From laurent.birtz at kryptiva.com Fri Jan 4 21:17:51 2008 From: laurent.birtz at kryptiva.com (Laurent Birtz) Date: Fri, 04 Jan 2008 15:17:51 -0500 Subject: [Help-gnutls] Behavior of gnutls_record_recv() Message-ID: <477E946F.7050602@kryptiva.com> Hello, I am considering using GnuTLS as a replacement of openssl for securing communications between two processes, A and B. However, I am not using a typical client-server model, where the server waits for a query from the client and the client waits for the reply from the server. Instead, A and B are peer processes, and each one can independently decide at any time to send a message to the other side. It is possible that one process fill up its input or output queue because the two processes are not operating at the same speed. Therefore, read and write quenching must be supported. For instance, if the input queue of a process is full, then this process must stop reading data from the other side but continue writing data to the other side. Can I use GnuTLS to fullfill these requirements? I am especially concerned with the gnutls_record_recv() and gnutls_record_send() functions that can return GNUTLS_E_REHANDSHAKE, GNUTLS_E_INTERRUPTED or GNUTLS_E_AGAIN (I am using non-blocking sockets). The documentation says that handshake requests can be ignored. For my quenching scheme to be implementable, it is important that after a call to gnutls_record_send() that returns GNUTLS_E_AGAIN, gnutls_record_get_direction() only returns 1, i.e. wait for socket to be writable. Otherwise, if gnutls_record_get_direction() returns 0, then this means that more data will need to be received from the remote side, and this will bust my buffer capacity (in that case, the GnuTLS internal buffer might keep growing indefinitely). Pseudo-code showing my application logic: loop: int must_read = 0, must_write = 0; if (! input_queue.is_full()) { int error = gnutls_record_recv(...); if (! error) { input_queue.push(...); /* Read again later. */ must_read = 1; } else if (error == GNUTLS_E_INTERRUPTED || error == GNUTLS_E_AGAIN) { /* This must hold!! */ assert(gnutls_record_get_direction(...) == 0); must_read = 1; } ... handle other errors ... } if (! output_queue.is_empty()) { int error = gnutls_record_send(...); if (! error) { /* Write again later. */ must_write = 1; } else if (error == GNUTLS_E_INTERRUPTED || error == GNUTLS_E_AGAIN) { /* This must hold!! */ assert(gnutls_record_get_direction(...) == 1); must_write = 1; } ... handle other errors ... } select() according to must_read and must_write; goto loop; Thanks a lot for your time, Laurent Birtz From nmav at gnutls.org Sun Jan 6 14:54:21 2008 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sun, 6 Jan 2008 15:54:21 +0200 Subject: [Help-gnutls] Behavior of gnutls_record_recv() In-Reply-To: <477E946F.7050602@kryptiva.com> References: <477E946F.7050602@kryptiva.com> Message-ID: <200801061554.21866.nmav@gnutls.org> On Friday 04 January 2008, Laurent Birtz wrote: > Hello, > I am considering using GnuTLS as a replacement of openssl for securing > communications between two processes, A and B. However, I am not using a > typical client-server model, where the server waits for a query from the > client and the client waits for the reply from the server. Instead, A > and B are peer processes, and each one can independently decide at any > time to send a message to the other side. This does not really matter. You can send and receive arbitrary messages at any time. However why encrypt communication between processes? > It is possible that one process fill up its input or output queue > because the two processes are not operating at the same speed. > Therefore, read and write quenching must be supported. For instance, if > the input queue of a process is full, then this process must stop > reading data from the other side but continue writing data to the other > side. Is this something you expect from gnutls to do? > Can I use GnuTLS to fullfill these requirements? I am especially > concerned with the gnutls_record_recv() and gnutls_record_send() > functions that can return GNUTLS_E_REHANDSHAKE, GNUTLS_E_INTERRUPTED or > GNUTLS_E_AGAIN (I am using non-blocking sockets). GNUTLS_E_REHANDSHAKE you can ignore totally unless you explicitely request a rehandshake. > For my quenching scheme to be > implementable, it is important that after a call to gnutls_record_send() > that returns GNUTLS_E_AGAIN, gnutls_record_get_direction() only returns > 1, i.e. wait for socket to be writable. Otherwise, if > gnutls_record_get_direction() returns 0, then this means that more data > will need to be received from the remote side, and this will bust my > buffer capacity (in that case, the GnuTLS internal buffer might keep > growing indefinitely). the get_direction() function works as you describe so it might suit you. regards, Nikos From christoph_zettl at web.de Thu Jan 10 12:25:11 2008 From: christoph_zettl at web.de (Christoph Zettl) Date: Thu, 10 Jan 2008 12:25:11 +0100 Subject: [Help-gnutls] Problem compiling gnutls with msys Message-ID: <467048381@web.de> Hi, I have compiled and installed libgpg-error and libgcrypt. configuring gnutls works fine. but with mingw32-make there comes following output: c:\mingw\bin\mingw32-make.exe[3]: Leaving directory `c:/gnutls-2.2.0/lib/minitasn1' c:\mingw\bin\mingw32-make.exe[3]: