From mike.hoy at canberra.com Wed Nov 3 14:55:28 2010 From: mike.hoy at canberra.com (HOY Mike) Date: Wed, 3 Nov 2010 09:55:28 -0400 Subject: 2.10.2 Message-ID: <0C4556B6BAE1734A840FDF7EEE66C1A506D09323@AUSMERIMX01.adom.ad.corp> I seem to have missed a lot. I installed 2.10.2 and get undefined references to inflate and deflate. Do I need another library on a cup of coffee and chocolate? Mike. -------------- next part -------------- An HTML attachment was scrubbed... URL: From mike at zentific.com Wed Nov 3 17:29:03 2010 From: mike at zentific.com (Mike Blumenkrantz) Date: Wed, 3 Nov 2010 11:29:03 -0500 Subject: leak? Message-ID: <20101103112903.0e5899b8@darc.ath.cx> Hi, I've been valgrinding some of my gnutls-using apps and have found what appears to be a small leak in the handshaking code (using 2.10.2). ecore_con_ssl.c can be found here: https://svn.enlightenment.org/svn/e/trunk/ecore/src/lib/ecore_con/ecore_con_ssl.c ==19053== 1,024 bytes in 1 blocks are definitely lost in loss record 146 of 160 ==19053== at 0x4027A66: malloc (vg_replace_malloc.c:236) ==19053== by 0x40B77D4: _gnutls_send_client_hello (gnutls_handshake.c:1985) ==19053== by 0x40B8253: _gnutls_send_hello (gnutls_handshake.c:2299) ==19053== by 0x40B9037: _gnutls_handshake_client (gnutls_handshake.c:2775) ==19053== by 0x40B8F0D: gnutls_handshake (gnutls_handshake.c:2699) ==19053== by 0x4055063: _ecore_con_ssl_server_init_gnutls (ecore_con_ssl.c:515) This leak occurs client side every single time I handshake. -- Mike Blumenkrantz Zentific: Our boolean values are huge. From nmav at gnutls.org Wed Nov 3 17:48:57 2010 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 03 Nov 2010 17:48:57 +0100 Subject: leak? In-Reply-To: <20101103112903.0e5899b8@darc.ath.cx> References: <20101103112903.0e5899b8@darc.ath.cx> Message-ID: <4CD19279.7010300@gnutls.org> On 11/03/2010 05:29 PM, Mike Blumenkrantz wrote: > Hi, > > I've been valgrinding some of my gnutls-using apps and have found what appears > to be a small leak in the handshaking code (using 2.10.2). ecore_con_ssl.c can > be found here: > https://svn.enlightenment.org/svn/e/trunk/ecore/src/lib/ecore_con/ecore_con_ssl.c > > ==19053== 1,024 bytes in 1 blocks are definitely lost in loss record 146 of 160 > ==19053== at 0x4027A66: malloc (vg_replace_malloc.c:236) > ==19053== by 0x40B77D4: _gnutls_send_client_hello (gnutls_handshake.c:1985) > ==19053== by 0x40B8253: _gnutls_send_hello (gnutls_handshake.c:2299) > ==19053== by 0x40B9037: _gnutls_handshake_client (gnutls_handshake.c:2775) > ==19053== by 0x40B8F0D: gnutls_handshake (gnutls_handshake.c:2699) > ==19053== by 0x4055063: _ecore_con_ssl_server_init_gnutls > (ecore_con_ssl.c:515) > > > This leak occurs client side every single time I handshake. Thanks it seems it was introduced with 2.10 and eliminated again in 2.11. Anyway, does the following patch solve the issue for you? http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=f48cb4e387e0b89627310499ce5d80b3063a5ee2 regards, Nikos From nmav at gnutls.org Wed Nov 3 17:50:45 2010 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 03 Nov 2010 17:50:45 +0100 Subject: 2.10.2 In-Reply-To: <0C4556B6BAE1734A840FDF7EEE66C1A506D09323@AUSMERIMX01.adom.ad.corp> References: <0C4556B6BAE1734A840FDF7EEE66C1A506D09323@AUSMERIMX01.adom.ad.corp> Message-ID: <4CD192E5.3060609@gnutls.org> On 11/03/2010 02:55 PM, HOY Mike wrote: > I seem to have missed a lot. I installed 2.10.2 and get undefined > references to inflate and deflate. Do I need another library on a cup > of coffee and chocolate? Where do you get those undefined references? What is your system? Don't expect anyone to guess what is your issue. inflate and deflate are zlib symbols. It might be your application is not linked with libz. regards, Nikos From mike at zentific.com Wed Nov 3 18:27:36 2010 From: mike at zentific.com (Mike Blumenkrantz) Date: Wed, 3 Nov 2010 12:27:36 -0500 Subject: leak? In-Reply-To: <4CD19279.7010300@gnutls.org> References: <20101103112903.0e5899b8@darc.ath.cx> <4CD19279.7010300@gnutls.org> Message-ID: <20101103122736.3a299ebc@darc.ath.cx> On Wed, 03 Nov 2010 17:48:57 +0100 Nikos Mavrogiannopoulos wrote: > On 11/03/2010 05:29 PM, Mike Blumenkrantz wrote: > > Hi, > > > > I've been valgrinding some of my gnutls-using apps and have found what > > appears to be a small leak in the handshaking code (using 2.10.2). > > ecore_con_ssl.c can be found here: > > https://svn.enlightenment.org/svn/e/trunk/ecore/src/lib/ecore_con/ecore_con_ssl.c > > > > ==19053== 1,024 bytes in 1 blocks are definitely lost in loss record 146 of > > 160 ==19053== at 0x4027A66: malloc (vg_replace_malloc.c:236) > > ==19053== by 0x40B77D4: _gnutls_send_client_hello > > (gnutls_handshake.c:1985) ==19053== by 0x40B8253: _gnutls_send_hello > > (gnutls_handshake.c:2299) ==19053== by 0x40B9037: > > _gnutls_handshake_client (gnutls_handshake.c:2775) ==19053== by > > 0x40B8F0D: gnutls_handshake (gnutls_handshake.c:2699) ==19053== by > > 0x4055063: _ecore_con_ssl_server_init_gnutls (ecore_con_ssl.c:515) > > > > > > This leak occurs client side every single time I handshake. > > Thanks it seems it was introduced with 2.10 and eliminated again in > 2.11. Anyway, does the following patch solve the issue for you? > > http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=f48cb4e387e0b89627310499ce5d80b3063a5ee2 > > regards, > Nikos It does indeed fix the leak. -- Mike Blumenkrantz Zentific: Our boolean values are huge. From mike.hoy at canberra.com Thu Nov 11 22:15:41 2010 From: mike.hoy at canberra.com (HOY Mike) Date: Thu, 11 Nov 2010 16:15:41 -0500 Subject: gnutsl_cipher.c Message-ID: <0C4556B6BAE1734A840FDF7EEE66C1A506DFAC3D@AUSMERIMX01.adom.ad.corp> Hello Nikos, We have been having decryption problems depending upon file size. We are talking to a specialized camera with TLS 1.0, 1.1 and TLS 1.2. Under each we had file transfers that failed decryption. All with varying file sizes. After trouble shooting we found that in