issuer of a given certificate
>> within a credentials structure. This is useful so that clients can
>> easily recreate the complete server cert chain given only the single
>> cert returned by the peer.
>>
>> (e.g. in the case where gnutls_certificate_set_x509_trust_file() is
>> used, the client doesn't have the individual issuer cert structures to
>> compare against directly.)
>>
>> This and the previously submitted patch allow the two remaining failures
>> in neon's SSL test suite to be fixed :)
>
> The patch submitted for this had a typo and wouldn't compile; here's an
> updated version:

Hello Joe,

In which case is a function like this needed? I'm thinking maybe exporting the included structures that would need, would better than having functions to perform operations on them.

regards,
Nikos

From jorton at redhat.com Tue Feb 19 22:33:05 2008
From: jorton at redhat.com (Joe Orton)
Date: Tue, 19 Feb 2008 21:33:05 +0000
Subject: [PATCH] add gnutls_certificate_find_issuer
In-Reply-To: <47BB46BF.3070504@gnutls.org>
References: <20080215102150.GA30014@redhat.com> <20080219205655.GA12341@redhat.com> <47BB46BF.3070504@gnutls.org>
Message-ID: <20080219213305.GA18904@redhat.com>

Hi Nikos,

On Tue, Feb 19, 2008 at 11:14:39PM +0200, Nikos Mavrogiannopoulos wrote:
> Joe Orton wrote:
>> On Fri, Feb 15, 2008 at 10:21:50AM +0000, Joe Orton wrote:
>>> This patch adds a function which finds the issuer of a given certificate
>>> within a credentials structure. This is useful so that clients can
>>> easily recreate the complete server cert chain given only the single cert
>>> returned by the peer.
...
> In which case is a function like this needed? I'm thinking maybe exporting
> the included structures that would need, would better than having functions
> to perform operations on them.

neon uses a gnutls_certificate_credentials structure and exposes functions which allow applications based on neon to configure specific CA certs as trusted using gnutls_certificate_set_x509_trust* in various ways. neon doesn't otherwise examine or store those certs; indeed, when using gnutls_certificate_set_x509_trust_file() to load a CA root bundle in PEM format, there is not really any way to do so.

When an SSL handshake takes place and a server cert cannot be verified for some reason (commonName mismatch, for example), the neon API then needs to expose the whole server cert chain to the application, so that it can be presented to a user for manual verification.

gnutls_certificate_get_peers() will not necessarily return that whole chain, so neon needs some way to recreate the chain based on the configured set of trusted certs. That is what gnutls_certificate_find_issuer() is for.

Does that make sense?

With respect to exposing structure contents directly, I would generally advocate exposing functions instead where possible, since structures bring restrictive ABI constraints.

Regards,
joe

From simon at josefsson.org Tue Feb 19 23:36:41 2008
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 19 Feb 2008 23:36:41 +0100
Subject: [PATCH] add DN import function
In-Reply-To: <20080219205358.GA15854@redhat.com> (Joe Orton's message of "Tue, 19 Feb 2008 20:53:58 +0000")
References: <20080214203932.GA13991@redhat.com> <200802161125.39339.nmav@gnutls.org> <20080219083117.GA4142@redhat.com> <47BB3B80.8010809@gnutls.org> <20080219205358.GA15854@redhat.com>
Message-ID: <87ejb8y3nq.fsf@mocca.josefsson.org>

Joe Orton writes:

> On Tue, Feb 19, 2008 at 10:26:40PM +0200, Nikos Mavrogiannopoulos wrote:
>> Thank you Joe. I've just added the patch in the development branch. I've
>> also added gnutls_x509_dn_init function if this is ok with you.
>>
>> The commitdiff is:
>> http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=9969955bec0da9ce2eff00504156223130e6cb9c
>
> Looks good, thanks a lot.

I believe we need copyright papers signed to be able to accept such a large patch (even if some of it was cut'n'paste). I couldn't find any papers for you on file. Is this OK with you? I can send you the form privately.

/Simon

From jorton at redhat.com Wed Feb 20 11:33:06 2008
From: jorton at redhat.com (Joe Orton)
Date: Wed, 20 Feb 2008 10:33:06 +0000
Subject: [PATCH] add DN import function
In-Reply-To: <87ejb8y3nq.fsf@mocca.josefsson.org>
References: <20080214203932.GA13991@redhat.com> <200802161125.39339.nmav@gnutls.org> <20080219083117.GA4142@redhat.com> <47BB3B80.8010809@gnutls.org> <20080219205358.GA15854@redhat.com> <87ejb8y3nq.fsf@mocca.josefsson.org>
Message-ID: <20080220103306.GA4953@redhat.com>

On Tue, Feb 19, 2008 at 11:36:41PM +0100, Simon Josefsson wrote:
> Joe Orton writes:
>
> > On Tue, Feb 19, 2008 at 10:26:40PM +0200, Nikos Mavrogiannopoulos wrote:
> >> Thank you Joe. I've just added the patch in the development branch. I've
> >> also added gnutls_x509_dn_init function if this is ok with you.
> >>
> >> The commitdiff is:
> >> http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=9969955bec0da9ce2eff00504156223130e6cb9c
> >
> > Looks good, thanks a lot.
>
> I believe we need copyright papers signed to be able to accept such a
> large patch (even if some of it was cut'n'paste). I couldn't find any
> papers for you on file. Is this OK with you? I can send you the form
> privately.

This was 99% copied so I wouldn't claim there was any "original work" in there, but in any case - Red Hat have a corporate assignment with the FSF :)

joe

From nmav at gnutls.org Wed Feb 20 13:52:54 2008
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 20 Feb 2008 14:52:54 +0200
Subject: [PATCH] add gnutls_certificate_find_issuer
In-Reply-To: <20080219213305.GA18904@redhat.com>
References: <20080215102150.GA30014@redhat.com> <20080219205655.GA12341@redhat.com> <47BB46BF.3070504@gnutls.org> <20080219213305.GA18904@redhat.com>
Message-ID:

On Feb 19, 2008 11:33 PM, Joe Orton wrote:
> When an SSL handshake takes place and a server cert cannot be verified
> for some reason (commonName mismatch, for example), the neon API then
> needs to expose the whole server cert chain to the application, so that
> it can be presented to a user for manual verification.
>
> gnutls_certificate_get_peers() will not necessarily return that whole
> chain, so neon needs some way to recreate the chain based on the
> configured set of trusted certs. That is what
> gnutls_certificate_find_issuer() is for.

> Does that make sense?

> With respect to exposing structure contents directly, I would generally
> advocate exposing functions instead where possible, since structures
> bring restrictive ABI constraints.

Indeed but I'm thinking that someone might do more than check a single issuer. He might want to print the whole imported list. In that case I'd use something like gnutls_certificate_export_x509_cas() that will return the whole list of issuers, and your check can be done at the application level. Would something like this suit you?

regards,
Nikos

From jorton at redhat.com Wed Feb 20 14:32:31 2008
From: jorton at redhat.com (Joe Orton)
Date: Wed, 20 Feb 2008 13:32:31 +0000
Subject: [PATCH] add gnutls_certificate_find_issuer
In-Reply-To:
References: <20080215102150.GA30014@redhat.com> <20080219205655.GA12341@redhat.com> <47BB46BF.3070504@gnutls.org> <20080219213305.GA18904@redhat.com>
Message-ID: <20080220133230.GA30083@redhat.com>

On Wed, Feb 20, 2008 at 02:52:54PM +0200, Nikos Mavrogiannopoulos wrote:
> On Feb 19, 2008 11:33 PM, Joe Orton wrote:
> > With respect to exposing structure contents directly, I would generally
> > advocate exposing functions instead where possible, since structures
> > bring restrictive ABI constraints.
>
> Indeed but I'm thinking that someone might do more than check a single
> issuer. He might want to print the whole imported list. In that case
> I'd use something like gnutls_certificate_export_x509_cas() that will
> return the whole list of issuers, and your check can be done at the
> application level. Would something like this suit you?

Yes, that certainly sounds fine too.

joe

From nmav at gnutls.org Wed Feb 20 20:30:32 2008
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 20 Feb 2008 21:30:32 +0200
Subject: [PATCH] add gnutls_certificate_find_issuer
In-Reply-To: <20080220133230.GA30083@redhat.com>
References: <20080215102150.GA30014@redhat.com> <20080219205655.GA12341@redhat.com> <47BB46BF.3070504@gnutls.org> <20080219213305.GA18904@redhat.com> <20080220133230.GA30083@redhat.com>
Message-ID: <47BC7FD8.2030104@gnutls.org>

Joe Orton wrote:
> On Wed, Feb 20, 2008 at 02:52:54PM +0200, Nikos Mavrogiannopoulos wrote:
>> On Feb 19, 2008 11:33 PM, Joe Orton wrote:
>>> With respect to exposing structure contents directly, I would generally
>>> advocate exposing functions instead where possible, since structures
>>> bring restrictive ABI constraints.
>> Indeed but I'm thinking that someone might do more than check a single
>> issuer. He might want to print the whole imported list. In that case
>> I'd use something like gnutls_certificate_export_x509_cas() that will
>> return the whole list of issuers, and your check can be done at the
>> application level. Would something like this suit you?
>
> Yes, that certainly sounds fine too.

I've done a commit at:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=a259726327bf193e9c83f7473d517502ba8a879b

However these functions will restrict us on a rewrite of certificate_credentials... but it doesn't seem likely.

regards,
Nikos

From simon at josefsson.org Thu Feb 21 10:00:29 2008
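The application-level issuer search agreed on above, as an added example that is not code from GnuTLS, neon or any message in this archive: it rebuilds a chain from a leaf and a trusted-CA list and handles a missing issuer, a cross-issued loop and a length limit. Assumptions: struct cert and issued_by() are hypothetical stand-ins for gnutls_x509_crt_t and gnutls_x509_crt_check_issuer(), the trust[] entries other than the name "GnuTLS test CA" are constructed, and matching is by name only, so the result is fit for display and not for verification.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for gnutls_x509_crt_t: only the two names matter. */
struct cert {
    const char *subject;
    const char *issuer;
};

enum chain_status { CHAIN_TO_ROOT, CHAIN_INCOMPLETE, CHAIN_LOOP, CHAIN_TOO_LONG };

/* Stand-in for gnutls_x509_crt_check_issuer(): name match, no signature check. */
static int issued_by(const struct cert *c, const struct cert *ca)
{
    return strcmp(c->issuer, ca->subject) == 0;
}

/* Same linear search as the find_issuer patch, run over an exported CA list. */
static const struct cert *find_issuer(const struct cert *c,
                                      const struct cert *cas, size_t ncas)
{
    size_t n;

    for (n = 0; n < ncas; n++)
        if (issued_by(c, &cas[n]))
            return &cas[n];
    return NULL;
}

/* Fill chain[0..*len) with leaf, its issuer, that issuer's issuer, ...
 * chain[] must have room for max entries. */
enum chain_status build_chain(const struct cert *leaf,
                              const struct cert *cas, size_t ncas,
                              const struct cert **chain, size_t max,
                              size_t *len)
{
    const struct cert *cur = leaf, *next;
    size_t i;

    *len = 0;
    if (max == 0)
        return CHAIN_TOO_LONG;
    chain[(*len)++] = cur;

    while (!issued_by(cur, cur)) {           /* a self-issued cert ends the walk */
        next = find_issuer(cur, cas, ncas);
        if (next == NULL)
            return CHAIN_INCOMPLETE;         /* issuer is not in the trust list */
        for (i = 0; i < *len; i++)
            if (chain[i] == next)
                return CHAIN_LOOP;           /* cross-issued CAs point at each other */
        if (*len == max)
            return CHAIN_TOO_LONG;
        chain[(*len)++] = next;
        cur = next;
    }
    return CHAIN_TO_ROOT;
}

/* Constructed trust list; only "GnuTLS test CA" is a name from the page. */
static const struct cert trust[] = {
    { "GnuTLS test CA", "GnuTLS test CA" },  /* self-issued root */
    { "Constructed Sub CA", "GnuTLS test CA" },
    { "Cross A", "Cross B" },                /* cross-issued pair */
    { "Cross B", "Cross A" },
};

/* Build the chain for a leaf named test.gnutls.org with the given issuer. */
static enum chain_status demo(const char *leaf_issuer, size_t max, size_t *len)
{
    struct cert leaf;
    const struct cert *chain[8];

    leaf.subject = "test.gnutls.org";
    leaf.issuer = leaf_issuer;
    return build_chain(&leaf, trust, sizeof trust / sizeof trust[0],
                       chain, max > 8 ? 8 : max, len);
}

int demo_status(const char *leaf_issuer, size_t max)
{
    size_t len;

    return (int) demo(leaf_issuer, max, &len);
}

int demo_length(const char *leaf_issuer, size_t max)
{
    size_t len;

    demo(leaf_issuer, max, &len);
    return (int) len;
}

int main(void)
{
    printf("via sub CA: status %d, %d certs\n",
           demo_status("Constructed Sub CA", 8), demo_length("Constructed Sub CA", 8));
    printf("unknown issuer: status %d, %d certs\n",
           demo_status("Unknown CA", 8), demo_length("Unknown CA", 8));
    return 0;
}
```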
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 21 Feb 2008 10:00:29 +0100
Subject: GnuTLS 2.2.2
Message-ID: <87ve4ivg42.fsf@mocca.josefsson.org>

We are pleased to announce a new stable GnuTLS release: Version 2.2.2.

GnuTLS is a modern C library that implements the standard network security protocol Transport Layer Security (TLS), for use by network applications. GnuTLS is developed for GNU/Linux, but works on many Unix-like systems and comes with a binary installer for Windows.

The core GnuTLS library is distributed under the terms of the GNU Lesser General Public License version 2.1 (or later). The "extra" GnuTLS libraries -- which contain OpenPGP and TLS/IA support, LZO compression, the OpenSSL compatibility library -- and the self tests and command line tools are distributed under the GNU General Public License version 3.0 (or later). The manual is distributed under the GNU Free Documentation License version 1.2 (or later).

The project page of the library is available at:
  http://www.gnutls.org/
  http://www.gnu.org/software/gnutls/
  http://josefsson.org/gnutls/

What's New
==========

* Version 2.2.2 (released 2008-02-21)

** Cipher priority string handling now handles strings that start with NULL.
Thanks to Laurence Withers.

** Corrected memory leaks in session resuming and DHE ciphersuites.
Reported by Daniel Stenberg.

** Increased the default certificate verification chain limits and allowed for checks without limitation.

** Corrected the behaviour of gnutls_x509_crt_get_subject_alt_name() and gnutls_x509_crt_get_subject_alt_name() to not null terminate binary strings and return the proper size.

** API and ABI modifications:
No changes since last version.

Getting the Software
====================

GnuTLS may be downloaded from one of the mirror sites or direct from . The list of mirrors can be found at . Note, that GnuPG is not available at ftp.gnu.org.

Here are the BZIP2 compressed sources (4.8MB):
  ftp://ftp.gnutls.org/pub/gnutls/gnutls-2.2.2.tar.bz2
  http://josefsson.org/gnutls/releases/gnutls-2.2.2.tar.bz2

Here are OpenPGP detached signatures signed using key 0xB565716F:
  ftp://ftp.gnutls.org/pub/gnutls/gnutls-2.2.2.tar.bz2.sig
  http://josefsson.org/gnutls/releases/gnutls-2.2.2.tar.bz2.sig

Note, that we don't distribute gzip compressed tarballs.

In order to check that the version of GnuTLS which you are going to install is an original and unmodified one, you should verify the OpenPGP signature. You can use the command

  gpg --verify gnutls-2.2.2.tar.bz2.sig

This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. The signing key can be identified with the following information:

  pub 1280R/B565716F 2002-05-05 [expires: 2008-06-30]
  Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F
  uid Simon Josefsson
  uid Simon Josefsson
  sub 1280R/4D5D40AE 2002-05-05 [expires: 2008-06-30]

The key is available from:
  http://josefsson.org/key.txt
  dns:b565716f.josefsson.org?TYPE=CERT

Alternatively, after successfully verifying the OpenPGP signature of this announcement, you could verify that the files match the following checksum values. The values are for SHA-1 and SHA-224 respectively:

  6b9586083c6460b0efa73959d86036ecb0a6acf8 gnutls-2.2.2.tar.bz2
  555e6a6a8d24f3b2ab6607f3c3e6c864fdd17b41fcb438426ff9d855 gnutls-2.2.2.tar.bz2

Documentation
=============

The manual is available online at:
  http://www.gnu.org/software/gnutls/documentation.html

In particular the following formats are available:
  HTML: http://www.gnu.org/software/gnutls/manual/html_node/index.html
  PDF: http://www.gnu.org/software/gnutls/manual/gnutls.pdf

For developers there is a GnuTLS API reference manual formatted using the GTK-DOC tools:
  http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html

Community
=========

If you need help to use GnuTLS, or want to help others, you are invited to join our help-gnutls mailing list, see: .

If you wish to participate in the development of GnuTLS, you are invited to join our gnutls-devel mailing list, see: .

Windows installer
=================

GnuTLS has been ported to the Windows operating system, and a binary installer is available. The installer contains DLLs for application development, manuals, examples, and source code. The installer consists of libgpg-error 1.6, libgcrypt 1.4.0, libtasn1 1.3, opencdk 0.6.6, and GnuTLS 2.2.2.

For more information about GnuTLS for Windows:
  http://josefsson.org/gnutls4win/

The Windows binary installer and OpenPGP signature:
  http://josefsson.org/gnutls4win/gnutls-2.2.2.exe (14MB)
  http://josefsson.org/gnutls4win/gnutls-2.2.2.exe.sig

The checksum values for SHA-1 and SHA-224 are:

  0f33050ae3f0ab202474c5c8b35c39126b23ec45 gnutls-2.2.2.exe
  2408638f2a7456ec62a97d8ae7af312262a25b1303b7c74264b0ee83 gnutls-2.2.2.exe

Internationalization
====================

GnuTLS messages have been translated into Dutch, German, Malay, Polish and Swedish. We welcome the addition of more translations.

Support
=======

Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improving the software, or donating money or equipment.

Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details.

The GnuTLS service directory is available at:
  http://www.gnu.org/software/gnutls/commercial.html

Happy Hacking,
Simon

From simon at josefsson.org Thu Feb 21 11:12:35 2008
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 21 Feb 2008 11:12:35 +0100
Subject: [PATCH] add gnutls_certificate_find_issuer
In-Reply-To: <47BC7FD8.2030104@gnutls.org> (Nikos Mavrogiannopoulos's message of "Wed, 20 Feb 2008 21:30:32 +0200")
References: <20080215102150.GA30014@redhat.com> <20080219205655.GA12341@redhat.com> <47BB46BF.3070504@gnutls.org> <20080219213305.GA18904@redhat.com> <20080220133230.GA30083@redhat.com> <47BC7FD8.2030104@gnutls.org>
Message-ID: <8763wipqi4.fsf@mocca.josefsson.org>

Nikos Mavrogiannopoulos writes:

> Joe Orton wrote:
>> On Wed, Feb 20, 2008 at 02:52:54PM +0200, Nikos Mavrogiannopoulos wrote:
>>> On Feb 19, 2008 11:33 PM, Joe Orton wrote:
>>>> With respect to exposing structure contents directly, I would generally
>>>> advocate exposing functions instead where possible, since structures
>>>> bring restrictive ABI constraints.
>>> Indeed but I'm thinking that someone might do more than check a single
>>> issuer. He might want to print the whole imported list. In that case
>>> I'd use something like gnutls_certificate_export_x509_cas() that will
>>> return the whole list of issuers, and your check can be done at the
>>> application level. Would something like this suit you?
>>
>> Yes, that certainly sounds fine too.
>
> I've done a commit at:
> http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=a259726327bf193e9c83f7473d517502ba8a879b

Seems useful. But what about using *_get_* instead of *_export_* in the function names? The few functions with _export_ in the names appear to extract (i.e. copy) the values, but these functions appear to just export pointers. There is also the confusion with export restrictions, which some function names with _export_ in them refer to. So _get_ might be more appropriate. What do you think?

Hm. Some function names use *_trust* rather than *_cas* too. Should gnutls_certificate_export_x509_cas be gnutls_certificate_get_x509_trust?
There is a lack of plural there, and we already have one function with _cas in it -- gnutls_certificate_free_cas -- so maybe gnutls_certificate_get_x509_cas is simpler. > However these functions will restrict us on a rewrite of > certificate_credentials... but it doesn't seem likely. That is too late anyway, there is gnutls_certificate_set_x509_key and friends... /Simon From jorton at redhat.com Thu Feb 21 12:39:17 2008 From: jorton at redhat.com (Joe Orton) Date: Thu, 21 Feb 2008 11:39:17 +0000 Subject: [PATCH] Add gnutls_x509_dn_export. Message-ID: <20080221113917.GA31744@redhat.com> This adds another DN function, to export a DN object back to DER. (I only really need a DER export; the value of exporting a DN to PEM format is certainly questionable, but this is allowed for consistency with the other _foo_export functions) --- doc/manpages/Makefile.am | 2 +- includes/gnutls/x509.h | 4 ++++ lib/x509/dn.c | 38 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 43 insertions(+), 1 deletions(-) diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am index 16bff3e..c185259 100644 --- a/doc/manpages/Makefile.am +++ b/doc/manpages/Makefile.am 
@@ -26,7 +26,7 @@ if ENABLE_SRP dist_man_MANS += srptool.1 endif -APIMANS = gnutls_oprfi_enable_client.3 gnutls_oprfi_enable_server.3 gnutls_server_name_get.3 gnutls_server_name_set.3 gnutls_alert_get_name.3 gnutls_alert_send.3 gnutls_error_to_alert.3 gnutls_alert_send_appropriate.3 gnutls_alert_get.3 gnutls_mac_get_name.3 gnutls_mac_get_id.3 gnutls_mac_get_key_size.3 gnutls_mac_list.3 gnutls_compression_get_name.3 gnutls_compression_get_id.3 gnutls_compression_list.3 gnutls_cipher_get_key_size.3 gnutls_cipher_get_name.3 gnutls_cipher_get_id.3 gnutls_cipher_list.3 gnutls_kx_get_name.3 gnutls_kx_get_id.3 gnutls_kx_list.3 gnutls_protocol_get_name.3 gnutls_protocol_get_id.3 gnutls_protocol_list.3 gnutls_cipher_suite_get_name.3 gnutls_cipher_suite_info.3 gnutls_certificate_type_get_name.3 gnutls_certificate_type_get_id.3 gnutls_certificate_type_list.3 gnutls_sign_algorithm_get_name.3 gnutls_pk_algorithm_get_name.3 gnutls_anon_free_server_credentials.3 gnutls_anon_allocate_server_credentials.3 gnutls_anon_free_client_credentials.3 gnutls_anon_allocate_client_credentials.3 gnutls_anon_set_server_dh_params.3 gnutls_anon_set_server_params_function.3 gnutls_credentials_clear.3 gnutls_credentials_set.3 gnutls_auth_get_type.3 gnutls_auth_server_get_type.3 gnutls_auth_client_get_type.3 gnutls_transport_set_errno.3 gnutls_transport_set_global_errno.3 gnutls_record_check_pending.3 gnutls_certificate_free_keys.3 gnutls_certificate_free_cas.3 gnutls_certificate_free_ca_names.3 gnutls_certificate_free_credentials.3 gnutls_certificate_allocate_credentials.3 gnutls_certificate_server_set_request.3 gnutls_certificate_client_set_retrieve_function.3 gnutls_certificate_server_set_retrieve_function.3 gnutls_certificate_verify_peers2.3 gnutls_certificate_verify_peers.3 gnutls_certificate_expiration_time_peers.3 gnutls_certificate_activation_time_peers.3 gnutls_sign_callback_set.3 gnutls_sign_callback_get.3 gnutls_db_set_retrieve_function.3 gnutls_db_set_remove_function.3 
gnutls_db_set_store_function.3 gnutls_db_set_ptr.3 gnutls_db_get_ptr.3 gnutls_db_set_cache_expiration.3 gnutls_db_check_entry.3 gnutls_db_remove_session.3 gnutls_dh_params_import_raw.3 gnutls_dh_params_init.3 gnutls_dh_params_deinit.3 gnutls_dh_params_cpy.3 gnutls_dh_params_generate2.3 gnutls_dh_params_import_pkcs3.3 gnutls_dh_params_export_pkcs3.3 gnutls_dh_params_export_raw.3 gnutls_error_is_fatal.3 gnutls_perror.3 gnutls_strerror.3 gnutls_global_set_log_function.3 gnutls_global_set_log_level.3 gnutls_global_set_mem_functions.3 gnutls_global_init.3 gnutls_global_deinit.3 gnutls_transport_set_pull_function.3 gnutls_transport_set_push_function.3 gnutls_check_version.3 gnutls_rehandshake.3 gnutls_handshake.3 gnutls_handshake_set_max_packet_length.3 gnutls_handshake_get_last_in.3 gnutls_handshake_get_last_out.3 gnutls_malloc.3 gnutls_free.3 gnutls_certificate_set_openpgp_key.3 gnutls_certificate_set_openpgp_key_mem.3 gnutls_certificate_set_openpgp_key_file.3 gnutls_certificate_set_openpgp_keyring_file.3 gnutls_certificate_set_openpgp_keyring_mem.3 gnutls_openpgp_set_recv_key_function.3 gnutls_openpgp_privkey_sign_hash.3 gnutls_cipher_set_priority.3 gnutls_kx_set_priority.3 gnutls_mac_set_priority.3 gnutls_compression_set_priority.3 gnutls_protocol_set_priority.3 gnutls_certificate_type_set_priority.3 gnutls_priority_set.3 gnutls_priority_init.3 gnutls_priority_deinit.3 gnutls_priority_set_direct.3 gnutls_set_default_priority.3 gnutls_set_default_export_priority.3 gnutls_psk_free_client_credentials.3 gnutls_psk_allocate_client_credentials.3 gnutls_psk_set_client_credentials.3 gnutls_psk_free_server_credentials.3 gnutls_psk_allocate_server_credentials.3 gnutls_psk_set_server_credentials_file.3 gnutls_psk_set_server_credentials_function.3 gnutls_psk_set_client_credentials_function.3 gnutls_psk_server_get_username.3 gnutls_hex_decode.3 gnutls_hex_encode.3 gnutls_psk_set_server_dh_params.3 gnutls_psk_set_server_params_function.3 gnutls_protocol_get_version.3 
gnutls_transport_set_lowat.3 gnutls_record_disable_padding.3 gnutls_transport_set_ptr.3 gnutls_transport_set_ptr2.3 gnutls_transport_get_ptr.3 gnutls_transport_get_ptr2.3 gnutls_bye.3 gnutls_record_send.3 gnutls_record_recv.3 gnutls_record_get_max_size.3 gnutls_record_set_max_size.3 gnutls_rsa_params_import_raw.3 gnutls_rsa_params_init.3 gnutls_rsa_params_deinit.3 gnutls_rsa_params_cpy.3 gnutls_rsa_params_generate2.3 gnutls_rsa_params_import_pkcs1.3 gnutls_rsa_params_export_pkcs1.3 gnutls_rsa_params_export_raw.3 gnutls_session_get_data.3 gnutls_session_get_data2.3 gnutls_session_get_id.3 gnutls_session_set_data.3 gnutls_cipher_get.3 gnutls_certificate_type_get.3 gnutls_kx_get.3 gnutls_mac_get.3 gnutls_compression_get.3 gnutls_init.3 gnutls_deinit.3 gnutls_openpgp_send_cert.3 gnutls_certificate_send_x509_rdn_sequence.3 gnutls_handshake_set_private_extensions.3 gnutls_prf_raw.3 gnutls_prf.3 gnutls_session_get_client_random.3 gnutls_session_get_server_random.3 gnutls_session_get_master_secret.3 gnutls_session_is_resumed.3 gnutls_session_get_ptr.3 gnutls_session_set_ptr.3 gnutls_record_get_direction.3 gnutls_handshake_set_post_client_hello_function.3 gnutls_session_enable_compatibility_mode.3 gnutls_dh_set_prime_bits.3 gnutls_dh_get_group.3 gnutls_dh_get_pubkey.3 gnutls_rsa_export_get_pubkey.3 gnutls_dh_get_secret_bits.3 gnutls_dh_get_prime_bits.3 gnutls_rsa_export_get_modulus_bits.3 gnutls_dh_get_peers_public_bits.3 gnutls_certificate_get_ours.3 gnutls_certificate_get_peers.3 gnutls_certificate_client_get_request_status.3 gnutls_fingerprint.3 gnutls_certificate_set_dh_params.3 gnutls_certificate_set_params_function.3 gnutls_certificate_set_verify_flags.3 gnutls_certificate_set_verify_limits.3 gnutls_certificate_set_rsa_export_params.3 gnutls_psk_set_params_function.3 gnutls_anon_set_params_function.3 gnutls_certificate_set_x509_key_mem.3 gnutls_certificate_set_x509_key.3 gnutls_certificate_set_x509_key_file.3 gnutls_certificate_set_x509_trust_mem.3 
gnutls_certificate_set_x509_trust.3 gnutls_certificate_set_x509_trust_file.3 gnutls_certificate_set_x509_crl_mem.3 gnutls_certificate_set_x509_crl.3 gnutls_certificate_set_x509_crl_file.3 gnutls_certificate_set_x509_simple_pkcs12_file.3 gnutls_certificate_free_crls.3 gnutls_pem_base64_encode.3 gnutls_pem_base64_encode_alloc.3 gnutls_pem_base64_decode.3 gnutls_pem_base64_decode_alloc.3 gnutls_global_init_extra.3 gnutls_extra_check_version.3 gnutls_ia_permute_inner_secret.3 gnutls_ia_generate_challenge.3 gnutls_ia_extract_inner_secret.3 gnutls_ia_endphase_send.3 gnutls_ia_verify_endphase.3 gnutls_ia_send.3 gnutls_ia_recv.3 gnutls_ia_handshake_p.3 gnutls_ia_handshake.3 gnutls_ia_allocate_client_credentials.3 gnutls_ia_free_client_credentials.3 gnutls_ia_set_client_avp_function.3 gnutls_ia_set_client_avp_ptr.3 gnutls_ia_get_client_avp_ptr.3 gnutls_ia_allocate_server_credentials.3 gnutls_ia_free_server_credentials.3 gnutls_ia_set_server_avp_function.3 gnutls_ia_set_server_avp_ptr.3 gnutls_ia_get_server_avp_ptr.3 gnutls_ia_enable.3 gnutls_x509_dn_oid_known.3 gnutls_x509_crl_init.3 gnutls_x509_crl_deinit.3 gnutls_x509_crl_import.3 gnutls_x509_crl_get_issuer_dn.3 gnutls_x509_crl_get_issuer_dn_by_oid.3 gnutls_x509_crl_get_dn_oid.3 gnutls_x509_crl_get_signature_algorithm.3 gnutls_x509_crl_get_signature.3 gnutls_x509_crl_get_version.3 gnutls_x509_crl_get_this_update.3 gnutls_x509_crl_get_next_update.3 gnutls_x509_crl_get_crt_count.3 gnutls_x509_crl_get_crt_serial.3 gnutls_x509_crl_export.3 gnutls_x509_crl_set_version.3 gnutls_x509_crl_sign2.3 gnutls_x509_crl_sign.3 gnutls_x509_crl_set_this_update.3 gnutls_x509_crl_set_next_update.3 gnutls_x509_crl_set_crt_serial.3 gnutls_x509_crl_set_crt.3 gnutls_x509_crq_init.3 gnutls_x509_crq_deinit.3 gnutls_x509_crq_import.3 gnutls_x509_crq_get_dn.3 gnutls_x509_crq_get_dn_by_oid.3 gnutls_x509_crq_get_dn_oid.3 gnutls_x509_crq_get_challenge_password.3 gnutls_x509_crq_set_attribute_by_oid.3 gnutls_x509_crq_get_attribute_by_oid.3 
gnutls_x509_crq_set_dn_by_oid.3 gnutls_x509_crq_set_version.3 gnutls_x509_crq_get_version.3 gnutls_x509_crq_set_key.3 gnutls_x509_crq_set_challenge_password.3 gnutls_x509_crq_sign2.3 gnutls_x509_crq_sign.3 gnutls_x509_crq_export.3 gnutls_x509_crq_get_pk_algorithm.3 gnutls_x509_rdn_get.3 gnutls_x509_rdn_get_by_oid.3 gnutls_x509_rdn_get_oid.3 gnutls_x509_crt_print.3 gnutls_x509_crl_print.3 gnutls_pkcs12_bag_init.3 gnutls_pkcs12_bag_deinit.3 gnutls_pkcs12_bag_get_type.3 gnutls_pkcs12_bag_get_count.3 gnutls_pkcs12_bag_get_data.3 gnutls_pkcs12_bag_set_data.3 gnutls_pkcs12_bag_set_crt.3 gnutls_pkcs12_bag_set_crl.3 gnutls_pkcs12_bag_set_key_id.3 gnutls_pkcs12_bag_get_key_id.3 gnutls_pkcs12_bag_get_friendly_name.3 gnutls_pkcs12_bag_set_friendly_name.3 gnutls_pkcs12_bag_decrypt.3 gnutls_pkcs12_bag_encrypt.3 gnutls_pkcs12_init.3 gnutls_pkcs12_deinit.3 gnutls_pkcs12_import.3 gnutls_pkcs12_export.3 gnutls_pkcs12_get_bag.3 gnutls_pkcs12_set_bag.3 gnutls_pkcs12_generate_mac.3 gnutls_pkcs12_verify_mac.3 gnutls_pkcs7_init.3 gnutls_pkcs7_deinit.3 gnutls_pkcs7_import.3 gnutls_pkcs7_get_crt_raw.3 gnutls_pkcs7_get_crt_count.3 gnutls_pkcs7_export.3 gnutls_pkcs7_set_crt_raw.3 gnutls_pkcs7_set_crt.3 gnutls_pkcs7_delete_crt.3 gnutls_pkcs7_get_crl_raw.3 gnutls_pkcs7_get_crl_count.3 gnutls_pkcs7_set_crl_raw.3 gnutls_pkcs7_set_crl.3 gnutls_pkcs7_delete_crl.3 gnutls_x509_privkey_init.3 gnutls_x509_privkey_deinit.3 gnutls_x509_privkey_cpy.3 gnutls_x509_privkey_import.3 gnutls_x509_privkey_import_rsa_raw.3 gnutls_x509_privkey_import_dsa_raw.3 gnutls_x509_privkey_get_pk_algorithm.3 gnutls_x509_privkey_export.3 gnutls_x509_privkey_export_rsa_raw.3 gnutls_x509_privkey_export_dsa_raw.3 gnutls_x509_privkey_generate.3 gnutls_x509_privkey_get_key_id.3 gnutls_x509_privkey_sign_data.3 gnutls_x509_privkey_sign_hash.3 gnutls_x509_privkey_verify_data.3 gnutls_x509_privkey_fix.3 gnutls_x509_privkey_export_pkcs8.3 gnutls_x509_privkey_import_pkcs8.3 gnutls_x509_crt_check_hostname.3 
gnutls_x509_crt_check_issuer.3 gnutls_x509_crt_list_verify.3 gnutls_x509_crt_verify.3 gnutls_x509_crl_check_issuer.3 gnutls_x509_crl_verify.3 gnutls_x509_crt_init.3 gnutls_x509_crt_deinit.3 gnutls_x509_crt_import.3 gnutls_x509_crt_get_issuer_dn.3 gnutls_x509_crt_get_issuer_dn_by_oid.3 gnutls_x509_crt_get_issuer_dn_oid.3 gnutls_x509_crt_get_dn.3 gnutls_x509_crt_get_dn_by_oid.3 gnutls_x509_crt_get_dn_oid.3 gnutls_x509_crt_get_signature_algorithm.3 gnutls_x509_crt_get_signature.3 gnutls_x509_crt_get_version.3 gnutls_x509_crt_get_activation_time.3 gnutls_x509_crt_get_expiration_time.3 gnutls_x509_crt_get_serial.3 gnutls_x509_crt_get_subject_key_id.3 gnutls_x509_crt_get_authority_key_id.3 gnutls_x509_crt_get_pk_algorithm.3 gnutls_x509_crt_get_subject_alt_name.3 gnutls_x509_crt_get_subject_alt_name2.3 gnutls_x509_crt_get_subject_alt_othername_oid.3 gnutls_x509_crt_get_basic_constraints.3 gnutls_x509_crt_get_ca_status.3 gnutls_x509_crt_get_key_usage.3 gnutls_x509_crt_get_proxy.3 gnutls_x509_crt_get_extension_by_oid.3 gnutls_x509_crt_get_extension_oid.3 gnutls_x509_crt_get_extension_info.3 gnutls_x509_crt_get_extension_data.3 gnutls_x509_crt_get_raw_issuer_dn.3 gnutls_x509_crt_get_raw_dn.3 gnutls_x509_crt_get_subject.3 gnutls_x509_crt_get_issuer.3 gnutls_x509_dn_get_rdn_ava.3 gnutls_x509_crt_get_fingerprint.3 gnutls_x509_crt_export.3 gnutls_x509_crt_get_key_id.3 gnutls_x509_crt_check_revocation.3 gnutls_x509_crt_verify_data.3 gnutls_x509_crt_get_crl_dist_points.3 gnutls_x509_crt_get_key_purpose_oid.3 gnutls_x509_crt_get_pk_rsa_raw.3 gnutls_x509_crt_get_pk_dsa_raw.3 gnutls_x509_crt_list_import.3 gnutls_x509_crt_set_dn_by_oid.3 gnutls_x509_crt_set_issuer_dn_by_oid.3 gnutls_x509_crt_set_proxy_dn.3 gnutls_x509_crt_set_version.3 gnutls_x509_crt_set_key.3 gnutls_x509_crt_set_crq.3 gnutls_x509_crt_set_extension_by_oid.3 gnutls_x509_crt_set_basic_constraints.3 gnutls_x509_crt_set_ca_status.3 gnutls_x509_crt_set_key_usage.3 gnutls_x509_crt_set_subject_alternative_name.3 
gnutls_x509_crt_set_proxy.3 gnutls_x509_crt_sign2.3 gnutls_x509_crt_sign.3 gnutls_x509_crt_set_activation_time.3 gnutls_x509_crt_set_expiration_time.3 gnutls_x509_crt_set_serial.3 gnutls_x509_crt_set_crl_dist_points.3 gnutls_x509_crt_cpy_crl_dist_points.3 gnutls_x509_crt_set_subject_key_id.3 gnutls_x509_crt_set_authority_key_id.3 gnutls_x509_crt_set_key_purpose_oid.3 gnutls_openpgp_keyring_init.3 gnutls_openpgp_keyring_deinit.3 gnutls_openpgp_keyring_check_id.3 gnutls_openpgp_keyring_import.3 gnutls_openpgp_crt_print.3 gnutls_openpgp_crt_init.3 gnutls_openpgp_crt_deinit.3 gnutls_openpgp_crt_import.3 gnutls_openpgp_crt_export.3 gnutls_openpgp_crt_get_fingerprint.3 gnutls_openpgp_crt_get_name.3 gnutls_openpgp_crt_get_pk_algorithm.3 gnutls_openpgp_crt_get_version.3 gnutls_openpgp_crt_get_creation_time.3 gnutls_openpgp_crt_get_expiration_time.3 gnutls_openpgp_crt_get_key_id.3 gnutls_openpgp_crt_get_revoked_status.3 gnutls_openpgp_crt_check_hostname.3 gnutls_openpgp_crt_get_key_usage.3 gnutls_openpgp_crt_get_subkey_count.3 gnutls_openpgp_crt_get_subkey_revoked_status.3 gnutls_openpgp_crt_get_subkey_pk_algorithm.3 gnutls_openpgp_crt_get_subkey_creation_time.3 gnutls_openpgp_crt_get_subkey_expiration_time.3 gnutls_openpgp_crt_get_subkey_id.3 gnutls_openpgp_crt_get_subkey_idx.3 gnutls_openpgp_crt_get_subkey_usage.3 gnutls_openpgp_crt_get_pk_rsa_raw.3 gnutls_openpgp_crt_get_pk_dsa_raw.3 gnutls_openpgp_crt_get_subkey_pk_rsa_raw.3 gnutls_openpgp_crt_get_subkey_pk_dsa_raw.3 gnutls_openpgp_crt_verify_ring.3 gnutls_openpgp_crt_verify_self.3 gnutls_openpgp_privkey_init.3 gnutls_openpgp_privkey_deinit.3 gnutls_openpgp_privkey_import.3 gnutls_openpgp_privkey_export.3 gnutls_openpgp_privkey_get_pk_algorithm.3 gnutls_openpgp_privkey_get_revoked_status.3 gnutls_openpgp_privkey_get_fingerprint.3 gnutls_openpgp_privkey_get_key_id.3 gnutls_openpgp_privkey_get_subkey_count.3 gnutls_openpgp_privkey_get_subkey_revoked_status.3 gnutls_openpgp_privkey_get_subkey_pk_algorithm.3 
gnutls_openpgp_privkey_get_subkey_idx.3 gnutls_openpgp_privkey_get_subkey_creation_time.3 gnutls_openpgp_privkey_get_subkey_expiration_time.3 gnutls_openpgp_privkey_get_subkey_id.3 gnutls_openpgp_privkey_export_rsa_raw.3 gnutls_openpgp_privkey_export_dsa_raw.3 gnutls_openpgp_privkey_export_subkey_rsa_raw.3 gnutls_openpgp_privkey_export_subkey_dsa_raw.3 +APIMANS = gnutls_oprfi_enable_client.3 gnutls_oprfi_enable_server.3 gnutls_server_name_get.3 gnutls_server_name_set.3 gnutls_alert_get_name.3 gnutls_alert_send.3 gnutls_error_to_alert.3 gnutls_alert_send_appropriate.3 gnutls_alert_get.3 gnutls_mac_get_name.3 gnutls_mac_get_id.3 gnutls_mac_get_key_size.3 gnutls_mac_list.3 gnutls_compression_get_name.3 gnutls_compression_get_id.3 gnutls_compression_list.3 gnutls_cipher_get_key_size.3 gnutls_cipher_get_name.3 gnutls_cipher_get_id.3 gnutls_cipher_list.3 gnutls_kx_get_name.3 gnutls_kx_get_id.3 gnutls_kx_list.3 gnutls_protocol_get_name.3 gnutls_protocol_get_id.3 gnutls_protocol_list.3 gnutls_cipher_suite_get_name.3 gnutls_cipher_suite_info.3 gnutls_certificate_type_get_name.3 gnutls_certificate_type_get_id.3 gnutls_certificate_type_list.3 gnutls_sign_algorithm_get_name.3 gnutls_pk_algorithm_get_name.3 gnutls_anon_free_server_credentials.3 gnutls_anon_allocate_server_credentials.3 gnutls_anon_free_client_credentials.3 gnutls_anon_allocate_client_credentials.3 gnutls_anon_set_server_dh_params.3 gnutls_anon_set_server_params_function.3 gnutls_credentials_clear.3 gnutls_credentials_set.3 gnutls_auth_get_type.3 gnutls_auth_server_get_type.3 gnutls_auth_client_get_type.3 gnutls_transport_set_errno.3 gnutls_transport_set_global_errno.3 gnutls_record_check_pending.3 gnutls_certificate_free_keys.3 gnutls_certificate_free_cas.3 gnutls_certificate_export_x509_cas.3 gnutls_certificate_export_x509_crls.3 gnutls_certificate_export_openpgp_keyring.3 gnutls_certificate_free_ca_names.3 gnutls_certificate_free_credentials.3 gnutls_certificate_allocate_credentials.3 
gnutls_certificate_server_set_request.3 gnutls_certificate_client_set_retrieve_function.3 gnutls_certificate_server_set_retrieve_function.3 gnutls_certificate_verify_peers2.3 gnutls_certificate_verify_peers.3 gnutls_certificate_expiration_time_peers.3 gnutls_certificate_activation_time_peers.3 gnutls_sign_callback_set.3 gnutls_sign_callback_get.3 gnutls_db_set_retrieve_function.3 gnutls_db_set_remove_function.3 gnutls_db_set_store_function.3 gnutls_db_set_ptr.3 gnutls_db_get_ptr.3 gnutls_db_set_cache_expiration.3 gnutls_db_check_entry.3 gnutls_db_remove_session.3 gnutls_dh_params_import_raw.3 gnutls_dh_params_init.3 gnutls_dh_params_deinit.3 gnutls_dh_params_cpy.3 gnutls_dh_params_generate2.3 gnutls_dh_params_import_pkcs3.3 gnutls_dh_params_export_pkcs3.3 gnutls_dh_params_export_raw.3 gnutls_error_is_fatal.3 gnutls_perror.3 gnutls_strerror.3 gnutls_global_set_log_function.3 gnutls_global_set_log_level.3 gnutls_global_set_mem_functions.3 gnutls_global_init.3 gnutls_global_deinit.3 gnutls_transport_set_pull_function.3 gnutls_transport_set_push_function.3 gnutls_check_version.3 gnutls_rehandshake.3 gnutls_handshake.3 gnutls_handshake_set_max_packet_length.3 gnutls_handshake_get_last_in.3 gnutls_handshake_get_last_out.3 gnutls_malloc.3 gnutls_free.3 gnutls_certificate_set_openpgp_key.3 gnutls_certificate_set_openpgp_key_mem.3 gnutls_certificate_set_openpgp_key_file.3 gnutls_certificate_set_openpgp_key_mem2.3 gnutls_certificate_set_openpgp_key_file2.3 gnutls_certificate_set_openpgp_keyring_file.3 gnutls_certificate_set_openpgp_keyring_mem.3 gnutls_openpgp_set_recv_key_function.3 gnutls_openpgp_privkey_sign_hash.3 gnutls_cipher_set_priority.3 gnutls_kx_set_priority.3 gnutls_mac_set_priority.3 gnutls_compression_set_priority.3 gnutls_protocol_set_priority.3 gnutls_certificate_type_set_priority.3 gnutls_priority_set.3 gnutls_priority_init.3 gnutls_priority_deinit.3 gnutls_priority_set_direct.3 gnutls_set_default_priority.3 gnutls_set_default_export_priority.3 
gnutls_psk_free_client_credentials.3 gnutls_psk_allocate_client_credentials.3 gnutls_psk_set_client_credentials.3 gnutls_psk_free_server_credentials.3 gnutls_psk_allocate_server_credentials.3 gnutls_psk_set_server_credentials_file.3 gnutls_psk_set_server_credentials_function.3 gnutls_psk_set_client_credentials_function.3 gnutls_psk_server_get_username.3 gnutls_hex_decode.3 gnutls_hex_encode.3 gnutls_psk_set_server_dh_params.3 gnutls_psk_set_server_params_function.3 gnutls_protocol_get_version.3 gnutls_transport_set_lowat.3 gnutls_record_disable_padding.3 gnutls_transport_set_ptr.3 gnutls_transport_set_ptr2.3 gnutls_transport_get_ptr.3 gnutls_transport_get_ptr2.3 gnutls_bye.3 gnutls_record_send.3 gnutls_record_recv.3 gnutls_record_get_max_size.3 gnutls_record_set_max_size.3 gnutls_rsa_params_import_raw.3 gnutls_rsa_params_init.3 gnutls_rsa_params_deinit.3 gnutls_rsa_params_cpy.3 gnutls_rsa_params_generate2.3 gnutls_rsa_params_import_pkcs1.3 gnutls_rsa_params_export_pkcs1.3 gnutls_rsa_params_export_raw.3 gnutls_session_get_data.3 gnutls_session_get_data2.3 gnutls_session_get_id.3 gnutls_session_set_data.3 gnutls_cipher_get.3 gnutls_certificate_type_get.3 gnutls_kx_get.3 gnutls_mac_get.3 gnutls_compression_get.3 gnutls_init.3 gnutls_deinit.3 gnutls_openpgp_send_cert.3 gnutls_certificate_send_x509_rdn_sequence.3 gnutls_handshake_set_private_extensions.3 gnutls_prf_raw.3 gnutls_prf.3 gnutls_session_get_client_random.3 gnutls_session_get_server_random.3 gnutls_session_get_master_secret.3 gnutls_session_is_resumed.3 gnutls_session_get_ptr.3 gnutls_session_set_ptr.3 gnutls_record_get_direction.3 gnutls_handshake_set_post_client_hello_function.3 gnutls_session_enable_compatibility_mode.3 gnutls_dh_set_prime_bits.3 gnutls_dh_get_group.3 gnutls_dh_get_pubkey.3 gnutls_rsa_export_get_pubkey.3 gnutls_dh_get_secret_bits.3 gnutls_dh_get_prime_bits.3 gnutls_rsa_export_get_modulus_bits.3 gnutls_dh_get_peers_public_bits.3 gnutls_certificate_get_ours.3 gnutls_certificate_get_peers.3 
gnutls_certificate_client_get_request_status.3 gnutls_fingerprint.3 gnutls_certificate_set_dh_params.3 gnutls_certificate_set_params_function.3 gnutls_certificate_set_verify_flags.3 gnutls_certificate_set_verify_limits.3 gnutls_certificate_set_rsa_export_params.3 gnutls_psk_set_params_function.3 gnutls_anon_set_params_function.3 gnutls_certificate_set_x509_key_mem.3 gnutls_certificate_set_x509_key.3 gnutls_certificate_set_x509_key_file.3 gnutls_certificate_set_x509_trust_mem.3 gnutls_certificate_set_x509_trust.3 gnutls_certificate_set_x509_trust_file.3 gnutls_certificate_set_x509_crl_mem.3 gnutls_certificate_set_x509_crl.3 gnutls_certificate_set_x509_crl_file.3 gnutls_certificate_set_x509_simple_pkcs12_file.3 gnutls_certificate_free_crls.3 gnutls_pem_base64_encode.3 gnutls_pem_base64_encode_alloc.3 gnutls_pem_base64_decode.3 gnutls_pem_base64_decode_alloc.3 gnutls_global_init_extra.3 gnutls_extra_check_version.3 gnutls_ia_permute_inner_secret.3 gnutls_ia_generate_challenge.3 gnutls_ia_extract_inner_secret.3 gnutls_ia_endphase_send.3 gnutls_ia_verify_endphase.3 gnutls_ia_send.3 gnutls_ia_recv.3 gnutls_ia_handshake_p.3 gnutls_ia_handshake.3 gnutls_ia_allocate_client_credentials.3 gnutls_ia_free_client_credentials.3 gnutls_ia_set_client_avp_function.3 gnutls_ia_set_client_avp_ptr.3 gnutls_ia_get_client_avp_ptr.3 gnutls_ia_allocate_server_credentials.3 gnutls_ia_free_server_credentials.3 gnutls_ia_set_server_avp_function.3 gnutls_ia_set_server_avp_ptr.3 gnutls_ia_get_server_avp_ptr.3 gnutls_ia_enable.3 gnutls_x509_dn_oid_known.3 gnutls_x509_crl_init.3 gnutls_x509_crl_deinit.3 gnutls_x509_crl_import.3 gnutls_x509_crl_get_issuer_dn.3 gnutls_x509_crl_get_issuer_dn_by_oid.3 gnutls_x509_crl_get_dn_oid.3 gnutls_x509_crl_get_signature_algorithm.3 gnutls_x509_crl_get_signature.3 gnutls_x509_crl_get_version.3 gnutls_x509_crl_get_this_update.3 gnutls_x509_crl_get_next_update.3 gnutls_x509_crl_get_crt_count.3 gnutls_x509_crl_get_crt_serial.3 gnutls_x509_crl_export.3 
gnutls_x509_crl_set_version.3 gnutls_x509_crl_sign2.3 gnutls_x509_crl_sign.3 gnutls_x509_crl_set_this_update.3 gnutls_x509_crl_set_next_update.3 gnutls_x509_crl_set_crt_serial.3 gnutls_x509_crl_set_crt.3 gnutls_x509_crq_init.3 gnutls_x509_crq_deinit.3 gnutls_x509_crq_import.3 gnutls_x509_crq_get_dn.3 gnutls_x509_crq_get_dn_by_oid.3 gnutls_x509_crq_get_dn_oid.3 gnutls_x509_crq_get_challenge_password.3 gnutls_x509_crq_set_attribute_by_oid.3 gnutls_x509_crq_get_attribute_by_oid.3 gnutls_x509_crq_set_dn_by_oid.3 gnutls_x509_crq_set_version.3 gnutls_x509_crq_get_version.3 gnutls_x509_crq_set_key.3 gnutls_x509_crq_set_challenge_password.3 gnutls_x509_crq_sign2.3 gnutls_x509_crq_sign.3 gnutls_x509_crq_export.3 gnutls_x509_crq_get_pk_algorithm.3 gnutls_x509_dn_init.3 gnutls_x509_dn_import.3 gnutls_x509_dn_deinit.3 gnutls_x509_rdn_get.3 gnutls_x509_rdn_get_by_oid.3 gnutls_x509_rdn_get_oid.3 gnutls_x509_crt_print.3 gnutls_x509_crl_print.3 gnutls_pkcs12_init.3 gnutls_pkcs12_deinit.3 gnutls_pkcs12_import.3 gnutls_pkcs12_export.3 gnutls_pkcs12_get_bag.3 gnutls_pkcs12_set_bag.3 gnutls_pkcs12_generate_mac.3 gnutls_pkcs12_verify_mac.3 gnutls_pkcs12_bag_init.3 gnutls_pkcs12_bag_deinit.3 gnutls_pkcs12_bag_get_type.3 gnutls_pkcs12_bag_get_count.3 gnutls_pkcs12_bag_get_data.3 gnutls_pkcs12_bag_set_data.3 gnutls_pkcs12_bag_set_crt.3 gnutls_pkcs12_bag_set_crl.3 gnutls_pkcs12_bag_set_key_id.3 gnutls_pkcs12_bag_get_key_id.3 gnutls_pkcs12_bag_get_friendly_name.3 gnutls_pkcs12_bag_set_friendly_name.3 gnutls_pkcs12_bag_decrypt.3 gnutls_pkcs12_bag_encrypt.3 gnutls_pkcs7_init.3 gnutls_pkcs7_deinit.3 gnutls_pkcs7_import.3 gnutls_pkcs7_get_crt_raw.3 gnutls_pkcs7_get_crt_count.3 gnutls_pkcs7_export.3 gnutls_pkcs7_set_crt_raw.3 gnutls_pkcs7_set_crt.3 gnutls_pkcs7_delete_crt.3 gnutls_pkcs7_get_crl_raw.3 gnutls_pkcs7_get_crl_count.3 gnutls_pkcs7_set_crl_raw.3 gnutls_pkcs7_set_crl.3 gnutls_pkcs7_delete_crl.3 gnutls_x509_privkey_init.3 gnutls_x509_privkey_deinit.3 gnutls_x509_privkey_cpy.3 
gnutls_x509_privkey_import.3 gnutls_x509_privkey_import_rsa_raw.3 gnutls_x509_privkey_import_dsa_raw.3 gnutls_x509_privkey_get_pk_algorithm.3 gnutls_x509_privkey_export.3 gnutls_x509_privkey_export_rsa_raw.3 gnutls_x509_privkey_export_dsa_raw.3 gnutls_x509_privkey_generate.3 gnutls_x509_privkey_get_key_id.3 gnutls_x509_privkey_sign_data.3 gnutls_x509_privkey_sign_hash.3 gnutls_x509_privkey_verify_data.3 gnutls_x509_privkey_fix.3 gnutls_x509_privkey_export_pkcs8.3 gnutls_x509_privkey_import_pkcs8.3 gnutls_x509_crt_check_hostname.3 gnutls_x509_crt_check_issuer.3 gnutls_x509_crt_list_verify.3 gnutls_x509_crt_verify.3 gnutls_x509_crl_check_issuer.3 gnutls_x509_crl_verify.3 gnutls_x509_crt_init.3 gnutls_x509_crt_deinit.3 gnutls_x509_crt_import.3 gnutls_x509_crt_get_issuer_dn.3 gnutls_x509_crt_get_issuer_dn_by_oid.3 gnutls_x509_crt_get_issuer_dn_oid.3 gnutls_x509_crt_get_dn.3 gnutls_x509_crt_get_dn_by_oid.3 gnutls_x509_crt_get_dn_oid.3 gnutls_x509_crt_get_signature_algorithm.3 gnutls_x509_crt_get_signature.3 gnutls_x509_crt_get_version.3 gnutls_x509_crt_get_activation_time.3 gnutls_x509_crt_get_expiration_time.3 gnutls_x509_crt_get_serial.3 gnutls_x509_crt_get_subject_key_id.3 gnutls_x509_crt_get_authority_key_id.3 gnutls_x509_crt_get_pk_algorithm.3 gnutls_x509_crt_get_subject_alt_name.3 gnutls_x509_crt_get_subject_alt_name2.3 gnutls_x509_crt_get_subject_alt_othername_oid.3 gnutls_x509_crt_get_basic_constraints.3 gnutls_x509_crt_get_ca_status.3 gnutls_x509_crt_get_key_usage.3 gnutls_x509_crt_get_proxy.3 gnutls_x509_crt_get_extension_by_oid.3 gnutls_x509_crt_get_extension_oid.3 gnutls_x509_crt_get_extension_info.3 gnutls_x509_crt_get_extension_data.3 gnutls_x509_crt_get_raw_issuer_dn.3 gnutls_x509_crt_get_raw_dn.3 gnutls_x509_crt_get_subject.3 gnutls_x509_crt_get_issuer.3 gnutls_x509_dn_get_rdn_ava.3 gnutls_x509_crt_get_fingerprint.3 gnutls_x509_crt_export.3 gnutls_x509_crt_get_key_id.3 gnutls_x509_crt_check_revocation.3 gnutls_x509_crt_verify_data.3 
gnutls_x509_crt_get_crl_dist_points.3 gnutls_x509_crt_get_key_purpose_oid.3 gnutls_x509_crt_get_pk_rsa_raw.3 gnutls_x509_crt_get_pk_dsa_raw.3 gnutls_x509_crt_list_import.3 gnutls_x509_crt_set_dn_by_oid.3 gnutls_x509_crt_set_issuer_dn_by_oid.3 gnutls_x509_crt_set_proxy_dn.3 gnutls_x509_crt_set_version.3 gnutls_x509_crt_set_key.3 gnutls_x509_crt_set_crq.3 gnutls_x509_crt_set_extension_by_oid.3 gnutls_x509_crt_set_basic_constraints.3 gnutls_x509_crt_set_ca_status.3 gnutls_x509_crt_set_key_usage.3 gnutls_x509_crt_set_subject_alternative_name.3 gnutls_x509_crt_set_proxy.3 gnutls_x509_crt_sign2.3 gnutls_x509_crt_sign.3 gnutls_x509_crt_set_activation_time.3 gnutls_x509_crt_set_expiration_time.3 gnutls_x509_crt_set_serial.3 gnutls_x509_crt_set_crl_dist_points.3 gnutls_x509_crt_cpy_crl_dist_points.3 gnutls_x509_crt_set_subject_key_id.3 gnutls_x509_crt_set_authority_key_id.3 gnutls_x509_crt_set_key_purpose_oid.3 gnutls_openpgp_keyring_init.3 gnutls_openpgp_keyring_deinit.3 gnutls_openpgp_keyring_check_id.3 gnutls_openpgp_keyring_import.3 gnutls_openpgp_keyring_get_crt_count.3 gnutls_openpgp_keyring_get_crt.3 gnutls_openpgp_crt_print.3 gnutls_openpgp_crt_init.3 gnutls_openpgp_crt_deinit.3 gnutls_openpgp_crt_import.3 gnutls_openpgp_crt_export.3 gnutls_openpgp_crt_get_fingerprint.3 gnutls_openpgp_crt_get_name.3 gnutls_openpgp_crt_get_pk_algorithm.3 gnutls_openpgp_crt_get_version.3 gnutls_openpgp_crt_get_creation_time.3 gnutls_openpgp_crt_get_expiration_time.3 gnutls_openpgp_crt_get_key_id.3 gnutls_openpgp_crt_get_revoked_status.3 gnutls_openpgp_crt_check_hostname.3 gnutls_openpgp_crt_get_key_usage.3 gnutls_openpgp_crt_get_subkey_count.3 gnutls_openpgp_crt_get_subkey_revoked_status.3 gnutls_openpgp_crt_get_subkey_pk_algorithm.3 gnutls_openpgp_crt_get_subkey_creation_time.3 gnutls_openpgp_crt_get_subkey_expiration_time.3 gnutls_openpgp_crt_get_subkey_id.3 gnutls_openpgp_crt_get_subkey_idx.3 gnutls_openpgp_crt_get_subkey_usage.3 gnutls_openpgp_crt_get_pk_rsa_raw.3 
gnutls_openpgp_crt_get_pk_dsa_raw.3 gnutls_openpgp_crt_get_subkey_pk_rsa_raw.3 gnutls_openpgp_crt_get_subkey_pk_dsa_raw.3 gnutls_openpgp_crt_get_preferred_key_id.3 gnutls_openpgp_crt_set_preferred_key_id.3 gnutls_openpgp_crt_get_auth_subkey.3 gnutls_openpgp_crt_verify_ring.3 gnutls_openpgp_crt_verify_self.3 gnutls_openpgp_privkey_init.3 gnutls_openpgp_privkey_deinit.3 gnutls_openpgp_privkey_import.3 gnutls_openpgp_privkey_export.3 gnutls_openpgp_privkey_get_pk_algorithm.3 gnutls_openpgp_privkey_get_revoked_status.3 gnutls_openpgp_privkey_get_fingerprint.3 gnutls_openpgp_privkey_get_key_id.3 gnutls_openpgp_privkey_get_subkey_count.3 gnutls_openpgp_privkey_get_subkey_revoked_status.3 gnutls_openpgp_privkey_get_subkey_pk_algorithm.3 gnutls_openpgp_privkey_get_subkey_idx.3 gnutls_openpgp_privkey_get_subkey_creation_time.3 gnutls_openpgp_privkey_get_subkey_expiration_time.3 gnutls_openpgp_privkey_get_subkey_id.3 gnutls_openpgp_privkey_export_rsa_raw.3 gnutls_openpgp_privkey_export_dsa_raw.3 gnutls_openpgp_privkey_export_subkey_rsa_raw.3 gnutls_openpgp_privkey_export_subkey_dsa_raw.3 gnutls_openpgp_privkey_get_preferred_key_id.3 gnutls_openpgp_privkey_set_preferred_key_id.3 SRPMANS = gnutls_srp_base64_encode.3 gnutls_srp_base64_encode_alloc.3 gnutls_srp_base64_decode.3 gnutls_srp_base64_decode_alloc.3 gnutls_srp_free_client_credentials.3 gnutls_srp_allocate_client_credentials.3 gnutls_srp_set_client_credentials.3 gnutls_srp_free_server_credentials.3 gnutls_srp_allocate_server_credentials.3 gnutls_srp_set_server_credentials_file.3 gnutls_srp_set_server_credentials_function.3 gnutls_srp_set_client_credentials_function.3 gnutls_srp_server_get_username.3 gnutls_srp_verifier.3 diff --git a/includes/gnutls/x509.h b/includes/gnutls/x509.h index 4b700f4..136d690 100644 --- a/includes/gnutls/x509.h +++ b/includes/gnutls/x509.h 
@@ -333,6 +333,10 @@ extern "C" int gnutls_x509_dn_import (gnutls_x509_dn_t odn, const gnutls_datum_t * data); + int gnutls_x509_dn_export (gnutls_x509_dn_t dn, + gnutls_x509_crt_fmt_t format, void *output_data, + size_t * output_data_size) + void gnutls_x509_dn_deinit (gnutls_x509_dn_t idn); diff --git a/lib/x509/dn.c b/lib/x509/dn.c index 8b84de2..9281d17 100644 --- a/lib/x509/dn.c +++ b/lib/x509/dn.c @@ -1211,3 +1211,41 @@ _gnutls_x509_compare_raw_dn (const gnutls_datum_t * dn1, } return 1; /* they match */ } + +/** + * gnutls_x509_dn_export - This function will export the DN + * @dn: Holds the opaque DN object + * @format: the format of output params. One of PEM or DER. + * @output_data: will contain a DN PEM or DER encoded + * @output_data_size: holds the size of output_data (and will be + * replaced by the actual size of parameters) + * + * This function will export the DN to DER or PEM format. + * + * If the buffer provided is not long enough to hold the output, then + * *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will + * be returned. + * + * If the structure is PEM encoded, it will have a header + * of "BEGIN NAME". + * + * Return value: In case of failure a negative value will be + * returned, and 0 on success. + **/ +int +gnutls_x509_dn_export (gnutls_x509_dn_t dn, + gnutls_x509_crt_fmt_t format, void *output_data, + size_t * output_data_size) +{ + ASN1_TYPE asn1 = dn; + + if (asn1 == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_export_int (asn1, format, "NAME", + output_data, + output_data_size); +} -- 1.5.3.8 From simon at josefsson.org Thu Feb 21 12:42:30 2008 
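Review bot: the replacement APIMANS line in doc/manpages/Makefile.am does not list gnutls_x509_dn_export.3, the one man page this patch would be expected to add, while it does pick up unrelated entries (gnutls_certificate_export_x509_cas.3, gnutls_certificate_set_openpgp_key_mem2.3 and gnutls_openpgp_keyring_get_crt_count.3 among others) and moves the gnutls_pkcs12_bag_* pages after the other gnutls_pkcs12_* ones. If this list is generated, regenerate it after gnutls_x509_dn_export is in the tree so the new page appears; otherwise drop this hunk and keep the unrelated list changes in a separate commit.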
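Review bot: the new gnutls_x509_dn_export prototype in includes/gnutls/x509.h ends at `size_t * output_data_size)` with no terminating semicolon, so the declaration runs straight into the following `void gnutls_x509_dn_deinit (gnutls_x509_dn_t idn);` and the header will not compile. Add the `;` after the closing parenthesis.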
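Review bot: the doc comment for gnutls_x509_dn_export in lib/x509/dn.c describes @format as "the format of output params" and @output_data_size as "the actual size of parameters", wording that describes key parameters rather than a DN; say it is the size of the encoded DN. The comment also does not say whether @output_data may be NULL to query the required size, and the function checks dn for NULL but passes output_data_size through unchecked. Either document that the caller must supply a valid size pointer or reject NULL with GNUTLS_E_INVALID_REQUEST next to the existing check.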
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 21 Feb 2008 12:42:30 +0100
Subject: GnuTLS 2.3.1
Message-ID: <87r6f6o7rt.fsf@mocca.josefsson.org>

The GnuTLS 2.3.x branch is NOT what you want for your stable system. It is intended for developers and experienced users.

I tried to make sure there are no ABI/ABI modifications/deletions in this compared to v2.2.x, but as the changes have been quite large, I may have missed something. Note that we don't guarantee ABI compatibility during development releases, so if there are ABI breaks in this release, we'll consider those bugs and revert them, rather than bumping the ABI.

Also, we need to figure out how opencdk is going to be included -- right now there is no non-gnutls opencdk under LGPL, but we need one. There is only the opencdk included in this release.

While releasing this, I noticed that the openpgpself test fails... but that can wait for the next release.

News in this release:

* Version 2.3.1 (released 2008-02-21)

** OpenPGP support merged into libgnutls and is now licensed under LGPL. The included copy of OpenCDK has been stripped down and re-licensed under the LGPL.

** Cipher priority string handling now handles strings that start with NULL. Thanks to Laurence Withers.

** gnutls-cli: When -d is used, also prints RNG information from libgcrypt.

** Corrected memory leaks in session resuming and DHE ciphersuites. Reported by Daniel Stenberg.

** Increased the default certificate verification chain limits and allowed for checks without limitation.

** Corrected the behaviour of gnutls_x509_crt_get_subject_alt_name() and gnutls_x509_crt_get_subject_alt_name() to not null terminate binary strings and return the proper size.

** Add section 'On Record Padding' to the manual. This collects all problems related to record padding with Nokia/Sony-Ericsson phones that we know about.

** Several improvements in the OpenPGP authentication. Now subkeys can be used for authentication, according to draft-mavrogiannopoulos-rfc5081bis-00.txt.

** certtool can print information on OpenPGP certificates and keys.

** Added gnutls_x509_dn_import/init/deinit() to access raw DER DN. Patch by Joe Orton.

** Added gnutls_certificate_export_x509_cas and other functions to export elements from the certificate credentials structure. Based on suggestion from Joe Orton.

** Doc fixes. Clarify that srp_base64 is not the same as normal base64.

** Fix non-portable use of brace expansion in makefiles.

** API and ABI modifications:
gnutls_certificate_export_x509_cas: ADDED
gnutls_certificate_export_x509_crls: ADDED
gnutls_certificate_export_openpgp_keyring: ADDED
gnutls_openpgp_keyid_t: ADDED, instead of hard-coded 'unsigned char[8]'.
gnutls_openpgp_crt_get_key_id: ADDED, obsoletes gnutls_openpgp_crt_get_id.
gnutls_openpgp_crt_get_revoked_status: ADDED
gnutls_openpgp_crt_get_subkey_count: ADDED
gnutls_openpgp_crt_get_subkey_idx: ADDED
gnutls_openpgp_crt_get_subkey_revoked_status: ADDED
gnutls_openpgp_crt_get_subkey_pk_algorithm: ADDED
gnutls_openpgp_crt_get_subkey_creation_time: ADDED
gnutls_openpgp_crt_get_subkey_expiration_time: ADDED
gnutls_openpgp_crt_get_subkey_id: ADDED
gnutls_openpgp_crt_get_subkey_usage: ADDED
gnutls_openpgp_privkey_get_fingerprint: ADDED
gnutls_openpgp_privkey_get_key_id: ADDED
gnutls_openpgp_privkey_get_subkey_count: ADDED
gnutls_openpgp_privkey_get_subkey_idx: ADDED
gnutls_openpgp_privkey_get_subkey_revoked_status: ADDED
gnutls_openpgp_privkey_get_revoked_status: ADDED
gnutls_openpgp_privkey_get_subkey_pk_algorithm: ADDED
gnutls_openpgp_privkey_get_subkey_expiration_time: ADDED
gnutls_openpgp_privkey_get_subkey_id: ADDED
gnutls_openpgp_privkey_get_subkey_creation_time: ADDED
gnutls_openpgp_crt_get_subkey_pk_dsa_raw: ADDED
gnutls_openpgp_crt_get_subkey_pk_rsa_raw: ADDED
gnutls_openpgp_crt_get_pk_dsa_raw: ADDED
gnutls_openpgp_crt_get_pk_rsa_raw: ADDED
gnutls_openpgp_privkey_export_subkey_dsa_raw: ADDED
gnutls_openpgp_privkey_export_subkey_rsa_raw: ADDED
gnutls_openpgp_privkey_export_dsa_raw: ADDED
gnutls_openpgp_privkey_export_rsa_raw: ADDED
gnutls_openpgp_privkey_export: ADDED
gnutls_certificate_set_openpgp_key_file2: ADDED
gnutls_certificate_set_openpgp_key_mem2: ADDED
gnutls_x509_dn_init: ADDED
gnutls_x509_dn_import: ADDED
gnutls_x509_dn_deinit: ADDED
GNUTLS_E_OPENPGP_SUBKEY_ERROR: ADDED
gnutls_hex2bin: ADDED
GNUTLS_CRT_PRINT_FULL: ADDED, same as old GNUTLS_X509_CRT_FULL.
GNUTLS_CRT_PRINT_ONELINE: ADDED, same as old GNUTLS_X509_CRT_ONELINE.
GNUTLS_CRT_PRINT_UNSIGNED_FULL: ADDED, same as old GNUTLS_X509_CRT_UNSIGNED_FULL.

The goals for the 2.3.x branch are tracked at:

http://trac.gnutls.org/cgi-bin/trac.cgi/milestone/gnutls-2.4

More ideas are welcome, just create a new ticket.

Here are the compressed sources:

ftp://ftp.gnutls.org/pub/gnutls/gnutls-2.3.1.tar.bz2
http://josefsson.org/gnutls/releases/gnutls-2.3.1.tar.bz2

Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improving the software, or donating money or equipment.

Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details.

/Simon

From jorton at redhat.com Thu Feb 21 14:20:12 2008
From: jorton at redhat.com (Joe Orton)
Date: Thu, 21 Feb 2008 13:20:12 +0000
Subject: [PATCH] Add gnutls_x509_dn_export.
In-Reply-To: <20080221113917.GA31744@redhat.com>
References: <20080221113917.GA31744@redhat.com>
Message-ID: <20080221132012.GA4920@redhat.com>

On Thu, Feb 21, 2008 at 11:39:17AM +0000, Joe Orton wrote:
> This adds another DN function, to export a DN object back to DER. (I
> only really need a DER export; the value of exporting a DN to PEM format
> is certainly questionable, but this is allowed for consistency with the
> other _foo_export functions)

Hmmm, that didn't actually work, and I don't really understand why. Can anyone help? This is rather beyond my understanding of ASN.1/libtasn1!

The asn1_der_coding(asn1_data, "") call was failing with the error ASN1_ELEMENT_NOT_FOUND in _gnutls_x509_export_int. Is that call not supposed to provide the DER coding for the entire node? If I change it as below, to pass "rdnSequence" rather than "", it does work; there's a test case in here too.

diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am index 16bff3e..c185259 100644 --- a/doc/manpages/Makefile.am +++ b/doc/manpages/Makefile.am 
@@ -26,7 +26,7 @@ if ENABLE_SRP dist_man_MANS += srptool.1 endif -APIMANS = gnutls_oprfi_enable_client.3 gnutls_oprfi_enable_server.3 gnutls_server_name_get.3 gnutls_server_name_set.3 gnutls_alert_get_name.3 gnutls_alert_send.3 gnutls_error_to_alert.3 gnutls_alert_send_appropriate.3 gnutls_alert_get.3 gnutls_mac_get_name.3 gnutls_mac_get_id.3 gnutls_mac_get_key_size.3 gnutls_mac_list.3 gnutls_compression_get_name.3 gnutls_compression_get_id.3 gnutls_compression_list.3 gnutls_cipher_get_key_size.3 gnutls_cipher_get_name.3 gnutls_cipher_get_id.3 gnutls_cipher_list.3 gnutls_kx_get_name.3 gnutls_kx_get_id.3 gnutls_kx_list.3 gnutls_protocol_get_name.3 gnutls_protocol_get_id.3 gnutls_protocol_list.3 gnutls_cipher_suite_get_name.3 gnutls_cipher_suite_info.3 gnutls_certificate_type_get_name.3 gnutls_certificate_type_get_id.3 gnutls_certificate_type_list.3 gnutls_sign_algorithm_get_name.3 gnutls_pk_algorithm_get_name.3 gnutls_anon_free_server_credentials.3 gnutls_anon_allocate_server_credentials.3 gnutls_anon_free_client_credentials.3 gnutls_anon_allocate_client_credentials.3 gnutls_anon_set_server_dh_params.3 gnutls_anon_set_server_params_function.3 gnutls_credentials_clear.3 gnutls_credentials_set.3 gnutls_auth_get_type.3 gnutls_auth_server_get_type.3 gnutls_auth_client_get_type.3 gnutls_transport_set_errno.3 gnutls_transport_set_global_errno.3 gnutls_record_check_pending.3 gnutls_certificate_free_keys.3 gnutls_certificate_free_cas.3 gnutls_certificate_free_ca_names.3 gnutls_certificate_free_credentials.3 gnutls_certificate_allocate_credentials.3 gnutls_certificate_server_set_request.3 gnutls_certificate_client_set_retrieve_function.3 gnutls_certificate_server_set_retrieve_function.3 gnutls_certificate_verify_peers2.3 gnutls_certificate_verify_peers.3 gnutls_certificate_expiration_time_peers.3 gnutls_certificate_activation_time_peers.3 gnutls_sign_callback_set.3 gnutls_sign_callback_get.3 gnutls_db_set_retrieve_function.3 gnutls_db_set_remove_function.3 
gnutls_db_set_store_function.3 gnutls_db_set_ptr.3 gnutls_db_get_ptr.3 gnutls_db_set_cache_expiration.3 gnutls_db_check_entry.3 gnutls_db_remove_session.3 gnutls_dh_params_import_raw.3 gnutls_dh_params_init.3 gnutls_dh_params_deinit.3 gnutls_dh_params_cpy.3 gnutls_dh_params_generate2.3 gnutls_dh_params_import_pkcs3.3 gnutls_dh_params_export_pkcs3.3 gnutls_dh_params_export_raw.3 gnutls_error_is_fatal.3 gnutls_perror.3 gnutls_strerror.3 gnutls_global_set_log_function.3 gnutls_global_set_log_level.3 gnutls_global_set_mem_functions.3 gnutls_global_init.3 gnutls_global_deinit.3 gnutls_transport_set_pull_function.3 gnutls_transport_set_push_function.3 gnutls_check_version.3 gnutls_rehandshake.3 gnutls_handshake.3 gnutls_handshake_set_max_packet_length.3 gnutls_handshake_get_last_in.3 gnutls_handshake_get_last_out.3 gnutls_malloc.3 gnutls_free.3 gnutls_certificate_set_openpgp_key.3 gnutls_certificate_set_openpgp_key_mem.3 gnutls_certificate_set_openpgp_key_file.3 gnutls_certificate_set_openpgp_keyring_file.3 gnutls_certificate_set_openpgp_keyring_mem.3 gnutls_openpgp_set_recv_key_function.3 gnutls_openpgp_privkey_sign_hash.3 gnutls_cipher_set_priority.3 gnutls_kx_set_priority.3 gnutls_mac_set_priority.3 gnutls_compression_set_priority.3 gnutls_protocol_set_priority.3 gnutls_certificate_type_set_priority.3 gnutls_priority_set.3 gnutls_priority_init.3 gnutls_priority_deinit.3 gnutls_priority_set_direct.3 gnutls_set_default_priority.3 gnutls_set_default_export_priority.3 gnutls_psk_free_client_credentials.3 gnutls_psk_allocate_client_credentials.3 gnutls_psk_set_client_credentials.3 gnutls_psk_free_server_credentials.3 gnutls_psk_allocate_server_credentials.3 gnutls_psk_set_server_credentials_file.3 gnutls_psk_set_server_credentials_function.3 gnutls_psk_set_client_credentials_function.3 gnutls_psk_server_get_username.3 gnutls_hex_decode.3 gnutls_hex_encode.3 gnutls_psk_set_server_dh_params.3 gnutls_psk_set_server_params_function.3 gnutls_protocol_get_version.3 
gnutls_transport_set_lowat.3 gnutls_record_disable_padding.3 gnutls_transport_set_ptr.3 gnutls_transport_set_ptr2.3 gnutls_transport_get_ptr.3 gnutls_transport_get_ptr2.3 gnutls_bye.3 gnutls_record_send.3 gnutls_record_recv.3 gnutls_record_get_max_size.3 gnutls_record_set_max_size.3 gnutls_rsa_params_import_raw.3 gnutls_rsa_params_init.3 gnutls_rsa_params_deinit.3 gnutls_rsa_params_cpy.3 gnutls_rsa_params_generate2.3 gnutls_rsa_params_import_pkcs1.3 gnutls_rsa_params_export_pkcs1.3 gnutls_rsa_params_export_raw.3 gnutls_session_get_data.3 gnutls_session_get_data2.3 gnutls_session_get_id.3 gnutls_session_set_data.3 gnutls_cipher_get.3 gnutls_certificate_type_get.3 gnutls_kx_get.3 gnutls_mac_get.3 gnutls_compression_get.3 gnutls_init.3 gnutls_deinit.3 gnutls_openpgp_send_cert.3 gnutls_certificate_send_x509_rdn_sequence.3 gnutls_handshake_set_private_extensions.3 gnutls_prf_raw.3 gnutls_prf.3 gnutls_session_get_client_random.3 gnutls_session_get_server_random.3 gnutls_session_get_master_secret.3 gnutls_session_is_resumed.3 gnutls_session_get_ptr.3 gnutls_session_set_ptr.3 gnutls_record_get_direction.3 gnutls_handshake_set_post_client_hello_function.3 gnutls_session_enable_compatibility_mode.3 gnutls_dh_set_prime_bits.3 gnutls_dh_get_group.3 gnutls_dh_get_pubkey.3 gnutls_rsa_export_get_pubkey.3 gnutls_dh_get_secret_bits.3 gnutls_dh_get_prime_bits.3 gnutls_rsa_export_get_modulus_bits.3 gnutls_dh_get_peers_public_bits.3 gnutls_certificate_get_ours.3 gnutls_certificate_get_peers.3 gnutls_certificate_client_get_request_status.3 gnutls_fingerprint.3 gnutls_certificate_set_dh_params.3 gnutls_certificate_set_params_function.3 gnutls_certificate_set_verify_flags.3 gnutls_certificate_set_verify_limits.3 gnutls_certificate_set_rsa_export_params.3 gnutls_psk_set_params_function.3 gnutls_anon_set_params_function.3 gnutls_certificate_set_x509_key_mem.3 gnutls_certificate_set_x509_key.3 gnutls_certificate_set_x509_key_file.3 gnutls_certificate_set_x509_trust_mem.3 
gnutls_certificate_set_x509_trust.3 gnutls_certificate_set_x509_trust_file.3 gnutls_certificate_set_x509_crl_mem.3 gnutls_certificate_set_x509_crl.3 gnutls_certificate_set_x509_crl_file.3 gnutls_certificate_set_x509_simple_pkcs12_file.3 gnutls_certificate_free_crls.3 gnutls_pem_base64_encode.3 gnutls_pem_base64_encode_alloc.3 gnutls_pem_base64_decode.3 gnutls_pem_base64_decode_alloc.3 gnutls_global_init_extra.3 gnutls_extra_check_version.3 gnutls_ia_permute_inner_secret.3 gnutls_ia_generate_challenge.3 gnutls_ia_extract_inner_secret.3 gnutls_ia_endphase_send.3 gnutls_ia_verify_endphase.3 gnutls_ia_send.3 gnutls_ia_recv.3 gnutls_ia_handshake_p.3 gnutls_ia_handshake.3 gnutls_ia_allocate_client_credentials.3 gnutls_ia_free_client_credentials.3 gnutls_ia_set_client_avp_function.3 gnutls_ia_set_client_avp_ptr.3 gnutls_ia_get_client_avp_ptr.3 gnutls_ia_allocate_server_credentials.3 gnutls_ia_free_server_credentials.3 gnutls_ia_set_server_avp_function.3 gnutls_ia_set_server_avp_ptr.3 gnutls_ia_get_server_avp_ptr.3 gnutls_ia_enable.3 gnutls_x509_dn_oid_known.3 gnutls_x509_crl_init.3 gnutls_x509_crl_deinit.3 gnutls_x509_crl_import.3 gnutls_x509_crl_get_issuer_dn.3 gnutls_x509_crl_get_issuer_dn_by_oid.3 gnutls_x509_crl_get_dn_oid.3 gnutls_x509_crl_get_signature_algorithm.3 gnutls_x509_crl_get_signature.3 gnutls_x509_crl_get_version.3 gnutls_x509_crl_get_this_update.3 gnutls_x509_crl_get_next_update.3 gnutls_x509_crl_get_crt_count.3 gnutls_x509_crl_get_crt_serial.3 gnutls_x509_crl_export.3 gnutls_x509_crl_set_version.3 gnutls_x509_crl_sign2.3 gnutls_x509_crl_sign.3 gnutls_x509_crl_set_this_update.3 gnutls_x509_crl_set_next_update.3 gnutls_x509_crl_set_crt_serial.3 gnutls_x509_crl_set_crt.3 gnutls_x509_crq_init.3 gnutls_x509_crq_deinit.3 gnutls_x509_crq_import.3 gnutls_x509_crq_get_dn.3 gnutls_x509_crq_get_dn_by_oid.3 gnutls_x509_crq_get_dn_oid.3 gnutls_x509_crq_get_challenge_password.3 gnutls_x509_crq_set_attribute_by_oid.3 gnutls_x509_crq_get_attribute_by_oid.3 
gnutls_x509_crq_set_dn_by_oid.3 gnutls_x509_crq_set_version.3 gnutls_x509_crq_get_version.3 gnutls_x509_crq_set_key.3 gnutls_x509_crq_set_challenge_password.3 gnutls_x509_crq_sign2.3 gnutls_x509_crq_sign.3 gnutls_x509_crq_export.3 gnutls_x509_crq_get_pk_algorithm.3 gnutls_x509_rdn_get.3 gnutls_x509_rdn_get_by_oid.3 gnutls_x509_rdn_get_oid.3 gnutls_x509_crt_print.3 gnutls_x509_crl_print.3 gnutls_pkcs12_bag_init.3 gnutls_pkcs12_bag_deinit.3 gnutls_pkcs12_bag_get_type.3 gnutls_pkcs12_bag_get_count.3 gnutls_pkcs12_bag_get_data.3 gnutls_pkcs12_bag_set_data.3 gnutls_pkcs12_bag_set_crt.3 gnutls_pkcs12_bag_set_crl.3 gnutls_pkcs12_bag_set_key_id.3 gnutls_pkcs12_bag_get_key_id.3 gnutls_pkcs12_bag_get_friendly_name.3 gnutls_pkcs12_bag_set_friendly_name.3 gnutls_pkcs12_bag_decrypt.3 gnutls_pkcs12_bag_encrypt.3 gnutls_pkcs12_init.3 gnutls_pkcs12_deinit.3 gnutls_pkcs12_import.3 gnutls_pkcs12_export.3 gnutls_pkcs12_get_bag.3 gnutls_pkcs12_set_bag.3 gnutls_pkcs12_generate_mac.3 gnutls_pkcs12_verify_mac.3 gnutls_pkcs7_init.3 gnutls_pkcs7_deinit.3 gnutls_pkcs7_import.3 gnutls_pkcs7_get_crt_raw.3 gnutls_pkcs7_get_crt_count.3 gnutls_pkcs7_export.3 gnutls_pkcs7_set_crt_raw.3 gnutls_pkcs7_set_crt.3 gnutls_pkcs7_delete_crt.3 gnutls_pkcs7_get_crl_raw.3 gnutls_pkcs7_get_crl_count.3 gnutls_pkcs7_set_crl_raw.3 gnutls_pkcs7_set_crl.3 gnutls_pkcs7_delete_crl.3 gnutls_x509_privkey_init.3 gnutls_x509_privkey_deinit.3 gnutls_x509_privkey_cpy.3 gnutls_x509_privkey_import.3 gnutls_x509_privkey_import_rsa_raw.3 gnutls_x509_privkey_import_dsa_raw.3 gnutls_x509_privkey_get_pk_algorithm.3 gnutls_x509_privkey_export.3 gnutls_x509_privkey_export_rsa_raw.3 gnutls_x509_privkey_export_dsa_raw.3 gnutls_x509_privkey_generate.3 gnutls_x509_privkey_get_key_id.3 gnutls_x509_privkey_sign_data.3 gnutls_x509_privkey_sign_hash.3 gnutls_x509_privkey_verify_data.3 gnutls_x509_privkey_fix.3 gnutls_x509_privkey_export_pkcs8.3 gnutls_x509_privkey_import_pkcs8.3 gnutls_x509_crt_check_hostname.3 
gnutls_x509_crt_check_issuer.3 gnutls_x509_crt_list_verify.3 gnutls_x509_crt_verify.3 gnutls_x509_crl_check_issuer.3 gnutls_x509_crl_verify.3 gnutls_x509_crt_init.3 gnutls_x509_crt_deinit.3 gnutls_x509_crt_import.3 gnutls_x509_crt_get_issuer_dn.3 gnutls_x509_crt_get_issuer_dn_by_oid.3 gnutls_x509_crt_get_issuer_dn_oid.3 gnutls_x509_crt_get_dn.3 gnutls_x509_crt_get_dn_by_oid.3 gnutls_x509_crt_get_dn_oid.3 gnutls_x509_crt_get_signature_algorithm.3 gnutls_x509_crt_get_signature.3 gnutls_x509_crt_get_version.3 gnutls_x509_crt_get_activation_time.3 gnutls_x509_crt_get_expiration_time.3 gnutls_x509_crt_get_serial.3 gnutls_x509_crt_get_subject_key_id.3 gnutls_x509_crt_get_authority_key_id.3 gnutls_x509_crt_get_pk_algorithm.3 gnutls_x509_crt_get_subject_alt_name.3 gnutls_x509_crt_get_subject_alt_name2.3 gnutls_x509_crt_get_subject_alt_othername_oid.3 gnutls_x509_crt_get_basic_constraints.3 gnutls_x509_crt_get_ca_status.3 gnutls_x509_crt_get_key_usage.3 gnutls_x509_crt_get_proxy.3 gnutls_x509_crt_get_extension_by_oid.3 gnutls_x509_crt_get_extension_oid.3 gnutls_x509_crt_get_extension_info.3 gnutls_x509_crt_get_extension_data.3 gnutls_x509_crt_get_raw_issuer_dn.3 gnutls_x509_crt_get_raw_dn.3 gnutls_x509_crt_get_subject.3 gnutls_x509_crt_get_issuer.3 gnutls_x509_dn_get_rdn_ava.3 gnutls_x509_crt_get_fingerprint.3 gnutls_x509_crt_export.3 gnutls_x509_crt_get_key_id.3 gnutls_x509_crt_check_revocation.3 gnutls_x509_crt_verify_data.3 gnutls_x509_crt_get_crl_dist_points.3 gnutls_x509_crt_get_key_purpose_oid.3 gnutls_x509_crt_get_pk_rsa_raw.3 gnutls_x509_crt_get_pk_dsa_raw.3 gnutls_x509_crt_list_import.3 gnutls_x509_crt_set_dn_by_oid.3 gnutls_x509_crt_set_issuer_dn_by_oid.3 gnutls_x509_crt_set_proxy_dn.3 gnutls_x509_crt_set_version.3 gnutls_x509_crt_set_key.3 gnutls_x509_crt_set_crq.3 gnutls_x509_crt_set_extension_by_oid.3 gnutls_x509_crt_set_basic_constraints.3 gnutls_x509_crt_set_ca_status.3 gnutls_x509_crt_set_key_usage.3 gnutls_x509_crt_set_subject_alternative_name.3 
gnutls_x509_crt_set_proxy.3 gnutls_x509_crt_sign2.3 gnutls_x509_crt_sign.3 gnutls_x509_crt_set_activation_time.3 gnutls_x509_crt_set_expiration_time.3 gnutls_x509_crt_set_serial.3 gnutls_x509_crt_set_crl_dist_points.3 gnutls_x509_crt_cpy_crl_dist_points.3 gnutls_x509_crt_set_subject_key_id.3 gnutls_x509_crt_set_authority_key_id.3 gnutls_x509_crt_set_key_purpose_oid.3 gnutls_openpgp_keyring_init.3 gnutls_openpgp_keyring_deinit.3 gnutls_openpgp_keyring_check_id.3 gnutls_openpgp_keyring_import.3 gnutls_openpgp_crt_print.3 gnutls_openpgp_crt_init.3 gnutls_openpgp_crt_deinit.3 gnutls_openpgp_crt_import.3 gnutls_openpgp_crt_export.3 gnutls_openpgp_crt_get_fingerprint.3 gnutls_openpgp_crt_get_name.3 gnutls_openpgp_crt_get_pk_algorithm.3 gnutls_openpgp_crt_get_version.3 gnutls_openpgp_crt_get_creation_time.3 gnutls_openpgp_crt_get_expiration_time.3 gnutls_openpgp_crt_get_key_id.3 gnutls_openpgp_crt_get_revoked_status.3 gnutls_openpgp_crt_check_hostname.3 gnutls_openpgp_crt_get_key_usage.3 gnutls_openpgp_crt_get_subkey_count.3 gnutls_openpgp_crt_get_subkey_revoked_status.3 gnutls_openpgp_crt_get_subkey_pk_algorithm.3 gnutls_openpgp_crt_get_subkey_creation_time.3 gnutls_openpgp_crt_get_subkey_expiration_time.3 gnutls_openpgp_crt_get_subkey_id.3 gnutls_openpgp_crt_get_subkey_idx.3 gnutls_openpgp_crt_get_subkey_usage.3 gnutls_openpgp_crt_get_pk_rsa_raw.3 gnutls_openpgp_crt_get_pk_dsa_raw.3 gnutls_openpgp_crt_get_subkey_pk_rsa_raw.3 gnutls_openpgp_crt_get_subkey_pk_dsa_raw.3 gnutls_openpgp_crt_verify_ring.3 gnutls_openpgp_crt_verify_self.3 gnutls_openpgp_privkey_init.3 gnutls_openpgp_privkey_deinit.3 gnutls_openpgp_privkey_import.3 gnutls_openpgp_privkey_export.3 gnutls_openpgp_privkey_get_pk_algorithm.3 gnutls_openpgp_privkey_get_revoked_status.3 gnutls_openpgp_privkey_get_fingerprint.3 gnutls_openpgp_privkey_get_key_id.3 gnutls_openpgp_privkey_get_subkey_count.3 gnutls_openpgp_privkey_get_subkey_revoked_status.3 gnutls_openpgp_privkey_get_subkey_pk_algorithm.3 
gnutls_openpgp_privkey_get_subkey_idx.3 gnutls_openpgp_privkey_get_subkey_creation_time.3 gnutls_openpgp_privkey_get_subkey_expiration_time.3 gnutls_openpgp_privkey_get_subkey_id.3 gnutls_openpgp_privkey_export_rsa_raw.3 gnutls_openpgp_privkey_export_dsa_raw.3 gnutls_openpgp_privkey_export_subkey_rsa_raw.3 gnutls_openpgp_privkey_export_subkey_dsa_raw.3 +APIMANS = gnutls_oprfi_enable_client.3 gnutls_oprfi_enable_server.3 gnutls_server_name_get.3 gnutls_server_name_set.3 gnutls_alert_get_name.3 gnutls_alert_send.3 gnutls_error_to_alert.3 gnutls_alert_send_appropriate.3 gnutls_alert_get.3 gnutls_mac_get_name.3 gnutls_mac_get_id.3 gnutls_mac_get_key_size.3 gnutls_mac_list.3 gnutls_compression_get_name.3 gnutls_compression_get_id.3 gnutls_compression_list.3 gnutls_cipher_get_key_size.3 gnutls_cipher_get_name.3 gnutls_cipher_get_id.3 gnutls_cipher_list.3 gnutls_kx_get_name.3 gnutls_kx_get_id.3 gnutls_kx_list.3 gnutls_protocol_get_name.3 gnutls_protocol_get_id.3 gnutls_protocol_list.3 gnutls_cipher_suite_get_name.3 gnutls_cipher_suite_info.3 gnutls_certificate_type_get_name.3 gnutls_certificate_type_get_id.3 gnutls_certificate_type_list.3 gnutls_sign_algorithm_get_name.3 gnutls_pk_algorithm_get_name.3 gnutls_anon_free_server_credentials.3 gnutls_anon_allocate_server_credentials.3 gnutls_anon_free_client_credentials.3 gnutls_anon_allocate_client_credentials.3 gnutls_anon_set_server_dh_params.3 gnutls_anon_set_server_params_function.3 gnutls_credentials_clear.3 gnutls_credentials_set.3 gnutls_auth_get_type.3 gnutls_auth_server_get_type.3 gnutls_auth_client_get_type.3 gnutls_transport_set_errno.3 gnutls_transport_set_global_errno.3 gnutls_record_check_pending.3 gnutls_certificate_free_keys.3 gnutls_certificate_free_cas.3 gnutls_certificate_export_x509_cas.3 gnutls_certificate_export_x509_crls.3 gnutls_certificate_export_openpgp_keyring.3 gnutls_certificate_free_ca_names.3 gnutls_certificate_free_credentials.3 gnutls_certificate_allocate_credentials.3 
gnutls_certificate_server_set_request.3 gnutls_certificate_client_set_retrieve_function.3 gnutls_certificate_server_set_retrieve_function.3 gnutls_certificate_verify_peers2.3 gnutls_certificate_verify_peers.3 gnutls_certificate_expiration_time_peers.3 gnutls_certificate_activation_time_peers.3 gnutls_sign_callback_set.3 gnutls_sign_callback_get.3 gnutls_db_set_retrieve_function.3 gnutls_db_set_remove_function.3 gnutls_db_set_store_function.3 gnutls_db_set_ptr.3 gnutls_db_get_ptr.3 gnutls_db_set_cache_expiration.3 gnutls_db_check_entry.3 gnutls_db_remove_session.3 gnutls_dh_params_import_raw.3 gnutls_dh_params_init.3 gnutls_dh_params_deinit.3 gnutls_dh_params_cpy.3 gnutls_dh_params_generate2.3 gnutls_dh_params_import_pkcs3.3 gnutls_dh_params_export_pkcs3.3 gnutls_dh_params_export_raw.3 gnutls_error_is_fatal.3 gnutls_perror.3 gnutls_strerror.3 gnutls_global_set_log_function.3 gnutls_global_set_log_level.3 gnutls_global_set_mem_functions.3 gnutls_global_init.3 gnutls_global_deinit.3 gnutls_transport_set_pull_function.3 gnutls_transport_set_push_function.3 gnutls_check_version.3 gnutls_rehandshake.3 gnutls_handshake.3 gnutls_handshake_set_max_packet_length.3 gnutls_handshake_get_last_in.3 gnutls_handshake_get_last_out.3 gnutls_malloc.3 gnutls_free.3 gnutls_certificate_set_openpgp_key.3 gnutls_certificate_set_openpgp_key_mem.3 gnutls_certificate_set_openpgp_key_file.3 gnutls_certificate_set_openpgp_key_mem2.3 gnutls_certificate_set_openpgp_key_file2.3 gnutls_certificate_set_openpgp_keyring_file.3 gnutls_certificate_set_openpgp_keyring_mem.3 gnutls_openpgp_set_recv_key_function.3 gnutls_openpgp_privkey_sign_hash.3 gnutls_cipher_set_priority.3 gnutls_kx_set_priority.3 gnutls_mac_set_priority.3 gnutls_compression_set_priority.3 gnutls_protocol_set_priority.3 gnutls_certificate_type_set_priority.3 gnutls_priority_set.3 gnutls_priority_init.3 gnutls_priority_deinit.3 gnutls_priority_set_direct.3 gnutls_set_default_priority.3 gnutls_set_default_export_priority.3 
gnutls_psk_free_client_credentials.3 gnutls_psk_allocate_client_credentials.3 gnutls_psk_set_client_credentials.3 gnutls_psk_free_server_credentials.3 gnutls_psk_allocate_server_credentials.3 gnutls_psk_set_server_credentials_file.3 gnutls_psk_set_server_credentials_function.3 gnutls_psk_set_client_credentials_function.3 gnutls_psk_server_get_username.3 gnutls_hex_decode.3 gnutls_hex_encode.3 gnutls_psk_set_server_dh_params.3 gnutls_psk_set_server_params_function.3 gnutls_protocol_get_version.3 gnutls_transport_set_lowat.3 gnutls_record_disable_padding.3 gnutls_transport_set_ptr.3 gnutls_transport_set_ptr2.3 gnutls_transport_get_ptr.3 gnutls_transport_get_ptr2.3 gnutls_bye.3 gnutls_record_send.3 gnutls_record_recv.3 gnutls_record_get_max_size.3 gnutls_record_set_max_size.3 gnutls_rsa_params_import_raw.3 gnutls_rsa_params_init.3 gnutls_rsa_params_deinit.3 gnutls_rsa_params_cpy.3 gnutls_rsa_params_generate2.3 gnutls_rsa_params_import_pkcs1.3 gnutls_rsa_params_export_pkcs1.3 gnutls_rsa_params_export_raw.3 gnutls_session_get_data.3 gnutls_session_get_data2.3 gnutls_session_get_id.3 gnutls_session_set_data.3 gnutls_cipher_get.3 gnutls_certificate_type_get.3 gnutls_kx_get.3 gnutls_mac_get.3 gnutls_compression_get.3 gnutls_init.3 gnutls_deinit.3 gnutls_openpgp_send_cert.3 gnutls_certificate_send_x509_rdn_sequence.3 gnutls_handshake_set_private_extensions.3 gnutls_prf_raw.3 gnutls_prf.3 gnutls_session_get_client_random.3 gnutls_session_get_server_random.3 gnutls_session_get_master_secret.3 gnutls_session_is_resumed.3 gnutls_session_get_ptr.3 gnutls_session_set_ptr.3 gnutls_record_get_direction.3 gnutls_handshake_set_post_client_hello_function.3 gnutls_session_enable_compatibility_mode.3 gnutls_dh_set_prime_bits.3 gnutls_dh_get_group.3 gnutls_dh_get_pubkey.3 gnutls_rsa_export_get_pubkey.3 gnutls_dh_get_secret_bits.3 gnutls_dh_get_prime_bits.3 gnutls_rsa_export_get_modulus_bits.3 gnutls_dh_get_peers_public_bits.3 gnutls_certificate_get_ours.3 gnutls_certificate_get_peers.3 
gnutls_certificate_client_get_request_status.3 gnutls_fingerprint.3 gnutls_certificate_set_dh_params.3 gnutls_certificate_set_params_function.3 gnutls_certificate_set_verify_flags.3 gnutls_certificate_set_verify_limits.3 gnutls_certificate_set_rsa_export_params.3 gnutls_psk_set_params_function.3 gnutls_anon_set_params_function.3 gnutls_certificate_set_x509_key_mem.3 gnutls_certificate_set_x509_key.3 gnutls_certificate_set_x509_key_file.3 gnutls_certificate_set_x509_trust_mem.3 gnutls_certificate_set_x509_trust.3 gnutls_certificate_set_x509_trust_file.3 gnutls_certificate_set_x509_crl_mem.3 gnutls_certificate_set_x509_crl.3 gnutls_certificate_set_x509_crl_file.3 gnutls_certificate_set_x509_simple_pkcs12_file.3 gnutls_certificate_free_crls.3 gnutls_pem_base64_encode.3 gnutls_pem_base64_encode_alloc.3 gnutls_pem_base64_decode.3 gnutls_pem_base64_decode_alloc.3 gnutls_global_init_extra.3 gnutls_extra_check_version.3 gnutls_ia_permute_inner_secret.3 gnutls_ia_generate_challenge.3 gnutls_ia_extract_inner_secret.3 gnutls_ia_endphase_send.3 gnutls_ia_verify_endphase.3 gnutls_ia_send.3 gnutls_ia_recv.3 gnutls_ia_handshake_p.3 gnutls_ia_handshake.3 gnutls_ia_allocate_client_credentials.3 gnutls_ia_free_client_credentials.3 gnutls_ia_set_client_avp_function.3 gnutls_ia_set_client_avp_ptr.3 gnutls_ia_get_client_avp_ptr.3 gnutls_ia_allocate_server_credentials.3 gnutls_ia_free_server_credentials.3 gnutls_ia_set_server_avp_function.3 gnutls_ia_set_server_avp_ptr.3 gnutls_ia_get_server_avp_ptr.3 gnutls_ia_enable.3 gnutls_x509_dn_oid_known.3 gnutls_x509_crl_init.3 gnutls_x509_crl_deinit.3 gnutls_x509_crl_import.3 gnutls_x509_crl_get_issuer_dn.3 gnutls_x509_crl_get_issuer_dn_by_oid.3 gnutls_x509_crl_get_dn_oid.3 gnutls_x509_crl_get_signature_algorithm.3 gnutls_x509_crl_get_signature.3 gnutls_x509_crl_get_version.3 gnutls_x509_crl_get_this_update.3 gnutls_x509_crl_get_next_update.3 gnutls_x509_crl_get_crt_count.3 gnutls_x509_crl_get_crt_serial.3 gnutls_x509_crl_export.3 
gnutls_x509_crl_set_version.3 gnutls_x509_crl_sign2.3 gnutls_x509_crl_sign.3 gnutls_x509_crl_set_this_update.3 gnutls_x509_crl_set_next_update.3 gnutls_x509_crl_set_crt_serial.3 gnutls_x509_crl_set_crt.3 gnutls_x509_crq_init.3 gnutls_x509_crq_deinit.3 gnutls_x509_crq_import.3 gnutls_x509_crq_get_dn.3 gnutls_x509_crq_get_dn_by_oid.3 gnutls_x509_crq_get_dn_oid.3 gnutls_x509_crq_get_challenge_password.3 gnutls_x509_crq_set_attribute_by_oid.3 gnutls_x509_crq_get_attribute_by_oid.3 gnutls_x509_crq_set_dn_by_oid.3 gnutls_x509_crq_set_version.3 gnutls_x509_crq_get_version.3 gnutls_x509_crq_set_key.3 gnutls_x509_crq_set_challenge_password.3 gnutls_x509_crq_sign2.3 gnutls_x509_crq_sign.3 gnutls_x509_crq_export.3 gnutls_x509_crq_get_pk_algorithm.3 gnutls_x509_dn_init.3 gnutls_x509_dn_import.3 gnutls_x509_dn_deinit.3 gnutls_x509_rdn_get.3 gnutls_x509_rdn_get_by_oid.3 gnutls_x509_rdn_get_oid.3 gnutls_x509_crt_print.3 gnutls_x509_crl_print.3 gnutls_pkcs12_init.3 gnutls_pkcs12_deinit.3 gnutls_pkcs12_import.3 gnutls_pkcs12_export.3 gnutls_pkcs12_get_bag.3 gnutls_pkcs12_set_bag.3 gnutls_pkcs12_generate_mac.3 gnutls_pkcs12_verify_mac.3 gnutls_pkcs12_bag_init.3 gnutls_pkcs12_bag_deinit.3 gnutls_pkcs12_bag_get_type.3 gnutls_pkcs12_bag_get_count.3 gnutls_pkcs12_bag_get_data.3 gnutls_pkcs12_bag_set_data.3 gnutls_pkcs12_bag_set_crt.3 gnutls_pkcs12_bag_set_crl.3 gnutls_pkcs12_bag_set_key_id.3 gnutls_pkcs12_bag_get_key_id.3 gnutls_pkcs12_bag_get_friendly_name.3 gnutls_pkcs12_bag_set_friendly_name.3 gnutls_pkcs12_bag_decrypt.3 gnutls_pkcs12_bag_encrypt.3 gnutls_pkcs7_init.3 gnutls_pkcs7_deinit.3 gnutls_pkcs7_import.3 gnutls_pkcs7_get_crt_raw.3 gnutls_pkcs7_get_crt_count.3 gnutls_pkcs7_export.3 gnutls_pkcs7_set_crt_raw.3 gnutls_pkcs7_set_crt.3 gnutls_pkcs7_delete_crt.3 gnutls_pkcs7_get_crl_raw.3 gnutls_pkcs7_get_crl_count.3 gnutls_pkcs7_set_crl_raw.3 gnutls_pkcs7_set_crl.3 gnutls_pkcs7_delete_crl.3 gnutls_x509_privkey_init.3 gnutls_x509_privkey_deinit.3 gnutls_x509_privkey_cpy.3 
gnutls_x509_privkey_import.3 gnutls_x509_privkey_import_rsa_raw.3 gnutls_x509_privkey_import_dsa_raw.3 gnutls_x509_privkey_get_pk_algorithm.3 gnutls_x509_privkey_export.3 gnutls_x509_privkey_export_rsa_raw.3 gnutls_x509_privkey_export_dsa_raw.3 gnutls_x509_privkey_generate.3 gnutls_x509_privkey_get_key_id.3 gnutls_x509_privkey_sign_data.3 gnutls_x509_privkey_sign_hash.3 gnutls_x509_privkey_verify_data.3 gnutls_x509_privkey_fix.3 gnutls_x509_privkey_export_pkcs8.3 gnutls_x509_privkey_import_pkcs8.3 gnutls_x509_crt_check_hostname.3 gnutls_x509_crt_check_issuer.3 gnutls_x509_crt_list_verify.3 gnutls_x509_crt_verify.3 gnutls_x509_crl_check_issuer.3 gnutls_x509_crl_verify.3 gnutls_x509_crt_init.3 gnutls_x509_crt_deinit.3 gnutls_x509_crt_import.3 gnutls_x509_crt_get_issuer_dn.3 gnutls_x509_crt_get_issuer_dn_by_oid.3 gnutls_x509_crt_get_issuer_dn_oid.3 gnutls_x509_crt_get_dn.3 gnutls_x509_crt_get_dn_by_oid.3 gnutls_x509_crt_get_dn_oid.3 gnutls_x509_crt_get_signature_algorithm.3 gnutls_x509_crt_get_signature.3 gnutls_x509_crt_get_version.3 gnutls_x509_crt_get_activation_time.3 gnutls_x509_crt_get_expiration_time.3 gnutls_x509_crt_get_serial.3 gnutls_x509_crt_get_subject_key_id.3 gnutls_x509_crt_get_authority_key_id.3 gnutls_x509_crt_get_pk_algorithm.3 gnutls_x509_crt_get_subject_alt_name.3 gnutls_x509_crt_get_subject_alt_name2.3 gnutls_x509_crt_get_subject_alt_othername_oid.3 gnutls_x509_crt_get_basic_constraints.3 gnutls_x509_crt_get_ca_status.3 gnutls_x509_crt_get_key_usage.3 gnutls_x509_crt_get_proxy.3 gnutls_x509_crt_get_extension_by_oid.3 gnutls_x509_crt_get_extension_oid.3 gnutls_x509_crt_get_extension_info.3 gnutls_x509_crt_get_extension_data.3 gnutls_x509_crt_get_raw_issuer_dn.3 gnutls_x509_crt_get_raw_dn.3 gnutls_x509_crt_get_subject.3 gnutls_x509_crt_get_issuer.3 gnutls_x509_dn_get_rdn_ava.3 gnutls_x509_crt_get_fingerprint.3 gnutls_x509_crt_export.3 gnutls_x509_crt_get_key_id.3 gnutls_x509_crt_check_revocation.3 gnutls_x509_crt_verify_data.3 
gnutls_x509_crt_get_crl_dist_points.3 gnutls_x509_crt_get_key_purpose_oid.3 gnutls_x509_crt_get_pk_rsa_raw.3 gnutls_x509_crt_get_pk_dsa_raw.3 gnutls_x509_crt_list_import.3 gnutls_x509_crt_set_dn_by_oid.3 gnutls_x509_crt_set_issuer_dn_by_oid.3 gnutls_x509_crt_set_proxy_dn.3 gnutls_x509_crt_set_version.3 gnutls_x509_crt_set_key.3 gnutls_x509_crt_set_crq.3 gnutls_x509_crt_set_extension_by_oid.3 gnutls_x509_crt_set_basic_constraints.3 gnutls_x509_crt_set_ca_status.3 gnutls_x509_crt_set_key_usage.3 gnutls_x509_crt_set_subject_alternative_name.3 gnutls_x509_crt_set_proxy.3 gnutls_x509_crt_sign2.3 gnutls_x509_crt_sign.3 gnutls_x509_crt_set_activation_time.3 gnutls_x509_crt_set_expiration_time.3 gnutls_x509_crt_set_serial.3 gnutls_x509_crt_set_crl_dist_points.3 gnutls_x509_crt_cpy_crl_dist_points.3 gnutls_x509_crt_set_subject_key_id.3 gnutls_x509_crt_set_authority_key_id.3 gnutls_x509_crt_set_key_purpose_oid.3 gnutls_openpgp_keyring_init.3 gnutls_openpgp_keyring_deinit.3 gnutls_openpgp_keyring_check_id.3 gnutls_openpgp_keyring_import.3 gnutls_openpgp_keyring_get_crt_count.3 gnutls_openpgp_keyring_get_crt.3 gnutls_openpgp_crt_print.3 gnutls_openpgp_crt_init.3 gnutls_openpgp_crt_deinit.3 gnutls_openpgp_crt_import.3 gnutls_openpgp_crt_export.3 gnutls_openpgp_crt_get_fingerprint.3 gnutls_openpgp_crt_get_name.3 gnutls_openpgp_crt_get_pk_algorithm.3 gnutls_openpgp_crt_get_version.3 gnutls_openpgp_crt_get_creation_time.3 gnutls_openpgp_crt_get_expiration_time.3 gnutls_openpgp_crt_get_key_id.3 gnutls_openpgp_crt_get_revoked_status.3 gnutls_openpgp_crt_check_hostname.3 gnutls_openpgp_crt_get_key_usage.3 gnutls_openpgp_crt_get_subkey_count.3 gnutls_openpgp_crt_get_subkey_revoked_status.3 gnutls_openpgp_crt_get_subkey_pk_algorithm.3 gnutls_openpgp_crt_get_subkey_creation_time.3 gnutls_openpgp_crt_get_subkey_expiration_time.3 gnutls_openpgp_crt_get_subkey_id.3 gnutls_openpgp_crt_get_subkey_idx.3 gnutls_openpgp_crt_get_subkey_usage.3 gnutls_openpgp_crt_get_pk_rsa_raw.3 
gnutls_openpgp_crt_get_pk_dsa_raw.3 gnutls_openpgp_crt_get_subkey_pk_rsa_raw.3 gnutls_openpgp_crt_get_subkey_pk_dsa_raw.3 gnutls_openpgp_crt_get_preferred_key_id.3 gnutls_openpgp_crt_set_preferred_key_id.3 gnutls_openpgp_crt_get_auth_subkey.3 gnutls_openpgp_crt_verify_ring.3 gnutls_openpgp_crt_verify_self.3 gnutls_openpgp_privkey_init.3 gnutls_openpgp_privkey_deinit.3 gnutls_openpgp_privkey_import.3 gnutls_openpgp_privkey_export.3 gnutls_openpgp_privkey_get_pk_algorithm.3 gnutls_openpgp_privkey_get_revoked_status.3 gnutls_openpgp_privkey_get_fingerprint.3 gnutls_openpgp_privkey_get_key_id.3 gnutls_openpgp_privkey_get_subkey_count.3 gnutls_openpgp_privkey_get_subkey_revoked_status.3 gnutls_openpgp_privkey_get_subkey_pk_algorithm.3 gnutls_openpgp_privkey_get_subkey_idx.3 gnutls_openpgp_privkey_get_subkey_creation_time.3 gnutls_openpgp_privkey_get_subkey_expiration_time.3 gnutls_openpgp_privkey_get_subkey_id.3 gnutls_openpgp_privkey_export_rsa_raw.3 gnutls_openpgp_privkey_export_dsa_raw.3 gnutls_openpgp_privkey_export_subkey_rsa_raw.3 gnutls_openpgp_privkey_export_subkey_dsa_raw.3 gnutls_openpgp_privkey_get_preferred_key_id.3 gnutls_openpgp_privkey_set_preferred_key_id.3 SRPMANS = gnutls_srp_base64_encode.3 gnutls_srp_base64_encode_alloc.3 gnutls_srp_base64_decode.3 gnutls_srp_base64_decode_alloc.3 gnutls_srp_free_client_credentials.3 gnutls_srp_allocate_client_credentials.3 gnutls_srp_set_client_credentials.3 gnutls_srp_free_server_credentials.3 gnutls_srp_allocate_server_credentials.3 gnutls_srp_set_server_credentials_file.3 gnutls_srp_set_server_credentials_function.3 gnutls_srp_set_client_credentials_function.3 gnutls_srp_server_get_username.3 gnutls_srp_verifier.3 diff --git a/includes/gnutls/x509.h b/includes/gnutls/x509.h index 4b700f4..98d54c7 100644 --- a/includes/gnutls/x509.h +++ b/includes/gnutls/x509.h 
@@ -333,6 +333,10 @@ extern "C" int gnutls_x509_dn_import (gnutls_x509_dn_t odn, const gnutls_datum_t * data); + int gnutls_x509_dn_export (gnutls_x509_dn_t dn, + gnutls_x509_crt_fmt_t format, void *output_data, + size_t * output_data_size); + void gnutls_x509_dn_deinit (gnutls_x509_dn_t idn); diff --git a/lib/x509/common.c b/lib/x509/common.c index 44fda11..0eeb034 100644 --- a/lib/x509/common.c +++ b/lib/x509/common.c @@ -710,9 +710,9 @@ _gnutls_x509_san_find_type (char *str_type) * to PEM or DER raw data. */ int -_gnutls_x509_export_int (ASN1_TYPE asn1_data, - gnutls_x509_crt_fmt_t format, char *pem_header, - unsigned char *output_data, size_t * output_data_size) +_gnutls_x509_export_int_named (ASN1_TYPE asn1_data, const char *name, + gnutls_x509_crt_fmt_t format, char *pem_header, + unsigned char *output_data, size_t * output_data_size) { int result, len; @@ -725,7 +725,7 @@ _gnutls_x509_export_int (ASN1_TYPE asn1_data, len = *output_data_size; if ((result = - asn1_der_coding (asn1_data, "", output_data, &len, + asn1_der_coding (asn1_data, name, output_data, &len, NULL)) != ASN1_SUCCESS) { *output_data_size = len; @@ -745,7 +745,7 @@ _gnutls_x509_export_int (ASN1_TYPE asn1_data, opaque *out; gnutls_datum tmp; - result = _gnutls_x509_der_encode( asn1_data, "", &tmp, 0); + result = _gnutls_x509_der_encode( asn1_data, name, &tmp, 0); if (result < 0) { gnutls_assert(); @@ -793,6 +793,16 @@ _gnutls_x509_export_int (ASN1_TYPE asn1_data, return 0; } +int +_gnutls_x509_export_int (ASN1_TYPE asn1_data, + gnutls_x509_crt_fmt_t format, char *pem_header, + unsigned char *output_data, size_t * output_data_size) +{ + return _gnutls_x509_export_int_named (asn1_data, "", + format, pem_header, output_data, + output_data_size); +} + /* Decodes an octet string. Leave string_type null for a normal * octet string. Otherwise put something like BMPString, PrintableString * etc. diff --git a/lib/x509/common.h b/lib/x509/common.h index c619fc0..ffc3545 100644 --- a/lib/x509/common.h 
+++ b/lib/x509/common.h @@ -90,6 +90,11 @@ int _gnutls_x509_export_int (ASN1_TYPE asn1_data, unsigned char *output_data, size_t * output_data_size); +int _gnutls_x509_export_int_named (ASN1_TYPE asn1_data, const char *name, + gnutls_x509_crt_fmt_t format, char *pem_header, + unsigned char *output_data, + size_t * output_data_size); + int _gnutls_x509_read_value (ASN1_TYPE c, const char *root, gnutls_datum_t * ret, int str); int _gnutls_x509_write_value (ASN1_TYPE c, const char *root, diff --git a/lib/x509/dn.c b/lib/x509/dn.c index 8b84de2..9c94cd5 100644 --- a/lib/x509/dn.c +++ b/lib/x509/dn.c @@ -1211,3 +1211,42 @@ _gnutls_x509_compare_raw_dn (const gnutls_datum_t * dn1, } return 1; /* they match */ } + +/** + * gnutls_x509_dn_export - This function will export the DN + * @dn: Holds the opaque DN object + * @format: the format of output params. One of PEM or DER. + * @output_data: will contain a DN PEM or DER encoded + * @output_data_size: holds the size of output_data (and will be + * replaced by the actual size of parameters) + * + * This function will export the DN to DER or PEM format. + * + * If the buffer provided is not long enough to hold the output, then + * *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will + * be returned. + * + * If the structure is PEM encoded, it will have a header + * of "BEGIN NAME". + * + * Return value: In case of failure a negative value will be + * returned, and 0 on success. + **/ +int +gnutls_x509_dn_export (gnutls_x509_dn_t dn, + gnutls_x509_crt_fmt_t format, void *output_data, + size_t * output_data_size) +{ + ASN1_TYPE asn1 = dn; + + if (asn1 == NULL) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_export_int_named (asn1, "rdnSequence", + format, "NAME", + output_data, + output_data_size); +} diff --git a/tests/Makefile.am b/tests/Makefile.am index dc03c1b..7fb1fff 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am 
@@ -37,7 +37,7 @@ noinst_LTLIBRARIES = libutils.la libutils_la_SOURCES = utils.h utils.c ctests = simple openssl gc set_pkcs12_cred certder \ - certificate_set_x509_crl dn parse_ca + certificate_set_x509_crl dn parse_ca moredn openssl_LDADD = $(LDADD) ../libextra/libgnutls-openssl.la if HAVE_FORK ctests += openpgpself x509self x509signself x509dn anonself pskself dhepskself tlsia resume diff --git a/tests/moredn.c b/tests/moredn.c new file mode 100644 index 0000000..25fc068 --- /dev/null +++ b/tests/moredn.c 
@@ -0,0 +1,122 @@ +/* + * Copyright (C) 2008 Free Software Foundation + * + * Author: Joe Orton + * + * This file is part of GNUTLS. + * + * GNUTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GNUTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with GNUTLS; if not, write to the Free Software Foundation, + * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +/* Parts copied from GnuTLS example programs. */ + +#if HAVE_CONFIG_H +# include +#endif + +#include +#include +#include +#include +#include + +#include +#include + +#include "utils.h" + +static const char cert_pem[] = + "-----BEGIN CERTIFICATE-----\n" + "MIICHjCCAYmgAwIBAgIERiYdNzALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" + "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTI3WhcNMDgwNDE3MTMyOTI3WjAdMRsw\n" + "GQYDVQQDExJHbnVUTFMgdGVzdCBjbGllbnQwgZwwCwYJKoZIhvcNAQEBA4GMADCB\n" + "iAKBgLtmQ/Xyxde2jMzF3/WIO7HJS2oOoa0gUEAIgKFPXKPQ+GzP5jz37AR2ExeL\n" + "ZIkiW8DdU3w77XwEu4C5KL6Om8aOoKUSy/VXHqLnu7czSZ/ju0quak1o/8kR4jKN\n" + "zj2AC41179gAgY8oBAOgIo1hBAf6tjd9IQdJ0glhaZiQo1ipAgMBAAGjdjB0MAwG\n" + "A1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDwYDVR0PAQH/BAUDAweg\n" + "ADAdBgNVHQ4EFgQUTLkKm/odNON+3svSBxX+odrLaJEwHwYDVR0jBBgwFoAU6Twc\n" + "+62SbuYGpFYsouHAUyfI8pUwCwYJKoZIhvcNAQEFA4GBALujmBJVZnvaTXr9cFRJ\n" + "jpfc/3X7sLUsMvumcDE01ls/cG5mIatmiyEU9qI3jbgUf82z23ON/acwJf875D3/\n" + "U7jyOsBJ44SEQITbin2yUeJMIm1tievvdNXBDfW95AM507ShzP12sfiJkJfjjdhy\n" + "dc8Siq5JojruiMizAf0pA7in\n" + "-----END CERTIFICATE-----\n"; +static const gnutls_datum_t cert_datum = { 
(char *)cert_pem, sizeof (cert_pem) }; + +void +doit (void) +{ + + gnutls_global_init (); + gnutls_x509_crt_t cert; + gnutls_x509_dn_t sdn, dn2; + unsigned char buf[8192], buf2[8192]; + size_t buflen, buf2len; + gnutls_datum_t datum; + int rv; + + if (gnutls_x509_crt_init(&cert) == 0) + success ("success: cert init\n"); + else + fail ("cert init failure\n"); + + if (gnutls_x509_crt_import (cert, &cert_datum, GNUTLS_X509_FMT_PEM) == 0) + success ("success: imported PEM cert\n"); + else + fail ("FAIL: could not import PEM cert\n"); + + if (gnutls_x509_crt_get_subject (cert, &sdn) == 0) + success ("success: got subject DN.\n"); + else + fail ("FAIL: could not get subject DN.\n"); + + buflen = sizeof buf; + rv = gnutls_x509_dn_export (sdn, GNUTLS_X509_FMT_DER, buf, &buflen); + if (rv == 0) + success ("success: exported subject DN.\n"); + else + fail ("FAIL: could not export subject DN: %s\n", + gnutls_strerror (rv)); + + if (gnutls_x509_dn_init (&dn2) == 0) + success ("success: init DN.\n"); + else + fail ("FAIL: DN init.\n"); + + datum.data = buf; + datum.size = buflen; + + if (gnutls_x509_dn_import (dn2, &datum) == 0) + success ("success: re-import subject DN.\n"); + else + fail ("FAIL: re-import subject DN.\n"); + + buf2len = sizeof buf2; + rv = gnutls_x509_dn_export (dn2, GNUTLS_X509_FMT_DER, buf2, &buf2len); + if (rv == 0) + success ("success: exported subject DN.\n"); + else + fail ("FAIL: could not export subject DN: %s\n", + gnutls_strerror (rv)); + + if (buflen == buf2len && memcmp (buf, buf2, buflen) == 0) + success ("success: export/import/export match.\n"); + else + fail ("FAIL: export/import/export differ.\n"); + + gnutls_x509_dn_deinit (dn2); + + gnutls_x509_crt_deinit (cert); + +} From nmav at gnutls.org Thu Feb 21 18:32:47 2008 
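Review bot: in _gnutls_x509_export_int_named (lib/x509/common.c) the new name argument is not covered by the comment above the function, which still only says the data is exported "to PEM or DER raw data". Add a line saying that name selects the ASN.1 element handed to asn1_der_coding and _gnutls_x509_der_encode, and that "" (what the _gnutls_x509_export_int wrapper passes) keeps the previous behaviour. Since name is already const char *, pem_header could become const char * as well, because gnutls_x509_dn_export passes it the literal "NAME".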
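Review bot: the doc comment for gnutls_x509_dn_export in lib/x509/dn.c carries wording that describes parameters rather than a DN: "@format: the format of output params" and "replaced by the actual size of parameters". Suggest "@format: the format of the output, one of PEM or DER" and "replaced by the actual size of the encoded DN", and name GNUTLS_E_INVALID_REQUEST (returned when dn is NULL) in the return-value paragraph next to GNUTLS_E_SHORT_MEMORY_BUFFER.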
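Review bot: in doit () in tests/moredn.c, gnutls_global_init () is called before the local declarations, its return value is ignored, and nothing calls gnutls_global_deinit () after gnutls_x509_crt_deinit (cert). Move the call below the declarations, check it for 0 like the other steps, and deinit at the end of the function. cert_datum is also built with sizeof (cert_pem), which counts the terminating NUL; sizeof (cert_pem) - 1 is the length of the PEM text.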
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 21 Feb 2008 19:32:47 +0200
Subject: [PATCH] add gnutls_certificate_find_issuer
In-Reply-To: <8763wipqi4.fsf@mocca.josefsson.org>
References: <20080215102150.GA30014@redhat.com> <20080219205655.GA12341@redhat.com> <47BB46BF.3070504@gnutls.org> <20080219213305.GA18904@redhat.com> <20080220133230.GA30083@redhat.com> <47BC7FD8.2030104@gnutls.org> <8763wipqi4.fsf@mocca.josefsson.org>
Message-ID: <47BDB5BF.8010704@gnutls.org>

Simon Josefsson wrote:

> Seems useful. But what about using *_get_* instead of *_export_* in the
> function names? The few functions with _export_ in the names appear to
> extract (i.e. copy) the values, but these functions appear to just
> export pointers. There is also the confusion with export restrictions,
> which some function names with _export_ in them refer to. So _get_
> might be more appropriate. What do you think?
>
> Hm. Some function names use *_trust* rather than *_cas* too. Should
> gnutls_certificate_export_x509_cas be gnutls_certificate_get_x509_trust?
> There is a lack of plural there, and we already have one function with
> _cas in it -- gnutls_certificate_free_cas -- so maybe
> gnutls_certificate_get_x509_cas is simpler.

Yes, I also think it is better. I've renamed the _export_ -> _get_.
However it seems we already have a release with the _export_ names...

regards,
Nikos

From simon at josefsson.org Thu Feb 21 22:56:05 2008
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 21 Feb 2008 22:56:05 +0100
Subject: [PATCH] add gnutls_certificate_find_issuer
In-Reply-To: <47BDB5BF.8010704@gnutls.org>
References: <20080215102150.GA30014@redhat.com> <20080219205655.GA12341@redhat.com> <47BB46BF.3070504@gnutls.org> <20080219213305.GA18904@redhat.com> <20080220133230.GA30083@redhat.com> <47BC7FD8.2030104@gnutls.org> <8763wipqi4.fsf@mocca.josefsson.org> <47BDB5BF.8010704@gnutls.org>
Message-ID: <139BD3F1-1079-4D12-AB85-B0886DF5CAA7@josefsson.org>

On 21 feb 2008, at 18.32, Nikos Mavrogiannopoulos wrote:

> Simon Josefsson wrote:
>
>> Seems useful. But what about using *_get_* instead of *_export_* in the
>> function names? The few functions with _export_ in the names appear to
>> extract (i.e. copy) the values, but these functions appear to just
>> export pointers. There is also the confusion with export restrictions,
>> which some function names with _export_ in them refer to. So _get_
>> might be more appropriate. What do you think?
>> Hm. Some function names use *_trust* rather than *_cas* too. Should
>> gnutls_certificate_export_x509_cas be gnutls_certificate_get_x509_trust?
>> There is a lack of plural there, and we already have one function with
>> _cas in it -- gnutls_certificate_free_cas -- so maybe
>> gnutls_certificate_get_x509_cas is simpler.
>
> Yes, I also think it is better. I've renamed the _export_ -> _get_.
> However it seems we already have a release with the _export_ names...

Thanks. I don't think renaming the functions should be a problem even
if we have a (devel) release - we only guarantee ABI compatibility
between stable releases. Otherwise we can't make any mistakes on the
devel branch, which seems unfair.

Generally, these considerations should probably be documented better
though, right now they are just my opinions.

/Simon

From mh+gnutls-devel at zugschlus.de Sat Feb 23 10:47:35 2008
From: mh+gnutls-devel at zugschlus.de (Marc Haber)
Date: Sat, 23 Feb 2008 10:47:35 +0100
Subject: Interoperability issues (Debian Bug #348046)
In-Reply-To: <87tzltbxri.fsf@mocca.josefsson.org>
References: <20080103003901.GA14027@torres.zugschlus.de> <87tzltbxri.fsf@mocca.josefsson.org>
Message-ID: <20080223094735.GA3944@torres.zugschlus.de>

On Fri, Jan 04, 2008 at 01:06:41PM +0100, Simon Josefsson wrote:
> Marc Haber writes:
> > Simon Josefsson has suggested to me (a member of the maintainer team
> > for Exim's packages for the Debian Operating System) that it might be
> > a good idea to move a technical debate from our blogs
> > (http://blog.zugschlus.de/archives/585-exim4-vs.-OpenSSL-vs.-GnuTLS.html,
> > http://blog.josefsson.org/2007/11/09/response-to-gnutls-in-exim-debate/)
> > to gnutls-devel as this list is a better medium for archived discussion.
> >
> > I'll send a dedicated mail for each of Debian's bug reports, so that
> > the threads are not going to intermix.
> >
> > Debian Bug #348046, http://bugs.debian.org/348046
> > =================================================
> >
> > Simon writes:
> > (C) Ian Zimmerman trying to debug issue (B) but having trouble with
> > gnutls-cli (Message 58)
>
> Ian's initial problem (in 58) appears to be with 'openssl s_client'. The
> problem with gnutls-cli-debug in message 63 was a user error,
> gnutls-cli-debug doesn't work with TLS over SMTP, but you figured that
> out. In message 98 gnutls appears to work fine, but openssl s_client
> does not seem to work, which was Ian's initial concern.
>
> The reason the openssl command doesn't work is explained by adding
> 'debug' to the command line:
>
> yxa-iv:~# openssl s_client -connect kniv.josefsson.org:25 -starttls smtp -debug
> CONNECTED(00000003)
> read from 080B1BB0 [080AC740] (8192 bytes => 72 (0x48))
> 0000 - 32 32 30 20 6b 6e 69 76-2e 6a 6f 73 65 66 73 73 220 kniv.josefss
> 0010 - 6f 6e 2e 6f 72 67 20 45-53 4d 54 50 20 45 78 69 on.org ESMTP Exi
> 0020 - 6d 20 34 2e 36 33 20 46-72 69 2c 20 30 34 20 4a m 4.63 Fri, 04 J
> 0030 - 61 6e 20 32 30 30 38 20-31 32 3a 33 39 3a 31 36 an 2008 12:39:16
> 0040 - 20 2b 30 31 30 30 0d 0a- +0100..
> write to 080B1BB0 [BF816D80] (10 bytes => 10 (0xA))
> 0000 - 53 54 41 52 54 54 4c 53-0d 0a STARTTLS..
> read from 080B1BB0 [080AA738] (8192 bytes => 47 (0x2F))
> 0000 - 35 30 33 20 53 54 41 52-54 54 4c 53 20 63 6f 6d 503 STARTTLS com
> 0010 - 6d 61 6e 64 20 75 73 65-64 20 77 68 65 6e 20 6e mand used when n
> 0020 - 6f 74 20 61 64 76 65 72-74 69 73 65 64 0d 0a ot advertised..
> write to 080B1BB0 [080B1BF8] (142 bytes => 142 (0x8E))
> 0000 - 80 8c 01 03 01 00 63 00-00 00 20 00 00 39 00 00 ......c... ..9..
> 0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............
> 0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 66 00 ..3..2../.....f.
> 0030 - 00 05 00 00 04 01 00 80-08 00 80 00 00 63 00 00 .............c..
> 0040 - 62 00 00 61 00 00 15 00-00 12 00 00 09 06 00 40 b..a...........@
> 0050 - 00 00 65 00 00 64 00 00-60 00 00 14 00 00 11 00 ..e..d..`.......
> 0060 - 00 08 00 00 06 04 00 80-00 00 03 02 00 80 84 0f ................
> 0070 - d2 b8 0b 21 74 5f 8a 9d-d5 42 3e 74 a0 63 5d 05 ...!t_...B>t.c].
> 0080 - b7 4d e1 8e 79 c5 52 1b-de 71 39 b4 3e cd .M..y.R..q9.>.
> read from 080B1BB0 [080B7158] (7 bytes => 7 (0x7))
> 0000 - 35 30 31 20 4e 55 4c 501 NUL
> 12040:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:478:
> yxa-iv:~#
>
> In other words, openssl doesn't implement the TLS over SMTP protocol
> properly, and exim4 rejects the connection. This is clearly an openssl
> bug and has nothing to do with gnutls.

Agreed, and fixed in Debian sid.

> > (D) gnutls-cli-debug not having an --starttls option (is this a bug in
> > gnutls-cli-debug? What is gnutls-cli-debug's Difference from
> > gnutls-cli in the first place?)
>
> Right, gnutls-cli-debug doesn't support starttls. If someone wants to
> work on providing that capability, feel free to submit patches... I
> note that openssl doesn't have any similar tool with starttls support
> either.

This is now Debian Bug #467022

> The difference between gnutls-cli and gnutls-cli-debug is that the
> former is a simple interactive TLS client (with some starttls support)
> and the latter is a non-interactive debug tool.

But it is obviously needed sometimes to debug an application.

> > (F) Vincent Lefevre saying (Message 130), that outgoing messages also
> > reduce entropy.
>
> Which may be true.

It is true, but can be remedied by having exim save the random seed to
a file. However, Andreas' patch makes exim segfault occasionally, and I
have therefore backed out the patch for the time being.

> > (G) Andrew McGlashan finding it impossible to connect to gnutls-serv
> > with incredimail (giving debug output in Message 224).

That one is Debian Bug #459323 and has been pinned down to incredimail
being unable to handle client certificate requests. This can be worked
around by exim configuration and is clearly brokenness on incredimail's
part. Additionally, this incredimail issue also happens when exim (in
Debian's default configuration which requests client certificates, but
does not act on them by default) is compiled against OpenSSL and also
explains why Postfix works.

> > I think this is a good case to show what happens when the error
> > messages are too simple. This bug report is a mess of different issues
> > since GnuTLS obviously returns the same, quite generic, error message
> > text for a number of different issues. People look into the BTS for
> > their error message and attach their issue to the existing bug report,
> > leading to the horrible mess this bug report is. I'd like to use this
> > opportunity to pledge for more distinctive error messages.
>
> Before we know exactly what is the cause for the various problem, we
> can't know what a better error message would be.

I think that if the error message would indicate at which stage of
negotiation the failure occurred it would be great. For example, the
incredimail issue would have been more easily pinned down if the error
message logged on the server would have been something like "A TLS
packet with an unexpected length was received in response to our client
certificate request", or the random MAC padding by "Connection was
dropped by the remote side after we announced that we would like to do
random MAC padding".

> Reporting very narrow error messages is known to lead to security
> problems, where the other side can use different behaviour based on
> different error messages to attack the server. So some caution to
> be very verbose in error message is warranted for security
> applications.

Agreed, but it doesn't hurt to be a little more verbose in the local
logs.

> I'm not sure if this message will help much to move things further.
> There are simply too many completely different problems in this bug
> report, and the original submitter stopped responding long time ago.
> But I tried to answer the questions you raised at least.

I really appreciate that and will try to dissect the bug into its
sub-problems in dedicated BTS entries in the near future. I will also
try to comment on the things that I have snipped in this message in due
time.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190

From mh+gnutls-devel at zugschlus.de Sat Feb 23 22:37:36 2008
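The `openssl s_client -debug` trace quoted in the message above shows a sequencing failure: STARTTLS is sent straight after the greeting with no EHLO, the server answers 503, and the client starts its hello anyway. As an added example (not code from this thread, from OpenSSL, Exim or GnuTLS), the checker below replays a transcript and reports where the STARTTLS order breaks; the function names, the transcript format and the second sample are assumptions made for illustration.

```python
"""Replay an SMTP transcript and report STARTTLS sequencing errors."""

TLS_HANDSHAKE = 0x16  # TLS record content type for handshake messages


def looks_like_tls(payload: bytes) -> bool:
    """True for a TLS handshake record or an SSLv2-compatible ClientHello."""
    if len(payload) < 3:
        return False
    if payload[0] == TLS_HANDSHAKE and payload[1] == 0x03:
        return True
    # SSLv2-style hello: high bit set in the first length byte, message type 1.
    return bool(payload[0] & 0x80) and payload[2] == 0x01


def reply_code(payload: bytes) -> int:
    """Numeric code of an SMTP reply; 0 if the bytes are not an SMTP reply."""
    lines = [line for line in payload.split(b"\r\n") if line]
    head = lines[-1][:3] if lines else b""
    return int(head) if head.isdigit() else 0


def advertises_starttls(payload: bytes) -> bool:
    """True if an EHLO reply lists the STARTTLS extension."""
    return any(line[:3] == b"250" and line[4:].strip().upper() == b"STARTTLS"
               for line in payload.split(b"\r\n"))


def check_starttls(transcript):
    """Return a list of findings; an empty list means the order was valid."""
    findings = []
    advertised = False   # server listed STARTTLS in its EHLO reply
    tls_allowed = False  # server answered 220 to STARTTLS
    pending = None       # client command still waiting for its reply
    for direction, payload in transcript:
        if direction == "C":
            if looks_like_tls(payload):
                if not tls_allowed:
                    findings.append(
                        "TLS handshake sent without a 220 reply to STARTTLS")
                break  # from here on the stream is TLS, not SMTP
            words = payload.split()
            pending = words[0].upper() if words else None
            if pending == b"STARTTLS" and not advertised:
                findings.append("STARTTLS sent before the server advertised it")
        else:
            code = reply_code(payload)
            if pending == b"EHLO" and code == 250:
                advertised = advertises_starttls(payload)
            elif pending == b"STARTTLS":
                tls_allowed = code == 220
                if not tls_allowed:
                    findings.append("server refused STARTTLS with %d" % code)
            pending = None
    return findings


# Payloads taken from the openssl s_client -debug trace quoted above; the
# client hello is cut to its first seven bytes.
TRACE_FROM_POST = [
    ("S", b"220 kniv.josefsson.org ESMTP Exim 4.63 "
          b"Fri, 04 Jan 2008 12:39:16 +0100\r\n"),
    ("C", b"STARTTLS\r\n"),
    ("S", b"503 STARTTLS command used when not advertised\r\n"),
    ("C", bytes.fromhex("808c0103010063")),
]

# Constructed sample of a correctly ordered negotiation (host names invented).
CONSTRUCTED_OK = [
    ("S", b"220 mail.example ESMTP\r\n"),
    ("C", b"EHLO client.example\r\n"),
    ("S", b"250-mail.example Hello client.example\r\n"
          b"250-SIZE 52428800\r\n250-STARTTLS\r\n250 HELP\r\n"),
    ("C", b"STARTTLS\r\n"),
    ("S", b"220 TLS go ahead\r\n"),
    ("C", bytes.fromhex("1603010030")),
]

if __name__ == "__main__":
    for name, sample in (("trace", TRACE_FROM_POST),
                         ("constructed", CONSTRUCTED_OK)):
        print(name, check_starttls(sample) or "ok")
```

Run against a capture from a mail server's side, the same check separates a client that skips EHLO from a genuine TLS library failure before anyone starts reading handshake logs.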
From: mh+gnutls-devel at zugschlus.de (Marc Haber)
Date: Sat, 23 Feb 2008 22:37:36 +0100
Subject: Interoperability issues (Debian Bug #348046)
In-Reply-To: <87tzltbxri.fsf@mocca.josefsson.org>
References: <20080103003901.GA14027@torres.zugschlus.de> <87tzltbxri.fsf@mocca.josefsson.org>
Message-ID: <20080223213736.GA18175@torres.zugschlus.de>

On Fri, Jan 04, 2008 at 01:06:41PM +0100, Simon Josefsson wrote:
> Marc Haber writes:
> > Debian Bug #348046, http://bugs.debian.org/348046
> > =================================================

This bug report has been dissected into different bug reports, a few of
the issues are solved in the mean time. The submitters of the still
open issues have been pinged whether they can still reproduce the
issues at hand with current software.

This dissection has been a major effort, phew, done. There is no need
for the GnuTLS developers to take any more action, Debian will now wait
for the submitters to reply.

> > To me, after cursory inspection, this looks like:
> > (A) Original bug submitter complaining about "A TLS packet with
> > unexpected length was received" when the local Exim is a _client_
> > (Message 5).

This is now #467137, http://bugs.debian.org/467137, submitter pinged

> > (B) jarek saying "me too", but saying that his local Exim says
> > "A TLS packet with unexpected length was received" while his Exim
> > is a _server_ (Message 45)

This is now #467151, http://bugs.debian.org/467151, submitter pinged

> > (C) Ian Zimmerman trying to debug issue (B) but having trouble with
> > gnutls-cli (Message 58)

That is actually OpenSSL bug #221689, http://bugs.debian.org/221689.
Now issue 467138, http://bugs.debian.org/467138, submitter pinged.

> > (E) Marc F. Clemente saying "me too" to (B) (Message 110)

#467152, http://bugs.debian.org/467152. Closed.

> (EE) Vincent Lefevre says (Message 120) that the first message each
> morning fails with this error message too.
>
> One theory here could be some firewall acting up the first time every
> morning, what do you think? As Andreas Metzler says in message 125,
> there is nothing in the entropy code that could explain this. The error
> message is also not entropy related.

This is #467158, http://bugs.debian.org/467158

This is interesting since it is the only issue in this report where the
exim giving the error message is the _client_. My guess is that the
gnutls-params file was just removed and the first sending exim tried to
re-generate the gnutls-params, which is a blocking operation. This has
been mitigated in a later Debian exim package by (a) disabling the
RSAEXPORT ciphers and (b) doing the recalculation of the gnutls-params
asynchronously and only replacing the old file with the new after the
params were fully calculated. Submitter pinged.

> > (F) Vincent Lefevre saying (Message 130), that outgoing messages also
> > reduce entropy.
>
> Which may be true.

Which _is_ true. Is that also addressed by saving the random seed?

> I'd add another item here too:
>
> (FF) Ronny Adsetts reports a problem with a different error message 'A
> record packet with illegal version was received.' and
> '(gnutls_handshake): timed out'.
>
> To me this looks like a connection problem. The first error typically
> happens on data corruption (possibly caused by incorrect STARTTLS
> negotiation) or implementation problems.

Ronny Adsett's issue is #467136, http://bugs.debian.org/467136. He is
reporting this against the ancient version in Debian sarge. I have
pinged him and asked him whether this still happens with any more
current version.

> > (G) Andrew McGlashan finding it impossible to connect to gnutls-serv
> > with incredimail (giving debug output in Message 224).

Incredimail issue, it cannot handle a client certificate request. Can
be remedied by disabling client certificates in exim. Same issue
happens of course when exim is compiled against OpenSSL, definitely not
a GnuTLS issue.

> First, Andrews' configuration seems confusing. He's using
> tls_on_connect_ports on ports 587? No wonder OE doesn't work. I don't
> really understand what's not working and what he wants to do.

Incredimail cannot do STARTTLS and would be better configured to use
port 467. His setup of having 587 as tls_on_connect_port is likely to
break conforming clients, but incredimail doesn't care. Not our issue
here.

> Without more help from the IM community, I'd be inclined to sign this is
> off as a IM problem.

It definitely is.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190

From nmav at gnutls.org Sun Feb 24 09:49:53 2008
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sun, 24 Feb 2008 10:49:53 +0200
Subject: [PATCH] Add gnutls_x509_dn_export.
In-Reply-To: <20080221132012.GA4920@redhat.com>
References: <20080221113917.GA31744@redhat.com> <20080221132012.GA4920@redhat.com>
Message-ID: <47C12FB1.9090101@gnutls.org>

Joe Orton wrote:
> On Thu, Feb 21, 2008 at 11:39:17AM +0000, Joe Orton wrote:
>> This adds another DN function, to export a DN object back to DER. (I
>> only really need a DER export; the value of exporting a DN to PEM format
>> is certainly questionable, but this is allowed for consistency with the
>> other _foo_export functions)
>
> Hmmm, that didn't actually work, and I don't really understand why. Can
> anyone help? This is rather beyond my understanding of ASN.1/libtasn1!
>
> The asn1_der_coding(asn1_data, "") call was failing with the error
> ASN1_ELEMENT_NOT_FOUND in _gnutls_x509_export_int. Is that call not
> supposed to provide the DER coding for the entire node?

I suppose that this has to do with the fact that the type of the
element is CHOICE. Some quirk of the encoder probably.

regards,
Nikos

From simon at josefsson.org Tue Feb 26 10:22:45 2008
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 26 Feb 2008 10:22:45 +0100
Subject: [PATCH] add DN import function
In-Reply-To: <20080220103306.GA4953@redhat.com> (Joe Orton's message of "Wed, 20 Feb 2008 10:33:06 +0000")
References: <20080214203932.GA13991@redhat.com> <200802161125.39339.nmav@gnutls.org> <20080219083117.GA4142@redhat.com> <47BB3B80.8010809@gnutls.org> <20080219205358.GA15854@redhat.com> <87ejb8y3nq.fsf@mocca.josefsson.org> <20080220103306.GA4953@redhat.com>
Message-ID: <87lk58138a.fsf@mocca.josefsson.org>

Joe Orton writes:

> On Tue, Feb 19, 2008 at 11:36:41PM +0100, Simon Josefsson wrote:
>> Joe Orton writes:
>>
>> > On Tue, Feb 19, 2008 at 10:26:40PM +0200, Nikos Mavrogiannopoulos wrote:
>> >> Thank you Joe. I've just added the patch in the development branch. I've
>> >> also added gnutls_x509_dn_init function if this is ok with you.
>> >>
>> >> The commitdiff is:
>> >> http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=9969955bec0da9ce2eff00504156223130e6cb9c
>> >
>> > Looks good, thanks a lot.
>>
>> I believe we need copyright papers signed to be able to accept such a
>> large patch (even if some of it was cut'n'paste). I couldn't find any
>> papers for you on file. Is this OK with you? I can send you the form
>> privately.
>
> This was 99% copied so I wouldn't claim there was any "original work" in
> there, but in any case - Red Hat have a corporate assignment with the
> FSF :)

Ah, I found the assignment now (it was stored under 'Red Hat' not
'RedHat'...). However, it seems that it is required to ask whether this
was contributed as part of your job function? Same goes for the
gnutls_x509_dn_export function.

Thanks and sorry for the hassle,
/Simon

From simon at josefsson.org Tue Feb 26 10:34:44 2008
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 26 Feb 2008 10:34:44 +0100
Subject: openpgpself
In-Reply-To: <96AB0FE3-672D-4AED-99DE-DD076F7FCF89@josefsson.org> (Simon Josefsson's message of "Thu, 21 Feb 2008 22:57:54 +0100")
References: <87r6f6o7rt.fsf@mocca.josefsson.org> <87ir0io70l.fsf@mocca.josefsson.org> <47BDB725.3030401@gmail.com> <96AB0FE3-672D-4AED-99DE-DD076F7FCF89@josefsson.org>
Message-ID: <877igs12ob.fsf@mocca.josefsson.org>

Simon Josefsson writes:

>> On 21 feb 2008, at 18.38, Nikos Mavrogiannopoulos wrote:
>>> Simon Josefsson wrote:
>>>> Hi! I noticed that the openpgpself test failed. I thought it was
>>>> because of using credentials from files, and fixed that (pushed in
>>>> git).
>>>> However, it still doesn't work... ideas?
>>> It works in my system both make check and run it by hand... My
>>> output is attached. If it still has the same problem could you
>>> send me the failed output?
>
> Interesting, I still had the same problem, I'll check it more
> tomorrow. Maybe it was picking up the wrong libgnutls.so from the
> installed path, instead of the one from the build tree... I recall
> similar problems before.

It still fails for me. I checked that it is using the newly built
libgnutls.so. Here is the output. Does this happen for anyone else?
Cc'ing gnutls-devel.

/Simon

client |<2>| Importing Openpgp key and using openpgp sub key: 837b6fb490ad0608
client |<2>| ASSERT: pgp.c:722
client |<2>| ASSERT: privkey.c:459
client |<2>| ASSERT: gnutls_openpgp.c:777
client |<2>| ASSERT: gnutls_openpgp.c:166
client |<2>| ASSERT: privkey.c:982
client |<2>| Importing Openpgp key and using main openpgp key.
client |<2>| ASSERT: pgp.c:1383
client |<2>| Importing Openpgp cert and using main openpgp key
client |<2>| ASSERT: pgp.c:133
client |<3>| HSK[806afe8]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
client |<3>| HSK[806afe8]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
client |<3>| HSK[806afe8]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
client |<3>| HSK[806afe8]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
client |<3>| HSK[806afe8]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
client |<3>| HSK[806afe8]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
client |<3>| HSK[806afe8]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
client |<3>| HSK[806afe8]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
client |<3>| HSK[806afe8]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
client |<3>| HSK[806afe8]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
client |<3>| HSK[806afe8]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
client |<3>| HSK[806afe8]: Removing ciphersuite: DHE_PSK_SHA_AES_128_CBC_SHA1
client |<3>| HSK[806afe8]: Removing ciphersuite: DHE_PSK_SHA_AES_256_CBC_SHA1
client |<3>| HSK[806afe8]: Removing ciphersuite: DHE_PSK_SHA_3DES_EDE_CBC_SHA1
client |<3>| HSK[806afe8]: Removing ciphersuite: DHE_PSK_SHA_ARCFOUR_SHA1
client |<3>| HSK[806afe8]: Removing ciphersuite: SRP_SHA_RSA_AES_128_CBC_SHA1
client |<3>| HSK[806afe8]: Removing ciphersuite: SRP_SHA_RSA_AES_256_CBC_SHA1
client |<3>| HSK[806afe8]: Removing ciphersuite: SRP_SHA_RSA_3DES_EDE_CBC_SHA1
client |<3>| HSK[806afe8]: Removing ciphersuite: SRP_SHA_DSS_AES_128_CBC_SHA1
client |<3>| HSK[806afe8]: Removing ciphersuite: SRP_SHA_DSS_AES_256_CBC_SHA1
client |<3>| HSK[806afe8]: Removing ciphersuite: SRP_SHA_DSS_3DES_EDE_CBC_SHA1
client |<3>| HSK[806afe8]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
client |<3>| HSK[806afe8]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
client |<3>| HSK[806afe8]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
client |<3>| HSK[806afe8]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
client |<3>| HSK[806afe8]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
client |<3>| HSK[806afe8]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
client |<3>| HSK[806afe8]: Keeping ciphersuite: RSA_ARCFOUR_MD5
client |<3>| HSK[806afe8]: Removing ciphersuite: PSK_SHA_AES_128_CBC_SHA1
client |<3>| HSK[806afe8]: Removing ciphersuite: PSK_SHA_AES_256_CBC_SHA1
client |<3>| HSK[806afe8]: Removing ciphersuite: PSK_SHA_3DES_EDE_CBC_SHA1
client |<3>| HSK[806afe8]: Removing ciphersuite: PSK_SHA_ARCFOUR_SHA1
client |<3>| HSK[806afe8]: Removing ciphersuite: SRP_SHA_AES_128_CBC_SHA1
client |<3>| HSK[806afe8]: Removing ciphersuite: SRP_SHA_AES_256_CBC_SHA1
client |<3>| HSK[806afe8]: Removing ciphersuite: SRP_SHA_3DES_EDE_CBC_SHA1
client |<2>| EXT[806afe8]: Sending extension CERT_TYPE
client |<3>| HSK[806afe8]: CLIENT HELLO was send [88 bytes]
client |<6>| BUF[HSK]: Peeked 0 bytes of Data
client |<6>| BUF[HSK]: Emptied buffer
client |<4>| REC[806afe8]: Sending Packet[0] Handshake(22) with length: 88
client |<7>| WRITE: Will write 93 bytes to 5.
client |<7>| WRITE: wrote 93 bytes to 5. Left 0 bytes. Total 93 bytes.
client |<7>| 0000 - 16 03 02 00 58 01 00 00 54 03 02 47 c3 dc db 8f
client |<7>| 0001 - ff 83 ba 01 b8 17 33 ad 35 46 87 85 fb 98 22 d7
client |<7>| 0002 - 6d 11 53 84 a6 e1 0f d1 07 79 82 00 00 24 00 33
client |<7>| 0003 - 00 45 00 39 00 88 00 16 00 32 00 44 00 38 00 87
client |<7>| 0004 - 00 13 00 66 00 2f 00 41 00 35 00 84 00 0a 00 05
client |<7>| 0005 - 00 04 01 00 00 07 00 09 00 03 02 00 01
client |<4>| REC[806afe8]: Sent Packet[1] Handshake(22) with length: 93
server |<7>| READ: Got 5 bytes from 5
server |<7>| READ: read 5 bytes from 5
server |<7>| 0000 - 16 03 02 00 58
server |<7>| RB: Have 0 bytes into buffer. Adding 5 bytes.
server |<7>| RB: Requested 5 bytes
server |<4>| REC[806adb8]: Expected Packet[0] Handshake(22) with length: 1
server |<4>| REC[806adb8]: Received Packet[0] Handshake(22) with length: 88
server |<7>| READ: Got 88 bytes from 5
server |<7>| READ: read 88 bytes from 5
server |<7>| 0000 - 01 00 00 54 03 02 47 c3 dc db 8f ff 83 ba 01 b8
server |<7>| 0001 - 17 33 ad 35 46 87 85 fb 98 22 d7 6d 11 53 84 a6
server |<7>| 0002 - e1 0f d1 07 79 82 00 00 24 00 33 00 45 00 39 00
server |<7>| 0003 - 88 00 16 00 32 00 44 00 38 00 87 00 13 00 66 00
server |<7>| 0004 - 2f 00 41 00 35 00 84 00 0a 00 05 00 04 01 00 00
server |<7>| 0005 - 07 00 09 00 03 02 00 01
server |<7>| RB: Have 5 bytes into buffer. Adding 88 bytes.
server |<7>| RB: Requested 93 bytes
server |<4>| REC[806adb8]: Decrypted Packet[0] Handshake(22) with length: 88
server |<6>| BUF[HSK]: Inserted 88 bytes of Data(22)
server |<6>| BUF[REC][HD]: Read 1 bytes of Data(22)
server |<6>| BUF[REC][HD]: Read 3 bytes of Data(22)
server |<3>| HSK[806adb8]: CLIENT HELLO was received [88 bytes]
server |<6>| BUF[REC][HD]: Read 84 bytes of Data(22)
server |<6>| BUF[HSK]: Peeked 0 bytes of Data
server |<6>| BUF[HSK]: Emptied buffer
server |<6>| BUF[HSK]: Inserted 4 bytes of Data
server |<6>| BUF[HSK]: Inserted 84 bytes of Data
server |<3>| HSK[806adb8]: Client's version: 3.2
server |<2>| ASSERT: gnutls_db.c:239
server |<2>| EXT[806adb8]: Received extension 'CERT_TYPE/9'
server |<2>| EXT[806adb8]: Received extension 'CERT_TYPE/9'
server |<2>| ASSERT: ext_cert_type.c:106
server |<2>| ASSERT: ext_cert_type.c:106
server |<2>| ASSERT: ext_cert_type.c:123
server |<2>| ASSERT: gnutls_handshake.c:2865
server |<1>| Could not find an appropriate certificate: Insufficient credentials for that request.
server |<3>| HSK[806adb8]: Removing ciphersuite: PSK_SHA_ARCFOUR_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: PSK_SHA_3DES_EDE_CBC_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: PSK_SHA_AES_128_CBC_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: PSK_SHA_AES_256_CBC_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: DHE_PSK_SHA_ARCFOUR_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: DHE_PSK_SHA_3DES_EDE_CBC_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: DHE_PSK_SHA_AES_128_CBC_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: DHE_PSK_SHA_AES_256_CBC_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: SRP_SHA_3DES_EDE_CBC_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: SRP_SHA_AES_128_CBC_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: SRP_SHA_AES_256_CBC_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: SRP_SHA_DSS_3DES_EDE_CBC_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: SRP_SHA_RSA_3DES_EDE_CBC_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: SRP_SHA_DSS_AES_128_CBC_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: SRP_SHA_RSA_AES_128_CBC_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: SRP_SHA_DSS_AES_256_CBC_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: SRP_SHA_RSA_AES_256_CBC_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: DHE_DSS_ARCFOUR_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: DHE_DSS_AES_128_CBC_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: DHE_DSS_AES_256_CBC_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: DHE_RSA_AES_128_CBC_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: DHE_RSA_AES_256_CBC_SHA1 server |<3>| HSK[806adb8]: 
Removing ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: RSA_ARCFOUR_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: RSA_ARCFOUR_MD5 server |<3>| HSK[806adb8]: Removing ciphersuite: RSA_3DES_EDE_CBC_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: RSA_AES_128_CBC_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: RSA_AES_256_CBC_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: RSA_CAMELLIA_128_CBC_SHA1 server |<3>| HSK[806adb8]: Removing ciphersuite: RSA_CAMELLIA_256_CBC_SHA1 server |<2>| ASSERT: gnutls_handshake.c:704 server |<2>| ASSERT: gnutls_handshake.c:462 server |<2>| ASSERT: gnutls_handshake.c:2014 server |<2>| ASSERT: gnutls_handshake.c:2542 server |<6>| BUF[HSK]: Cleared Data from buffer client |<7>| READ: Got 0 bytes from 5 client |<7>| READ: read 0 bytes from 5 client |<7>| 0000 - client |<2>| ASSERT: gnutls_buffers.c:638 client |<2>| ASSERT: gnutls_record.c:907 client |<2>| ASSERT: gnutls_buffers.c:1152 client |<2>| ASSERT: gnutls_handshake.c:1021 client |<2>| ASSERT: gnutls_handshake.c:2322 client |<6>| BUF[HSK]: Cleared Data from buffer client: Handshake failed GNUTLS ERROR: A TLS packet with unexpected length was received. Launched, setting DH parameters... server: ready. Listening to port '5556'. Setting key files... Connecting... Self test `./openpgpself' finished with 1 errors Launched, setting DH parameters... server: ready. Listening to port '5556'. server: connection from 127.0.0.1, port 48576 Self test `./openpgpself' finished with 1 errors From simon at josefsson.org Tue Feb 26 13:19:42 2008 
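The debug log posted above can be reduced to what a failure report needs: the last handshake message each side logged and the gnutls_assert() location closest to the failure. The following Python code is an added example, not part of the original message or of GnuTLS; the names triage and summarize are hypothetical, the sample is an excerpt of the posted log, and pairing a level-1 message with the ASSERT entry just before it is a heuristic.

```python
import re

# One debug entry is "<side> |<level>| <message>". The lookahead ends a message
# at the next entry prefix or at end of line, so both the usual one-entry-per-
# line log and a copy whose line breaks were lost in an archive are accepted.
ENTRY = re.compile(
    r"(?P<side>\w+) \|<(?P<level>\d+)>\| ?(?P<msg>.*?)"
    r"(?=\s*\w+ \|<\d+>\||\s*$)",
    re.M,
)
ASSERT = re.compile(r"ASSERT: (?P<file>[\w.-]+):(?P<line>\d+)")
# Handshake milestones, e.g. "HSK[806adb8]: CLIENT HELLO was received [88 bytes]".
# "send" is accepted because that is the spelling used in the posted log.
MILESTONE = re.compile(r"HSK\[[0-9a-f]+\]: (?P<what>.+ was (?:send|sent|received))")

# Excerpt of the log posted in the message above.
SAMPLE = """\
client |<2>| ASSERT: pgp.c:133
client |<3>| HSK[806afe8]: CLIENT HELLO was send [88 bytes]
client |<4>| REC[806afe8]: Sending Packet[0] Handshake(22) with length: 88
server |<3>| HSK[806adb8]: CLIENT HELLO was received [88 bytes]
server |<3>| HSK[806adb8]: Client's version: 3.2
server |<2>| ASSERT: gnutls_db.c:239
server |<2>| EXT[806adb8]: Received extension 'CERT_TYPE/9'
server |<2>| ASSERT: ext_cert_type.c:106
server |<2>| ASSERT: ext_cert_type.c:123
server |<2>| ASSERT: gnutls_handshake.c:2865
server |<1>| Could not find an appropriate certificate: Insufficient credentials for that request.
server |<2>| ASSERT: gnutls_handshake.c:704
server |<2>| ASSERT: gnutls_handshake.c:2542
client |<7>| READ: Got 0 bytes from 5
client |<2>| ASSERT: gnutls_buffers.c:638
client |<2>| ASSERT: gnutls_record.c:907
client |<2>| ASSERT: gnutls_handshake.c:2322
client: Handshake failed
GNUTLS ERROR: A TLS packet with unexpected length was received.
"""


def triage(log_text):
    """Return {side: {"stage", "asserts", "errors"}} for a GnuTLS debug log."""
    sides = {}
    for m in ENTRY.finditer(log_text):
        s = sides.setdefault(
            m["side"], {"stage": None, "asserts": [], "errors": []})
        msg, level = m["msg"], int(m["level"])
        hit = MILESTONE.match(msg)
        if hit:
            # A new handshake message was processed, so asserts logged before
            # it did not end the handshake; start a fresh chain.
            s["stage"] = hit["what"]
            s["asserts"] = []
            continue
        hit = ASSERT.match(msg)
        if hit:
            s["asserts"].append(f'{hit["file"]}:{hit["line"]}')
        elif level <= 1:
            # Heuristic: the ASSERT logged just before a level-1 message is
            # the most likely place where its error code was generated.
            origin = s["asserts"][-1] if s["asserts"] else None
            s["errors"].append((msg, origin))
    return sides


def summarize(sides):
    """One stage-aware line per finding, suitable for a local log or bug report."""
    lines = []
    for side, s in sides.items():
        stage = s["stage"] or "no handshake message yet"
        for msg, origin in s["errors"]:
            lines.append(
                f"{side}: after '{stage}', {origin or 'unknown location'}: {msg}")
        if not s["errors"] and s["asserts"]:
            lines.append(
                f"{side}: after '{stage}', last assert {s['asserts'][-1]} "
                "(no level-1 message)")
    return lines


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE)):
        print(line)
```

The summary stays in local output, so it adds detail for the operator without changing what the peer sees on the wire.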
From: simon at josefsson.org (Simon Josefsson) Date: Tue, 26 Feb 2008 13:19:42 +0100 Subject: GnuTLS 2.3.2 Message-ID: <87r6ezq59d.fsf@mocca.josefsson.org> The GnuTLS 2.3.x branch is NOT what you want for your stable system. It is intended for developers and experienced users. I tried to make sure there are no ABI/ABI modifications/deletions in this compared to v2.2.x, but as the changes have been quite large, I may have missed something. Note that we don't guarantee ABI compatibility during development releases, so if there are ABI breaks in this release, we'll consider those bugs and revert them, rather than bumping the ABI. Also, we need to figure out how the LGPL opencdk should be handled. The only LGPL'ed opencdk is the one included in this release. There should probably be an external release of this code. News in this release: * Version 2.3.2 (released 2008-02-26) ** Fix srcdir!=objdir failure in openpgpself test. ** Improved API documentation output from GTK-DOC. ** Added gnutls_x509_dn_export(). Patch by Joe Orton. ** Renamed gnutls_certificate_export_x509_cas and friends. See . ** Internal header files cleanup. ** API and ABI modifications: gnutls_certificate_export_x509_cas: RENAMED to gnutls_certificate_get_x509_cas gnutls_certificate_export_x509_crls: RENAMED to gnutls_certificate_get_x509_crls gnutls_certificate_export_openpgp_keyring: RENAMED to gnutls_certificate_get_openpgp_keyring gnutls_x509_dn_export: ADDED The goals for the 2.3.x branch are tracked at: http://trac.gnutls.org/cgi-bin/trac.cgi/milestone/gnutls-2.4 More ideas are welcome, just create a new ticket. Here are the compressed sources: http://alpha.gnu.org/gnu/gnutls/gnutls-2.3.2.tar.gz ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.3.2.tar.gz Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. 
Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. /Simon From simon at josefsson.org Tue Feb 26 16:05:41 2008 From: simon at josefsson.org (Simon Josefsson) Date: Tue, 26 Feb 2008 16:05:41 +0100 Subject: Google Summer of Code 2008 Message-ID: <8763wb7o6y.fsf@mocca.josefsson.org> All, It is likely that GnuTLS will participate in the Google Summer of Code. The application process isn't open yet, but I created a wiki page where you can suggest things to do as a GSOC project. If you are interested in participating, let me know! http://trac.gnutls.org/cgi-bin/trac.cgi/wiki/SoC2008 /Simon From simon at josefsson.org Tue Feb 26 17:59:22 2008 
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 26 Feb 2008 17:59:22 +0100
Subject: Interoperability issues (Debian Bug #348046)
In-Reply-To: <20080223094735.GA3944@torres.zugschlus.de> (Marc Haber's message of "Sat, 23 Feb 2008 10:47:35 +0100")
References: <20080103003901.GA14027@torres.zugschlus.de> <87tzltbxri.fsf@mocca.josefsson.org> <20080223094735.GA3944@torres.zugschlus.de>
Message-ID: <878x17zmad.fsf@mocca.josefsson.org>

Marc Haber writes:

>> In other words, openssl doesn't implement the TLS over SMTP protocol
>> properly, and exim4 rejects the connection. This is clearly an openssl
>> bug and has nothing to do with gnutls.
>
> Agreed, and fixed in Debian sid.

Great.

>> > (D) gnutls-cli-debug not having an --starttls option (is this a bug in
>> > gnutls-cli-debug? What is gnutls-cli-debug's Difference from
>> > gnutls-cli in the first place?)
>>
>> Right, gnutls-cli-debug doesn't support starttls. If someone wants to
>> work on providing that capability, feel free to submit patches... I
>> note that openssl doesn't have any similar tool with starttls support
>> either.
>
> This is now Debian Bug #467022

Thanks.

>> The difference between gnutls-cli and gnutls-cli-debug is that the
>> former is a simple interactive TLS client (with some starttls support)
>> and the latter is a non-interactive debug tool.
>
> But it is obviously needed sometimes to debug an application.

Yeah. It may be simpler to merge the gnutls-cli-debug functionality
into gnutls-cli -- the gnutls-cli-debug tool is quite limited and
doesn't handle certificates or anything. The report is also rather
incorrect in some situations.

>> > (F) Vincent Lefevre saying (Message 130), that outgoing messages also
>> > reduce entropy.
>>
>> Which may be true.
>
> It is true, but can be remedied by having exim save the random seed to
> a file. However, Andreas' patch makes exim segfault occasionally, and
> I have therefore backed out the patch for the time being.

Ok.
I think a random seed is the right solution here.

>> > (G) Andrew McGlashan finding it impossible to connect to gnutls-serv
>> > with incredimail (giving debug output in Message 224).
>
> That one is Debian Bug #459323 and has been pinned down to incredimail
> being unable to handle client certificate requests. This can be worked
> around by exim configuration and is clearly brokenness on
> incredimail's part. Additionally, this incredimail issue also happens
> when exim (in Debian's default configuration which requests client
> certificates, but does not act on them by default) is compiled
> against OpenSSL and also explains why Postfix works.

Interesting. Maybe some documentation on this issue is warranted,
especially if it affects other implementations than incredimail as well.

>> > I think this is a good case to show what happens when the error
>> > messages are too simple. This bug report is a mess of different issues
>> > since GnuTLS obviously returns the same, quite generic, error message
>> > text for a number of different issues. People look into the BTS for
>> > their error message and attach their issue to the existing bug report,
>> > leading to the horrible mess this bug report is. I'd like to use this
>> > opportunity to pledge for more distinctive error messages.
>>
>> Before we know exactly what is the cause for the various problems, we
>> can't know what a better error message would be.
>
> I think that if the error message would indicate at which stage of
> negotiation the failure occurred it would be great.
>
> For example, the incredimail issue would have been more easily pinned
> down if the error message logged on the server would have been
> something like "A TLS packet with an unexpected length was received in
> response to our client certificate request", or the random MAC padding
> by "Connection was dropped by the remote side after we announced that
> we would like to do random MAC padding".
One "problem" with TLS is that each packet contains many requests so it
can be difficult to know what triggered the problem. The handshake is
typically just two round trips.

However, to be able to improve the error messages here, I need to know
where in gnutls the error code was generated. A debug log containing
the gnutls_assert() outputs from where the error code is generated is
needed.

>> Reporting very narrow error messages is known to lead to security
>> problems, where the other side can use different behaviour based on
>> different error messages to attack the server. So some caution to
>> be very verbose in error message is warranted for security
>> applications.
>
> Agreed, but it doesn't hurt to be a little more verbose in the local
> logs.

Sure.

>> I'm not sure if this message will help much to move things further.
>> There are simply too many completely different problems in this bug
>> report, and the original submitter stopped responding long time ago.
>> But I tried to answer the questions you raised at least.
>
> I really appreciate that and will try to dissect the bug into its
> sub-problems in dedicated BTS entries in the near future. I will also
> try to comment on the things that I have snipped in this message in
> due time.

Many thanks for your diligent work!

/Simon

From simon at josefsson.org Tue Feb 26 18:09:28 2008
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 26 Feb 2008 18:09:28 +0100
Subject: Interoperability issues (Debian Bug #348046)
In-Reply-To: <20080223213736.GA18175@torres.zugschlus.de> (Marc Haber's message of "Sat, 23 Feb 2008 22:37:36 +0100")
References: <20080103003901.GA14027@torres.zugschlus.de> <87tzltbxri.fsf@mocca.josefsson.org> <20080223213736.GA18175@torres.zugschlus.de>
Message-ID: <874pbvzltj.fsf@mocca.josefsson.org>

Marc Haber writes:

>> (EE) Vincent Lefevre says (Message 120) that the first message each
>> morning fails with this error message too.
>>
>> One theory here could be some firewall acting up the first time every
>> morning, what do you think? As Andreas Metzler says in message 125,
>> there is nothing in the entropy code that could explain this. The error
>> message is also not entropy related.
>
> This is #467158, http://bugs.debian.org/467158
>
> This is interesting since it is the only issue in this report where
> the exim giving the error message is the _client_. My guess is that
> the gnutls-params file was just removed and the first sending exim
> tried to re-generate the gnutls-params, which is a blocking operation.
>
> This has been mitigated in a later Debian exim package by (a)
> disabling the RSAEXPORT ciphers and (b) doing the recalculation of the
> gnutls-params asynchronously and only replacing the old file with the
> new after the params were fully calculated. Submitter pinged.

Generally, I am curious what the justification of re-generating the
gnutls-params are in the first place?

Doesn't "gnutls-params" refer to the diffie-hellman parameters? I
recall that some people say you never need to regenerate them at all,
and I haven't seen anyone recommend that you do regenerate them. I
haven't seen any other gnutls application servers generate
diffie-hellman parameters.

>> > (F) Vincent Lefevre saying (Message 130), that outgoing messages also
>> > reduce entropy.
>>
>> Which may be true.
>
> Which _is_ true.
Is that also addressed by saving the random seed?

Yes. Each encryption of application data needs one byte of random
(urandom quality) data, for random message length padding.

>> > (G) Andrew McGlashan finding it impossible to connect to gnutls-serv
>> > with incredimail (giving debug output in Message 224).
>
> Incredimail issue, it cannot handle a client certificate request. Can
> be remedied by disabling client certificates in exim. Same issue
> happens of course when exim is compiled against OpenSSL, definitely
> not a GnuTLS issue.

Btw, how do you disable client certificate requests in exim? Is it
possible without recompilation?

/Simon

From simon at josefsson.org Tue Feb 26 18:14:43 2008
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 26 Feb 2008 18:14:43 +0100
Subject: gnutls with pkcs
In-Reply-To: <20080128172003.GG27218@cryo.net.ru> (Pavlov Konstantin's message of "Mon, 28 Jan 2008 20:20:03 +0300")
References: <20080128172003.GG27218@cryo.net.ru>
Message-ID: <87zltny70c.fsf@mocca.josefsson.org>

Pavlov Konstantin writes:

> Hello, what's the current status of PKCS support in GnuTLS?
>
> 1.7 branch
> (http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=shortlog;h=gnutls_1_7_14_with_pkcs11)
> seems being abandoned.

The following APIs were pulled into the stable release based on that
branch:

  typedef int (*gnutls_sign_func) (gnutls_session_t session,
                                   void *userdata,
                                   gnutls_certificate_type_t cert_type,
                                   const gnutls_datum_t * cert,
                                   const gnutls_datum_t * hash,
                                   gnutls_datum_t * signature);

  void gnutls_sign_callback_set (gnutls_session_t session,
                                 gnutls_sign_func sign_func,
                                 void *userdata);

  gnutls_sign_func gnutls_sign_callback_get (gnutls_session_t session,
                                             void **userdata);

Those APIs allow you to connect GnuTLS with any PKCS#11 mechanism, but
you need to do the PKCS11 glue work.

The gnutls-pkcs11 library that did the glue work is not included with
GnuTLS today. The reason is that libgnutls-pkcs11 is linked to Scute at
compile-time. That works fine if you want to use OpenPGP cards, but if
you want to use another PKCS#11 mechanism, you have to recompile the
library. That wasn't very flexible, and it didn't feel finished enough
to include in the stable branch.

Possibly the library could use dlopen instead, opening a library
requested by the application.

Does this answer the question? Are you interested in seeing the
gnutls-pkcs11 library merged? We could look into what it would take to
dlopen some library that the application requested.

/Simon

From simon at josefsson.org Tue Feb 26 18:17:44 2008
From: simon at josefsson.org (Simon Josefsson) Date: Tue, 26 Feb 2008 18:17:44 +0100 Subject: openpgp + subkeys In-Reply-To: <200801161906.15588.nmav@gnutls.org> (Nikos Mavrogiannopoulos's message of "Wed, 16 Jan 2008 19:06:15 +0200") References: <200801161906.15588.nmav@gnutls.org> Message-ID: <87ve4by6vb.fsf@mocca.josefsson.org> Nikos Mavrogiannopoulos writes: > I've been working a bit lately on the openpgp support of gnutls. The planned > changes are: > 1. To handle subkeys > 2. To list/generate keyrings using certtool > 3. To list openpgp certificates/keys using certtool > > The first is partially completed. However I've come across a limitation of the > current protocol for openpgp keys (rfc5081). It seems currently there is no > way to indicate to the peer which subkey to use, thus always the primary key > has to be used. :-( > Moreover it states that the key has to be marked for authentication, but it > seems there is no way to arbitrarily mark a public key with gpg (or I > couldn't find it). Is this a gnupg problem? I assume the OpenPGP spec allows it. I recall GnuPG asked me about authentication/encryption/etc keys when I used a smart card with GnuPG. So maybe it is possible. Ask on the gnupg list? > For this reason now on the stable release we always use the primary key and > ignore the flags of the public keys. Ok. > On the development release I plan to implement a subkey negotiation -by > sending a keyid at the initial hello messages to indicate the (sub)key that > will be used during this handshake. This is finished now, right? > I was also investigating to using the first subkey with authentication flag > set, but it seems this approach is not that optimal. Other subkeys might be > present and the selection of the first seems arbitrary. Thus I'm most in > favour of the first solution. > > What do you think? Any other ideas or comments? Is there any recommendations from the openpgp spec? 
It seems the question of which subkey to use would come up for every openpgp implementation. /Simon From alon.barlev at gmail.com Tue Feb 26 19:58:41 2008 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Tue, 26 Feb 2008 20:58:41 +0200 Subject: gnutls with pkcs In-Reply-To: <87zltny70c.fsf@mocca.josefsson.org> References: <20080128172003.GG27218@cryo.net.ru> <87zltny70c.fsf@mocca.josefsson.org> Message-ID: <9e0cf0bf0802261058j5f2dd192m2b92d0f00fbe4db9@mail.gmail.com> On 2/26/08, Simon Josefsson wrote: > Possibly the library could use dlopen instead, opening a library > requested by the application. Note that it should also determine the use or sign verify or sign, handle session expiration, token removal, token re-insert, more than one object with same authentication, more than one token at the same time, bugs of many providers and more... Regards, Alon. From nmav at gnutls.org Tue Feb 26 21:24:23 2008 
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 26 Feb 2008 22:24:23 +0200
Subject: openpgp + subkeys
In-Reply-To: <87ve4by6vb.fsf@mocca.josefsson.org>
References: <200801161906.15588.nmav@gnutls.org> <87ve4by6vb.fsf@mocca.josefsson.org>
Message-ID: <47C47577.9090509@gnutls.org>

Simon Josefsson wrote:
> Nikos Mavrogiannopoulos writes:
>
>> I've been working a bit lately on the openpgp support of gnutls. The planned
>> changes are:
>> 1. To handle subkeys
>> 2. To list/generate keyrings using certtool
>> 3. To list openpgp certificates/keys using certtool
>>
>> The first is partially completed. However I've come across a limitation of the
>> current protocol for openpgp keys (rfc5081). It seems currently there is no
>> way to indicate to the peer which subkey to use, thus always the primary key
>> has to be used.
>
> :-(

I've already issued a fixed rfc5081bis that is used in the released
code (devel).

> Is this a gnupg problem? I assume the OpenPGP spec allows it.
> I recall GnuPG asked me about authentication/encryption/etc keys when I
> used a smart card with GnuPG. So maybe it is possible. Ask on the
> gnupg list?

It seems I should...

>> On the development release I plan to implement a subkey negotiation -by
>> sending a keyid at the initial hello messages to indicate the (sub)key that
>> will be used during this handshake.
> This is finished now, right?

indeed.

> Is there any recommendations from the openpgp spec? It seems the
> question of which subkey to use would come up for every openpgp
> implementation.

No unfortunately not.

regards,
Nikos

From mh+gnutls-devel at zugschlus.de Tue Feb 26 23:27:39 2008
From: mh+gnutls-devel at zugschlus.de (Marc Haber)
Date: Tue, 26 Feb 2008 23:27:39 +0100
Subject: Interoperability issues (Debian Bug #348046)
In-Reply-To: <878x17zmad.fsf@mocca.josefsson.org>
References: <20080103003901.GA14027@torres.zugschlus.de> <87tzltbxri.fsf@mocca.josefsson.org> <20080223094735.GA3944@torres.zugschlus.de> <878x17zmad.fsf@mocca.josefsson.org>
Message-ID: <20080226222739.GD1918@torres.zugschlus.de>

On Tue, Feb 26, 2008 at 05:59:22PM +0100, Simon Josefsson wrote:
> Marc Haber writes:
> >> > (G) Andrew McGlashan finding it impossible to connect to gnutls-serv
> >> > with incredimail (giving debug output in Message 224).
> >
> > That one is Debian Bug #459323 and has been pinned down to incredimail
> > being unable to handle client certificate requests. This can be worked
> > around by exim configuration and is clearly brokenness on
> > incredimail's part. Additionally, this incredimail issue also happens
> > when exim (in Debian's default configuration which requests client
> > certificates, but does not act on them by default) is compiled
> > against OpenSSL and also explains why Postfix works.
>
> Interesting. Maybe some documentation on this issue is warranted,
> especially if it affects other implementations than incredimail as well.

I have documented this in Debian exim4's README.Debian.

> > For example, the incredimail issue would have been more easily pinned
> > down if the error message logged on the server would have been
> > something like "A TLS packet with an unexpected length was received in
> > response to our client certificate request", or the random MAC padding
> > by "Connection was dropped by the remote side after we announced that
> > we would like to do random MAC padding".
>
> One "problem" with TLS is that each packet contains many requests so it
> can be difficult to know what triggered the problem. The handshake is
> typically just two round trips.
Is it possible to stretch the handshake for debugging purposes to obtain more accurate errors in a lab setup? > However, to be able to improve the error messages here, I need to know > where in gnutls the error code was generated. A debug log containing > the gnutls_assert() outputs from where the error code is generated is > needed. I have the lab setup still available. Do I need to recompile GnuTLS (and libgcrypt?) in order to obtain the gnutls_assert() outputs? What do I do to do this? > Many thanks for your diligent work! You're welcome. Greetings Marc -- ----------------------------------------------------------------------------- Marc Haber | "I don't trust Computers. They | Mailadresse im Header Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834 Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190 From mh+gnutls-devel at zugschlus.de Tue Feb 26 23:33:21 2008 
From: mh+gnutls-devel at zugschlus.de (Marc Haber)
Date: Tue, 26 Feb 2008 23:33:21 +0100
Subject: Interoperability issues (Debian Bug #348046)
In-Reply-To: <874pbvzltj.fsf@mocca.josefsson.org>
References: <20080103003901.GA14027@torres.zugschlus.de> <87tzltbxri.fsf@mocca.josefsson.org> <20080223213736.GA18175@torres.zugschlus.de> <874pbvzltj.fsf@mocca.josefsson.org>
Message-ID: <20080226223321.GE1918@torres.zugschlus.de>

On Tue, Feb 26, 2008 at 06:09:28PM +0100, Simon Josefsson wrote:
> Marc Haber writes:
> >> (EE) Vincent Lefevre says (Message 120) that the first message each
> >> morning fails with this error message too.
> >>
> >> One theory here could be some firewall acting up the first time every
> >> morning, what do you think? As Andreas Metzler says in message 125,
> >> there is nothing in the entropy code that could explain this. The error
> >> message is also not entropy related.
> >
> > This is #467158, http://bugs.debian.org/467158
> >
> > This is interesting since it is the only issue in this report where
> > the exim giving the error message is the _client_. My guess is that
> > the gnutls-params file was just removed and the first sending exim
> > tried to re-generate the gnutls-params, which is a blocking operation.
> >
> > This has been mitigated in a later Debian exim package by (a)
> > disabling the RSAEXPORT ciphers and (b) doing the recalculation of the
> > gnutls-params asynchronously and only replacing the old file with the
> > new after the params were fully calculated. Submitter pinged.
>
> Generally, I am curious what the justification of re-generating the
> gnutls-params are in the first place?

Exim upstream recommends this, and since Philip often claims that he
knows little about TLS, he must have read this in some docs. This is
documented in exim's spec.txt chapter 39.3.

> Doesn't "gnutls-params" refer to the diffie-hellman parameters?
The gnutls-params file used to contain diffie-hellman parameters and
some parameters necessary for RSAEXPORT, the latter having been removed
by Florian Weimer's patch a few months ago.

> >> > (G) Andrew McGlashan finding it impossible to connect to gnutls-serv
> >> > with incredimail (giving debug output in Message 224).
> >
> > Incredimail issue, it cannot handle a client certificate request. Can
> > be remedied by disabling client certificates in exim. Same issue
> > happens of course when exim is compiled against OpenSSL, definitely
> > not a GnuTLS issue.
>
> Btw, how do you disable client certificate requests in exim? Is it
> possible without recompilation?

Yes, that's a run-time configuration. The global tls_try_verify_hosts
option (which is by default unset) has a host list, and if a connecting
host is listed in this host list, exim requests a certificate, checks
it against the CA certificates configured, logs the result, but does
not abort the connection if the presented certificate is "invalid".
Debian's exim4 packages set this to "*", enabling the certificate
request globally, but offer an easy method to override this.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190

From simon at josefsson.org Wed Feb 27 00:35:25 2008
From: simon at josefsson.org (Simon Josefsson) Date: Wed, 27 Feb 2008 00:35:25 +0100 Subject: optimization of reading many CA certificates Message-ID: <8763wbxpdu.fsf@mocca.josefsson.org> In case anyone find these kind of things interesting, I debugged an inefficiency in gnutls wrt importing many CA certificates, and blogged how I did it: http://blog.josefsson.org/2008/02/27/real-world-performance-tuning-with-callgrind/ /Simon From n.mavrogiannopoulos at gmail.com Wed Feb 27 10:34:29 2008 From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos) Date: Wed, 27 Feb 2008 11:34:29 +0200 Subject: optimization of reading many CA certificates In-Reply-To: <8763wbxpdu.fsf@mocca.josefsson.org> References: <8763wbxpdu.fsf@mocca.josefsson.org> Message-ID: On Wed, Feb 27, 2008 at 1:35 AM, Simon Josefsson wrote: > In case anyone find these kind of things interesting, I debugged an > inefficiency in gnutls wrt importing many CA certificates, and blogged > how I did it: > > http://blog.josefsson.org/2008/02/27/real-world-performance-tuning-with-callgrind/ Very nice work! From n.mavrogiannopoulos at gmail.com Wed Feb 27 22:07:02 2008 
From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos)
Date: Wed, 27 Feb 2008 23:07:02 +0200
Subject: Problems with specific certificate/key (Debian Bug #426013)
In-Reply-To: <20080227174940.GA1479@campbell-lange.net>
References: <20080227174940.GA1479@campbell-lange.net>
Message-ID: <47C5D0F6.2060506@gmail.com>

Mark Adams wrote:
> On Jan 3, 2008 2:36 AM, Marc Haber wrote:

> I'm using gnutls 2.0.4 at present (this is the current debian testing
> version). Is it possibly a known issue with this version? I can not
> install the new version at present, as this is a production server. I
> will be able to test this if you think it will correct the issue.
>
> For reference, gnutls-serv and gnutl-client work with this cert/key
> pair. I can run the server fine using;
>
> gnutls-serv --debug 5 --x509keyfile myhost_net.key --x509certfile myhost_net.crt
>
> And the client can connect using;
>
> gnutls-cli -p 5556 mail.myhost.net
>
> however, when using certtool -i < my key file fails with the base 64
> decoding error.

This is normal. The -i parameter only reads certificates. You should use
the -k option to parse the key. Do you use the same file to hold the key
and the certificate? Also in your tests please use the -d 2 parameter to
output more verbose information.

regards,
Nikos

From mark at campbell-lange.net Wed Feb 27 18:49:40 2008
From: mark at campbell-lange.net (Mark Adams)
Date: Wed, 27 Feb 2008 17:49:40 +0000
Subject: Problems with specific certificate/key (Debian Bug #426013)
Message-ID: <20080227174940.GA1479@campbell-lange.net>

On Jan 3, 2008 2:36 AM, Marc Haber wrote:
> Hi,
>
> Simon writes:
> > Appears to be an unreproducible problem with a specific
> > certificate/key which the user cannot reveal. Another
> > certificate/key
> > from the same CA works fine. Theory: could it be CRLF problems?
> > Other
> > non-ASCII characters in the file? Nothing indicates a real GnuTLS
> > problem here.
> > Conclusion: Likely not a GnuTLS problem.
>
> I think that this conclusion was built too fast, but we do not have
> sufficient information to know this.
>
> The original reporter has said in the mean time that there are no
> non-ascii chars in the file and that there are no CRLF issues here.
> Currently, it is suspected that GnuTLS has issues with the fact that
> the certificate is a wildcard certificate.

>By reading this report, I'm really curious which gnutls version is used,
>and
>
>whether the gnutls-serv and exim are linked on the same version of
>gnutls.
>Does this occur if exim is linked on gnutls 2.2?
>

I'm using gnutls 2.0.4 at present (this is the current debian testing
version). Is it possibly a known issue with this version? I can not
install the new version at present, as this is a production server. I
will be able to test this if you think it will correct the issue.

For reference, gnutls-serv and gnutl-client work with this cert/key
pair. I can run the server fine using;

gnutls-serv --debug 5 --x509keyfile myhost_net.key --x509certfile myhost_net.crt

And the client can connect using;

gnutls-cli -p 5556 mail.myhost.net

however, when using certtool -i < my key file fails with the base 64
decoding error.

certtool: Import error: Base64 decoding error.

>
>regards,
>Nikos

Thanks for your interest,

Regards
Mark

From mark at campbell-lange.net Thu Feb 28 13:51:46 2008
From: mark at campbell-lange.net (Mark Adams)
Date: Thu, 28 Feb 2008 12:51:46 +0000
Subject: Problems with specific certificate/key (Debian Bug #426013)
In-Reply-To: <47C5D0F6.2060506@gmail.com>
References: <20080227174940.GA1479@campbell-lange.net> <47C5D0F6.2060506@gmail.com>
Message-ID: <20080228125146.GA12714@campbell-lange.net>

On Wed, Feb 27, 2008 at 11:07:02PM +0200, Nikos Mavrogiannopoulos wrote:
> Mark Adams wrote:
>> On Jan 3, 2008 2:36 AM, Marc Haber wrote:
>
>> I'm using gnutls 2.0.4 at present (this is the current debian testing
>> version). Is it possibly a known issue with this version? I can not
>> install the new version at present, as this is a production server. I
>> will be able to test this if you think it will correct the issue.
>>
>> For reference, gnutls-serv and gnutl-client work with this cert/key
>> pair. I can run the server fine using;
>>
>> gnutls-serv --debug 5 --x509keyfile myhost_net.key --x509certfile myhost_net.crt
>>
>> And the client can connect using;
>>
>> gnutls-cli -p 5556 mail.myhost.net
>>
>> however, when using certtool -i < my key file fails with the base 64
>> decoding error.
>
> This is normal. The -i parameter only reads certificates. You should use
> the -k option to parse the key. Do you use the same file to hold the key
> and the certificate? Also in your tests please use the -d 2 parameter to
> output more verbose information.
>
> regards,
> Nikos

Hi, I have run this and all appears fine, please advise what output you
require.

Please also advise what other tests I can run

Regards
Mark

From mark at campbell-lange.net Thu Feb 28 14:26:42 2008
From: mark at campbell-lange.net (Mark Adams)
Date: Thu, 28 Feb 2008 13:26:42 +0000
Subject: Problems with specific certificate/key (Debian Bug #426013)
In-Reply-To: <20080228125146.GA12714@campbell-lange.net>
References: <20080227174940.GA1479@campbell-lange.net> <47C5D0F6.2060506@gmail.com> <20080228125146.GA12714@campbell-lange.net>
Message-ID: <20080228132642.GA15966@campbell-lange.net>

On Thu, Feb 28, 2008 at 12:51:46PM +0000, Mark Adams wrote:
> On Wed, Feb 27, 2008 at 11:07:02PM +0200, Nikos Mavrogiannopoulos wrote:
> > Mark Adams wrote:
> >> On Jan 3, 2008 2:36 AM, Marc Haber wrote:
> >
> >> I'm using gnutls 2.0.4 at present (this is the current debian testing
> >> version). Is it possibly a known issue with this version? I can not
> >> install the new version at present, as this is a production server. I
> >> will be able to test this if you think it will correct the issue.
> >>
> >> For reference, gnutls-serv and gnutl-client work with this cert/key
> >> pair. I can run the server fine using;
> >>
> >> gnutls-serv --debug 5 --x509keyfile myhost_net.key --x509certfile myhost_net.crt
> >>
> >> And the client can connect using;
> >>
> >> gnutls-cli -p 5556 mail.myhost.net
> >>
> >> however, when using certtool -i < my key file fails with the base 64
> >> decoding error.
> >
> > This is normal. The -i parameter only reads certificates. You should use
> > the -k option to parse the key. Do you use the same file to hold the key
> > and the certificate? Also in your tests please use the -d 2 parameter to
> > output more verbose information.
> >
> > regards,
> > Nikos
>
> Hi, I have run this and all appears fine, please advise what output you
> require.
>
> Please also advise what other tests I can run
>
> Regards
> Mark

I can confirm that it is the right format from this test;

Public Key Info:
Public Key Algorithm: RSA

Mark
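
Added example, not part of the original thread and not GnuTLS code: a small pre-check for the questions raised in this thread (CRLF line endings, non-ASCII bytes, key and certificate held in one file, and whether a block belongs to certtool -i or -k as Nikos's reply describes). The names inspect_pem, make_pem, KEY_PAYLOAD, CERT_PAYLOAD and COMBINED are hypothetical, and the sample input is constructed placeholder data, not real DER.

```python
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def inspect_pem(data: bytes) -> dict:
    """List the PEM blocks in a file and flag CRLF, non-ASCII and base64 faults."""
    report = {"crlf": b"\r\n" in data,
              "non_ascii": any(byte > 0x7F for byte in data),
              "blocks": []}
    for match in PEM_BLOCK.finditer(data):
        label = match.group(1).decode("ascii")
        # Skip RFC 1421 header lines (e.g. Proc-Type) found in encrypted keys.
        body = b"".join(line.strip() for line in match.group(2).splitlines()
                        if b":" not in line)
        try:
            der_len, base64_ok = len(base64.b64decode(body, validate=True)), True
        except binascii.Error:
            der_len, base64_ok = 0, False
        if label == "CERTIFICATE":
            option = "-i"   # certificates, per the thread
        elif label.endswith("PRIVATE KEY"):
            option = "-k"   # keys, per the thread
        else:
            option = None   # other block types are outside the thread's scope
        report["blocks"].append({"label": label, "base64_ok": base64_ok,
                                 "der_len": der_len, "certtool": option})
    return report

# Constructed sample input: placeholder payloads, not real DER or key material.
KEY_PAYLOAD = b"constructed placeholder standing in for key DER"
CERT_PAYLOAD = b"constructed placeholder standing in for certificate DER"

def make_pem(label: bytes, payload: bytes, eol: bytes = b"\n") -> bytes:
    """Wrap a payload in PEM armor with the chosen line ending."""
    body = base64.encodebytes(payload).strip().replace(b"\n", eol)
    return eol.join([b"-----BEGIN " + label + b"-----", body,
                     b"-----END " + label + b"-----", b""])

COMBINED = (make_pem(b"RSA PRIVATE KEY", KEY_PAYLOAD)
            + make_pem(b"CERTIFICATE", CERT_PAYLOAD))

if __name__ == "__main__":
    for block in inspect_pem(COMBINED)["blocks"]:
        print(block)
```

The check reads only the PEM armor and the base64 layer, so it does not parse the DER inside each block; a block that passes here can still be rejected by certtool.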