[gnutls-devel] gnutls 3.5.5
Andreas Metzler
ametzler at bebt.de
Sat Oct 22 11:58:03 CEST 2016
On 2016-10-22 Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> On Fri, 2016-10-21 at 20:08 +0200, Stefan Bühler wrote:
> > I'd like to point out that gnutls_certificate_set_key* had an API
> > incompatible change: they now might return integers > 0 when
> > successful,
> > which breaks previously documented behaviour of always returning
> > GNUTLS_E_SUCCESS (i.e. 0).
[...]
> My expectation was that few software will check for equality with zero,
> mainly due to the examples which use the <0 pattern, and that even if
> they did, the fact that the first certificate index would be zero, will
> mitigate any issue (most applications load a single certificate).
> Do you think this is going to cause issues? Most likely we can still
> revert the change by introducing a flag in
> gnutls_certificate_set_flags() which can enable the behavior of
> returning indexes, instead of returning them by default.
Hello,
I have just started browsing over
<https://codesearch.debian.net/search?q=gnutls_certificate_set_%5B%5E+%5D*key>.
While checking for ret < 0 is common, some software does not:
exim:
    #define exim_gnutls_err_check(Label) do { \
      if (rc != GNUTLS_E_SUCCESS) { return tls_error((Label), gnutls_strerror(rc), host); } } while (0)
[...]
    rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
        CS state->exp_tls_certificate, CS state->exp_tls_privatekey,
        GNUTLS_X509_FMT_PEM);
    exim_gnutls_err_check(
        string_sprintf("cert/key setup: cert=%s key=%s",
          state->exp_tls_certificate, state->exp_tls_privatekey));
samba:
    ret = gnutls_certificate_set_x509_key_file(tlsp->x509_cred,
                                               cert_file, key_file,
                                               GNUTLS_X509_FMT_PEM);
    if (ret != GNUTLS_E_SUCCESS) {
        DEBUG(0,("TLS failed to initialise certfile %s and keyfile %s - %s\n",
                 cert_file, key_file, gnutls_strerror(ret)));
        talloc_free(tlsp);
        return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
    }
cups:
      status = gnutls_certificate_set_x509_key_file(*credentials, crtfile, keyfile, GNUTLS_X509_FMT_PEM);
    }
    if (!status)
      status = gnutls_credentials_set(http->tls, GNUTLS_CRD_CERTIFICATE, *credentials);
I have no idea whether these support loading multiple certificates.
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
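An added example (not code from the thread, from GnuTLS, or from exim, samba or cups) that makes the point of the exchange concrete: with the 3.5.5 contract, a successful gnutls_certificate_set_x509_key_file() returns the index of the pair it stored, so the equality checks quoted above (`rc != GNUTLS_E_SUCCESS`, and cups' equivalent `if (!status)`) treat the second loaded certificate as a failure while the documented `< 0` check does not. No real GnuTLS call is made: fake_set_x509_key_file() is a stand-in that only reproduces the return-value contract, FAKE_E_FILE_ERROR is a placeholder error code, and the file names are constructed placeholders that are never opened.

```c
/* Added example, not code from GnuTLS or from any of the projects quoted
 * above. It reproduces the return-value change discussed in the thread
 * with a stand-in loader (no real GnuTLS calls), so it runs offline. */
#include <stdio.h>
#include <string.h>

#define GNUTLS_E_SUCCESS 0          /* same value the real header uses */
#define FAKE_E_FILE_ERROR (-1)      /* placeholder negative error code */
#define MAX_CERTS 4

struct fake_cred {
    int ncerts;                     /* key pairs stored so far */
    char names[MAX_CERTS][32];
};

/* Stand-in for gnutls_certificate_set_x509_key_file() with the 3.5.5
 * contract from the thread: on success it returns the index of the pair
 * it just stored (0 for the first, 1 for the second, ...); on failure a
 * negative code. An empty file name plays the role of an unreadable file. */
static int fake_set_x509_key_file(struct fake_cred *cred, const char *certfile)
{
    if (certfile == NULL || certfile[0] == '\0' || cred->ncerts >= MAX_CERTS)
        return FAKE_E_FILE_ERROR;
    snprintf(cred->names[cred->ncerts], sizeof cred->names[0], "%s", certfile);
    return cred->ncerts++;          /* index of the pair just stored */
}

/* The check in the exim/samba/cups excerpts: anything but 0 is an error. */
static int is_error_strict(int rc) { return rc != GNUTLS_E_SUCCESS; }

/* The check from the GnuTLS examples: only negative values are errors. */
static int is_error_negative(int rc) { return rc < 0; }

/* Load every file in `files` the way an application would, stopping at the
 * first call that `is_error` flags. Returns the number of pairs the caller
 * kept; sets *aborted when it stopped early and *last_rc to the final
 * return value so a caller can tell a real failure from a false one. */
static int load_chain(const char *const files[], int n, int (*is_error)(int),
                      int *aborted, int *last_rc)
{
    struct fake_cred cred;
    int accepted = 0;
    memset(&cred, 0, sizeof cred);
    *aborted = 0;
    *last_rc = GNUTLS_E_SUCCESS;
    for (int i = 0; i < n; i++) {
        *last_rc = fake_set_x509_key_file(&cred, files[i]);
        if (is_error(*last_rc)) { *aborted = 1; break; }
        accepted++;
    }
    return accepted;
}

/* Constructed inputs: the names are placeholders, nothing is opened. */
static const char *const ONE_CERT[]   = { "server.pem" };
static const char *const TWO_CERTS[]  = { "rsa.pem", "ecdsa.pem" };
static const char *const BAD_SECOND[] = { "rsa.pem", "" };

int main(void)
{
    struct { const char *name; int (*fn)(int); } checks[] = {
        { "rc != GNUTLS_E_SUCCESS", is_error_strict },
        { "rc < 0",                 is_error_negative },
    };
    for (size_t c = 0; c < 2; c++) {
        int aborted, rc;
        int got = load_chain(TWO_CERTS, 2, checks[c].fn, &aborted, &rc);
        printf("%-24s kept %d of 2 pairs, aborted=%d, last rc=%d\n",
               checks[c].name, got, aborted, rc);
    }
    return 0;
}
```

With a single certificate both styles agree, which is the mitigation Nikos describes (the first index is 0). With two pairs the strict check stops after the first one with rc=1, a value that gnutls_strerror() would not describe as an error, while the `< 0` check keeps both and still catches the genuinely failing load of the empty name.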