gnutls_cipher.c in the function _gnutls_ciphertext2compressed the local variable pad is defined as uint8_t. While this seemed fine we found it rolled over to an illegal value of 0 for the pad. Our fix was to change pad to an int and get a pad value of 256, instead of zero. While this works for now I am concerned we may not really be supporting a true general case with this fix. Can you tell us if this is what we should do or is there some other problem we aren't seeing? Regards, Mike Hoy -------------- next part -------------- An HTML attachment was scrubbed... URL: From nmav at gnutls.org Fri Nov 12 00:06:56 2010 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 12 Nov 2010 00:06:56 +0100 Subject: gnutsl_cipher.c In-Reply-To: <0C4556B6BAE1734A840FDF7EEE66C1A506DFAC3D@AUSMERIMX01.adom.ad.corp> References: <0C4556B6BAE1734A840FDF7EEE66C1A506DFAC3D@AUSMERIMX01.adom.ad.corp> Message-ID: <4CDC7710.2090603@gnutls.org> On 11/11/2010 10:15 PM, HOY Mike wrote: > Hello Nikos, We have been having decryption problems depending upon > file size. We are talking to a specialized camera with TLS 1.0, 1.1 > and TLS 1.2. Under each we had file transfers that failed > decryption. All with varying file sizes. After trouble shooting we > found that in gnutls_cipher.c in the function > _gnutls_ciphertext2compressed the local variable pad is defined as > uint8_t. While this seemed fine we found it rolled over to an > illegal value of 0 for the pad. Our fix was to change pad to an int > and get a pad value of 256, instead of zero. Value 0 is not illegal. In TLS CBC padding can be from zero to 255. 256 is not a legal value for padding since it has to be stored in a byte. Could you provide more information on when this problem occurs? Does the TLS implementation of the camera expect 256 bytes of padding if it encounters the padding value zero? Or it does give 256 bytes of padding and says it's zero? In both cases it seems that TLS implementation is seriously broken (unless the problem is something else). Does switching to a stream cipher like arcfour solve your problem? regards, Nikos From pedro.pereira at tut.fi Mon Nov 15 20:12:14 2010 From: pedro.pereira at tut.fi (Pedro Pereira) Date: Mon, 15 Nov 2010 21:12:14 +0200 Subject: Using a Callback to Select the Certificate to Use (error) Message-ID: <20101115211214.18508399qr24us5q@webmail.tut.fi> Hi, I am trying to use a callback to select the certificates, but it seems that I am having problems compiling the gnutls example that uses callback to select the certificates. $ gcc -o client ex-cert-select.c tcp.c `pkg-config gnutls --cflags --libs` or $ gcc -o client ex-cert-select.c tcp.c -lgnutls output: /tmp/ccpq7pJM.o: In function `cert_callback': ex-cert-select.c:(.text+0x667): undefined reference to `gnutls_sign_algorithm_get_requested' collect2: ld returned 1 exit status gnutls_sign_algorithm_get_requested seems to be part of the gnutls.h, so it should be reachable with the #define and with the gnutls lib. Then I tried to use the gnutls-extra lib instead, and it compiles!? Strange...but even like that I have problems running the binary: $ gcc ex-cert-select.c tcp.c -o client -lgnutls-extra $ ./client - Server's trusted authorities: [0]: CN=GnuTLS test CA [1]: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support at cacert.org [2]: C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting,OU=Certification Services Division,CN=Thawte Personal Freemail CA,EMAIL=personal-freemail at thawte.com ./client: relocation error: ./client: symbol gnutls_sign_algorithm_get_requested, version GNUTLS_2_10 not defined in file libgnutls.so.26 with link time reference ...and the program aborts. What's happening here? Can someone help me to understand how to make this work normally? Regards, Pedro From nmav at gnutls.org Mon Nov 15 21:20:55 2010 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 15 Nov 2010 21:20:55 +0100 Subject: Using a Callback to Select the Certificate to Use (error) In-Reply-To: <20101115211214.18508399qr24us5q@webmail.tut.fi> References: <20101115211214.18508399qr24us5q@webmail.tut.fi> Message-ID: <4CE19627.9070500@gnutls.org> On 11/15/2010 08:12 PM, Pedro Pereira wrote: > Hi, > > I am trying to use a callback to select the certificates, but it seems > that I am having problems compiling the gnutls example that uses > callback to select the certificates. Which version of gnutls do you use? regards, Nikos From noloader at gmail.com Tue Nov 16 12:46:02 2010 From: noloader at gmail.com (Jeffrey Walton) Date: Tue, 16 Nov 2010 06:46:02 -0500 Subject: How to Create/Derive DER Encoded Public Keys (PKCS #1/X.509 SubjectPublicKeyInfo)? Message-ID: Hi All, I can create PKCS #8 DER encoded private keys (PrivaeKeyInfo) using certool and the following commands. How do I get GnuTLS to cough up the corresponding public keys? Nothing in certtol or gnutls-cli is jumping out at me. certtool --generate-privkey --pkcs8 --outder --bits 3072 --outfile rsa-gnutls.der certtool --dsa --generate-privkey --pkcs8 --outder --bits 1024 --outfile dsa-gnutls.der Jeffrey Walton From nmav at gnutls.org Tue Nov 16 13:03:22 2010 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 16 Nov 2010 13:03:22 +0100 Subject: How to Create/Derive DER Encoded Public Keys (PKCS #1/X.509 SubjectPublicKeyInfo)? In-Reply-To: References: Message-ID: On Tue, Nov 16, 2010 at 12:46 PM, Jeffrey Walton wrote: > Hi All, > I can create PKCS #8 DER encoded private keys (PrivaeKeyInfo) using > certool and the following commands. How do I get GnuTLS to cough up > the corresponding public keys? Nothing in certtol or gnutls-cli is > jumping out at me. Check certtool from 2.11.x and the --certificate-pubkey option. regards, Nikos From noloader at gmail.com Tue Nov 16 14:00:05 2010 From: noloader at gmail.com (Jeffrey Walton) Date: Tue, 16 Nov 2010 08:00:05 -0500 Subject: How to Create/Derive DER Encoded Public Keys (PKCS #1/X.509 SubjectPublicKeyInfo)? In-Reply-To: References: Message-ID: On