From ekarttun at cs.helsinki.fi Mon Aug 1 15:08:33 2005 From: ekarttun at cs.helsinki.fi (Einar Karttunen) Date: Mon, 01 Aug 2005 16:08:33 +0300 Subject: [Help-gnutls] Order of freing various structures Message-ID: <87br4hhkj2.fsf@yui.aoinet> Hello I am writing a wrapper of GnuTLS in Haskell and the order of freing structures seems quite important. Is one allowed to first free credentials and then deinit a session they were associated with? Or must the credentials be valid when deinit is called on the session? i.e. is the following sequence legal: gnutls_credentials_set(session, cred, ...); gnutls__credentials_free(cred); gnutls_deinit(session); or must deinit allways be called first? May they be called concurrently if gcry_control has been properly initialized for multithreaded operation? - Einar Karttunen From nmav at gnutls.org Mon Aug 1 21:05:12 2005 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 01 Aug 2005 21:05:12 +0200 Subject: [Help-gnutls] Order of freing various structures In-Reply-To: <87br4hhkj2.fsf@yui.aoinet> References: <87br4hhkj2.fsf@yui.aoinet> Message-ID: <42EE7268.1070906@gnutls.org> Einar Karttunen wrote: > Hello > I am writing a wrapper of GnuTLS in Haskell and the order of freing > structures seems quite important. Is one allowed to first free > credentials and then deinit a session they were associated with? Or > must the credentials be valid when deinit is called on the session? Hi, Actually not since they are not used at that point. However you cannot use a session after the credentials are freed. regards, Nikos From jas at extundo.com Wed Aug 3 17:15:28 2005 From: jas at extundo.com (Simon Josefsson) Date: Wed, 03 Aug 2005 17:15:28 +0200 Subject: [Help-gnutls] Re: Order of freing various structures In-Reply-To: <87br4hhkj2.fsf@yui.aoinet> (Einar Karttunen's message of "Mon, 01 Aug 2005 16:08:33 +0300") References: <87br4hhkj2.fsf@yui.aoinet> Message-ID: Einar Karttunen writes: > Hello > > I am writing a wrapper of GnuTLS in Haskell Hello Einar. Wonderful, Haskell is my favorite functional language. :) Do you have an URL for your project? I may add it to gnutls.org, if you want. > and the order of freing > structures seems quite important. Is one allowed to first free > credentials and then deinit a session they were associated with? Or > must the credentials be valid when deinit is called on the session? > > i.e. is the following sequence legal: > gnutls_credentials_set(session, cred, ...); > gnutls__credentials_free(cred); > gnutls_deinit(session); It is OK assuming nothing happens between the credentials_free and deinit call, however, if something happens in the session that require access to the certificates (e.g., a re-handshake initiated by the other side?), things will break. I recommend to free the credentials after the session in which they are used is completely finished and deallocated. It is a better separation of things. > or must deinit allways be called first? Not necessarily. > May they be called concurrently > if gcry_control has been properly initialized for multithreaded operation? Currently yes, but I could only tell by looking at the code. The gnutls_deinit function doesn't access the certificates. If you have suggestions how to better document this to explain things better, please share. Regards, Simon From e_agf at yahoo.es Mon Aug 8 13:39:54 2005 From: e_agf at yahoo.es (Fran) Date: Mon, 08 Aug 2005 13:39:54 +0200 Subject: [Help-gnutls] Really I can not understand nothing of SSL... Message-ID: <1123501195.3307.6.camel@localhost> Hello, Why certtool request for a int number for serial?, if I think that should be >= unsigned long long (64 bit): > int size, serial, client; > > serial = get_serial(); > > int get_serial(void) > { > if (batch) { > if (cfg.serial < 0) > return 0; > return cfg.serial; > } else { > return > read_int("Enter the certificate's serial number (decimal): "); > } > } > > serial = get_serial(); > buffer[3] = serial & 0xff; > buffer[2] = (serial >> 8) & 0xff; > buffer[1] = (serial >> 16) & 0xff; > buffer[0] = 0; > > result = gnutls_x509_crt_set_serial(crt, buffer, 4); > if (result < 0) { > fprintf(stderr, "serial: %s\n", gnutls_strerror(result)); > exit(1); > } > From jas at extundo.com Mon Aug 8 14:34:04 2005 From: jas at extundo.com (Simon Josefsson) Date: Mon, 08 Aug 2005 14:34:04 +0200 Subject: [Help-gnutls] Re: Really I can not understand nothing of SSL... In-Reply-To: <1123501195.3307.6.camel@localhost> (Fran's message of "Mon, 08 Aug 2005 13:39:54 +0200") References: <1123501195.3307.6.camel@localhost> Message-ID: Fran writes: > Hello, > Why certtool request for a int number for serial?, if I think that > should be >= unsigned long long (64 bit): Hello. 'Unsigned long long' is a non-standard C extension, is it not? We want the code to work with standard compilers. Further, it seems serial's should be allowed to be even longer than 64/128 bits, so I believe the proper solution is to make get_serial support a hex string format too (perhaps recognized through a prefix of '0x'?). If this is important for you, please propose a patch for inclusion. Thanks, Simon > >> int size, serial, client; >> >> serial = get_serial(); >> >> int get_serial(void) >> { >> if (batch) { >> if (cfg.serial < 0) >> return 0; >> return cfg.serial; >> } else { >> return >> read_int("Enter the certificate's serial number (decimal): "); >> } >> } >> >> serial = get_serial(); >> buffer[3] = serial & 0xff; >> buffer[2] = (serial >> 8) & 0xff; >> buffer[1] = (serial >> 16) & 0xff; >> buffer[0] = 0; >> >> result = gnutls_x509_crt_set_serial(crt, buffer, 4); >> if (result < 0) { >> fprintf(stderr, "serial: %s\n", gnutls_strerror(result)); >> exit(1); >> } >> From asuffield at suffields.me.uk Mon Aug 8 15:17:24 2005 From: asuffield at suffields.me.uk (Andrew Suffield) Date: Mon, 8 Aug 2005 14:17:24 +0100 Subject: [Help-gnutls] Re: Really I can not understand nothing of SSL... In-Reply-To: References: <1123501195.3307.6.camel@localhost> Message-ID: <20050808131724.GA4415@suffields.me.uk> On Mon, Aug 08, 2005 at 02:34:04PM +0200, Simon Josefsson wrote: > > Why certtool request for a int number for serial?, if I think that > > should be >= unsigned long long (64 bit): > > Hello. 'Unsigned long long' is a non-standard C extension, is it not? > We want the code to work with standard compilers. No, it's C99. If you'd rather have POSIX, use uint64_t. -- .''`. ** Debian GNU/Linux ** | Andrew Suffield : :' : http://www.debian.org/ | `. `' | `- -><- | -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature URL: From jas at extundo.com Mon Aug 8 15:41:24 2005 From: jas at extundo.com (Simon Josefsson) Date: Mon, 08 Aug 2005 15:41:24 +0200 Subject: [Help-gnutls] Re: Really I can not understand nothing of SSL... In-Reply-To: <20050808131724.GA4415@suffields.me.uk> (Andrew Suffield's message of "Mon, 8 Aug 2005 14:17:24 +0100") References: <1123501195.3307.6.camel@localhost> <20050808131724.GA4415@suffields.me.uk> Message-ID: Andrew Suffield writes: > On Mon, Aug 08, 2005 at 02:34:04PM +0200, Simon Josefsson wrote: >> > Why certtool request for a int number for serial?, if I think that >> > should be >= unsigned long long (64 bit): >> >> Hello. 'Unsigned long long' is a non-standard C extension, is it not? >> We want the code to work with standard compilers. > > No, it's C99. If you'd rather have POSIX, use uint64_t. I believe the goal is for GnuTLS to work on C89 platforms. 'long long' isn't used by GnuTLS today. Further, according to: http://www.opengroup.org/onlinepubs/009695399/basedefs/stdint.h.html uint64_t is not required by POSIX, it is optional. uint64_t is also not used by GnuTLS today. So I don't think neither is a good solution here. X.509 serials are frequently larger than 64 and even 128 bits, so the real solution would be to make get_serial return a hex string instead. Then we won't have arbitrary limits, be them 32, 64 or 128 bits. Fixing that look rather simple; patches welcome. Regards, Simon From e_agf at yahoo.es Tue Aug 9 00:44:27 2005 From: e_agf at yahoo.es (Fran) Date: Tue, 09 Aug 2005 00:44:27 +0200 Subject: [Help-gnutls] Re: Really I can not understand nothing of SSL... Message-ID: <1123541068.3982.19.camel@localhost> I am not a hacker of gnutls, I'm not a hacker of unix, I'm not a hacker of C What need a stupid programmer like me here? It's easy: - Extract the visible parameters, like serial, CN, Issuer, etc... (real world) Why? Common name and serial identify a certificate ->> Identify an user. Which is the problem?, if I make a struct to store visible parameters, I do not known sizeof(serial). Could be store in hexadecimal number, but hexadecimal number is very difficult to manage. (The limit is in the sky) > gnutls_x509_crt_get_serial (cert, serial, &serial_size) >= 0) Isn't hexadecimal, decimal. 1,844674407 E19 /* puuufff */ X509_useful.serial = strtoll (raw_to_string (serial, serial_size), NULL, 10); /* bug, bug,bug, if expected size > 2^64 */ > >Why certtool request for a int number for serial?, if I think that >should be >= unsigned long long (64 bit): > Hello. 