Entering directory `c:/gnutls-2.2.0/lib' C:/msys/1.0/bin/sh.exe ../libtool --tag=CC --mode=compile gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -DLOCALEDIR=\"/usr/local/share/locale\" -I../lgl -I../lgl -I../includes -I../includes -I./x509 -I../libextra -I../libextra/openpgp/ -I../libextra/opencdk -I/usr/local/include -I./minitasn1 -g -O2 -D_REENTRANT -D_THREAD_SAFE -pipe -I/usr/local/include -g -O2 -D_REENTRANT -D_THREAD_SAFE -MT gnutls_record.lo -MD -MP -MF .deps/gnutls_record.Tpo -c -o gnutls_record.lo gnutls_record.c Xgnutls_record.Tpo -c -o gnutls_record.lo gnutls_record.lo libtool: compile: libobj name `gnutls_record.Tpo -c -o gnutls_record.lo gnutls_record.lo' may not contain shell special characters. rm: invalid option -- c Try `rm --help' for more information. gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. "-DLOCALEDIR=\\/usr/local/share/locale\" -I../lgl -I../lgl -I../includes -I../includes -I./x509 -I../libextra -I../libextra/openpgp/ -I../libextra/opencdk -I/usr/local/include -I./minitasn1 -g -O2 -D_REENTRANT -D_THREAD_SAFE -pipe -I/usr/local/include -g -O2 -D_REENTRANT -D_THREAD_SAFE -MT gnutls_record.lo -MD -MP -MF .deps/gnutls_record.Tpo -c -o gnutls_record.lo gnutls_record.c" -DDLL_EXPORT -DPIC -o .libs/gnutls_record.Tpo -c -o gnutls_record.lo gnutls_record.o gcc.exe: gnutls_record.o: No such file or directory gcc.exe: no input files c:\mingw\bin\mingw32-make.exe[3]: *** [gnutls_record.lo] Error 1 c:\mingw\bin\mingw32-make.exe[3]: Leaving directory `c:/gnutls-2.2.0/lib' c:\mingw\bin\mingw32-make.exe[2]: *** [all-recursive] Error 1 c:\mingw\bin\mingw32-make.exe[2]: Leaving directory `c:/gnutls-2.2.0/lib' mingw32-make.exe[1]: *** [all-recursive] Error 1 mingw32-make.exe[1]: Leaving directory `c:/gnutls-2.2.0' c:\mingw\bin\mingw32-make.exe: *** [all] Error 2 might be cause of: .c.lo: $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo # source='$<' object='$@' [mailto:object='$@'] libtool=yes \ # DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) \ # $(LTCOMPILE) -c -o $@ $< in makefile Thanks Christoph Der WEB.DE SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen! *http://smartsurfer.web.de/?mc=100071&distributionid=000000000066* [http://smartsurfer.web.de/?mc=100071&distributionid=000000000066] -------------- next part -------------- An HTML attachment was scrubbed... URL: From simon at josefsson.org Thu Jan 10 17:21:20 2008 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 10 Jan 2008 17:21:20 +0100 Subject: [Help-gnutls] Re: Problem compiling gnutls with msys In-Reply-To: <467048381@web.de> (Christoph Zettl's message of "Thu, 10 Jan 2008 12:25:11 +0100") References: <467048381@web.de> Message-ID: <87odbtk5xb.fsf@mocca.josefsson.org> Christoph Zettl writes: > Hi, > > I have compiled and installed libgpg-error and libgcrypt. > > configuring gnutls works fine. > > but with mingw32-make there comes following output: Could it be that the LOCALEDIR path is causing problems? It seems like it is terminated with a \ thereby escaping the " after it. How did you invoke ./configure? Maybe you could avoid all trailing '/' or '\' in paths. If that doesn't solve it, please send the config.log and ./configure output. /Simon > c:\mingw\bin\mingw32-make.exe[3]: Leaving directory `c:/gnutls-2.2.0/lib/minitasn1' > c:\mingw\bin\mingw32-make.exe[3]: Entering directory `c:/gnutls-2.2.0/lib' > C:/msys/1.0/bin/sh.exe ../libtool --tag=CC --mode=compile gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -DLOCALEDIR=\"/usr/local/share/locale\" -I../lgl -I../lgl -I../includes -I../includes -I./x509 -I../libextra -I../libextra/openpgp/ -I../libextra/opencdk -I/usr/local/include -I./minitasn1 -g -O2 -D_REENTRANT -D_THREAD_SAFE -pipe -I/usr/local/include -g -O2 -D_REENTRANT -D_THREAD_SAFE -MT gnutls_record.lo -MD -MP -MF .deps/gnutls_record.Tpo -c -o gnutls_record.lo gnutls_record.c > Xgnutls_record.Tpo -c -o gnutls_record.lo gnutls_record.lo > libtool: compile: libobj name `gnutls_record.Tpo -c -o gnutls_record.lo gnutls_record.lo' may not contain shell special characters. > rm: invalid option -- c > Try `rm --help' for more information. > gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. "-DLOCALEDIR=\\/usr/local/share/locale\" -I../lgl -I../lgl -I../includes -I../includes -I./x509 -I../libextra -I../libextra/openpgp/ -I../libextra/opencdk -I/usr/local/include -I./minitasn1 -g -O2 -D_REENTRANT -D_THREAD_SAFE -pipe -I/usr/local/include -g -O2 -D_REENTRANT -D_THREAD_SAFE -MT gnutls_record.lo -MD -MP -MF .deps/gnutls_record.Tpo -c -o gnutls_record.lo gnutls_record.c" -DDLL_EXPORT -DPIC -o .libs/gnutls_record.Tpo -c -o gnutls_record.lo gnutls_record.o > gcc.exe: gnutls_record.o: No such file or directory > gcc.exe: no input files > c:\mingw\bin\mingw32-make.exe[3]: *** [gnutls_record.lo] Error 1 > c:\mingw\bin\mingw32-make.exe[3]: Leaving directory `c:/gnutls-2.2.0/lib' > c:\mingw\bin\mingw32-make.exe[2]: *** [all-recursive] Error 1 > c:\mingw\bin\mingw32-make.exe[2]: Leaving directory `c:/gnutls-2.2.0/lib' > mingw32-make.exe[1]: *** [all-recursive] Error 1 > mingw32-make.exe[1]: Leaving directory `c:/gnutls-2.2.0' > c:\mingw\bin\mingw32-make.exe: *** [all] Error 2 > > > > might be cause of: > > .c.lo: > $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< > mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo > # source='$<' object='$@' [mailto:object='$@'] libtool=yes \ > # DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) \ > # $(LTCOMPILE) -c -o $@ $< > > in makefile > > > > Thanks > > Christoph > > > > > Der WEB.DE SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen! > *http://smartsurfer.web.de/?mc=100071&distributionid=000000000066* [http://smartsurfer.web.de/?mc=100071&distributionid=000000000066] > _______________________________________________ > Help-gnutls mailing list > Help-gnutls at gnu.org > http://lists.gnu.org/mailman/listinfo/help-gnutls From simon at josefsson.org Fri Jan 18 16:25:07 2008 From: simon at josefsson.org (Simon Josefsson) Date: Fri, 18 Jan 2008 16:25:07 +0100 Subject: [Help-gnutls] GnuTLS 2.2.1 Message-ID: <87wsq7xijw.fsf@mocca.josefsson.org> We are pleased to announce a new stable GnuTLS release: Version 2.2.1. GnuTLS is a modern C library that implement the standard network security protocol Transport Layer Security (TLS), for use by network applications. GnuTLS is developed for GNU/Linux, but works on many Unix-like systems and comes with a binary installer for Windows. The core GnuTLS library is distribute under the terms of the GNU Lesser General Public License version 2.1 (or later). The "extra" GnuTLS libraries -- which contains OpenPGP and TLS/IA support, LZO compression, the OpenSSL compatibility library -- and the self tests and command line tools are distributed under the GNU General Public License version 3.0 (or later). The manual is distributed under the GNU Free Documentation License version 1.2 (or later). The project page of the library is available at: http://www.gnutls.org/ http://www.gnu.org/software/gnutls/ http://josefsson.org/gnutls/ What's New ========== * Version 2.2.1 (released 2008-01-17) ** Prevent linking libextra against previously installed libgnutls. Tiny patch from "Alon Bar-Lev" , see . ** Fixes the post_client_hello_function(). The extensions are now parsed in a callback friendly way. ** Fix for certificate selection in servers with certificate callbacks. ** API and ABI modifications: No changes since last version. Getting the Software ==================== GnuTLS may be downloaded from one of the mirror sites or direct from . The list of mirrors can be found at . Note, that GnuPG is not available at ftp.gnu.org. Here are the BZIP2 compressed sources (4.8MB): ftp://ftp.gnutls.org/pub/gnutls/gnutls-2.2.1.tar.bz2 http://josefsson.org/gnutls/releases/gnutls-2.2.1.tar.bz2 Here are OpenPGP detached signatures signed using key 0xB565716F: ftp://ftp.gnutls.org/pub/gnutls/gnutls-2.2.1.tar.bz2.sig http://josefsson.org/gnutls/releases/gnutls-2.2.1.tar.bz2.sig Note, that we don't distribute gzip compressed tarballs. In order to check that the version of GnuTLS which you are going to install is an original and unmodified one, you should verify the OpenPGP signature. You can use the command gpg --verify gnutls-2.2.1.tar.bz2.sig This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. The signing key can be identified with the following information: pub 1280R/B565716F 2002-05-05 [expires: 2008-06-30] Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F uid Simon Josefsson uid Simon Josefsson sub 1280R/4D5D40AE 2002-05-05 [expires: 2008-06-30] The key is available from: http://josefsson.org/key.txt dns:b565716f.josefsson.org?TYPE=CERT Alternatively, after successfully verifying the OpenPGP signature of this announcement, you could verify that the files match the following checksum values. The values are for SHA-1 and SHA-224 respectively: cfc219dad028fd823be766d939dfcec73a408844 gnutls-2.2.1.tar.bz2 6a70a48e88ce47fe56abbae720da86fcfe4039c67fb6d826f42fb8f9 gnutls-2.2.1.tar.bz2 Documentation ============= The manual is available online at: http://www.gnu.org/software/gnutls/documentation.html In particular the following formats are available: HTML: http://www.gnu.org/software/gnutls/manual/html_node/index.html PDF: http://www.gnu.org/software/gnutls/manual/gnutls.pdf For developers there is a GnuTLS API reference manual formatted using the GTK-DOC tools: http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html Community ========= If you need help to use GnuTLS, or want to help others, you are invited to join our help-gnutls mailing list, see: . If you wish to participate in the development of GnuTLS, you are invited to join our gnutls-devel mailing list, see: . Windows installer ================= GnuTLS has been ported to the Windows operating system, and a binary installer is available. The installer contains DLLs for application development, manuals, examples, and source code. The installer consists of libgpg-error 1.6, libgcrypt 1.4.0, libtasn1 1.2, opencdk 0.6.6, and GnuTLS 2.2.1. For more information about GnuTLS for Windows: http://josefsson.org/gnutls4win/ The Windows binary installer and PGP signature: http://josefsson.org/gnutls4win/gnutls-2.2.1.exe (14MB) http://josefsson.org/gnutls4win/gnutls-2.2.1.exe.sig The checksum values for SHA-1 and SHA-224 are: e0c4662c45cca62150f22cd3ce9ee13e0cb8671b gnutls-2.2.1.exe d91d151da3bf2564851bd28c9bcf6c37ec6f806345a6d3727525caa7 gnutls-2.2.1.exe Internationalization ==================== GnuTLS messages have been translated into Dutch, German, Malay, Polish and Swedish. We welcome