Tue, Nov 16, 2010 at 7:03 AM, Nikos Mavrogiannopoulos wrote: > On Tue, Nov 16, 2010 at 12:46 PM, Jeffrey Walton wrote: >> Hi All, >> I can create PKCS #8 DER encoded private keys (PrivaeKeyInfo) using >> certool and the following commands. How do I get GnuTLS to cough up >> the corresponding public keys? Nothing in certtol or gnutls-cli is >> jumping out at me. > > Check certtool from 2.11.x and the --certificate-pubkey option. Thank you very much. If we could only get distros to update packages more frequently... :/ From nmav at gnutls.org Tue Nov 16 14:04:36 2010 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 16 Nov 2010 14:04:36 +0100 Subject: How to Create/Derive DER Encoded Public Keys (PKCS #1/X.509 SubjectPublicKeyInfo)? In-Reply-To: References: Message-ID: On Tue, Nov 16, 2010 at 2:00 PM, Jeffrey Walton wrote: >>> Hi All, >>> I can create PKCS #8 DER encoded private keys (PrivaeKeyInfo) using >>> certool and the following commands. How do I get GnuTLS to cough up >>> the corresponding public keys? Nothing in certtol or gnutls-cli is >>> jumping out at me. >> Check certtool from 2.11.x and the --certificate-pubkey option. > Thank you very much. If we could only get distros to update packages > more frequently... :/ 2.11.x is a development release, that's why it is not in any distribution. A stable 2.12.x release will be released soon. regards, Nikos From jay.janra at gmail.com Wed Nov 17 09:54:54 2010 From: jay.janra at gmail.com (Jay Anra) Date: Wed, 17 Nov 2010 08:54:54 +0000 Subject: gnutls_handshake() thread problem Message-ID: On 21 Oct I reported a problem I was having with inconsistent errors that appeared to be connected with libgcrypt and asynchronous sockets. It turns out the problem was not specifically libgcrypt but gnutls_handshake(). What was happening was that the socket interrupt was calling gnutls_handshake() with a response from the server, interrupting the previous call to gnutls_handshake() that had not yet returned. The interrupt call to gnutls_handshake() obviously conflicting with the previous incomplete call to gnutls_handshake() and causing all sorts of inconsistent errors. I have used a mutex to protect gnutls_hansdshake() and the problems have gone away. Would it be possible to build protection into the library for this? -------------- next part -------------- An HTML attachment was scrubbed... URL: From nmav at gnutls.org Wed Nov 17 12:45:04 2010 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 17 Nov 2010 12:45:04 +0100 Subject: gnutls_handshake() thread problem In-Reply-To: References: Message-ID: I don't understand what the problem is there. Do you call gnutls_handshake in parallel from different threads? In that case using a mutex is the right thing. We don't support concurrent execution of gnutls_handshake from parallel threads for the same session. regards, Nikos On Wed, Nov 17, 2010 at 9:54 AM, Jay Anra wrote: > On 21 Oct I reported a problem I was having with inconsistent errors that > appeared to be connected with libgcrypt and asynchronous sockets. > > It turns out the problem was not specifically libgcrypt but > gnutls_handshake(). > > What was happening was that the socket interrupt was calling > gnutls_handshake() with a response from the server, interrupting the > previous call to gnutls_handshake() that had not yet returned. The interrupt > call to gnutls_handshake() obviously conflicting with the previous > incomplete call to gnutls_handshake() and causing all sorts of inconsistent > errors. > > I have used a mutex to protect gnutls_hansdshake() and the problems have > gone away. > > Would it be possible to build protection into the library for this? > > _______________________________________________ > Help-gnutls mailing list > Help-gnutls at gnu.org > http://lists.gnu.org/mailman/listinfo/help-gnutls > > From nmav at gnutls.org Fri Nov 19 13:55:28 2010 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 19 Nov 2010 13:55:28 +0100 Subject: GnuTLS 2.10.3 released Message-ID: <4CE673C0.2080305@gnutls.org> I've just released gnutls 2.10.3. It is a bugfix release. What's New ========== ** libgnutls: Correctly add leading zero to PKCS #8 encoded DSA key. Reported by Jeffrey Walton. ** libgnutls: Corrected memory leak in extension data calculation. Reported by Mike Blumenkrantz. ** libgnutls: Remove trailing comma in enums in gnutls.h and x509.h. ** API and ABI modifications: No changes since last version. Getting the Software ==================== GnuTLS may be downloaded from one of the GNU mirror sites or directly >From . The list of GNU mirrors can be found at and a list of GnuTLS mirrors can be found at . Here are the BZIP2 compressed sources (7.2MB): ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.10.2.tar.bz2 http://ftp.gnu.org/gnu/gnutls/gnutls-2.10.2.tar.bz2 Here are OpenPGP detached signatures signed using key 0xB565716F: ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.10.2.tar.bz2.sig http://ftp.gnu.org/gnu/gnutls/gnutls-2.10.2.tar.bz2.sig Note that it has been signed with my openpgp key: pub 3104R/96865171 2008-05-04 [expires: 2028-04-29] uid Nikos Mavrogiannopoulos uid Nikos Mavrogiannopoulos sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos From nmav at gnutls.org Fri Nov 19 14:03:49 2010 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 19 Nov 2010 14:03:49 +0100 Subject: GnuTLS 2.10.3 released In-Reply-To: <4CE673C0.2080305@gnutls.org> References: <4CE673C0.2080305@gnutls.org> Message-ID: <4CE675B5.9080400@gnutls.org> On 11/19/2010 01:55 PM, Nikos Mavrogiannopoulos wrote: And those are the correct links for this release! ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.10.3.tar.bz2 http://ftp.gnu.org/gnu/gnutls/gnutls-2.10.3.tar.bz2 ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.10.3.tar.bz2.sig http://ftp.gnu.org/gnu/gnutls/gnutls-2.10.3.tar.bz2.sig From jay.janra at gmail.com Fri Nov 19 15:46:58 2010 From: jay.janra at gmail.com (Jay Anra) Date: Fri, 19 Nov 2010 14:46:58 +0000 Subject: gnutls_handshake() thread problem In-Reply-To: References: Message-ID: answering your question: 'Do you call gnutls_handshake in parallel from different threads?' Sort of, although not explicitly. It's a consequence of using asynchronous sockets. The concurrency comes from the interrupt generated by the SIGIO signal, which gets sent to my process when data arrives on the socket. Obviously I have no control over the timing of this signal, so it may cause concurrent calls to gnutls_handshake() or it may not. My point is that if you support asynchronous sockets, you need to stop concurrent calls or advertise the fact that the programmer needs to take action to stop it. regards Jay On Wed, Nov 17, 2010 at 11:45 AM, Nikos Mavrogiannopoulos wrote: > I don't understand what the problem is there. Do you call > gnutls_handshake in parallel from different threads? In that case > using a mutex is the right thing. We don't support concurrent > execution of gnutls_handshake from parallel threads for the same > session. > > regards, > Nikos > > On Wed, Nov 17, 2010 at 9:54 AM, Jay Anra wrote: > > On 21 Oct I reported a problem I was having with inconsistent errors that > > appeared to be connected with libgcrypt and asynchronous sockets. > > > > It turns out the problem was not specifically libgcrypt but > > gnutls_handshake(). > > > > What was happening was that the socket interrupt was calling > > gnutls_handshake() with a response from the server, interrupting the > > previous call to gnutls_handshake() that had not yet returned. The > interrupt > > call to gnutls_handshake() obviously conflicting with the previous > > incomplete call to gnutls_handshake() and causing all sorts of > inconsistent > > errors. > > > > I have used a mutex to protect gnutls_hansdshake() and the problems have > > gone away. > > > > Would it be possible to build protection into the library for this? > > > > _______________________________________________ > > Help-gnutls mailing list > > Help-gnutls at gnu.org > > http://lists.gnu.org/mailman/listinfo/help-gnutls > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From nmav at gnutls.org Fri Nov 19 16:07:15 2010 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 19 Nov 2010 16:07:15 +0100 Subject: gnutls_handshake() thread problem In-Reply-To: References: Message-ID: <4CE692A3.3040405@gnutls.org> On 11/19/2010 03:46 PM, Jay Anra wrote: > answering your question: 'Do you call gnutls_handshake in parallel from > different threads?' > > Sort of, although not explicitly. It's a consequence of using asynchronous > sockets. The concurrency comes > from the interrupt generated by the SIGIO signal, which gets sent to my > process when data arrives on the socket. > Obviously I have no control over the timing of this signal, so it may cause > concurrent calls to gnutls_handshake() > or it may not. I still cannot understand why you need to call gnutls_handshake() in a concurrent way. Could you explain your scenario? In any case all gnutls functions are reentrant as long as each session is handled in a single thread. regards, Nikos From noloader at gmail.com Sun Nov 21 03:53:42 2010 From: noloader at gmail.com (Jeffrey Walton) Date: Sat, 20 Nov 2010 21:53:42 -0500 Subject: GnuTLS and pkg-config Message-ID: Hi All, I was reading the online manual, Section 7.1.5, Building the Source, at http://www.gnu.org/software/gnutls/manual/gnutls.html. I think the pkg-config trick is kind of neat, so I started kicking the tires. On Ubuntu, I seem to be having some problems getting useful information from pkg-config. Any ideas? Jeff $ uname -a Linux 2.6.32-25-generic #45-Ubuntu SMP Sat Oct 16 19:52:42 UTC 2010 x86_64 GNU/Linux $ pkg-config gnutls --cflags Package gnutls was not found in the pkg-config search path. Perhaps you should add the directory containing `gnutls.pc' to the PKG_CONFIG_PATH environment variable No package 'gnutls' found $ apt-cache pkgnames | grep libgnutls | sort libgnutls11-dev libgnutls13-dbg libgnutls26 libgnutls26-dbg libgnutls5-dev libgnutls-dev $ pkg-config libgnutls26 --cflags Package libgnutls26 was not found in the pkg-config search path. Perhaps you should add the directory containing `libgnutls26.pc' to the PKG_CONFIG_PATH environment variable No package 'libgnutls26' found $ From bradh at frogmouth.net Sun Nov 21 04:26:38 2010 From: bradh at frogmouth.net (Brad Hards) Date: Sun, 21 Nov 2010 14:26:38 +1100 Subject: GnuTLS and pkg-config In-Reply-To: References: Message-ID: <201011211426.38453.bradh@frogmouth.net> On Sunday, November 21, 2010 01:53:42 pm Jeffrey Walton wrote: > $ pkg-config gnutls --cflags This is the right syntax (not the "gnutls26" thing you tried later). I get bradh at bradh-VirtualBox:~$ pkg-config gnutls --libs -lgnutls bradh at bradh-VirtualBox:~$ apt-cache pkgnames | grep libgnutls | sort libgnutls26 libgnutls26-dbg libgnutls-dev on my ubuntu 10.10 box, using packages. Are you sure you've installed it correctly? Have you tried looking for gnutls.pc on the filesystem? Does it work for other packages? In any case, it works from source, so this is an issue between you and your distro packages (rather than a gnutls issue). Brad From noloader at gmail.com Sun Nov 21 04:49:09 2010 From: noloader at gmail.com (Jeffrey Walton) Date: Sat, 20 Nov 2010 22:49:09 -0500 Subject: GnuTLS and pkg-config In-Reply-To: <201011211426.38453.bradh@frogmouth.net> References: <201011211426.38453.bradh@frogmouth.net> Message-ID: On Sat, Nov 20, 2010 at 10:26 PM, Brad Hards wrote: > On Sunday, November 21, 2010 01:53:42 pm Jeffrey Walton wrote: >> $ pkg-config gnutls --cflags > This is the right syntax (not the "[lib]gnutls26" thing you tried later). OK. Thanks. When pkg-config did not work for the general name, I began trying specific names. > bradh at bradh-VirtualBox:~$ pkg-config gnutls --libs > -lgnutls > bradh at bradh-VirtualBox:~$ apt-cache pkgnames | grep libgnutls | sort > libgnutls26 > libgnutls26-dbg > libgnutls-dev > on my ubuntu 10.10 box, using packages. > > Are you sure you've installed it correctly? I believe so. I usually use the point-and-click Synaptic Package Manager out of laziness. I reserve apt-cache and apt-get for problems. > Have you tried looking for gnutls.pc on the filesystem? It looks like lots of libraries are missing the PC files, including GnuTLS. $ ls /usr/lib | wc 1833 1833 33085 $ ls /usr/lib/pkgconfig/ | wc 58 58 913 > Does it work for other packages? Going out on a limb, I'm guessing about 58 of 1800 or so will work. > In any case, it works from source, so this is an issue between you and your > distro packages (rather than a gnutls issue). Agreed. I'll get a report in for the missing package configuration file. Thanks for the help, Jeff From bradh at frogmouth.net Sun Nov 21 05:04:20 2010 From: bradh at frogmouth.net (Brad Hards) Date: Sun, 21 Nov 2010 15:04:20 +1100 Subject: GnuTLS and pkg-config In-Reply-To: References: <201011211426.38453.bradh@frogmouth.net> Message-ID: <201011211504.20653.bradh@frogmouth.net> On Sunday, November 21, 2010 02:49:09 pm Jeffrey Walton wrote: > Agreed. I'll get a report in for the missing package configuration file. I just checked http://launchpadlibrarian.net/48177067/libgnutls- dev_2.8.6-1_amd64.deb and it contains the .pc file. I think the problem is on your end. Brad From noloader at gmail.com Sun Nov 21 05:13:38 2010 From: noloader at gmail.com (Jeffrey Walton) Date: Sat, 20 Nov 2010 23:13:38 -0500 Subject: GnuTLS and pkg-config In-Reply-To: <201011211504.20653.bradh@frogmouth.net> References: <201011211426.38453.bradh@frogmouth.net> <201011211504.20653.bradh@frogmouth.net> Message-ID: On Sat, Nov 20, 2010 at 11:04 PM, Brad Hards wrote: > On Sunday, November 21, 2010 02:49:09 pm Jeffrey Walton wrote: >> Agreed. I'll get a report in for the missing package configuration file. > I just checked http://launchpadlibrarian.net/48177067/libgnutls- > dev_2.8.6-1_amd64.deb and it contains the .pc file. > > I think the problem is on your end. OK. Thanks. Jeff $ dpkg -s libgnutls26 Package: libgnutls26 Status: install ok installed Priority: standard Section: libs Installed-Size: 1176 Maintainer: Ubuntu Developers Architecture: amd64 Source: gnutls26 Version: 2.8.5-2 Replaces: gnutls0, gnutls0.4, gnutls3 Depends: libc6 (>= 2.8), libgcrypt11 (>= 1.4.2), libtasn1-3 (>= 1.6-0), zlib1g (>= 1:1.1.4) Suggests: gnutls-bin Conflicts: gnutls0, gnutls0.4 Description: the GNU TLS library - runtime library gnutls is a portable library which implements the Transport Layer Security (TLS) 1.0 and Secure Sockets Layer (SSL) 3.0 protocols. . Currently gnutls implements: - the TLS 1.0 and SSL 3.0 protocols, without any US-export controlled algorithms - X509 Public Key Infrastructure (with several limitations). - SRP for TLS authentication. - TLS Extension mechanism . This package contains the runtime libraries. Original-Maintainer: Debian GnuTLS Maintainers Homepage: http://www.gnutls.org/ From noloader at gmail.com Sun Nov 21 05:31:26 2010 From: noloader at gmail.com (Jeffrey Walton) Date: Sat, 20 Nov 2010 23:31:26 -0500 Subject: GnuTLS and pkg-config In-Reply-To: <201011211504.20653.bradh@frogmouth.net> References: <201011211426.38453.bradh@frogmouth.net> <201011211504.20653.bradh@frogmouth.net> Message-ID: On Sat, Nov 20, 2010 at 11:04 PM, Brad Hards wrote: > On Sunday, November 21, 2010 02:49:09 pm Jeffrey Walton wrote: >> Agreed. I'll get a report in for the missing package configuration file. > I just checked http://launchpadlibrarian.net/48177067/libgnutls- > dev_2.8.6-1_amd64.deb and it contains the .pc file. > > I think the problem is on your end. I opened a bug report: http://bugs.launchpad.net/ubuntu/+bug/678020. The report simply states, "libgnutls appears to be missing its package configuration file, or the configuration file is not available." I have not turned any knobs on the package system, so I don't believe I've broken anything. If its broken on my side, it came that way out of the box. If the report trickles back to the GnuTLS development team, then my apologies. From wkfta at hotmail.com Mon Nov 22 10:42:26 2010 From: wkfta at hotmail.com (liuxiaoyu) Date: Mon, 22 Nov 2010 17:42:26 +0800 Subject: MD2 certificate or Hybrid certificate support in GNU TLS In-Reply-To: References: Message-ID: Hi, Few monthes ago, I asked whether MD2 algorithm signed certificate can be suppported by GNU TLS and got answer "No". Now, another question is, is it possible some certificate can be signed with MD2 and SHA1 hybrid algorithm? If yes, can it be spported by GNU TLS? Thanks. Thanks and Regards, Sean -------------- next part -------------- An HTML attachment was scrubbed... URL: From jay.janra at gmail.com Mon Nov 22 10:42:03 2010 From: jay.janra at gmail.com (Jay Anra) Date: Mon, 22 Nov 2010 09:42:03 +0000 Subject: gnutls_handshake() thread problem In-Reply-To: <4CE692A3.3040405@gnutls.org> References: <4CE692A3.3040405@gnutls.org> Message-ID: OK I install a signal handler for SIGIO - call it sig_handler() and then open a socket and make it asynchronous and non-blocking. The program then goes to sleep waiting for the server to respond. I am using the GNUTLS library for ftp (FTPeS) transfers so, as soon as the TCP/IP connection is established with the ftp server, the server responds with a 220 'hello' message. When the 220 message arrives, my program receives the SIGIO and the sig_handler function is automatically invoked. I use the sig_handler() function to send back an 'AUTH TLS' message requesting that the server sets up TLS encryption on the connection. This is done just in the sig_handler() function which is effectively an interrupt handler, and does not 'wake up' the main thread. when the AUTH TLS message has been sent, the interrupt terminates and the program goes back to sleep. The server responds with a 234 message accepting TLS as a method of encryption. At this point the main thread is woken up to start the handshake process