'Unsigned long long' is a non-standard C extension, is it not? ? > We want the code to work with standard compilers. Yes "int" can be -1,..., tralala, tralala,0,..., I think that from "int" you can not use a number larger that 2^32 (u int). how to extract number larger than "int"? > >> int size, serial, client; > >> > >> serial = get_serial(); > >> > >> "int" get_serial(void) > >> { > >> if (batch) { > >> if (cfg.serial < 0) > >> return 0; > >> return cfg.serial; > >> } else { > >> return > >> read_int("Enter the certificate's serial number > (decimal): "); > >> } > >> } > > I believe the proper solution is to make get_serial > support a hex string format too (perhaps recognized through a >prefix of '0x'?). Ok, get_serial should support a hex string or decimal bigger number. >If this is important for you, please propose a patch for > inclusion. Time ago I sent you some ideas, about other things >> trash. > get_serial return a hex string instead. > Then we won't have arbitrary limits, be them 32, 64 or 128 bits. > Fixing that look rather simple; patches welcome. I can not help you, sorry. who have certificates? >How much time a certificate could be valid, 1 year,two year, >100year :) >How much users can be CA certificate ?9E9?, 0ne certificate per hour >for each user: >8760 hours per year >7.884E13 crt per year >2^64 / 7.884E13 = 233976.9669 years. >In my opinion when serial >= limit should be reset to another CA >name .(my opinion >> trash). >Support Verisig.n enterprise ....... years? The problem is easy "manage and store certificate information" (user level). Here is the problem: -compatibility (all systems) or -efficiency How to solve the problem? Put a config flag, verify all times if serial < 64 bits, transform every time to hexadecimal number, or functions should return hexadecimal? Thanks, for your time; sorry for my English. On Lun, 2005-08-08 at 15:41 +0200, Simon Josefsson wrote: > Andrew Suffield writes: > > > On Mon, Aug 08, 2005 at 02:34:04PM +0200, Simon Josefsson wrote: > >> > Why certtool request for a int number for serial?, if I think that > >> > should be >= unsigned long long (64 bit): > >> > >> Hello. 'Unsigned long long' is a non-standard C extension, is it not? > >> We want the code to work with standard compilers. > > > > No, it's C99. If you'd rather have POSIX, use uint64_t. > > I believe the goal is for GnuTLS to work on C89 platforms. 'long > long' isn't used by GnuTLS today. Further, according to: > > http://www.opengroup.org/onlinepubs/009695399/basedefs/stdint.h.html > > uint64_t is not required by POSIX, it is optional. uint64_t is also > not used by GnuTLS today. So I don't think neither is a good solution > here. > > X.509 serials are frequently larger than 64 and even 128 bits, so the > real solution would be to make get_serial return a hex string instead. > Then we won't have arbitrary limits, be them 32, 64 or 128 bits. > Fixing that look rather simple; patches welcome. > > Regards, > Simon > > > _______________________________________________ > Help-gnutls mailing list > From jas at extundo.com Tue Aug 9 13:13:19 2005 From: jas at extundo.com (Simon Josefsson) Date: Tue, 09 Aug 2005 13:13:19 +0200 Subject: [Help-gnutls] Re: Really I can not understand nothing of SSL... In-Reply-To: <1123541068.3982.19.camel@localhost> (Fran's message of "Tue, 09 Aug 2005 00:44:27 +0200") References: <1123541068.3982.19.camel@localhost> Message-ID: Fran writes: > What need a stupid programmer like me here? > It's easy: > - Extract the visible parameters, like serial, CN, Issuer, etc... (real > world) > Why? > Common name and serial identify a certificate ->> Identify an user. > > Which is the problem?, if I make a struct to store visible parameters, I > do not known sizeof(serial). Could be store in hexadecimal number, but > hexadecimal number is very difficult to manage. (The limit is in the > sky) There are many options, but the most flexible is probably to use a real bignum library. There is one in libgcrypt, which GnuTLS uses. >> gnutls_x509_crt_get_serial (cert, serial, &serial_size) >= 0) > > Isn't hexadecimal, decimal. > > 1,844674407 E19 /* puuufff */ > X509_useful.serial = strtoll (raw_to_string (serial, serial_size), NULL, > 10); /* bug, bug,bug, if expected size > 2^64 */ Right, strtoll will only work for small integers. >>If this is important for you, please propose a patch for >> inclusion. > > Time ago I sent you some ideas, about other things >> trash. If I don't have time to implement ideas, I try to write them down into TODO. Are your ideas in there? Code, on the other hand, doesn't write itself... Cheers, Simon From e_agf at yahoo.es Tue Aug 9 17:50:37 2005 From: e_agf at yahoo.es (Fran) Date: Tue, 09 Aug 2005 17:50:37 +0200 Subject: [Help-gnutls] Re: Really I can not understand nothing of SSL... In-Reply-To: References: <1123541068.3982.19.camel@localhost> Message-ID: <1123602637.3199.35.camel@localhost> > There are many options, but the most flexible is probably to use a > real bignum library. There is one in libgcrypt, which GnuTLS uses. Thanks, seems good choice; but I think (in my opinion) that serial number should be unique (not int here and BIGNUM there). > Right, strtoll will only work for small integers. Right > If I don't have time to implement ideas, I try to write them down into > TODO. Are your ideas in there? Code, on the other hand, doesn't > write itself... Ideas = tar.gz archive with C code (as well I can). Skeleton of interface + Makefile for examples/doc Another thing, in 1.2.4 one certificate dn_size for gnutls_x509_crt_get_dn -> 111 bytes gnutls_x509_crt_get_issuer_dn -> 98 bytes now, the same certificate, in 1.2.6 - 110 bytes and 97bytes ?It is ok? And I can not copy (I can print it) issuer_dn with strncpy, snprintf or memcpy (segfault), only with (dn_size - 40); store size 256 > 97 ?returned size is correct?, seems to be bigger. > dn_size = sizeof (dn); > ret = gnutls_x509_crt_get_dn (cert, dn, &dn_size); > if (ret >= 0) > { > ..."Saving to Useful:sizeof store %u, %s (%u bytes)", sizeof(X509_useful.issuer_client),dn, dn_size); > snprintf (X509_useful.issuer_client, 254, "%s", dn); /*Work ok*/ > ..."Printing; %s (%u bytes)", dn, dn_size); > > ..."Subject: %s", X509_useful.issuer_client); > } > else > { > ..."get_dn: %s", gnutls_strerror (ret)); > }; > /* Issuer > */ > ret = gnutls_x509_crt_get_issuer_dn (cert, dn, &dn_size); > if (ret >= 0) > { > ..."Saving to Useful: sizeof store %u, %s (%u bytes) to copy %u", sizeof(r->X509_useful.issuer_ca),dn, d > /*snprintf ()*/ > /* strncpy (r->X509_useful.issuer_ca, dn, dn_size - 10 );*/ > memcpy (r->X509_useful.issuer_ca, dn, dn_size - 10 );/*Do not work*/ > ..."Printing; %s (%u bytes) to copy %u", dn, dn_size, dn_size - 10 ); > ..."Issuer: %s", X509_useful.issuer_ca); > } > else > { > ..."get_issuer_dn: %s", gnutls_strerror (ret)); > }; > ------------------ > if (cbuf == NULL) > *sizeof_buf = 0; > > > len = *sizeof_buf; > result = > asn1_read_value(asn1_struct, tmpbuffer3, buf, &len);<------------ > > if (result != ASN1_SUCCESS) { > gnutls_assert(); > if (result==ASN1_MEM_ERROR) > ------->*sizeof_buf = len; > result = _gnutls_asn2err(result); > goto cleanup; > } > > if (raw_flag != 0) { > if ((uint) len > *sizeof_buf) { > -----> *sizeof_buf = len; > result = GNUTLS_E_SHORT_MEMORY_BUFFER; > goto cleanup; > } > -------->*sizeof_buf = len; > > return 0; > > } else { /* parse data. raw_flag == 0 */ > printable = _gnutls_x509_oid_data_printable(oid); > if (printable == 1) > result = > _gnutls_x509_oid_data2string(oid, buf, len, > cbuf, sizeof_buf); > else > result = > _gnutls_x509_data2hex(buf, len, cbuf, > sizeof_buf); > > if (result < 0) { > gnutls_assert(); > goto cleanup; > } > > return 0; > Regards, From e_agf at yahoo.es Tue Aug 9 23:27:27 2005 From: e_agf at yahoo.es (Fran) Date: Tue, 09 Aug 2005 23:27:27 +0200 Subject: [Help-gnutls] Re: Really I can not understand nothing of SSL... In-Reply-To: <1123602637.3199.35.camel@localhost> References: <1123541068.3982.19.camel@localhost> <1123602637.3199.35.camel@localhost> Message-ID: <1123622847.8304.10.camel@localhost> Do not read my last message all is false. Hey, I wrote the last message too fast. Sorry (This is not spam) > Another thing, in 1.2.4 one certificate dn_size for > gnutls_x509_crt_get_dn -> 111 bytes > gnutls_x509_crt_get_issuer_dn -> 98 bytes > now, the same certificate, in 1.2.6 > - 110 bytes and 97bytes > ?It is ok? No, no, isn?t true > And I can not copy (I can print it) issuer_dn with strncpy, snprintf or > memcpy (segfault), only with (dn_size - 40); store size 256 > 97 > ?returned size is correct?, seems to be bigger. Is not a gnutls problem; (really I do not where is the problem same size of store a,b and store in a work in b not- I think that is a red demon :) ) Sorry again, Regards, F. J. From jas at extundo.com Wed Aug 10 11:15:12 2005 From: jas at extundo.com (Simon Josefsson) Date: Wed, 10 Aug 2005 11:15:12 +0200 Subject: [Help-gnutls] Re: Really I can not understand nothing of SSL... In-Reply-To: <1123602637.3199.35.camel@localhost> (Fran's message of "Tue, 09 Aug 2005 17:50:37 +0200") References: <1123541068.3982.19.camel@localhost> <1123602637.3199.35.camel@localhost> Message-ID: Fran writes: >> There are many options, but the most flexible is probably to use a >> real bignum library. There is one in libgcrypt, which GnuTLS uses. > Thanks, seems good choice; but I think (in my opinion) that serial > number should be unique (not int here and BIGNUM there). Agreed, but the GnuTLS API