the addition of more translations. Support ======= Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. The GnuTLS service directory is available at: http://www.gnu.org/software/gnutls/commercial.html Happy Hacking, Simon -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 419 bytes Desc: not available URL: From laurent.birtz at kryptiva.com Mon Jan 21 22:02:12 2008 From: laurent.birtz at kryptiva.com (Laurent Birtz) Date: Mon, 21 Jan 2008 16:02:12 -0500 Subject: [Help-gnutls] gnutls_record_send() problem Message-ID: <47950854.2010502@kryptiva.com> I've encountered a weird problem with the stock code examples (anonymous server and client). By itself the example works fine, but if I replace the string sent ("GET / HTTP/1.0\r\n\r\n") by a zeroed buffer, then the client hangs. This does not occur if I send a buffer containing bytes with the value 1. The sample code is shown below. I am using GnuTLS 2.2.1-1, kernel 2.6.22-3-686, Debian unstable, Debian package libgnutls26. Can someone tell me what is going on? ***** Makefile ***** all: gcc -Wall -g ex-serv-anon.c -o serv /usr/lib/libgnutls-openssl.so.26.1.2 gcc -Wall -g ex-client1.c tcp.c -o client /usr/lib/libgnutls-openssl.so.26.1.2 ***** tcp.c *****: #if HAVE_CONFIG_H # include #endif #include #include #include #include #include #include #include #include #define SA struct sockaddr /* Connects to the peer and returns a socket * descriptor. */ extern int tcp_connect (void) { const char *PORT = "5556"; const char *SERVER = "127.0.0.1"; int err, sd; struct sockaddr_in sa; /* connects to server */ sd = socket (AF_INET, SOCK_STREAM, 0); memset (&sa, '\0', sizeof (sa)); sa.sin_family = AF_INET; sa.sin_port = htons (atoi (PORT)); inet_pton (AF_INET, SERVER, &sa.sin_addr); err = connect (sd, (SA *) & sa, sizeof (sa)); if (err < 0) { fprintf (stderr, "Connect error\n"); exit (1); } return sd; } /* closes the given socket descriptor. */ extern void tcp_close (int sd) { shutdown (sd, SHUT_RDWR); /* no more receptions */ close (sd); } ***** ex-client1.c *****: #if HAVE_CONFIG_H # include #endif #include #include #include #include #include #include #include #include /* A very basic TLS client, with anonymous authentication. */ #define MAX_BUF 1024 #define SA struct sockaddr #define MSG "GET / HTTP/1.0\r\n\r\n" extern int tcp_connect (void); extern void tcp_close (int sd); int main (void) { int ret, sd, ii; gnutls_session_t session; char buffer[MAX_BUF + 1]; gnutls_anon_client_credentials_t anoncred; /* Need to enable anonymous KX specifically. */ const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 }; gnutls_global_init (); gnutls_anon_allocate_client_credentials (&anoncred); /* Initialize TLS session */ gnutls_init (&session, GNUTLS_CLIENT); /* Use default priorities */ gnutls_set_default_priority (session); gnutls_kx_set_priority (session, kx_prio); /* put the anonymous credentials to the current session */ gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred); /* connect to the peer */ sd = tcp_connect (); gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); /* Perform the TLS handshake */ ret = gnutls_handshake (session); if (ret < 0) { fprintf (stderr, "*** Handshake failed\n"); gnutls_perror (ret); goto end; } else { printf ("- Handshake was completed\n"); } /* CHANGE HERE */ #if 1 char s[100]; memset(s, 0, 100); gnutls_record_send (session, s, 100); #else gnutls_record_send (session, MSG, strlen (MSG)); #endif ret = gnutls_record_recv (session, buffer, MAX_BUF); if (ret == 0) { printf ("- Peer has closed the TLS connection\n"); goto end; } else if (ret < 0) { fprintf (stderr, "*** Error: %s\n", gnutls_strerror (ret)); goto end; } printf ("- Received %d bytes: ", ret); for (ii = 0; ii < ret; ii++) { fputc (buffer[ii], stdout); } fputs ("\n", stdout); gnutls_bye (session, GNUTLS_SHUT_RDWR); end: tcp_close (sd); gnutls_deinit (session); gnutls_anon_free_client_credentials (anoncred); gnutls_global_deinit (); return 0; } ***** ex-serv-anon.c: ***** #if HAVE_CONFIG_H # include #endif #include #include #include #include #include #include #include #include #include #include /* This is a sample TLS 1.0 echo server, for anonymous authentication only. */ #define SA struct sockaddr #define SOCKET_ERR(err,s) if(err==-1) {perror(s);return(1);} #define MAX_BUF 1024 #define PORT 5556 /* listen to 5556 port */ #define DH_BITS 1024 /* These are global */ gnutls_anon_server_credentials_t anoncred; gnutls_session_t initialize_tls_session (void) { gnutls_session_t session; const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 }; gnutls_init (&session, GNUTLS_SERVER); /* avoid calling all the priority functions, since the defaults * are adequate. */ gnutls_set_default_priority (session); gnutls_kx_set_priority (session, kx_prio); gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred); gnutls_dh_set_prime_bits (session, DH_BITS); return session; } static gnutls_dh_params_t dh_params; static int generate_dh_params (void) { /* Generate Diffie Hellman parameters - for use with DHE * kx algorithms. These should be discarded and regenerated * once a day, once a week or once a month. Depending on the * security requirements. */ gnutls_dh_params_init (&dh_params); gnutls_dh_params_generate2 (dh_params, DH_BITS); return 0; } int main (void) { int err, listen_sd, i; int sd, ret; struct