and it calls gnutls_handshake(). As it's using a non-blocking socket, it returns immediately and the main thread goes to sleep waiting for a response from the server. The handshake response from the server is received and triggers the sig_handler() again which this time calls gnutls_handshake() to continue the handshake process, this goes on until the handshake is complete. When the handshake is complete, the main thread is woken up again to start the authentication. The interrupt that was triggered by the servers response was causing sig_handler() and hence gnutls_handshake() to be called before the previous call to gnutls_handshake() (from the initial call from the main thread) had completed. I am running the code on a busy server so I am at the mercy of the scheduler and sometimes the thread running the previous call to gnutls_handshake() was 'swapped out' when the interrupt arrived. So, when my process next got CPU time, it was the interrupt that ran and not the end of the gnutls_handshake() call. I assume you would not normally expect a remote host to respond to a block of handshake data without the call to gnutls_handshake() that sent the previous block of data to the server, to have completed. The scheduler on a busy machine together with asynchronous, non-blocking sockets add the possibility of unintentionally adding a virtual thread to the program with the sig_handler function, and calling gnutls_handshake concurrently. There are numerous reasons why I have coded this the way I have. There are any number of ways to stop this concurrency happening, masking signals, mutexes, putting the call to gnutls_handshake() in a while loop in the main thread etc, but unless you know that it's needed, you don't put it in because it's added complexity in the program. regards Jay On Fri, Nov 19, 2010 at 3:07 PM, Nikos Mavrogiannopoulos wrote: > On 11/19/2010 03:46 PM, Jay Anra wrote: > > answering your question: 'Do you call gnutls_handshake in parallel from > > different threads?' > > > > Sort of, although not explicitly. It's a consequence of using > asynchronous > > sockets. The concurrency comes > > from the interrupt generated by the SIGIO signal, which gets sent to my > > process when data arrives on the socket. > > Obviously I have no control over the timing of this signal, so it may > cause > > concurrent calls to gnutls_handshake() > > or it may not. > > I still cannot understand why you need to call gnutls_handshake() in a > concurrent way. Could you explain your scenario? In any case all gnutls > functions are reentrant as long as each session is handled in a single > thread. > > regards, > Nikos > -------------- next part -------------- An HTML attachment was scrubbed... URL: From nmav at gnutls.org Tue Nov 23 10:16:18 2010 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 23 Nov 2010 10:16:18 +0100 Subject: MD2 certificate or Hybrid certificate support in GNU TLS In-Reply-To: References: Message-ID: 2010/11/22 liuxiaoyu : > Hi, > Few monthes ago, I asked whether MD2 algorithm signed certificate can be > suppported by GNU TLS and got answer?"No". Now,?another question is, is it > possible some certificate can be signed with MD2 and SHA1 hybrid algorithm? > If yes, can it be spported by GNU TLS? Thanks. MD2 and SHA1 hybrid algorithm? What is that? regards, Nikos From fred at ludd.ltu.se Wed Nov 24 14:50:07 2010 From: fred at ludd.ltu.se (Fredrik Unger) Date: Wed, 24 Nov 2010 14:50:07 +0100 Subject: main: TLS init def ctx failed: -1 Message-ID: <4CED180F.3090207@ludd.ltu.se> Hi, I am setting up a openldap deamon (slapd) on a Debian Squeeze box. Debian is using gnutls. When using a certificate that works on an older Debian installation where openssl was linked to openldap it works. Using the same certificate in the gnutls version results in main: TLS init def ctx failed: -1 and the server fails to start. Using ldap with -d -1 (most debug information) nothing new is provided that can help resolve the issue. The certificate is created with openssl. It has an encrypted key, but I have also tried it with an unencrypted key. Same results. The permissions are ok for the certificate and key. What can I do more to figure out what is wrong? certtool -i < cert.pem shows information like : Subject Public Key Algorithm: RSA Signature Algorithm: RSA-SHA I have tried setting TLSCipherSuite, but to no avail. Not sure what I would set it to. According to http://wiki.debian.org/LDAP/OpenLDAPSetup "NOTE: On Debian Squeeze openldap is linked with gnutls as well, but works just fine with certificate generated by openssl. " But that does not seems to be the case for me. Any pointers or information on how I should set up the certificate to start the slapd deamon ? /Fred From fred at ludd.ltu.se Fri Nov 26 14:10:00 2010 From: fred at ludd.ltu.se (Fredrik Unger) Date: Fri, 26 Nov 2010 14:10:00 +0100 Subject: main: TLS init def ctx failed: -1 In-Reply-To: <4CED180F.3090207@ludd.ltu.se> References: <4CED180F.3090207@ludd.ltu.se> Message-ID: <4CEFB1A8.4070105@ludd.ltu.se> Hi, Have tried to dig deeper, using gnutls-serv. gnutls-serv --version gnutls-serv (GnuTLS) 2.8.6 sudo gnutls-serv --debug 9 --x509cafile /etc/ssl/cacert.pem --x509certfile /etc/ldap/cert/cert.pem --x509keyfile /etc/ldap/cert/key.pem Processed 1 CA certificate(s). |<2>| ASSERT: <<<<<_b64.c:519 |<2>| ASSERT: privkey.c:171 |<2>| ASSERT: privkey.c:388 |<2>| ASSERT: privkey.c:415 |<2>| ASSERT: x509_b64.c:452 |<2>| Could not find '-----BEGIN PRIVATE KEY' |<2>| ASSERT: x509_b64.c:452 |<2>| Could not find '-----BEGIN ENCRYPTED PRIVATE KEY' |<2>| ASSERT: privkey_pkcs8.c:1099 |<2>| ASSERT: gnutls_x509.c:547 |<2>| ASSERT: gnutls_x509.c:597 Error reading '/etc/ldap/cert/cert.pem' or '/etc/ldap/cert/key.pem' Error: Base64 unexpected header error. sudo cat /etc/ldap/cert/key.pem -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-256-CBC,CA6CC40CD8CF4D0C802B925FC4EAAE91 Is the header the problem ? Using openssl the key works : openssl