never uses int for X.509 serials. The tool does, but it has to convert it to a printable format somehow. Arguable it should use libgcrypt.. >> Right, strtoll will only work for small integers. > Right >> If I don't have time to implement ideas, I try to write them down into >> TODO. Are your ideas in there? Code, on the other hand, doesn't >> write itself... > Ideas = tar.gz archive with C code (as well I can). Skeleton of interface + Makefile for examples/doc I fixed the examples now, they should be built during a normal build, so any problems should be spotted easily. I don't recall the other matters, do you have a message-id or something? > Another thing, in 1.2.4 one certificate dn_size for > gnutls_x509_crt_get_dn -> 111 bytes > gnutls_x509_crt_get_issuer_dn -> 98 bytes > now, the same certificate, in 1.2.6 > - 110 bytes and 97bytes > ?It is ok? Yes, see NEWS: - Fixed off-by-one bug in the size parameter of gnutls_x509_crt_get*_dn, reported by Adam Langley . Cheers, Simon From mario.lists at gmail.com Thu Aug 11 04:10:57 2005 From: mario.lists at gmail.com (Mario Fuentes) Date: Wed, 10 Aug 2005 22:10:57 -0400 Subject: [Help-gnutls] Asynchronous Connections Message-ID: Hello! I'm working on the support of secure connections in Gyrus, a Cyrus IMAPd administrator. Reading the GNUtls documentation I don't found information about Asynchronous connections, I will be very happy if any can help me :> Sorry my precary english. Mario From jas at extundo.com Thu Aug 11 11:16:18 2005 From: jas at extundo.com (Simon Josefsson) Date: Thu, 11 Aug 2005 11:16:18 +0200 Subject: [Help-gnutls] Re: Asynchronous Connections In-Reply-To: (Mario Fuentes's message of "Wed, 10 Aug 2005 22:10:57 -0400") References: Message-ID: Mario Fuentes writes: > Hello! > > I'm working on the support of secure connections in Gyrus, a Cyrus > IMAPd administrator. Reading the GNUtls documentation I don't found > information about Asynchronous connections, I will be very happy if > any can help me :> Hi! Exactly what do you mean? Non-hanging read/write? The standard select() mechanism should work. Perhaps you can explain more what you want to do. Cheers, Simon From mario.lists at gmail.com Thu Aug 11 17:32:52 2005 From: mario.lists at gmail.com (Mario Fuentes) Date: Thu, 11 Aug 2005 11:32:52 -0400 Subject: [Help-gnutls] Re: Re: Asynchronous Connections In-Reply-To: References: Message-ID: Hola :) ! 2005/8/11, Simon Josefsson : > Mario Fuentes writes: > > > Hello! > > > > I'm working on the support of secure connections in Gyrus, a Cyrus > > IMAPd administrator. Reading the GNUtls documentation I don't found > > information about Asynchronous connections, I will be very happy if > > any can help me :> > > Hi! Exactly what do you mean? Non-hanging read/write? The standard > select() mechanism should work. Perhaps you can explain more what you > want to do. > > Cheers, > Simon > Gyrus uses the GNET library for the comunication, it provide a function to create a connection with a callback called when the transmision finish. We uses this because Gyrus can manage multi-sessions and the GUI not will can freeze. In the GNUtls documentation/examples the functions gnu_record_[send|recv] are used to send/recv data in the channel... I'm confused ?:| Sorry my newbie confusion :( bye, Mario From cascardo at minaslivre.org Thu Aug 11 17:58:52 2005 From: cascardo at minaslivre.org (cascardo at minaslivre.org) Date: Thu, 11 Aug 2005 12:58:52 -0300 Subject: [Help-gnutls] Re: Re: Asynchronous Connections In-Reply-To: References: Message-ID: <20050811155851.GW8010@cascardo.localdomain> I also use GNET in my libtc library. I have some special modules for the connection. Check the libconn directory in the package. It's available on jabberstudio.org. If you wish, I may send only the required files to you in private mail. The files are licensed under LGPL. Regards, Thadeu Cascardo. On Thu, Aug 11, 2005 at 11:32:52AM -0400, Mario Fuentes wrote: > Hola :) ! > > 2005/8/11, Simon Josefsson : > > Mario Fuentes writes: > > > > > Hello! > > > > > > I'm working on the support of secure connections in Gyrus, a Cyrus > > > IMAPd administrator. Reading the GNUtls documentation I don't found > > > information about Asynchronous connections, I will be very happy if > > > any can help me :> > > > > Hi! Exactly what do you mean? Non-hanging read/write? The standard > > select() mechanism should work. Perhaps you can explain more what you > > want to do. > > > > Cheers, > > Simon > > > > Gyrus uses the GNET library for the comunication, it provide a > function to create a connection with a callback called when the > transmision finish. We uses this because Gyrus can manage > multi-sessions and the GUI not will can freeze. > > In the GNUtls documentation/examples the functions > gnu_record_[send|recv] are used to send/recv data in the channel... > I'm confused ?:| > > Sorry my newbie confusion :( > > bye, > Mario > > > _______________________________________________ > Help-gnutls mailing list > Help-gnutls at gnu.org > http://lists.gnu.org/mailman/listinfo/help-gnutls -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature URL: From e_agf at yahoo.es Fri Aug 12 21:14:41 2005 From: e_agf at yahoo.es (Fran) Date: Fri, 12 Aug 2005 21:14:41 +0200 Subject: [Help-gnutls] Re: Really I can not understand nothing of SSL... For the moment to avoid confusion... Message-ID: <1123874082.10421.25.camel@localhost> Fran

writes: > Agreed, but the GnuTLS API never uses int for X.509 serials. The tool > does, but it has to convert it to a printable format somehow. > Arguable it should use libgcrypt.. I suggest this modifications for certtoll-cfg.c function read_int(), for the moment: Something like this: Line 32: > #include Line 224: > if (atoll (input) > INT_MAX) /*Could be other condition*/ > { > fprintf (stderr, "Sorry certtool still not support numbers larger that: %u\n", INT_MAX); > return 0; > }; >I fixed the examples now, they should be built during a normal build, >so any problems should be spotted easily. I don't recall the other >matters, do you have a message-id or something? Isn't important. But if you want study if you have a problem with your mail (could be my mail): > Jul 28 17:05:09 mydomain sendmail[3623]: j6SF54Og003623: from=javi at mydomain.com, size=17662, class=0, nrcpts=1, msgid=<1122563102.3429.36.camel at localhost>, relay=javi at localhost > Jul 28 17:05:14 mydomain sendmail[3624]: j6SF59N6003624: from=, size=17810, class=0, nrcpts=1, msgid=<1122563102.3429.36.camel at localhost>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1] > Jul 28 17:05:14 mydomain sendmail[3623]: j6SF54Og003623: to=jas at yourdomain.com, ctladdr=javi at mydomain.com (501/501), delay=00:00:10, xdelay=00:00:05, mailer=relay, pri=relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (j6SF59N6003624 Message accepted for delivery) > Jul 28 17:05:24 mydomain sendmail[3627]: STARTTLS=client, relay=yxa.extundo.com., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256 > Jul 28 17:05:45 mydomain sendmail[3627]: j6SF59N6003624: to=, ctladdr= (501/501), delay=00:00:31, xdelay=00:00:31, mailer=esmtp, pri=137810, relay=yxa.extundo.com. [217.13.230.178], dsn=2.0.0, stat=Sent (j6SF52Is029265 Message accepted for delivery) > Regards, From jas at extundo.com Fri Aug 12 23:54:29 2005 From: jas at extundo.com (Simon Josefsson) Date: Fri, 12 Aug 2005 23:54:29 +0200 Subject: [Help-gnutls] Re: Really I can not understand nothing of SSL... For the moment to avoid confusion... In-Reply-To: <1123874082.10421.25.camel@localhost> (Fran's message of "Fri, 12 Aug 2005 21:14:41 +0200") References: <1123874082.10421.25.camel@localhost> Message-ID: Fran writes: > Fran

writes: >> Agreed, but the GnuTLS API never uses int for X.509 serials. The tool >> does, but it has to convert it to a printable format somehow. >> Arguable it should use libgcrypt.. > > I suggest this modifications for certtoll-cfg.c function read_int(), for > the moment: > Something like this: > Line 32: >> #include > Line 224: >> if (atoll (input) > INT_MAX) /*Could be other condition*/ >> { >> fprintf (stderr, "Sorry certtool still not support numbers larger that: %u\n", INT_MAX); >> return 0; >> }; atoll isn't available on C89 platforms.. >>I fixed the examples now, they should be built during a normal build, >>so any problems should be spotted easily. I don't recall the other >>matters, do you have a message-id or something? > > Isn't important. But if you want study if you have a problem with your mail (could be my mail): I'll try to find it and have a look see. /Simon From e_agf at yahoo.es Sat Aug 13 13:57:28 2005 From: e_agf at yahoo.es (Fran) Date: Sat, 13 Aug 2005 13:57:28 +0200 Subject: [Help-gnutls] Re: Really I can not understand nothing of SSL... For the moment to avoid confusion... In-Reply-To: References: <1123874082.10421.25.camel@localhost> Message-ID: <1123934249.11533.17.camel@localhost> > > I suggest this modifications for certtoll-cfg.c function read_int(), for > > the moment: > > Something like this: > > Line 32: > >> #include > > Line 224: > >> if (atoll (input) > INT_MAX) /*Could be other condition*/ > >> { > >> fprintf (stderr, "Sorry certtool still not support numbers larger that: %u\n", INT_MAX); > >> return 0; > >> }; > > atoll isn't available on C89 