sockaddr_in sa_serv; struct sockaddr_in sa_cli; int client_len; char topbuf[512]; gnutls_session_t session; char buffer[MAX_BUF + 1]; int optval = 1; /* this must be called once in the program */ gnutls_global_init (); gnutls_anon_allocate_server_credentials (&anoncred); generate_dh_params (); gnutls_anon_set_server_dh_params (anoncred, dh_params); /* Socket operations */ listen_sd = socket (AF_INET, SOCK_STREAM, 0); SOCKET_ERR (listen_sd, "socket"); memset (&sa_serv, '\0', sizeof (sa_serv)); sa_serv.sin_family = AF_INET; sa_serv.sin_addr.s_addr = INADDR_ANY; sa_serv.sin_port = htons (PORT); /* Server Port number */ setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof (int)); err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv)); SOCKET_ERR (err, "bind"); err = listen (listen_sd, 1024); SOCKET_ERR (err, "listen"); printf ("Server ready. Listening to port '%d'.\n\n", PORT); client_len = sizeof (sa_cli); for (;;) { session = initialize_tls_session (); sd = accept (listen_sd, (SA *) & sa_cli, &client_len); printf ("- connection from %s, port %d\n", inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf, sizeof (topbuf)), ntohs (sa_cli.sin_port)); gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); ret = gnutls_handshake (session); if (ret < 0) { close (sd); gnutls_deinit (session); fprintf (stderr, "*** Handshake has failed (%s)\n\n", gnutls_strerror (ret)); continue; } printf ("- Handshake was completed\n"); /* see the Getting peer's information example */ /* print_info(session); */ i = 0; for (;;) { memset (buffer, 0, MAX_BUF + 1); ret = gnutls_record_recv (session, buffer, MAX_BUF); if (ret == 0) { printf ("\n- Peer has closed the GNUTLS connection\n"); break; } else if (ret < 0) { fprintf (stderr, "\n*** Received corrupted " "data(%d). Closing the connection.\n\n", ret); break; } else if (ret > 0) { /* echo data back to the client */ gnutls_record_send (session, buffer, strlen (buffer)); } } printf ("\n"); /* do not wait for the peer to close the connection. */ gnutls_bye (session, GNUTLS_SHUT_WR); close (sd); gnutls_deinit (session); } close (listen_sd); gnutls_anon_free_server_credentials (anoncred); gnutls_global_deinit (); return 0; } The 'ldd' dump of the server binary is: > ldd serv linux-gate.so.1 => (0xffffe000) libgnutls-openssl.so.26 => /usr/lib/libgnutls-openssl.so.26 (0xb7f22000) libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7dd5000) libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0xb7d5b000) libtasn1.so.3 => /usr/lib/libtasn1.so.3 (0xb7d4b000) libgcrypt.so.11 => /usr/lib/libgcrypt.so.11 (0xb7ce3000) libgpg-error.so.0 => /usr/lib/libgpg-error.so.0 (0xb7cdf000) /lib/ld-linux.so.2 (0xb7f45000) Thanks, Laurent Birtz From nmav at gnutls.org Tue Jan 22 23:20:46 2008 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 23 Jan 2008 00:20:46 +0200 Subject: [Help-gnutls] gnutls_record_send() problem In-Reply-To: <47950854.2010502@kryptiva.com> References: <47950854.2010502@kryptiva.com> Message-ID: <200801230020.46349.nmav@gnutls.org> On Monday 21 January 2008, Laurent Birtz wrote: > I've encountered a weird problem with the stock code examples (anonymous > server and client). By itself the example works fine, but if I replace > the string sent ("GET / HTTP/1.0\r\n\r\n") by a zeroed buffer, then the > client hangs. This does not occur if I send a buffer containing bytes > with the value 1. Where does the client hang? gnutls does not parse or use the data to be sent in any way, so it's quite unlikely that sending nulls hangs gnutls. regards, Nikos From laurent.birtz at kryptiva.com Wed Jan 23 00:44:29 2008 From: laurent.birtz at kryptiva.com (Laurent Birtz) Date: Tue, 22 Jan 2008 18:44:29 -0500 Subject: [Help-gnutls] gnutls_record_send() problem In-Reply-To: <200801230020.46349.nmav@gnutls.org> References: <47950854.2010502@kryptiva.com> <200801230020.46349.nmav@gnutls.org> Message-ID: <47967FDD.1050006@kryptiva.com> Nikos Mavrogiannopoulos wrote: > On Monday 21 January 2008, Laurent Birtz wrote: > >> I've encountered a weird problem with the stock code examples (anonymous >> server and client). By itself the example works fine, but if I replace >> the string sent ("GET / HTTP/1.0\r\n\r\n") by a zeroed buffer, then the >> client hangs. This does not occur if I send a buffer containing bytes >> with the value 1. >> > > Where does the client hang? gnutls does not parse or use the data to be sent > in any way, so it's quite unlikely that sending nulls hangs gnutls. > OK, I found the problem. The server calls strlen() on the buffer, which result in 0 bytes being sent to the client, c.f. gnutls_record_send (session, buffer, strlen (buffer)) instead of gnutls_record_send (session, buffer, ret). > gnutls does not parse or use the data to be sent in any way In version 2.0.4-1, valgrind was passing me this warning when I run it on the example. I assumed some kind of compression bug was going on in when I used a zeroed buffer. ==1785== Conditional jump or move depends on uninitialised value(s) ==1785== at 0x4235432: (within /usr/lib/libz.so.1.2.3.3) ==1785== by 0x4235DCF: deflate (in /usr/lib/libz.so.1.2.3.3) ==1785== by 0x406128B: _gnutls_compress (in /usr/lib/libgnutls.so.13.9.1) ==1785== by 0x40541FD: _gnutls_m_plaintext2compressed (in /usr/lib/libgnutls.so.13.9.1) ==1785== by 0x4054A13: _gnutls_encrypt (in /usr/lib/libgnutls.so.13.9.1) ==1785== by 0x4052C5D: _gnutls_send_int (in /usr/lib/libgnutls.so.13.9.1) ==1785== by 0x4052F0A: gnutls_record_send (in /usr/lib/libgnutls.so.13.9.1) ==1785== by 0x8048D6B: main (ex-client1.c:73) Thanks, Laurent Birtz From simon at josefsson.org Wed Jan 23 18:22:54 2008 From: simon at josefsson.org (Simon Josefsson) Date: Wed, 23 Jan 2008 18:22:54 +0100 Subject: [Help-gnutls] Re: gnutls_record_send() problem In-Reply-To: <47967FDD.1050006@kryptiva.com> (Laurent Birtz's message of "Tue, 22 Jan 2008 18:44:29 -0500") References: <47950854.2010502@kryptiva.com> <200801230020.46349.nmav@gnutls.org> <47967FDD.1050006@kryptiva.com> Message-ID: <87fxwosbgx.fsf@mocca.josefsson.org> Laurent Birtz writes: > Nikos Mavrogiannopoulos wrote: >> On Monday 21 January 2008, Laurent Birtz wrote: >> >>> I've encountered a weird problem with the stock code examples (anonymous >>> server and client). By itself the example works fine, but if I replace >>> the string sent ("GET / HTTP/1.0\r\n\r\n") by a zeroed buffer, then the >>> client hangs. This does not occur if I send a buffer containing bytes >>> with the value 1. >>> >> >> Where does the client hang? gnutls does not parse or use the data to >> be sent in any way, so it's quite unlikely that sending nulls hangs >> gnutls. >> > OK, I found the problem. The server calls strlen() on the buffer, > which result in 0 bytes being sent to the client, c.f. > gnutls_record_send (session, buffer, strlen (buffer)) instead of > gnutls_record_send (session, buffer, ret). The gnutls_record_send function takes a buffer and a length indicator, so the first seems OK to me. The latter would be incorrect, 'ret' is used as the return value in that function, not a length indicator. Maybe you could clarify what change you are thinking of? >> gnutls does not parse or use the data to be sent in any way > > In version 2.0.4-1, valgrind was passing me this warning when I run it on > the example. I assumed some kind of compression bug was going on in when I > used a zeroed buffer. > > ==1785== Conditional jump or move depends on uninitialised value(s) > ==1785== at 0x4235432: (within /usr/lib/libz.so.1.2.3.3) > ==1785== by 0x4235DCF: deflate (in /usr/lib/libz.so.1.2.3.3) > ==1785== by 0x406128B: _gnutls_compress (in /usr/lib/libgnutls.so.13.9.1) > ==1785== by 0x40541FD: _gnutls_m_plaintext2compressed (in /usr/lib/libgnutls.so.13.9.1) > ==1785== by 0x4054A13: _gnutls_encrypt (in /usr/lib/libgnutls.so.13.9.1) > ==1785== by 0x4052C5D: _gnutls_send_int (in /usr/lib/libgnutls.so.13.9.1) > ==1785== by 0x4052F0A: gnutls_record_send (in /usr/lib/libgnutls.so.13.9.1) > ==1785== by 0x8048D6B: main (ex-client1.c:73) I can't reproduce this. Are you using the verbatim example source code? Below is what 'valgrind ./ex-client1' prints for me when ex-serv-anon is running. /Simon ==9416== Memcheck, a memory error detector. ==9416== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al. ==9416== Using LibVEX rev 1804, a library for dynamic binary translation. ==9416== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP. ==9416== Using valgrind-3.3.0-Debian, a dynamic binary instrumentation framework. ==9416== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al. ==9416== For more details, rerun with: -v ==9416== - Handshake was completed - Received 18 bytes: GET / HTTP/1.0 ==9416== ==9416== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 23 from 1) ==9416== malloc/free: in use at exit: 2,321 bytes in 39 blocks. ==9416== malloc/free: 6,006 allocs, 5,967 frees, 302,300 bytes allocated. ==9416== For counts of detected errors, rerun with: -v ==9416== searching for pointers to 39 not-freed blocks. ==9416== checked 119,308 bytes. ==9416== ==9416== 120 bytes in 5 blocks are still reachable in loss record 1 of 6 ==9416== at 0x4024AB8: malloc (vg_replace_malloc.c:207) ==9416== by 0x4048DEF: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x404563B: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x4045839: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x4049A66: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x404C633: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x404C913: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x4045B4D: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x4046171: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x4044C7C: gcry_check_version (in /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x40DAC25: gnutls_global_init (gnutls_global.c:241) ==9416== by 0x8048C2B: main (ex-client1.c:40) ==9416== ==9416== ==9416== 129 bytes in 1 blocks are definitely lost in loss record 2 of 6 ==9416== at 0x4024AB8: malloc (vg_replace_malloc.c:207) ==9416== by 0x40D7B73: _gnutls_mpi_dprint_lz (gnutls_mpi.c:146) ==9416== by 0x40E3EC0: _gnutls_dh_set_peer_public (gnutls_state.c:474) ==9416== by 0x40E9580: _gnutls_proc_dh_common_server_kx (auth_dh_common.c:297) ==9416== by 0x40D3710: proc_anon_server_kx (auth_anon.c:168) ==9416== by 0x40CEDA8: _gnutls_recv_server_kx_message (gnutls_kx.c:401) ==9416== by 0x40CB35E: _gnutls_handshake_client (gnutls_handshake.c:2342) ==9416== by 0x40CBC59: gnutls_handshake (gnutls_handshake.c:2238) ==9416== by 0x8048CA3: main (ex-client1.c:63) ==9416== ==9416== ==9416== 312 bytes in 13 blocks are still reachable in loss record 3 of 6 ==9416== at 0x4024AB8: malloc (vg_replace_malloc.c:207) ==9416== by 0x4048DEF: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x404563B: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x4045839: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x4049A66: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x40547AF: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x4054823: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x4045B44: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x4046171: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x4044C7C: gcry_check_version (in /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x40DAC25: gnutls_global_init (gnutls_global.c:241) ==9416== by 0x8048C2B: main (ex-client1.c:40) ==9416== ==9416== ==9416== 432 bytes in 18 blocks are still reachable in loss record 4 of 6 ==9416== at 0x4024AB8: malloc (vg_replace_malloc.c:207) ==9416== by 0x4048DEF: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x404563B: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x4045839: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x4049A66: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x404A451: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x404A513: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x4045B14: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x4046171: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x4044C7C: gcry_check_version (in /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x40DAC25: gnutls_global_init (gnutls_global.c:241) ==9416== by 0x8048C2B: main (ex-client1.c:40) ==9416== ==9416== ==9416== 664 bytes in 1 blocks are still reachable in loss record 5 of 6 ==9416== at 0x4024AB8: malloc (vg_replace_malloc.c:207) ==9416== by 0x4045606: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x4045839: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x404585D: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x40458EC: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x405829B: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x4058ECE: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x4042C7A: gcry_randomize (in /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x40F211B: gc_pseudo_random (gc-libgcrypt.c:83) ==9416== by 0x40DAE2D: gnutls_global_init (gnutls_global.c:307) ==9416== by 0x8048C2B: main (ex-client1.c:40) ==9416== ==9416== ==9416== 664 bytes in 1 blocks are still reachable in loss record 6 of 6 ==9416== at 0x4024AB8: malloc (vg_replace_malloc.c:207) ==9416== by 0x4045606: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x4045839: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x404585D: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x40458EC: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x40581DB: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x4058ECE: (within /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x4042C7A: gcry_randomize (in /usr/lib/libgcrypt.so.11.4.3) ==9416== by 0x40F211B: gc_pseudo_random (gc-libgcrypt.c:83) ==9416== by 0x40DAE2D: gnutls_global_init (gnutls_global.c:307) ==9416== by 0x8048C2B: main (ex-client1.c:40) ==9416== ==9416== LEAK SUMMARY: ==9416== definitely lost: 129 bytes in 1 blocks. ==9416== possibly lost: 0 bytes in 0 blocks. ==9416== still reachable: 2,192 bytes in 38 blocks. ==9416== suppressed: 0 bytes in 0 blocks. From simon at josefsson.org Wed Jan 23 18:25:02 2008 From: simon at josefsson.org (Simon Josefsson) Date: Wed, 23 Jan 2008 18:25:02 +0100 Subject: [Help-gnutls] Re: gnutls_record_send() problem In-Reply-To: <47950854.2010502@kryptiva.com> (Laurent Birtz's message of "Mon, 21 Jan 2008 16:02:12 -0500") References: <47950854.2010502@kryptiva.com> Message-ID: <87bq7csbdd.fsf@mocca.josefsson.org> Laurent Birtz writes: > I've encountered a weird problem with the stock code examples (anonymous > server and client). By itself the example works fine, but if I replace > the string sent ("GET / HTTP/1.0\r\n\r\n") by a zeroed buffer, then the > client hangs. This does not occur if I send a buffer containing bytes > with the value 1. > > The sample code is shown below. I am using GnuTLS 2.2.1-1, kernel > 2.6.22-3-686, Debian unstable, Debian package libgnutls26. Can someone > tell me what is going on? I can reproduce this. The reason is this: The server is waiting for the client to send something, which it echoes back, but since the client never sends anything (a zero string is no data) the server never responds, and the client is stuck waiting for input from the server. /Simon From laurent.birtz at kryptiva.com Wed Jan 23 19:05:16 2008 From: laurent.birtz at kryptiva.com (Laurent Birtz) Date: Wed, 23 Jan 2008 13:05:16 -0500 Subject: [Help-gnutls] Re: gnutls_record_send() problem In-Reply-To: <87bq7csbdd.fsf@mocca.josefsson.org> References: <47950854.2010502@kryptiva.com> <87bq7csbdd.fsf@mocca.josefsson.org> Message-ID: <479781DC.2020509@kryptiva.com> Simon Josefsson wrote: > I can reproduce this. The reason is this: The server is waiting for the > client to send something, which it echoes back, but since the client > never sends anything (a zero string is no data) the server never > responds, and the client is stuck waiting for input from the server. > > /Simon > Yes, both processes are blocked for reading. > The gnutls_record_send function takes a buffer and