version OpenSSL 0.9.8o 01 Jun 2010 sudo openssl s_server -cert /etc/ldap/cert/cert.pem -key /etc/ldap/cert/key.pem -www Enter pass phrase for /etc/ldap/cert/key.pem: Using default temp DH parameters Using default temp ECDH parameters ACCEPT The key was created with an old openssl version (Oct 2008 after the dsa-1571 problem). Do you need more information ? Can create a new key, but if is a gnutls bug, this report might help. /Fredrik Unger From nmav at gnutls.org Fri Nov 26 14:21:38 2010 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 26 Nov 2010 14:21:38 +0100 Subject: main: TLS init def ctx failed: -1 In-Reply-To: <4CEFB1A8.4070105@ludd.ltu.se> References: <4CED180F.3090207@ludd.ltu.se> <4CEFB1A8.4070105@ludd.ltu.se> Message-ID: On Fri, Nov 26, 2010 at 2:10 PM, Fredrik Unger wrote: > sudo cat /etc/ldap/cert/key.pem > -----BEGIN RSA PRIVATE KEY----- > Proc-Type: 4,ENCRYPTED > DEK-Info: AES-256-CBC,CA6CC40CD8CF4D0C802B925FC4EAAE91 > Is the header the problem ? This is a private openssl format. gnutls accepts keys if they are encrypted with PKCS #8 or if they are unencrypted. regards, Nikos From fred at ludd.ltu.se Fri Nov 26 15:12:50 2010 From: fred at ludd.ltu.se (Fredrik Unger) Date: Fri, 26 Nov 2010 15:12:50 +0100 Subject: main: TLS init def ctx failed: -1 In-Reply-To: References: <4CED180F.3090207@ludd.ltu.se> <4CEFB1A8.4070105@ludd.ltu.se> Message-ID: <4CEFC062.6080008@ludd.ltu.se> On 11/26/2010 02:21 PM, Nikos Mavrogiannopoulos wrote: > On Fri, Nov 26, 2010 at 2:10 PM, Fredrik Unger wrote: >> sudo cat /etc/ldap/cert/key.pem >> -----BEGIN RSA PRIVATE KEY----- >> Proc-Type: 4,ENCRYPTED >> DEK-Info: AES-256-CBC,CA6CC40CD8CF4D0C802B925FC4EAAE91 >> Is the header the problem ? > This is a private openssl format. gnutls accepts keys if they are encrypted with > PKCS #8 or if they are unencrypted. Thanks, with unencrypted key gnutls-serv works, openldap does unfortunately still not start. After looking into the openldap source code I have come to the conclusion that it fails somewhere inside the if-branch that starts at line 350 of tls_g.c (random browsable code from the internet.. ) http://src.opensolaris.org/source/xref/sfw/usr/src/cmd/openldap/openldap-2.4.21/libraries/libldap/tls_g.c#350 since if for example the key in the configuration is left out it fails with the "TLS: only one of certfile and keyfile specified" debug statement. I guess my only option now is to instrument that part with debug information to see what return -1 triggers the error. Or can I turn on some gnutls flag that prints debug information ? Thank you for your help. /Fred From nmav at gnutls.org Fri Nov 26 18:13:09 2010 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 26 Nov 2010 18:13:09 +0100 Subject: main: TLS init def ctx failed: -1 In-Reply-To: <4CEFC062.6080008@ludd.ltu.se> References: <4CED180F.3090207@ludd.ltu.se> <4CEFB1A8.4070105@ludd.ltu.se> <4CEFC062.6080008@ludd.ltu.se> Message-ID: On Fri, Nov 26, 2010 at 3:12 PM, Fredrik Unger wrote: > I guess my only option now is to instrument that part with debug information > to see what return -1 triggers the error. > Or can I turn on some gnutls flag that prints debug information ? There is fascility to do that. Check the functions at: http://www.gnu.org/software/gnutls/manual/html_node/Debugging.html#Debugging Using level 2 or 3 should be adequate. regards, Nikos From vesely at tana.it Mon Nov 29 14:06:24 2010 From: vesely at tana.it (Alessandro Vesely) Date: Mon, 29 Nov 2010 14:06:24 +0100 Subject: Developing DKIM using GNUtls Message-ID: <4CF3A550.7090505@tana.it> Hi all, I have little crypto experience. However, I've been using a dkim library (OpenDKIM) based on OpenSSL to write a mail filter. I'd like to compile that library with GNUtls instead. Is that possible? I've browsed GNUtls' API page and found gnutls_fingerprint() can produce required hashes, but haven't been able to find functions to produce/verify RSA signatures using just the keys. (DKIM does not use x509 certificates.) TIA Ale From nmav at gnutls.org Mon Nov 29 14:49:20 2010 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 29 Nov 2010 14:49:20 +0100 Subject: Developing DKIM using GNUtls In-Reply-To: <4CF3A550.7090505@tana.it> References: <4CF3A550.7090505@tana.it> Message-ID: Check gnutls 2.11.x. There is new API to sign/verify using private keys and plain public keys. regards, Nikos On Mon, Nov 29, 2010 at 2:06 PM, Alessandro Vesely wrote: > Hi all, > I have little crypto experience. ?However, I've been using a dkim > library (OpenDKIM) based on OpenSSL to write a mail filter. ?I'd like > to compile that library with GNUtls instead. ?Is that possible? > > I've browsed GNUtls' API page and found gnutls_fingerprint() can > produce required hashes, but haven't been able to find functions to > produce/verify RSA signatures using just the keys. ?(DKIM does not use > x509 certificates.) > > TIA > Ale > > _______________________________________________ > Help-gnutls mailing list > Help-gnutls at gnu.org > http://lists.gnu.org/mailman/listinfo/help-gnutls > From vesely at tana.it Mon Nov 29 20:37:03 2010 From: vesely at tana.it (Alessandro Vesely) Date: Mon, 29 Nov 2010 20:37:03 +0100 Subject: Developing DKIM using GNUtls In-Reply-To: References: <4CF3A550.7090505@tana.it> Message-ID: <4CF400DF.90806@tana.it> On 29/Nov/10 14:49, Nikos Mavrogiannopoulos wrote: > On Mon, Nov 29, 2010 at 2:06 PM, Alessandro Vesely wrote: >> Hi all, >> I have little crypto experience. However, I've been using a dkim >> library (OpenDKIM) based on OpenSSL to write a mail filter. I'd like >> to compile that library with GNUtls instead. Is that possible? > > Check gnutls 2.11.x. There is new API to sign/verify using private > keys and plain public keys. You probably mean gnutls_privkey_sign_data and similar. Nice one. (I browsed the current Debian distro, i.e. 2.4.2) Thanx From isumon20 at yahoo.com Mon Nov 29 23:11:14 2010 From: isumon20 at yahoo.com (Sumon Islam) Date: Mon, 29 Nov 2010 