platforms.. Right, atoi (obsolete) , and atoll (C99 and obsolete),but "something like" this is not "this". What about this? > > #include > #include > > int > read_int (const char *input_str) > { > char input[128]; > > unsigned char buf[512]; /* I don' t known max size of errors returned */ > int err; > unsigned char cond = 1; > > while (cond) > { > fputs (input_str, stderr); > fgets (input, sizeof (input), stdin); > > cond = (((err = strtol (input, NULL, 10)) >= INT_MAX) || (err == EINVAL) || (err == ERANGE) || (strlen (input) == 1) || (err == 0)); > /*last value not permited INT_MAX -1, zero I think that should not be used, ERANGE not used */ > if (cond) > { > if ((err == EINVAL) || (err == ERANGE)) > { > strerror_r (err, buf, sizeof (buf)); /* It's C89 ? */ > fprintf (stderr, "Error : Function fail to get int value: %s", buf); > } > else > { > fprintf (stderr, "Error : Number is too big for certtool, zero or invalid\n"); > }; > /* return 0;*/ > } > else > { > fprintf (stderr, "Value set to: %u", err); > }; > }; > > return atoi (input); > } I think that certool should not caught values that can not process. That's all. Regards, From daniel at haxx.se Sat Aug 13 22:08:31 2005 From: daniel at haxx.se (Daniel Stenberg) Date: Sat, 13 Aug 2005 22:08:31 +0200 (CEST) Subject: [Help-gnutls] Re: Really I can not understand nothing of SSL... For the moment to avoid confusion... In-Reply-To: <1123934249.11533.17.camel@localhost> References: <1123874082.10421.25.camel@localhost> <1123934249.11533.17.camel@localhost> Message-ID: On Sat, 13 Aug 2005, Fran wrote: >> atoll isn't available on C89 platforms.. > > Right, atoi (obsolete) , and atoll (C99 and obsolete),but "something > like" this is not "this". Many platforms have strtoll() or strtointmax(). Windows MSVC has _strtoi64(). >> strerror_r (err, buf, sizeof (buf)); /* It's C89 ? */ It is POSIX, but for some reason does glibc has its own version of it which differs slightly. -- -=- Daniel Stenberg -=- http://daniel.haxx.se -=- ech`echo xiun|tr nu oc|sed 'sx$[sx]$$[xoi]$xo un\2\1 is xg'`ol From jas at extundo.com Mon Aug 15 12:17:43 2005 From: jas at extundo.com (Simon Josefsson) Date: Mon, 15 Aug 2005 12:17:43 +0200 Subject: [Help-gnutls] Re: Really I can not understand nothing of SSL... For the moment to avoid confusion... In-Reply-To: <1123934249.11533.17.camel@localhost> (Fran's message of "Sat, 13 Aug 2005 13:57:28 +0200") References: <1123874082.10421.25.camel@localhost> <1123934249.11533.17.camel@localhost> Message-ID: Fran writes: >> > I suggest this modifications for certtoll-cfg.c function read_int(), for >> > the moment: >> > Something like this: >> > Line 32: >> >> #include >> > Line 224: >> >> if (atoll (input) > INT_MAX) /*Could be other condition*/ >> >> { >> >> fprintf (stderr, "Sorry certtool still not support numbers larger that: %u\n", INT_MAX); >> >> return 0; >> >> }; >> >> atoll isn't available on C89 platforms.. > > Right, atoi (obsolete) , and atoll (C99 and obsolete),but "something > like" this is not "this". > What about this? It looked rather unreadable to me. I installed the following instead. As a bonus, you get line editing capabilities if you have libreadline installed, and it will accept non-decimal input too. Index: src/certtool-cfg.c =================================================================== RCS file: /cvs/gnutls/gnutls/src/certtool-cfg.c,v retrieving revision 2.11 diff -u -p -r2.11 certtool-cfg.c --- src/certtool-cfg.c 26 May 2005 15:27:30 -0000 2.11 +++ src/certtool-cfg.c 15 Aug 2005 10:08:10 -0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004 Free Software Foundation + * Copyright (C) 2004, 2005 Free Software Foundation * * This file is part of GNUTLS. * @@ -29,9 +29,13 @@ #include #include #include +#include +#include /* Gnulib portability files. */ #include +#include "error.h" +#include "readline.h" extern int batch; @@ -205,15 +209,31 @@ void read_crq_set(gnutls_x509_crq crq, c int read_int(const char *input_str) { - char input[128]; + char *in; + char *endptr; + long l; - fputs(input_str, stderr); - fgets(input, sizeof(input), stdin); + in = readline (input_str); - if (strlen(input) == 1) /* only newline */ - return 0; + l = strtol (in, &endptr, 0); + + if (*endptr != '\0') + { + error (0, 0, "Trailing garbage ignored: `%s'", endptr); + free (in); + return 0; + } + + if (l <= INT_MIN || l >= INT_MAX) + { + error (0, 0, "Integer out of range: `%s'", in); + free (in); + return 0; + } + + free (in); - return atoi(input); + return (int) l; } const char *read_str(const char *input_str) From trapni at gentoo.org Wed Aug 17 18:13:12 2005 From: trapni at gentoo.org (Christian Parpart) Date: Wed, 17 Aug 2005 18:13:12 +0200 Subject: [Help-gnutls] gnutls_dh_params_generate2() leaks file descriptor to /dev/urandom? Message-ID: <200508171813.20159.trapni@gentoo.org> Hi all, I'm valgrinding my application since a few days, and also ran into a file descriptor leak within gnutls_dh_params_generate2(); The following fragment is the backtrace generated by valgrind at the time of where the file descriptor has been allocated in: ==3868== Open file descriptor 3: /dev/urandom ==3868== at 0x1579ADB82: __open_nocancel (in /lib/libpthread-2.3.5.so) ==3868== by 0x157F01DC6: (within /usr/lib/libgcrypt.so.11.2.0) ==3868== by 0x157EE728A: (within /usr/lib/libgcrypt.so.11.2.0) ==3868== by 0x157EE78B7: (within /usr/lib/libgcrypt.so.11.2.0) ==3868== by 0x157EE82D5: (within /usr/lib/libgcrypt.so.11.2.0) ==3868== by 0x157F08BAB: gcry_mpi_randomize (in /usr/lib/libgcrypt.so.11.2.0) ==3868== by 0x157EE54A3: (within /usr/lib/libgcrypt.so.11.2.0) ==3868== by 0x157EE5A53: (within /usr/lib/libgcrypt.so.11.2.0) ==3868== by 0x157EE6640: gcry_prime_generate (in /usr/lib/libgcrypt.so.11.2.0) ==3868== by 0x156F332E8: _gnutls_dh_generate_prime (in /usr/lib/libgnutls.so.12.3.1) ==3868== by 0x156F33611: gnutls_dh_params_generate2 (in /usr/lib/libgnutls.so.12.3.1) ==3868== by 0x15690DCE1: TCredentials::TCredentials() (secnet.cpp:107) ==3868== by 0x156910941: TSecureNetworkServer::TPrivate::TPrivate() (secnet.cpp:175) ==3868== by 0x15690E940: TSecureNetworkServer::TSecureNetworkServer() (secnet.cpp:274) ==3868== by 0x1554A5CE9: yacs::TServer::TServer(int, System::TStringBase const&, System::TStringBase const&, System::TStringBase const&, System::TStringBase const&, System::TStringBase const&, System::TStringBase const&, System::Diagnostics::ILogger*, System::TStringBase const&, unsigned, System::TStringBase const&, System::TStringBase const&) (TServer.cpp:90) ==3868== by 0x41DEAF: spawnServer() (yacsd.cpp:281) ==3868== by 0x41FF6C: main (yacsd.cpp:388) Well, is there anything I need to call as cleanup routine? Or why is it holding a link up to /dev/urandom all the runtime over and w/o closing at shutdown? Regards, Christian Parpart. -- 15:57:12 up 147 days, 5:04, 1 user, load average: 1.89, 3.81, 4.23 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From e_agf at yahoo.es Fri Aug 19 15:49:05 2005 From: e_agf at yahoo.es (Fran) Date: Fri, 19 Aug 2005 15:49:05 +0200 Subject: [Help-gnutls] Re: Really I can not ...avoid confusion.. OK, opinion and conclusion In-Reply-To: References: <1123874082.10421.25.camel@localhost> <1123934249.11533.17.camel@localhost> Message-ID: <1124459346.3643.34.camel@localhost> A. Index: src/certtool-cfg.c * =================================================================== * RCS file: /cvs/gnutls/gnutls/src/certtool-cfg.c,v * retrieving revision 2.11 * diff -u -p -r2.11 certtool-cfg.c * ... I think that you have the same problem with strings 128bytes size, in other case 256bytes, should be 200 + 1 bytes?; and accepts null strings. > read_crt_set ; and others --------------------------------------------------------- My opinion ------------------------------------------------------------ * It looked rather unreadable to me. Well, can be possible. (I am not a good programmer). The important is the objective not the code. Before I said: * Can be a good idea make an executable to manage a non professional * simple Certificate Authority? And Simon J.: * If you have ideas on what a good command line interface would be for use as a * CA, please explain and discuss. Large parts of the code is probably * already present in certtool, but it could use a rewrite in order to be * more user friendly. Sorry, I can not continue with reorder of certtool , functions in certtool are very linked to global variables and I can not understand all the libraries in tree of dependencies, it's impossible for me. > Generating a private key... > Generating a 1024 bit RSA private key... > operation is not possible without "initialized" secure memory (libgcrypt) This problem becomes because functions aren't a "black boxes". I tried to make full featured general black boxes functions to manage basics operations of certificates,but I can't. I think, that this functions should be something like: make_X509_crt_v3(struct X509_v3 x509,...,parameters,...,output /* file or buffer */); certtool is the face of gnutls, and without a good "certtool", I think that gnutls is a car without steering wheel. * In general, I think it is better to have several small tools for * specific purposes, rather than to try and put them all into one tool. The problem is that several small tools ca not be understand by a normal users, one