a length indicator, > so the first seems OK to me. The latter would be incorrect, 'ret' is > used as the return value in that function, not a length indicator. > Maybe you could clarify what change you are thinking of? Well, calling strlen() on a buffer received from a client is a security hole (I guess it's OK in the case of an example). In this context 'ret' is the number of bytes read by gnutls_record_recv(), so it is a length indicator. I assume strlen() was used to avoid counting the terminating 0. > I can't reproduce this. Are you using the verbatim example source code? > Below is what 'valgrind ./ex-client1' prints for me when ex-serv-anon is > running. I guess it depends on other factors than just the version of GnuTLS. The problem is gone in the latest version. Thanks, Laurent Birtz From simon at josefsson.org Thu Jan 24 14:28:24 2008 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 24 Jan 2008 14:28:24 +0100 Subject: [Help-gnutls] Re: gnutls_record_send() problem In-Reply-To: <479781DC.2020509@kryptiva.com> (Laurent Birtz's message of "Wed, 23 Jan 2008 13:05:16 -0500") References: <47950854.2010502@kryptiva.com> <87bq7csbdd.fsf@mocca.josefsson.org> <479781DC.2020509@kryptiva.com> Message-ID: <87r6g7ic93.fsf@mocca.josefsson.org> Laurent Birtz writes: > Simon Josefsson wrote: >> I can reproduce this. The reason is this: The server is waiting for the >> client to send something, which it echoes back, but since the client >> never sends anything (a zero string is no data) the server never >> responds, and the client is stuck waiting for input from the server. >> >> /Simon >> > Yes, both processes are blocked for reading. Right. >> The gnutls_record_send function takes a buffer and a length indicator, >> so the first seems OK to me. The latter would be incorrect, 'ret' is >> used as the return value in that function, not a length indicator. >> Maybe you could clarify what change you are thinking of? > > Well, calling strlen() on a buffer received from a client is a > security hole (I guess it's OK in the case of an example). In this example, I don't see a problem. The relevant code is: char buffer[MAX_BUF + 1]; ... memset (buffer, 0, MAX_BUF + 1); ret = gnutls_record_recv (session, buffer, MAX_BUF); ... /* echo data back to the client */ gnutls_record_send (session, buffer, strlen (buffer)); Thus strlen will always hit the 0 after the string received from the client, if not sooner. > In this context 'ret' is the number of bytes read by > gnutls_record_recv(), so it is a length indicator. Ok. I looked at the client code when I made that comment. > I assume strlen() was used to avoid counting the terminating 0. Right. It is a echo client/server for simple strings. If you want to use it for any other purpose, you need to rewrite it. >> I can't reproduce this. Are you using the verbatim example source code? >> Below is what 'valgrind ./ex-client1' prints for me when ex-serv-anon is >> running. > > I guess it depends on other factors than just the version of > GnuTLS. The problem is gone in the latest version. Good! /Simon From mail_kurapati at yahoo.co.in Tue Jan 29 12:43:24 2008 From: mail_kurapati at yahoo.co.in (Kurapati Raja Sekhar) Date: Tue, 29 Jan 2008 11:43:24 +0000 (GMT) Subject: [Help-gnutls] Need help urgently!!! on Client / Server with PSK-TLS Message-ID: <311969.51304.qm@web8602.mail.in.yahoo.com> Hi All, I need to work with Client server connection by using PSK-TLS cipher. I am very new to gnutls, any one can send me the simple client and server which uses PSK-TLS for secure connection. Thanks & Regards, RRR --------------------------------- Forgot the famous last words? Access your message archive online. Click here. -------------- next part -------------- An HTML attachment was scrubbed... URL: From dkg-debian.org at fifthhorseman.net Tue Jan 29 21:20:00 2008 From: dkg-debian.org at fifthhorseman.net (Daniel Kahn Gillmor) Date: Tue, 29 Jan 2008 15:20:00 -0500 Subject: [Help-gnutls] Need help urgently!!! on Client / Server with PSK-TLS In-Reply-To: <311969.51304.qm@web8602.mail.in.yahoo.com> (Kurapati Raja Sekhar's message of "Tue\, 29 Jan 2008 11\:43\:24 +0000 \(GMT\)") References: <311969.51304.qm@web8602.mail.in.yahoo.com> Message-ID: <878x28qt8v.fsf@squeak.fifthhorseman.net> On Tue 2008-01-29 06:43:24 -0500, Kurapati Raja Sekhar wrote: > I need to work with Client server connection by using PSK-TLS > cipher. I am very new to gnutls, any one can send me the simple > client and server which uses PSK-TLS for secure connection. It looks like the documentation doesn't have that example. Maybe you could work from one of the examples (like the simple client with anonymous authentication [0] and its matching server [1]), and modify them to work with PSK [2]. If you wanted to contribute back your new code, i imagine that the documentation maintainers would consider adopting it and publishing it for others to follow. Regards, --dkg [0] http://www.gnu.org/software/gnutls/manual/html_node/Simple-client-example-with-anonymous-authentication.html [1] http://www.gnu.org/software/gnutls/manual/html_node/Echo-Server-with-anonymous-authentication.html [2] http://www.gnu.org/software/gnutls/manual/html_node/Authentication-using-PSK.html -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 826 bytes Desc: not available URL: