From jas at extundo.com Tue Jun 1 08:38:47 2004
From: jas at extundo.com (Simon Josefsson)
Date: Tue, 01 Jun 2004 08:38:47 +0200
Subject: [Help-gnutls] Re: Default cipher priority in `gnutls-cli'?
References: <200405312313.32965.nmav@gnutls.org>
Message-ID:

Nikos Mavroyanopoulos writes:

> On Monday 31 May 2004 21:53, Simon Josefsson wrote:
>
>> I just installed GNUTLS support for STARTTLS in Emacs, via gnutls-cli.
>> When doing so, and personally moving away from the OpenSSL based
>> 'starttls' tool to gnutls-cli, I noticed gnutls-cli defaults to RC4:
>>
>> starttls: TLSv1 with cipher RC4-SHA (128/128 bits new) no authentication
>>
>> Whereas OpenSSL's default was AES-256.
>>
>> Looking at the code, the current default priority list appears to be:
>>
>> RC4-128, AES-128, 3DES, AES-256, RC4-40
>>
>> Is there some motivation for that priority order?
>>
>> IMHO, I find a list like the following would be easier to motivate:
>>
>> AES-256, AES-128, 3DES, RC4-128, RC4-40
>>
>> Where the motivation would be: first use strongest standardized cipher
>> (AES-256/128), followed by strongest historical cipher (3DES),
>> followed by interop ciphers.
>
> As far as I remember speed was the motivation,

Ah, then the list makes more sense to me.

> but you are right, the cipher strength should be the sorting
> key. I'll update the client soon.

Thanks,
Simon

From trener at hotbox.ru Mon Jun 7 14:05:37 2004
From: trener at hotbox.ru (Alexei Boyarchenko)
Date: Mon, 7 Jun 2004 16:05:37 +0400 (MSD)
Subject: [Help-gnutls] Problem with anonymous authentication
Message-ID: <200406071205.i57C5b5G056507@www5.hotbox.ru>

Sorry for my bad English!
I am trying to make server with anonymous authentication:

    gnutls_anon_server_credentials anon_serv_cred;
    static gnutls_dh_params dh_params;

    gnutls_session initialize_tls_session()
    {
        int ret = 0;
        gnutls_session session;

        ret = gnutls_init(&session, GNUTLS_SERVER);
        ret = gnutls_set_default_priority( session);

        const int KX_PRIOR[] = {GNUTLS_KX_ANON_DH,0};
        ret = gnutls_kx_set_priority(session,KX_PRIOR);
        ret = gnutls_credentials_set(session, GNUTLS_CRD_ANON,&anon_serv_cred);

        gnutls_certificate_server_set_request( session, GNUTLS_CERT_IGNORE);
        gnutls_dh_set_prime_bits( session, DH_BITS);

        return session;
    }

    static int generate_dh_params(void)
    {
        /* Generate Diffie Hellman parameters - for use with DHE
         * kx algorithms. These should be discarded and regenerated
         * once a day, once a week or once a month. Depending on the
         * security requirements.
         */
        gnutls_dh_params_init( &dh_params);
        gnutls_dh_params_generate2( dh_params, DH_BITS);

        return 0;
    }

    int main()
    {
        int err, listen_sd, i;
        int sd, ret;
        struct sockaddr_in sa_serv;
        struct sockaddr_in sa_cli;
        int client_len;
        char topbuf[512];
        gnutls_session session;
        char buffer[MAX_BUF + 1];
        const char optval = 1;

        /* this must be called once in the program */
        gnutls_global_init();

        ret = gnutls_anon_allocate_server_credentials(&anon_serv_cred); // ret = 0
        ret = generate_dh_params(); // ret = 0
        gnutls_anon_set_server_dh_params (anon_serv_cred,dh_params);
        // anon_serv_cred->dh_params are set and not NULL both

        /* Socket operations ........................................ */

        printf("Server ready. Listening to port '%d'.\n\n", PORT);

        client_len = sizeof(sa_cli);
        for (;;) {
            session = initialize_tls_session();

            sd = accept(listen_sd, (SA *) & sa_cli, &client_len);

            printf("- connection from %s, port %d\n",
                   inet_ntoa(sa_cli.sin_addr), ntohs(sa_cli.sin_port));

            gnutls_transport_set_ptr( session, (gnutls_transport_ptr)sd);
            ret = gnutls_handshake( session);
            if (ret < 0) { // ret = -21
                closesocket(sd);
                gnutls_deinit(session);
                fprintf(stderr, "*** Handshake has failed (%s)\n\n",
                        gnutls_strerror(ret));
                continue;
            }

            gnutls_bye( session, GNUTLS_SHUT_WR); //do not wait for
                                                  // the peer to close the connection.
            close(sd);
            gnutls_deinit(session);
        }
        closesocket(listen_sd);

        gnutls_anon_free_server_credentials(anon_serv_cred);
        gnutls_global_deinit();

        return 0;
    }

While testing I got mistake - "Could not negotiate a supported cipher suite"

When I tried to debug server I've found that handshaking failed because
all ciphersuites were removed during _gnutls_remove_unwanted_ciphersuites
function in gnutls_handshake.c

Ciphersuites were removed because check_server_params failed.

    ...........
    else if ( cred_type == GNUTLS_CRD_ANON) {
        anon_cred = _gnutls_get_cred(session->key, cred_type, NULL);
        if (anon_cred != NULL) {
            dh_params = anon_cred->dh_params;
        }
    } else return 0; /* no need for params */

    /* If the key exchange method needs RSA or DH params,
     * but they are not set then remove it.
     */
    if (_gnutls_kx_needs_rsa_params( kx) != 0) {
        /* needs rsa params. */
        if (_gnutls_get_rsa_params( rsa_params)==NULL)
            return 1;
    }

    if (_gnutls_kx_needs_dh_params( kx) != 0) {
        /* needs DH params. */
        if (_gnutls_get_dh_params( dh_params)==NULL)
            return 1;
    }
    ..........

I got _gnutls_get_dh_params( dh_params) = NULL
(dh_params != NULL, dh_params->params[0] != NULL but dh_params->params[1] = 0)
and all ciphersuites were removed. (((::::

After I call gnutls_anon_set_server_dh_params(anon_serv_cred,dh_params)
anon_serv_cred->dh_params->params[0] != NULL and
anon_serv_cred->dh_params->params[1] != NULL

Please help me find my mistake!!!!!!!!!!!!!!

From nmav at gnutls.org Mon Jun 7 22:43:49 2004
From: nmav at gnutls.org (Nikos Mavroyanopoulos)
Date: Mon, 07 Jun 2004 23:43:49 +0300
Subject: [Help-gnutls] Problem with anonymous authentication
In-Reply-To: <200406071205.i57C5b5G056507@www5.hotbox.ru>
References: <200406071205.i57C5b5G056507@www5.hotbox.ru>
Message-ID: <200406072343.49009.nmav@gnutls.org>

On Monday 07 June 2004 15:05, Alexei Boyarchenko wrote:

> I am trying to make server with anonymous authentication:

The procedure looks good, however I cannot verify anything since
I cannot run it. gnutls-serv works for me fine for anonymous
authentication. Does the above problem apply to gnutls-serv as well?

> I got _gnutls_get_dh_params( dh_params) = NULL
> (dh_params != NULL, dh_params->params[0] != NULL but dh_params->params[1]
> = 0) and all ciphersuites were removed. (((::::
> After I call gnutls_anon_set_server_dh_params(anon_serv_cred,dh_params)
> anon_serv_cred->dh_params->params[0] != NULL and
> anon_serv_cred->dh_params->params[1] != NULL

This shouldn't have happened. Could you trace where this happens?

--
Nikos Mavroyanopoulos

From trener at hotbox.ru Tue Jun 8 12:59:46 2004
From: trener at hotbox.ru (Alexei Boyarchenko)
Date: Tue, 8 Jun 2004 14:59:46 +0400 (MSD)
Subject: [Help-gnutls] Problem with anonymous authentication
Message-ID: <200406081059.i58AxkQf064470@www3.hotbox.ru>

> This shouldn't have happened. Could you trace where this happens?

Sorry for my bad English again!!!!
I think I've found a bug! (maybe I am right maybe not :) )
Version: gnutls-1.0.9

Look!
if after initialisation we have:

&anon_serv_cred = 0x0053a754 and at that address we have
    0x00935610 -- address of anon_serv_cred

anon_serv_cred = 0x00935610 and at that address we have
    0x00935420 -- address of global_dh_params
    0x00000000 -- NULL !!!!!!!!!!

global_dh_params = 0x00935420 and at that address we have
    0x00935420 -- not NULL! address of global_dh_params->params[0]
    0x00952620 -- not NULL! address of global_dh_params->params[1]

when we call function check_server_params in gnutls_handshake.c

    .......
    else if ( cred_type == GNUTLS_CRD_ANON) {
        anon_cred = _gnutls_get_cred(session->key, cred_type, NULL); //!!!!!
        if (anon_cred != NULL) {
            dh_params = anon_cred->dh_params; //!!
        }
    } else return 0; /* no need for params */

    /* If the key exchange method needs RSA or DH params,
     * but they are not set then remove it.
     */
    if (_gnutls_kx_needs_rsa_params( kx) != 0) {
        /* needs rsa params. */
        if (_gnutls_get_rsa_params( rsa_params)==NULL)
            return 1;
    }

    if (_gnutls_kx_needs_dh_params( kx) != 0) {
        /* needs DH params. */
        if (_gnutls_get_dh_params( dh_params)==NULL)
            return 1;
    }
    .....

we get anon_cred = &anon_serv_cred = 0x0053a754 and at that address we have
    0x00935610 address of anon_serv_cred (but not global_dh_params!!!)

so when we do

    if (anon_cred != NULL) {
        dh_params = anon_cred->dh_params; //!!
    }

dh_params = 0x00935610 but this is address of anon_serv_cred
and not address of global_dh_params !!!!

And we get dh_params = anon_serv_cred = 0x00935610, at that address we have
    0x00935420 -- address of global_dh_params
    0x00000000 -- NULL !!!!!!!!!!

So we get _gnutls_get_dh_params( dh_params)==NULL !!!!!!!!!

I changed this code in this way:

    void** MyTmp;
    .....
    else if ( cred_type == GNUTLS_CRD_ANON) {
        MyTmp = _gnutls_get_cred(session->key, cred_type, NULL);
        if (MyTmp != NULL) {
            anon_cred = *MyTmp;
            dh_params = anon_cred->dh_params;
        }
    } else return 0; /* no need for params */

    /* If the key exchange method needs RSA or DH params,
     * but they are not set then remove it.
     */
    if (_gnutls_kx_needs_rsa_params( kx) != 0) {
        /* needs rsa params. */
        if (_gnutls_get_rsa_params( rsa_params)==NULL)
            return 1;
    }

    if (_gnutls_kx_needs_dh_params( kx) != 0) {
        /* needs DH params. */
        if (_gnutls_get_dh_params( dh_params)==NULL)
            return 1;
    }
    ......

and it works fine!!!

Also I had to correct function gen_anon_server_kx in anon_auth.c :

    ....
    gnutls_dh_params dh_params;
    const gnutls_anon_server_credentials cred;
    void** MyTmp;

    MyTmp = _gnutls_get_cred(session->key, GNUTLS_CRD_ANON, NULL);
    if (MyTmp == NULL) {
        gnutls_assert();
        return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
    }
    cred = *MyTmp;
    dh_params = _gnutls_anon_get_dh_params( cred, session);
    ....

And eventually I received completely working server with anonymous
authentication.

From nmav at gnutls.org Tue Jun 8 13:29:21 2004
From: nmav at gnutls.org (Nikos Mavroyanopoulos)
Date: Tue, 08 Jun 2004 14:29:21 +0300
Subject: [Help-gnutls] Problem with anonymous authentication
Message-ID: <200406081429.21524.nmav@gnutls.org>

On Tuesday 08 June 2004 13:59, you wrote:

> > This shouldn't have happened. Could you trace where this happens?
>
> Sorry for my bad English again!!!!
> I think I've found a bug! (maybe I am right maybe not :) )
> Version: gnutls-1.0.9

This is not the latest released gnutls. You should try the latest
(1.0.13), which should have fixed this issue.

> Look!

--
Nikos Mavroyanopoulos
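
Added example (not part of the thread and not GnuTLS code): the trace above shows the stored credential pointer holding the address of the handle variable, which is what the posted gnutls_credentials_set(session, GNUTLS_CRD_ANON, &anon_serv_cred) call hands to a void * parameter. The self-contained C model below uses hypothetical names (anon_cred_t, session_set_cred, session_set_anon_cred, session_get_dh, ANON_CRED_MAGIC) to show how a typed setter and a tag check catch that mix-up instead of silently reading the wrong object.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model types; none of these names are GnuTLS's. */
#define ANON_CRED_MAGIC 0xA17C0DE5u  /* type tag; odd, unlike an aligned pointer's low byte */

struct dh_params { int prime_bits; };
struct anon_cred { uint32_t magic; struct dh_params *dh; };
typedef struct anon_cred *anon_cred_t;   /* the handle is itself a pointer */

struct session { void *cred; };

enum { CRED_OK = 0, CRED_MISSING = -1, CRED_WRONG_OBJECT = -2 };

/* Untyped setter: `handle` and `&handle` both compile without a diagnostic. */
static void session_set_cred(struct session *s, void *cred) { s->cred = cred; }

/* Typed setter: passing `&handle` here draws an incompatible-pointer diagnostic. */
static void session_set_anon_cred(struct session *s, anon_cred_t cred) { s->cred = cred; }

/* Checked lookup: read the tag bytes before trusting the pointer as a struct. */
static int session_get_dh(const struct session *s, struct dh_params **out)
{
    uint32_t magic;

    *out = NULL;
    if (s->cred == NULL)
        return CRED_MISSING;
    memcpy(&magic, s->cred, sizeof magic);   /* reads only the first 4 bytes */
    if (magic != ANON_CRED_MAGIC)
        return CRED_WRONG_OBJECT;            /* e.g. the address of the handle variable */
    *out = ((const struct anon_cred *)s->cred)->dh;
    return CRED_OK;
}

/* Constructed scenario: returns the lookup result for the chosen call style. */
static int demo(int pass_address_of_handle)
{
    static struct dh_params dh = { 1024 };
    static struct anon_cred obj = { ANON_CRED_MAGIC, &dh };
    anon_cred_t handle = &obj;
    struct session s = { NULL };
    struct dh_params *found;

    if (pass_address_of_handle)
        session_set_cred(&s, &handle);       /* call style of the posted server */
    else
        session_set_anon_cred(&s, handle);   /* handle passed by value */
    return session_get_dh(&s, &found);
}
```
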