example: You want go to a home in the mountain, you can see it. Software types: Specialised and guided: I. You have tree way,tree options, that you can see. II. option 1, option 2, option 3. Non guided: I. You have one objective and you can see nothing. II. Please type help or error. My idea of software is based in this: One objective have one way. In other case you make that learning curve multiply almost by 10. Can be a specialised tool but should be transparent. Note : Some messages of 2001 in list are spam. And This is all, I couldn't be more useful. Thanks to all members of list. Best regards, Fran. From nmav at gnutls.org Fri Aug 19 18:03:03 2005 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 19 Aug 2005 18:03:03 +0200 Subject: [Help-gnutls] gnutls_dh_params_generate2() leaks file descriptor to /dev/urandom? In-Reply-To: <200508171813.20159.trapni@gentoo.org> References: <200508171813.20159.trapni@gentoo.org> Message-ID: <430602B7.4020106@gnutls.org> Christian Parpart wrote: > Hi all, > > I'm valgrinding my application since a few days, and also ran into > a file descriptor leak within gnutls_dh_params_generate2(); > > The following fragment is the backtrace generated by valgrind > at the time of where the file descriptor has been allocated in: [...] > Well, is there anything I need to call as cleanup routine? Or why is it > holding a link up to /dev/urandom all the runtime over and w/o closing at > shutdown? As far as I remember this is normal libgcrypt behaviour. Some structures never get deinitialized. But to be sure I'd suggest to forward your mail to the libgcrypt-dev list. Nikos From daniel at haxx.se Mon Aug 22 09:56:45 2005 From: daniel at haxx.se (Daniel Stenberg) Date: Mon, 22 Aug 2005 09:56:45 +0200 (CEST) Subject: [Help-gnutls] CA cert verification Message-ID: Hi friends I have a little problem with my GnuTLS-enabled libcurl and CA cert verifying a server. If I build it with OpenSSL instead it succeeds (using the same CA cert file I should say). Can you perhaps point out an obvious flaw in this flow? gnutls_certificate_allocate_credentials() gnutls_certificate_set_x509_trust_file() - if a CA file has been provided gnutls_init() gnutls_set_default_priority() gnutls_certificate_type_set_priority() gnutls_credentials_set() - sets the cred with the CA file, afaik understood it gnutls_transport_set_ptr() - sets the file descriptor for the socket gnutls_handshake() - handshake, done non-blocking but I doubt that matters gnutls_certificate_get_peers() gnutls_certificate_verify_peers2() - this seems to always return error with the 'verify_status' integer (that the second argument points to) set to 66 on exit. How can I proceed to figure out why this happens? This is using GnuTLS 1.2.0. Trying 1.0.16 instead, I get verify_status return 130 instead. This is easily testable using the curl command line tool: $ curl -v https://gmail.google.com/ --cacert /usr/share/curl/curl-ca-bundle.crt (the CA cert path above comes from where Debian's curl install puts the CA cert bundle) -- -=- Daniel Stenberg -=- http://daniel.haxx.se -=- ech`echo xiun|tr nu oc|sed 'sx$[sx]$$[xoi]$xo un\2\1 is xg'`ol From akellav at gmail.com Mon Aug 22 18:27:24 2005 From: akellav at gmail.com (venkat akella) Date: Mon, 22 Aug 2005 09:27:24 -0700 Subject: [Help-gnutls] Build gnutls on windows Message-ID: <79ae4fa105082209277b2fbfc6@mail.gmail.com> Hi I am trying to build the gnutls-1.2.6 on windows using MingW/Msys environment. But getting some compilation errors saying that termios.h is not found. I saw a windows build of gnutls at the following link. http://ftp.gnupg.org/GnuPG/alpha/gnutls/ So, looks lke gnutls can be built on windows. It would be great if someone can tell how to build gnutls for windows. I could successfully built the libgpg-error-1.1 and libgcrypt-1.2.1 on mingw/msys environment except some tests of libgcrypt failed. Thanks for your time. Venkat From marlam at marlam.de Mon Aug 22 19:51:28 2005 From: marlam at marlam.de (Martin Lambers) Date: Mon, 22 Aug 2005 19:51:28 +0200 Subject: [Help-gnutls] Build gnutls on windows In-Reply-To: <79ae4fa105082209277b2fbfc6@mail.gmail.com> References: <79ae4fa105082209277b2fbfc6@mail.gmail.com> Message-ID: <20050822175128.GA8086@cthulhu.lambers.home> On Mon, 22. Aug 2005, 09:27:24 -0700, venkat akella wrote: > I am trying to build the gnutls-1.2.6 on windows using MingW/Msys > environment. But getting some compilation errors saying that termios.h > is not found. This is because the gnulib getpass module does not compile with MinGW/MSYS. I was able to compile and install at least the library and include files with the Debian mingw32 packages (cross compiling): $ ./configure --disable-random-device --disable-pseudo-random-device \ --prefix=$HOME/install/i586-mingw32msvc --without-pic \ --host=i586-mingw32msvc # this is for cross compilation $ make [this fails at the getpass module] $ cd crypto $ make $ cd ../includes $ make install $ cd ../lib $ make install I did not yet experience any problems with the resulting library, the programs I linked it with work OK. The gnutls tools seem to use getpass() and mmap(), both of which are not available on Win32 AFAIK. Maybe there are other problems. Regards, Martin From jas at extundo.com Mon Aug 22 20:26:07 2005 From: jas at extundo.com (Simon Josefsson) Date: Mon, 22 Aug 2005 20:26:07 +0200 Subject: [Help-gnutls] Re: Build gnutls on windows In-Reply-To: <20050822175128.GA8086@cthulhu.lambers.home> (Martin Lambers's message of "Mon, 22 Aug 2005 19:51:28 +0200") References: <79ae4fa105082209277b2fbfc6@mail.gmail.com> <20050822175128.GA8086@cthulhu.lambers.home> Message-ID: Martin Lambers writes: > On Mon, 22. Aug 2005, 09:27:24 -0700, venkat akella wrote: >> I am trying to build the gnutls-1.2.6 on windows using MingW/Msys >> environment. But getting some compilation errors saying that termios.h >> is not found. > > This is because the gnulib getpass module does not compile with > MinGW/MSYS. Right. I am working on this now. Thanks for the report. > I was able to compile and install at least the library and include files > with the Debian mingw32 packages (cross compiling): > $ ./configure --disable-random-device --disable-pseudo-random-device \ > --prefix=$HOME/install/i586-mingw32msvc --without-pic \ > --host=i586-mingw32msvc # this is for cross compilation > $ make > [this fails at the getpass module] > $ cd crypto > $ make > $ cd ../includes > $ make install > $ cd ../lib > $ make install > > I did not yet experience any problems with the resulting library, the > programs I linked it with work OK. > > The gnutls tools seem to use getpass() and mmap(), both of which are not > available on Win32 AFAIK. Maybe there are other problems. I'll try to fix getpass. There is no reason for the tool to use mmap to read keys/certificates; a patch to fix this would be appreciated. However, both termios.h and mmap are POSIX. POSIX is a loose requirement for running the GnuTLS tools. If it is simple/clean to work around non-implemented POSIX functionality for platform such as Mingw32, GnuTLS may do it, but we won't pollute the GnuTLS code with workaround for all kind of systems. People have tried that programming approach in the past, and it leads to poor maintainability and poor quality. The best way to deal with this is to write a gnulib portability module to re-implement the missing POSIX functionality for your system. Adding such code to GnuTLS is not a problem. In general, I appreciate to hear about build problems. Thanks, Simon From marlam at marlam.de Tue Aug 23 00:06:12 2005 From: marlam at marlam.de (Martin Lambers) Date: Tue, 23 Aug 2005 00:06:12 +0200 Subject: [Help-gnutls] Re: Build gnutls on windows In-Reply-To: References: <79ae4fa105082209277b2fbfc6@mail.gmail.com> <20050822175128.GA8086@cthulhu.lambers.home> Message-ID: <20050822220612.GA7344@cthulhu.lambers.home> On Mon, 22. Aug 2005, 20:26:07 +0200, Simon Josefsson wrote: > I'll try to fix getpass. There is no reason for the tool to use mmap > to read keys/certificates; a patch to fix this would be appreciated. The attached patch against src/cli.c uses only C89 functions. It works for me. Regards, Martin From marlam at marlam.de Tue Aug 23 00:09:15 2005 From: marlam at marlam.de (Martin Lambers) Date: Tue, 23 Aug 2005 00:09:15 +0200 Subject: [Help-gnutls] Re: Build gnutls on windows In-Reply-To: References: <79ae4fa105082209277b2fbfc6@mail.gmail.com> <20050822175128.GA8086@cthulhu.lambers.home> Message-ID: <20050822220915.GA7425@cthulhu.lambers.home> [Sorry, I forgot to attach the patch. Here it is.] On Mon, 22. Aug 2005, 20:26:07 +0200, Simon Josefsson wrote: > I'll try to fix getpass. There is no reason for the tool to use mmap > to read keys/certificates; a patch to fix this would be appreciated. The attached patch against src/cli.c uses only C89 functions. It works for me. Regards, Martin -------------- next part -------------- --- cli.c.orig 2005-05-26 17:23:01.000000000 +0200 +++ cli.c 2005-08-22 23:51:20.623805000 +0200 @@ -124,35 +124,33 @@ /* Helper functions to load a certificate and key - * files into memory. They use mmap for simplicity. + * files into memory. */ -static gnutls_datum mmap_file(const char *file) +static gnutls_datum load_file(const char *file) { - int fd; - gnutls_datum mmaped_file = { NULL, 0 }; - struct stat stat_st; + FILE *f; + gnutls_datum loaded_file = { NULL, 0 }; + long filelen; void *ptr; - fd = open(file, 0); - if (fd == -1) - return mmaped_file; - - fstat(fd, &stat_st); - - if ((ptr = - mmap(NULL, stat_st.st_size, PROT_READ, MAP_SHARED, fd, - 0)) == MAP_FAILED) - return mmaped_file; - - mmaped_file.data = ptr; - mmaped_file.size = stat_st.st_size; - - return mmaped_file; + if (!