14:11:14 -0800 (PST) Subject: gnutls extension Message-ID: <835829.49239.qm@web120411.mail.ne1.yahoo.com> Hi, I would like to extend the gnutls, I followed all steps (point 1 to 4) as the link specified (http://www.gnu.org/software/gnutls/devel/manual/gnutls.html#TLS-Extension-Handling). I made simple ext_foobar.c and ext_foobar.h ( I avoided the API steps of point 5 at the first time for simplicity), attached below. Then I did ./configure --enable-foobar, make and make install, but could not get any message (of extension part) when run the client and server. I found that ./configure --enable-foobar gives "checking whether to disable foobar support... yes" output. But only ./configure gives "checking whether to disable foobar support... no" So I did ./configure, make and make install and run the client and server (with compile) again, but could not get any extension output.I also tried with autoreconf to build the program with extension, but no improvement. I downloaded the client (http://www.gnu.org/software/gnutls/manual/html_node/Simple-client-example-with-anonymous-authentication.html#Simple-client-example-with-anonymous-authentication) and server (http://www.gnu.org/software/gnutls/manual/html_node/Echo-Server-with-anonymous-authentication.html#Echo-Server-with-anonymous-authentication) and run the unmodified version. Do I need to change anything in the client and server program to initiate the extension? I could not find anything that can help me. Please help me to get the extension message when run the client and server, and guide me to the right direction. Thank you. Best regards, Sumon /* ext_foobar.h */ int _gnutls_foobar_recv_params (gnutls_session_t session, const opaque * data, size_t data_size); int _gnutls_foobar_send_params (gnutls_session_t session, opaque * data, size_t data_size); /* ext_foobar.c */ #include #include "ext_foobar.h" int _gnutls_foobar_recv_params (gnutls_session_t session, const opaque * data, size_t data_size) { if (session->security_parameters.entity == GNUTLS_CLIENT) { printf("data rcvd from client:%s\n", data); return 0; } else { printf("data rcvd from server:\n%s\n", data); return 0; } } int _gnutls_foobar_send_params (gnutls_session_t session, opaque * data, size_t data_size) { if (session->security_parameters.entity == GNUTLS_CLIENT) { data= gnutls_malloc(17); data_size=16; memcpy (data, "server: hi there", 16); return 17; } else { data= gnutls_malloc(17); data_size=16; memcpy (data, "client: hi there", 16); return 17; } } -------------- next part -------------- An HTML attachment was scrubbed... URL: From msk at cloudmark.com Tue Nov 30 19:01:57 2010 From: msk at cloudmark.com (Murray S. Kucherawy) Date: Tue, 30 Nov 2010 10:01:57 -0800 Subject: RSA sign/verify and hash generation functions In-Reply-To: <4CF52F69.2020909@gnutls.org> References: <4CF52F69.2020909@gnutls.org> Message-ID: > -----Original Message----- > From: Nikos Mavrogiannopoulos [mailto:n.mavrogiannopoulos at gmail.com] On Behalf Of Nikos Mavrogiannopoulos > Sent: Tuesday, November 30, 2010 9:08 AM > To: Murray S. Kucherawy > Cc: help-gnutls at gnu.org > Subject: Re: RSA sign/verify and hash generation functions > > > Does gnutls-2.11.4 provide a reasonable interface for libgcrypt for > > working with that key format? > > What key format? X.509 is a format for certificates. gnutls does support > various key formats and most probably the one you might mean. Sorry, you're right. I meant to say PEM format, i.e. the default output of openssl's "genrsa" function. For the signing operation in the application I'm looking to port, the key will either be in PEM or DER form. For verifying, it will be in PEM form with the "BEGIN" and "END" tags removed. From nmav at gnutls.org Tue Nov 30 18:13:27 2010 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 30 Nov 2010 18:13:27 +0100 Subject: gnutls extension In-Reply-To: <835829.49239.qm@web120411.mail.ne1.yahoo.com> References: <835829.49239.qm@web120411.mail.ne1.yahoo.com> Message-ID: <4CF530B7.4020701@gnutls.org> On 11/29/2010 11:11 PM, Sumon Islam wrote: > Hi, > I would like to extend the gnutls, I followed all steps (point 1 to 4) as the > link specified > (http://www.gnu.org/software/gnutls/devel/manual/gnutls.html#TLS-Extension-Handling). > I made simple ext_foobar.c and ext_foobar.h ( I avoided the API steps of point > 5 at the first time for simplicity), attached below. You only need to do the configure stuff only if you plan to disable your extension... Do you really need it? Just avoid the ifdef and if parts. > I downloaded the client > (http://www.gnu.org/software/gnutls/manual/html_node/Simple-client-example-with-anonymous-authentication.html#Simple-client-example-with-anonymous-authentication) > and server > (http://www.gnu.org/software/gnutls/manual/html_node/Echo-Server-with-anonymous-authentication.html#Echo-Server-with-anonymous-authentication) > and run the unmodified version. Do I need to change anything in the client and > server program to initiate the extension? No you shouldn't. For simple examples on extensions check ext_server_name and ext_max_record. regards, Nikos From nmav at gnutls.org Tue Nov 30 18:07:53 2010 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 30 Nov 2010 18:07:53 +0100 Subject: RSA sign/verify and hash generation functions In-Reply-To: References: Message-ID: <4CF52F69.2020909@gnutls.org> On 11/30/2010 01:43 AM, Murray S. Kucherawy wrote: > Hi all, > > I see in the archives a request for support of RSA signing/verifying functions and SHA generation features. I see that such are also present in libgcrypt-1.4.6 (and possibly earlier) so perhaps that's all I need, but that library doesn't appear to support X.509 format for RSA keys. > Does gnutls-2.11.4 provide a reasonable interface for libgcrypt for working with that key format? What key format? X.509 is a format for certificates. gnutls does support various key formats and most probably the one you might mean. regards, Nikos