From carolin.latze at unifr.ch Wed Jan 6 11:26:56 2010
From: carolin.latze at unifr.ch (LATZE Carolin)
Date: Wed, 6 Jan 2010 11:26:56 +0100
Subject: example for tls authz extension
Message-ID:

Hi everybody,

according to the NEWS file, there should be example files for the tls authz
extension in doc/examples, but there are no files implementing that extension
in there.... Why did they disappear?

Regards
Carolin


From carolin.latze at unifr.ch Wed Jan 6 15:07:02 2010
From: carolin.latze at unifr.ch (LATZE Carolin)
Date: Wed, 6 Jan 2010 15:07:02 +0100
Subject: How to implement new supplemental data
Message-ID:

Hi everybody,

I am trying to implement a TLS extension that requires sending supplemental
data too (umm.... is this the right list for that problem?). I found a pretty
good tutorial about how to add a new extension
(http://www.gnu.org/software/gnutls/devel/manual/html_node/TLS-Extension-Handling.html).
However, I did not find any documentation about how to implement the
supplemental data message, which is why I grep'ed through the code and tried
to understand it. I think it is done the following way (could somebody please
confirm that?):

In lib/gnutls_supplemental.c add a quadruple to _gnutls_supplemental[], e.g.:

  gnutls_supplemental_entry _gnutls_supplemental[] = {
    { "foobar_data",
      GNUTLS_SUPPLEMENTAL_FOOBAR_DATA,
      gnutls_foobar_supp_recv_params,
      gnutls_foobar_supp_send_params },
    { 0, 0, 0, 0 }
  };

Afterwards add gnutls_foobar_supp_recv_params and
gnutls_foobar_supp_send_params to ext_foobar.{h|c} and implement them. In
gnutls_foobar_recv_param and/or gnutls_foobar_send_param set
do_send_supplemental and/or do_recv_supplemental.
Is that all (sounds somehow too simple :-D)?

Cheers
Carolin


From nmav at gnutls.org Sun Jan 10 12:11:14 2010
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sun, 10 Jan 2010 12:11:14 +0100
Subject: example for tls authz extension
In-Reply-To:
References:
Message-ID: <4B49B5D2.9070507@gnutls.org>

LATZE Carolin wrote:
> Hi everybody,
>
> according to the NEWS file, there should be example files for the tls authz
> extension in doc/examples, but there are no files implementing that
> extension in there.... Why did they disappear?

Hi,
tls-authz was removed from gnutls due to patent reasons:

* Version 2.1.3 (released 2007-10-17)

** TLS authorization support removed.
This technique may be patented in the future, and it is not of crucial
importance for the Internet community. After deliberation we have concluded
that the best thing we can do in this situation is to encourage society not
to adopt this technique. We have decided to lead the way with our own
actions.

regards,
Nikos


From nmav at gnutls.org Sun Jan 10 12:28:01 2010
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sun, 10 Jan 2010 12:28:01 +0100
Subject: gnutls_openpgp_crt_verify_self and key fingerprint
In-Reply-To: <20091230225005.GA17876@Knoppix>
References: <20091230225005.GA17876@Knoppix>
Message-ID: <4B49B9C1.1080200@gnutls.org>

Ilari Liusvaara wrote:
> I'm writing a new protocol implementation that utilizes TLS-OpenPGP
> and GnuTLS and I am not completely sure that what I'm doing with
> authentication is a safe thing to do:
>
> Does gnutls_openpgp_crt_verify_self() verify the OpenPGP certificate
> thoroughly enough that the gnutls_openpgp_crt_get_fingerprint()
> output can be trusted not to be forgeable by grabbing a certificate
> (without stealing/deriving the corresponding private keys) with the
> desired fingerprint and tampering with it?

Hello,
The verify_self() verifies the self signature and that's all. It doesn't say
whether someone you trust has signed this certificate.
> The scenario I'm most worried about is an attacker using an unauthorized
> subkey (missing/invalid main->subkey signature) to pass TLS signature
> checks. If that is not caught, the fingerprint value will be
> completely untrustworthy (since AFAIK the fingerprint comes from the
> main key and does not directly cover subkeys). I'm guessing the whole
> purpose of ...verify_self() is to catch trickery like that (if not,
> what is it for?)

Could you please elaborate on the scenario above? I cannot really understand
what you worry about.

regards,
Nikos


From carolin.latze at unifr.ch Mon Jan 11 16:48:17 2010
From: carolin.latze at unifr.ch (LATZE Carolin)
Date: Mon, 11 Jan 2010 16:48:17 +0100
Subject: gnutls_x509_crt_import fails with INVALID REQUEST
Message-ID:

Hi everybody,

I wrote a very small client and server example using

  gnutls_certificate_set_x509_key_file (xcred, CERTFILE, KEYFILE, GNUTLS_X509_FMT_PEM);

to read the client's certificate and key out of files. That led to a
successful handshake. Now I want to use the callback to choose the right
client certificate during the handshake. In order to do so, I replaced the
function above with

  gnutls_certificate_client_set_retrieve_function (xcred, cert_callback);

Furthermore, I defined a callback, which is really executed.
Inside the callback, I wanted to read the same client certificate I used in
the first example using the following functions out of the samples:

  #include <stdio.h>
  #include <stdlib.h>
  #include <gnutls/gnutls.h>
  #include <gnutls/x509.h>

  static gnutls_x509_crt_t crt;   /* assumed global, as in the GnuTLS samples */

  static gnutls_datum_t
  load_file (const char *file)
  {
    FILE *f;
    gnutls_datum_t loaded_file = { NULL, 0 };
    long filelen;
    void *ptr = NULL;

    if (!(f = fopen (file, "r")))
      return loaded_file;

    if (fseek (f, 0, SEEK_END) != 0
        || (filelen = ftell (f)) < 0
        || fseek (f, 0, SEEK_SET) != 0
        || !(ptr = malloc ((size_t) filelen))
        || fread (ptr, 1, (size_t) filelen, f) < (size_t) filelen)
      {
        /* The sample as posted never closed the stream (and leaked the
           buffer on a short read); release both before failing. */
        free (ptr);
        fclose (f);
        return loaded_file;
      }

    fclose (f);
    loaded_file.data = ptr;
    loaded_file.size = (unsigned int) filelen;
    return loaded_file;
  }

And afterwards:

  static void
  load_keys (void)
  {
    int ret;
    gnutls_datum_t data;

    data = load_file (CERTFILE);
    if (data.data == NULL)
      {
        fprintf (stderr, "*** Error loading cert file.\n");
        exit (1);
      }

    /* gnutls_x509_crt_init () can itself fail (e.g. when the library has
       not been initialised yet), so its return value is checked here. */
    ret = gnutls_x509_crt_init (&crt);
    if (ret < 0)
      {
        fprintf (stderr, "*** Error initialising cert: %s\n",
                 gnutls_strerror (ret));
        exit (1);
      }

    ret = gnutls_x509_crt_import (crt, &data, GNUTLS_X509_FMT_PEM);
    if (ret < 0)
      {
        fprintf (stderr, "*** Error loading cert file: %s\n",
                 gnutls_strerror (ret));
        exit (1);
      }
    /* ... key loading continues ... */
  }

and so on.... but gnutls_x509_crt_import fails with INVALID REQUEST....

Any ideas why? This is exactly the same certificate. certtool as well as the
first example did not have any problem with that certificate, so why does
the import method?

Regards
Carolin


From carolin.latze at unifr.ch Mon Jan 11 16:48:38 2010
From: carolin.latze at unifr.ch (LATZE Carolin)
Date: Mon, 11 Jan 2010 16:48:38 +0100
Subject: gnutls_x509_crt_import fails with INVALID REQUEST
In-Reply-To:
References:
Message-ID:

BTW... I am using GnuTLS 2.8.5


From carolin.latze at unifr.ch Mon Jan 11 17:25:01 2010
From: carolin.latze at unifr.ch (LATZE Carolin)
Date: Mon, 11 Jan 2010 17:25:01 +0100
Subject: gnutls_x509_crt_import fails with INVALID REQUEST
In-Reply-To:
References: ,
Message-ID:

I found out that the error already happens in gnutls_x509_crt_init (&crt);,
which gives "ASN1 parser: Element was not found."

Any hints would be appreciated...

_______________________________________________
Help-gnutls mailing list
Help-gnutls at gnu.org
http://lists.gnu.org/mailman/listinfo/help-gnutls


From nmav at gnutls.org Mon Jan 11 19:10:31 2010
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 11 Jan 2010 19:10:31 +0100
Subject: gnutls_x509_crt_import fails with INVALID REQUEST
In-Reply-To:
References: ,
Message-ID: <4B4B6997.3080908@gnutls.org>

LATZE Carolin wrote:
> I found out that the error already happens in gnutls_x509_crt_init (&crt);,
> which gives "ASN1 parser: Element was not found."
>
> Any hints would be appreciated...

Did you use gnutls_global_init?
From carolin.latze at unifr.ch Mon Jan 11 19:23:45 2010
From: carolin.latze at unifr.ch (Carolin Latze)
Date: Mon, 11 Jan 2010 19:23:45 +0100
Subject: gnutls_x509_crt_import fails with INVALID REQUEST
In-Reply-To: <4B4B6997.3080908@gnutls.org>
References: , <4B4B6997.3080908@gnutls.org>
Message-ID: <4B4B6CB1.8080101@unifr.ch>

Nikos Mavrogiannopoulos wrote:
> LATZE Carolin wrote:
>
>> I found out that the error already happens in gnutls_x509_crt_init (&crt);,
>> which gives "ASN1 parser: Element was not found."
>>
>> Any hints would be appreciated...
>>
>
> Did you use gnutls_global_init?
>
Nice one. Yes I did, but after calling load_keys(). Changing the order did
the trick.

Thanks a lot!!!!


From simon at josefsson.org Mon Jan 11 23:07:49 2010
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 11 Jan 2010 23:07:49 +0100
Subject: libtasn1 2.4 release candidate
Message-ID: <87wrzoe1my.fsf@mocca.josefsson.org>

It is release time, and I'm starting with libtasn1 this time... Please check
that this one works for you:

  http://daily.josefsson.org/libtasn1/libtasn1-20100111.tar.gz

I'll release it as v2.4 next week or so unless there are any negative
reports.

/Simon


From simon at josefsson.org Mon Jan 18 09:10:52 2010
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 18 Jan 2010 09:10:52 +0100
Subject: GNU Libtasn1 2.4
Message-ID: <87hbqjsuib.fsf@mocca.josefsson.org>

GNU Libtasn1 is a standalone library written in C for manipulating ASN.1
objects including DER/BER encoding/decoding. GNU Libtasn1 is used by GnuTLS
to handle X.509 structures and by GNU Shishi to handle Kerberos V5
structures.

* Noteworthy changes in release 2.4 (2010-01-18) [stable]

- Doc fixes.
- Updated gnulib files.
- Clean up copyright notices.
Homepage:
  http://www.gnu.org/software/libtasn1/

Here are the compressed sources (1.5MB):
  ftp://ftp.gnu.org/gnu/libtasn1/libtasn1-2.4.tar.gz
  http://ftp.gnu.org/gnu/libtasn1/libtasn1-2.4.tar.gz

Here are GPG detached signatures using key 0xB565716F:
  ftp://ftp.gnu.org/gnu/libtasn1/libtasn1-2.4.tar.gz.sig
  http://ftp.gnu.org/gnu/libtasn1/libtasn1-2.4.tar.gz.sig

A ZIP archive containing the Windows binaries (268KB):
  http://josefsson.org/gnutls4win/libtasn1-2.4.zip
  http://josefsson.org/gnutls4win/libtasn1-2.4.zip.sig

A Debian mingw32 package is also available (240KB):
  http://josefsson.org/gnutls4win/mingw32-libtasn1_2.4-1_all.deb

Commercial support contracts for Libtasn1 are available, and they help
finance continued maintenance. Simon Josefsson Datakonsult AB, a Stockholm
based privately held company, is currently funding Libtasn1 maintenance. We
are always looking for interesting development projects. See
http://josefsson.org/ for more details.

If you need help to use Libtasn1, or want to help others, you are invited to
join the help-gnutls mailing list, see: .

All manuals are available from:
  http://www.gnu.org/software/gsasl/manual/

Specifically, the following formats are available.

The main manual:
  HTML: http://www.gnu.org/software/gsasl/manual/gsasl.html
  PDF:  http://www.gnu.org/software/gsasl/manual/gsasl.pdf

API Reference manual:
  http://www.gnu.org/software/gsasl/reference/ - GTK-DOC HTML

For developers interested in improving code quality, we publish Cyclomatic
code complexity charts that help you find code that may need review and
improvements:
  http://www.gnu.org/software/gnutls/cyclo/

Also useful are code coverage charts which indicate parts of the source code
that need to be tested better by the included self-tests:
  http://www.gnu.org/software/gnutls/coverage/

The software is cryptographically signed by the author using an OpenPGP key
identified by the following information:

pub   1280R/B565716F 2002-05-05 [expires: 2010-04-21]
      Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F
uid                  Simon Josefsson
uid                  Simon Josefsson
sub   1280R/4D5D40AE 2002-05-05 [expires: 2010-04-21]

The key is available from:
  http://josefsson.org/key.txt
  dns:b565716f.josefsson.org?TYPE=CERT

Here are the SHA-1 and SHA-224 checksums:

Happy hacking,
Simon
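The announcement ships a detached OpenPGP signature from key 0xB565716F plus SHA-1 and SHA-224 checksums, so the practical check is to verify both before unpacking. The shell helper below is an added example, not part of Simon's announcement or the libtasn1 project; it assumes coreutils (sha1sum, sha224sum) and gpg with the signing key already imported, and the file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: verify a release artifact by checksum and by detached
# OpenPGP signature, accepting only one named signing key.

# verify_checksum <file> <sha1|sha224> <expected-hex>
# Returns 0 on match, 1 on mismatch, 2 for an unsupported algorithm.
verify_checksum() {
  file=$1; algo=$2; expected=$3
  case "$algo" in
    sha1)   actual=$(sha1sum   "$file" | cut -d' ' -f1) ;;
    sha224) actual=$(sha224sum "$file" | cut -d' ' -f1) ;;
    *)      echo "unsupported algorithm: $algo" >&2; return 2 ;;
  esac
  # Compare case-insensitively so a digest pasted from a mail in upper
  # case still matches what the coreutils tools print.
  expected=$(printf '%s' "$expected" | tr '[:upper:]' '[:lower:]')
  if [ "$actual" = "$expected" ]; then
    echo "$file: $algo ok"
    return 0
  fi
  echo "$file: $algo MISMATCH (got $actual, want $expected)" >&2
  return 1
}

# verify_signature <file> <file.sig> <fingerprint as printed by gpg>
# A good signature from some other key is rejected: the announcement names
# one key, so only that primary-key fingerprint is accepted.
verify_signature() {
  file=$1; sig=$2; want=$3
  want=$(printf '%s' "$want" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
  # --status-fd 1 prints machine-readable lines; on VALIDSIG the last
  # field is the fingerprint of the primary key that owns the signing key.
  got=$(gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null \
        | awk '/^\[GNUPG:\] VALIDSIG/ { print $NF; exit }')
  [ -n "$got" ] && [ "$got" = "$want" ]
}

# Usage (placeholder file names; take the digest from the announcement):
#   verify_checksum  libtasn1-2.4.tar.gz sha224 <sha224 from the announcement>
#   verify_signature libtasn1-2.4.tar.gz libtasn1-2.4.tar.gz.sig \
#       "0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F"
```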