(f = fopen(file, "r")) + || fseek(f, 0, SEEK_END) != 0 + || (filelen = ftell(f)) < 0 + || fseek(f, 0, SEEK_SET) != 0 + || !(ptr = malloc((size_t)filelen)) + || fread(ptr, 1, (size_t)filelen, f) < (size_t)filelen) + { + return loaded_file; + } + + loaded_file.data = ptr; + loaded_file.size = (unsigned int)filelen; + return loaded_file; } -static void munmap_file(gnutls_datum data) +static void unload_file(gnutls_datum data) { - munmap(data.data, data.size); + free(data.data); } #define MAX_CRT 6 @@ -172,7 +170,7 @@ gnutls_datum data; if (x509_certfile != NULL && x509_keyfile != NULL) { - data = mmap_file(x509_certfile); + data = load_file(x509_certfile); if (data.data == NULL) { fprintf(stderr, "*** Error loading cert file.\n"); exit(1); @@ -196,9 +194,9 @@ x509_crt_size = ret; /* fprintf(stderr, "Processed %d client certificates...\n", ret); */ - munmap_file(data); + unload_file(data); - data = mmap_file(x509_keyfile); + data = load_file(x509_keyfile); if (data.data == NULL) { fprintf(stderr, "*** Error loading key file.\n"); exit(1); @@ -215,11 +213,11 @@ exit(1); } - munmap_file(data); + unload_file(data); } #ifdef USE_OPENPGP if (pgp_certfile != NULL && pgp_keyfile != NULL) { - data = mmap_file(pgp_certfile); + data = load_file(pgp_certfile); if (data.data == NULL) { fprintf(stderr, "*** Error loading PGP cert file.\n"); exit(1); @@ -236,9 +234,9 @@ exit(1); } - munmap_file(data); + unload_file(data); - data = mmap_file(x509_keyfile); + data = load_file(x509_keyfile); if (data.data == NULL) { fprintf(stderr, "*** Error loading PGP key file.\n"); exit(1); @@ -257,7 +255,7 @@ exit(1); } - munmap_file(data); + unload_file(data); } #endif From jas at extundo.com Tue Aug 23 11:38:28 2005 From: jas at extundo.com (Simon Josefsson) Date: Tue, 23 Aug 2005 11:38:28 +0200 Subject: [Help-gnutls] Re: Build gnutls on windows In-Reply-To: <20050822220915.GA7425@cthulhu.lambers.home> (Martin Lambers's message of "Tue, 23 Aug 2005 00:09:15 +0200") References: <79ae4fa105082209277b2fbfc6@mail.gmail.com> <20050822175128.GA8086@cthulhu.lambers.home> <20050822220915.GA7425@cthulhu.lambers.home> Message-ID: Martin Lambers writes: > [Sorry, I forgot to attach the patch. Here it is.] > > On Mon, 22. Aug 2005, 20:26:07 +0200, Simon Josefsson wrote: >> I'll try to fix getpass. There is no reason for the tool to use mmap >> to read keys/certificates; a patch to fix this would be appreciated. > > The attached patch against src/cli.c uses only C89 functions. It works > for me. The patch look good! To be able to use it, you'll have to assign copyright of your work to the FSF. Is this OK with you? I can send you the required form offline. Thanks, Simon From nmav at gnutls.org Tue Aug 23 20:31:21 2005 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 23 Aug 2005 20:31:21 +0200 Subject: [Help-gnutls] CA cert verification In-Reply-To: References: Message-ID: <200508232031.21862.nmav@gnutls.org> On Monday 22 August 2005 09:56, Daniel Stenberg wrote: Hello, > I have a little problem with my GnuTLS-enabled libcurl and CA cert > verifying a server. If I build it with OpenSSL instead it succeeds (using > the same CA cert file I should say). > > Can you perhaps point out an obvious flaw in this flow? > gnutls_certificate_allocate_credentials() > gnutls_certificate_set_x509_trust_file() - if a CA file has been provided You may want to check the return value to see how many certificates were loaded. > gnutls_init() > gnutls_set_default_priority() > gnutls_certificate_type_set_priority() > gnutls_credentials_set() - sets the cred with the CA file, afaik understood > gnutls_transport_set_ptr() - sets the file descriptor for the socket > gnutls_handshake() - handshake, done non-blocking but I doubt that matters It doesn't. > gnutls_certificate_get_peers() > gnutls_certificate_verify_peers2() - this seems to always return error with > the 'verify_status' integer (that the second argument points to) set to 66 > on exit. What is the error number returned? The status is garbage if this function returns an error code. The sequence looks good. It is just like gnutls-cli, so the problem is somewhere in the details. > $ curl -v https://gmail.google.com/ --cacert > /usr/share/curl/curl-ca-bundle.crt What does gnutls-cli gives with the same input? -- Nikos Mavrogiannopoulos From marlam at marlam.de Tue Aug 23 22:19:36 2005 From: marlam at marlam.de (Martin Lambers) Date: Tue, 23 Aug 2005 22:19:36 +0200 Subject: [Help-gnutls] Re: Build gnutls on windows In-Reply-To: References: <79ae4fa105082209277b2fbfc6@mail.gmail.com> <20050822175128.GA8086@cthulhu.lambers.home> <20050822220915.GA7425@cthulhu.lambers.home> Message-ID: <20050823201935.GA24128@cthulhu.lambers.home> On Tue, 23. Aug 2005, 11:38:28 +0200, Simon Josefsson wrote: > >> I'll try to fix getpass. There is no reason for the tool to use mmap > >> to read keys/certificates; a patch to fix this would be appreciated. > > > > The attached patch against src/cli.c uses only C89 functions. It works > > for me. > > The patch look good! To be able to use it, you'll have to assign > copyright of your work to the FSF. Is this OK with you? I can send > you the required form offline. The copyright assignment process is started. The patch unfortunately leaves '#include ' (line 30) in cli.c. This line must be removed. A corrected patch is attached. As a test, I changed gl/getpass.h and gl/getpass.c so that it compiles on Win32 (and always returns NULL ;) After that, a crossbuild with the Debian mingw32 package worked fine! So a gnulib getpass module that works for MinGW is all that is missing for a successful Win32 build. I have one question, though: src/common.h defines socklen_t to int for Win32. This is a redefinition since configure previously detected a missing socklen_t and then defined it to be size_t in config.h. I think the definition in src/common.h (line 11) should be removed, and the configure script should always define socklen_t to int. The 'NOTE' section in the Linux connect(2) man page says that it was historically an int, and Win32 and MacOS X still use int. Last, I wrote a simple getpass() version for Win32 (attached). This works completely different from the gnulib getpass module since - Windows has no /dev/tty concept - Windows cannot switch terminal properties (AFAIK). I have no idea how something like this could be properly integrated into a gnulib module. Regards, Martin -------------- next part -------------- --- cli.c.orig 2005-05-26 17:23:01.000000000 +0200 +++ cli.c 2005-08-23 22:06:55.902740000 +0200 @@ -27,7 +27,6 @@ #include #include #include -#include #include #include #include @@ -124,35 +123,33 @@ /* Helper functions to load a certificate and key - * files into memory. They use mmap for simplicity. + * files into memory. */ -static gnutls_datum mmap_file(const char *file) +static gnutls_datum load_file(const char *file) { - int fd; - gnutls_datum mmaped_file = { NULL, 0 }; - struct stat stat_st; + FILE *f; + gnutls_datum loaded_file = { NULL, 0 }; + long filelen; void *ptr; - fd = open(file, 0); - if (fd == -1) - return mmaped_file; - - fstat(fd, &stat_st); - - if ((ptr = - mmap(NULL, stat_st.st_size, PROT_READ, MAP_SHARED, fd, - 0)) == MAP_FAILED) - return mmaped_file; - - mmaped_file.data = ptr; - mmaped_file.size = stat_st.st_size; - - return mmaped_file; + if (!(f = fopen(file, "r")) + || fseek(f, 0, SEEK_END) != 0 + || (filelen = ftell(f)) < 0 + || fseek(f, 0, SEEK_SET) != 0 + || !(ptr = malloc((size_t)filelen)) + || fread(ptr, 1, (size_t)filelen, f) < (size_t)filelen) + { + return loaded_file; + } + + loaded_file.data = ptr; + loaded_file.size = (unsigned int)filelen; + return loaded_file; } -static void munmap_file(gnutls_datum data) +static void unload_file(gnutls_datum data) { - munmap(data.data, data.size); + free(data.data); } #define MAX_CRT 6 @@ -172,7 +169,7 @@ gnutls_datum data; if (x509_certfile != NULL && x509_keyfile != NULL) { - data = mmap_file(x509_certfile); + data = load_file(x509_certfile); if (data.data == NULL) { fprintf(stderr, "*** Error loading cert file.\n"); exit(1); @@ -196,9 +193,9 @@ x509_crt_size = ret; /* fprintf(stderr, "Processed %d client certificates...\n", ret); */ - munmap_file(data); + unload_file(data); - data = mmap_file(x509_keyfile); + data = load_file(x509_keyfile); if (data.data == NULL) { fprintf(stderr, "*** Error loading key file.\n"); exit(1); @@ -215,11 +212,11 @@ exit(1); } - munmap_file(data); + unload_file(data); } #ifdef USE_OPENPGP if (pgp_certfile != NULL && pgp_keyfile != NULL) { - data = mmap_file(pgp_certfile); + data = load_file(pgp_certfile); if (data.data == NULL) { fprintf(stderr, "*** Error loading PGP cert file.\n"); exit(1); @@ -236,9 +233,9 @@ exit(1); } - munmap_file(data); + unload_file(data); - data = mmap_file(x509_keyfile); + data = load_file(x509_keyfile); if (data.data == NULL) { fprintf(stderr, "*** Error loading PGP key file.\n"); exit(1); @@ -257,7 +254,7 @@ exit(1); } - munmap_file(data); + unload_file(data); } #endif -------------- next part -------------- A non-text attachment was scrubbed... Name: win32-getpass.h Type: text/x-chdr Size: 114 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: win32-getpass.c Type: text/x-csrc Size: 617 bytes Desc: not available URL: From daniel at haxx.se Tue Aug 23 23:25:27 2005 From: daniel at haxx.se (Daniel Stenberg) Date: Tue, 23 Aug 2005 23:25:27 +0200 (CEST) Subject: [Help-gnutls] CA cert verification In-Reply-To: <200508232031.21862.nmav@gnutls.org> References: <200508232031.21862.nmav@gnutls.org> Message-ID: On Tue, 23 Aug 2005, Nikos Mavrogiannopoulos wrote: Thanks for responding! >> gnutls_certificate_set_x509_trust_file() - if a CA file has been provided > You may want to check the return value to see how many certificates were > loaded. It returns 59. And incidently: $ grep -c "BEGIN CERTIFICATE" /usr/share/curl/curl-ca-bundle.crt 59 >> gnutls_certificate_verify_peers2() - this seems to always return error with >> the 'verify_status' integer (that the second argument points to) set to 66 >> on exit. > What is the error number returned? The status is garbage if this function > returns an error code. It returns zero. It bails out in case it returns a < 0 value. > The sequence looks good. It is just like gnutls-cli, so the problem is > somewhere in the details. > >> $ curl -v https://gmail.google.com/ --cacert >> /usr/share/curl/curl-ca-bundle.crt > What does gnutls-cli gives with the same input? (Still using 1.2.0) $ gnutls-cli --x509certfile /usr/share/curl/curl-ca-bundle.crt gmail.google.com ... - Peer's certificate issuer is unknown - Peer's certificate is NOT trusted ... So it seems it agrees with what my code ends up thinking... ? Or am I not doing the right gnutls-cli command line? Any chance this is a problem that has been fixed since this version I use? The same verifying command line, using the openssl tool I believe would be: $ openssl s_client -connect gmail.google.com:443 -CAfile /usr/share/curl/curl-ca-bundle.crt It reports success. -- -=- Daniel Stenberg -=- http://daniel.haxx.se -=- ech`echo xiun|tr nu oc|sed 'sx$[sx]$$[xoi]$xo un\2\1 is xg'`ol From jas at extundo.com Tue Aug 23 23:58:29 2005 From: jas at extundo.com (Simon Josefsson) Date: Tue, 23 Aug 2005 23:58:29 +0200 Subject: [Help-gnutls] Re: Build gnutls on windows In-Reply-To: <20050823201935.GA24128@cthulhu.lambers.home> (Martin Lambers's message of "Tue, 23 Aug 2005 22:19:36 +0200") References: <79ae4fa105082209277b2fbfc6@mail.gmail.com> <20050822175128.GA8086@cthulhu.lambers.home> <20050822220915.GA7425@cthulhu.lambers.home> <20050823201935.GA24128@cthulhu.lambers.home> Message-ID: Martin Lambers writes: > On Tue, 23. Aug 2005, 11:38:28 +0200, Simon Josefsson wrote: >> >> I'll try to fix getpass. There is no reason for the tool to use mmap >> >> to read keys/certificates; a patch to fix this would be appreciated. >> > >> > The attached patch against src/cli.c uses only C89 functions. It works >> > for me. >> >> The patch look good! To be able to use it, you'll have to assign >> copyright of your work to the FSF. Is this OK with you? I can send >> you the required form offline. > > The copyright assignment process is started. Thanks! > The patch unfortunately leaves '#include ' (line 30) in cli.c. > This line must be removed. A corrected patch is attached. Looks good. I'll wait with installing this until the papers have arrived. > As a test, I changed gl/getpass.h and gl/getpass.c so that it compiles > on Win32 (and always returns NULL ;) > After that, a crossbuild with the Debian mingw32 package worked fine! So > a gnulib getpass module that works for MinGW is all that is missing for > a successful Win32 build. Ok. I have discovered more problems with getpass when cross-compiling GnuTLS to a uClibc system. It seems getpass will require some work... However, this shouldn't be too difficult. getpass is conceptually simple. > I have one question, though: src/common.h defines socklen_t to int for > Win32. This is a redefinition since configure previously detected a > missing socklen_t and then defined it to be size_t in config.h. > I think the definition in src/common.h (line 11) should be removed, and > the configure script should always define socklen_t to int. The > 'NOTE' section in the Linux connect(2) man page says that it was > historically an int, and Win32 and MacOS X still use int. Installed in CVS now. > Last, I wrote a simple getpass() version for Win32 (attached). This > works completely different from the gnulib getpass module since > - Windows has no /dev/tty concept > - Windows cannot switch terminal properties (AFAIK). > I have no idea how something like this could be properly integrated into > a gnulib module. I will attempt to incorporate your ideas into the gnulib getpass module. Thanks, Simon From daniel at haxx.se Wed Aug 24 00:05:18 2005 From: daniel at haxx.se (Daniel Stenberg) Date: Wed, 24 Aug 2005 00:05:18 +0200 (CEST) Subject: [Help-gnutls] CA cert verification In-Reply-To: References: <200508232031.21862.nmav@gnutls.org> Message-ID: On Tue, 23 Aug 2005, Daniel Stenberg wrote: > Any chance this is a problem that has been fixed since this version I use? I just tried 1.2.6 and it behaves exactly the same way I described, both the lib when used by my code and the gnutls-cli tool. -- -=- Daniel Stenberg -=- http://daniel.haxx.se -=- ech`echo xiun|tr nu oc|sed 'sx$[sx]$$[xoi]$xo un\2\1 is xg'`ol From jas at extundo.com Wed Aug 24 00:11:22 2005 From: jas at extundo.com (Simon Josefsson) Date: Wed, 24 Aug 2005 00:11:22 +0200 Subject: [Help-gnutls] Re: CA cert verification In-Reply-To: (Daniel Stenberg's message of "Tue, 23 Aug 2005 23:25:27 +0200 (CEST)") References: <200508232031.21862.nmav@gnutls.org> Message-ID: Daniel Stenberg writes: >>> $ curl -v https://gmail.google.com/ --cacert >>> /usr/share/curl/curl-ca-bundle.crt >> What does gnutls-cli gives with the same input? > > (Still using 1.2.0) > > $ gnutls-cli --x509certfile /usr/share/curl/curl-ca-bundle.crt gmail.google.com > ... > - Peer's certificate issuer is unknown > - Peer's certificate is NOT trusted > ... > > So it seems it agrees with what my code ends up thinking... ? Or am I not > doing the right gnutls-cli command line? > > Any chance this is a problem that has been fixed since this version I use? Using gnutls-cli from GnuTLS 1.2.6 appears to be able to connect and verify the peer fine here (see below). Cheers, Simon jas at latte:~$ gnutls-cli --x509cafile /usr/share/curl/curl-ca-bundle.crt gmail.google.com Processed 59 CA certificate(s). Resolving 'gmail.google.com'... Connecting to '64.233.183.107:443'... - Certificate type: X.509 - Got a certificate list of 2 certificates. - Certificate[0] info: # The hostname in the certificate matches 'gmail.google.com'. # valid since: Wed Jun 8 00:12:57 CEST 2005 # expires at: Thu Jun 8 00:12:57 CEST 2006 # fingerprint: 1E:56:99:FD:16:73:C1:95:8F:9F:AD:43:29:F1:93:5A # Subject's DN: C=US,ST=California,L=Mountain View,O=Google Inc,CN=gmail.google.com # Issuer's DN: C=ZA,O=Thawte Consulting (Pty) Ltd.,CN=Thawte SGC CA - Certificate[1] info: # valid since: Thu May 13 02:00:00 CEST 2004 # expires at: Tue May 13 01:59:59 CEST 2014 # fingerprint: 84:84:03:56:10:85:53:ED:9A:CA:60:B5:FA:99:D3:31 # Subject's DN: C=ZA,O=Thawte Consulting (Pty) Ltd.,CN=Thawte SGC CA # Issuer's DN: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority - Peer's certificate is trusted - Version: TLS 1.0 - Key Exchange: RSA - Cipher: AES 256 CBC - MAC: SHA - Compression: NULL - Handshake was completed - Simple Client Mode: ... From daniel at haxx.se Wed Aug 24 00:15:31 2005 From: daniel at haxx.se (Daniel Stenberg) Date: Wed, 24 Aug 2005 00:15:31 +0200 (CEST) Subject: [Help-gnutls] Re: CA cert verification In-Reply-To: References: <200508232031.21862.nmav@gnutls.org> Message-ID: On Wed, 24 Aug 2005, Simon Josefsson wrote: >> $ gnutls-cli --x509certfile /usr/share/curl/curl-ca-bundle.crt gmail.google.com > jas at latte:~$ gnutls-cli --x509cafile /usr/share/curl/curl-ca-bundle.crt gmail.google.com *Yikes* I didn't even use the correct command line option... :-O Thanks Simon. I'll go check the source code for gnutls-cli and see what I can learn from that. -- -=- Daniel Stenberg -=- http://daniel.haxx.se -=- ech`echo xiun|tr nu oc|sed 'sx$[sx]$$[xoi]$xo un\2\1 is xg'`ol From daniel at haxx.se Wed Aug 24 09:33:13 2005 From: daniel at haxx.se (Daniel Stenberg) Date: Wed, 24 Aug 2005 09:33:13 +0200 (CEST) Subject: [Help-gnutls] Re: CA cert verification In-Reply-To: References: <200508232031.21862.nmav@gnutls.org> Message-ID: On Wed, 24 Aug 2005, Simon Josefsson wrote: > jas at latte:~$ gnutls-cli --x509cafile /usr/share/curl/curl-ca-bundle.crt > gmail.google.com The key difference turns out to be: gnutls_certificate_set_verify_flags(cred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); Which gnutls-cli sets and I didn't. When I use this, I can successfully verify this server's certificate! Perhaps the gnutls_certificate_verify_peers2() description in the docs could hint about the possibility that this is needed? Another little nit that is slightly related: gnutls-cli uses the gnutls_certificate_verify_peers() function (alias, not the *2 version), there are numerous references to this function in the docs but there's no description for it... I take it the gnutls_certificate_verify_peers2() is the one we should be using, but it would probably be suitable if gnutls-cli was switched to use it and if the references in the docs were updated as well. -- -=- Daniel Stenberg -=- http://daniel.haxx.se -=- ech`echo xiun|tr nu oc|sed 'sx$[sx]$$[xoi]$xo un\2\1 is xg'`ol From jas at extundo.com Wed Aug 24 12:15:52 2005 From: jas at extundo.com (Simon Josefsson) Date: Wed, 24 Aug 2005 12:15:52 +0200 Subject: [Help-gnutls] Re: CA cert verification In-Reply-To: (Daniel Stenberg's message of "Wed, 24 Aug 2005 09:33:13 +0200 (CEST)") References: <200508232031.21862.nmav@gnutls.org> Message-ID: Daniel Stenberg writes: > On Wed, 24 Aug 2005, Simon Josefsson wrote: > >> jas at latte:~$ gnutls-cli --x509cafile >> /usr/share/curl/curl-ca-bundle.crt gmail.google.com > > The key difference turns out to be: > > gnutls_certificate_set_verify_flags(cred, > GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); > > Which gnutls-cli sets and I didn't. When I use this, I can > successfully verify this server's certificate! > > Perhaps the gnutls_certificate_verify_peers2() description in the docs could > hint about the possibility that this is needed? Good idea, I added: * Note that some commonly used X.509 Certificate Authorities are * still using Version 1 certificates. If you want to accept them, * you need to call gnutls_certificate_set_verify_flags() with, e.g., * %GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT parameter. > Another little nit that is slightly related: > > gnutls-cli uses the gnutls_certificate_verify_peers() function > (alias, not the *2 version), there are numerous references to this > function in the docs but there's no description for it... I take it > the gnutls_certificate_verify_peers2() is the one we should be > using, but it would probably be suitable if gnutls-cli was switched > to use it and if the references in the docs were updated as well. I fixed all reference to gnutls_certificate_verify_peers in the documentation that I could find. If you find any remaining occurrences, let me know. I also made the old function documented in GTK-DOC again, but with a reference to the new function. I fixed gnutls-cli too. Frankly, I'm not sure why gnutls_certificate_verify_peers is deprecated. The return values are negative for "real" errors, zero for success and positive for "soft" verification errors. Nikos? Thanks, Simon From marlam at marlam.de Wed Aug 24 17:58:13 2005 From: marlam at marlam.de (Martin Lambers) Date: Wed, 24 Aug 2005 17:58:13 +0200 Subject: [Help-gnutls] Re: CA cert verification In-Reply-To: References: <200508232031.21862.nmav@gnutls.org> Message-ID: <20050824155813.GA8611@cthulhu.lambers.home> On Wed, 24. Aug 2005, 12:15:52 +0200, Simon Josefsson wrote: > Good idea, I added: > > * Note that some commonly used X.509 Certificate Authorities are > * still using Version 1 certificates. If you want to accept them, > * you need to call gnutls_certificate_set_verify_flags() with, e.g., > * %GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT parameter. What is the reason why Version 1 certificates are not accepted by default? Is it safe to always set the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT flag? Martin From nmav at gnutls.org Wed Aug 24 19:41:24 2005 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 24 Aug 2005 19:41:24 +0200 Subject: [Help-gnutls] Re: CA cert verification In-Reply-To: References: Message-ID: <200508241941.24892.nmav@gnutls.org> On Wednesday 24 August 2005 12:15, Simon Josefsson wrote: [...] > > The key difference turns out to be: > > gnutls_certificate_set_verify_flags(cred, > > GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); [...] > * Note that some commonly used X.509 Certificate Authorities are > * still using Version 1 certificates. If you want to accept them, > * you need to call gnutls_certificate_set_verify_flags() with, e.g., > * %GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT parameter. Indeed, without this flag most of the old (really old) root certificates won't work. (it's funny that some of them even use md2!). > I fixed all reference to gnutls_certificate_verify_peers in the > documentation that I could find. If you find any remaining > occurrences, let me know. I also made the old function documented in > GTK-DOC again, but with a reference to the new function. I fixed > gnutls-cli too. > Frankly, I'm not sure why gnutls_certificate_verify_peers is > deprecated. The return values are negative for "real" errors, zero > for success and positive for "soft" verification errors. Nikos? The problem is that it very easy for this function to be misused. I didn't want to mix negative numbers and bit checking, that why I deprecated it. (and since it is deprecated it shouldn't be documented since it may be removed in future versions). -- Nikos Mavrogiannopoulos From nmav at gnutls.org Wed Aug 24 19:48:37 2005 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 24 Aug 2005 19:48:37 +0200 Subject: [Help-gnutls] Re: CA cert verification In-Reply-To: <20050824155813.GA8611@cthulhu.lambers.home> References: <20050824155813.GA8611@cthulhu.lambers.home> Message-ID: <200508241948.37895.nmav@gnutls.org> On Wednesday 24 August 2005 17:58, Martin Lambers wrote: > > * Note that some commonly used X.509 Certificate Authorities are > > * still using Version 1 certificates. If you want to accept them, > > * you need to call gnutls_certificate_set_verify_flags() with, e.g., > > * %GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT parameter. > What is the reason why Version 1 certificates are not accepted by > default? Is it safe to always set the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT > flag? In general it is not. A v1 certificate does not contain information about its status (ca, person etc). You may think that this is not that bad since this is a trusted list anyway. The problem arises when people add single non-ca certificates to this list. Say someone may add a certificate of a web site there. This should have the effect of this certificate to be able to certify others. This is not desirable. (the proper solution would be though not to use the trusted list for these non CA certificates). -- Nikos Mavrogiannopoulos From jas at extundo.com Thu Aug 25 23:57:22 2005 From: jas at extundo.com (Simon Josefsson) Date: Thu, 25 Aug 2005 23:57:22 +0200 Subject: [Help-gnutls] Re: CA cert verification In-Reply-To: <200508241941.24892.nmav@gnutls.org> (Nikos Mavrogiannopoulos's message of "Wed, 24 Aug 2005 19:41:24 +0200") References: <200508241941.24892.nmav@gnutls.org> Message-ID: Nikos Mavrogiannopoulos writes: >> I fixed all reference to gnutls_certificate_verify_peers in the >> documentation that I could find. If you find any remaining >> occurrences, let me know. I also made the old function documented in >> GTK-DOC again, but with a reference to the new function. I fixed >> gnutls-cli too. >> Frankly, I'm not sure why gnutls_certificate_verify_peers is >> deprecated. The return values are negative for "real" errors, zero >> for success and positive for "soft" verification errors. Nikos? > The problem is that it very easy for this function to be misused. > I didn't want to mix negative numbers and bit checking, that why I deprecated > it. (and since it is deprecated it shouldn't be documented since it may be > removed in future versions). Having documentation say the function is deprecated may help people move away from the function; otherwise they may stick with the function due to absence of knowledge that it is deprecated. Further, perhaps it is useful to do something that I do in GNU SASL for deprecated functions. The following causes GCC to give warnings when someone use a deprecated function. This hasn't caused me any problems on any non-GCC compiler. I'll see about installing this in GNUTLS too. Cheers, Simon #ifndef __attribute__ /* This feature is available in gcc versions 2.5 and later. */ # if __cplusplus == 1 || __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5) # define __attribute__(Spec) /* empty */ # endif #endif ... extern int gsasl_client_listmech (Gsasl * ctx, char *out, size_t * outlen) __attribute__ ((deprecated)); From jas at extundo.com Fri Aug 26 00:16:01 2005 From: jas at extundo.com (Simon Josefsson) Date: Fri, 26 Aug 2005 00:16:01 +0200 Subject: [Help-gnutls] Re: Build gnutls on windows In-Reply-To: <79ae4fa105082209277b2fbfc6@mail.gmail.com> (venkat akella's message of "Mon, 22 Aug 2005 09:27:24 -0700") References: <79ae4fa105082209277b2fbfc6@mail.gmail.com> Message-ID: venkat akella writes: > Hi > I am trying to build the gnutls-1.2.6 on windows using MingW/Msys > environment. But getting some compilation errors saying that termios.h > is not found. I believe I have fixed the getpass module now (which used termios.h). Please test today's daily snapshot: http://josefsson.org/daily/gnutls/gnutls-20050826.tar.gz I think the only remaining problem for Mingw32 is the use of mmap in gnutls-cli, but once Martin's copyright assignment has arrived, it will be solved too. I'll likely release 1.2.7 within a few days, before Martin's patch can be installed, though. Regards, Simon