From carlo at alinoe.com Sun Aug 4 18:17:38 2019
From: carlo at alinoe.com (Carlo Wood)
Date: Sun, 4 Aug 2019 18:17:38 +0200
Subject: [gnutls-help] Asynchronous operation.
Message-ID: <20190804181738.757d14a1@hikaru>

Is it possible to use gnutls with a library that does all the socket
I/O?

Assuming TCP, data being sent and received is merely a stream.
Shouldn't it be possible to make gnutls oblivious of network
layers and sockets and merely put it in between a stream of data?

Aka,

[Application] <---> [gnutls] <---> [async I/O library]

Where the application takes care of setting up the TCP connection
and uses call backs from gnutls to write data to an output
buffer that the I/O library writes to a socket, while data
from the socket is written to a buffer and from there passed
on to gnutls.

On the other side would then just be plain data going
back and forth.

If this is possible, is there client example code that uses
this method?

-- 
Carlo Wood

From deng at randomsample.de Thu Aug 8 11:53:58 2019
From: deng at randomsample.de (David Engster)
Date: Thu, 08 Aug 2019 11:53:58 +0200
Subject: [gnutls-help] TLS v1.3 - Gnus and GnuTLS - Client resets connection
In-Reply-To: <87ftmcnipd.fsf@gmail.com> (Chris Marusich's message of "Thu, 08 Aug 2019 01:51:26 -0700")
References: <87ftmcnipd.fsf@gmail.com>
Message-ID: <87v9v8rnih.fsf@randomsample>

Chris Marusich writes:

> I don't know if post handshake authentication has anything to do with
> the error I saw (I have no reason to believe that it does), but I
> mention this because it makes me wonder if perhaps Gnus needs to be
> updated to play nicely with GnuTLS' implementation of TLS v1.3.
>
> Another possibility is that Gmail's IMAP server is misbehaving, but I
> don't know if the evidence supports that conclusion at this time.
>
> Thoughts? I'm glad I have a work-around, but if there's anything I can
> do to help resolve the actual problem, please let me know.
Yes, a lot of people doing TLS connections in Emacs are currently
struggling with this. For details, see this bug report:

https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34341

This will be fixed in Emacs 27 (or maybe another Emacs 26 point
release, whichever comes first).

-David

From npostavs at gmail.com Thu Aug 8 14:02:33 2019
From: npostavs at gmail.com (Noam Postavsky)
Date: Thu, 8 Aug 2019 08:02:33 -0400
Subject: [gnutls-help] TLS v1.3 - Gnus and GnuTLS - Client resets connection
In-Reply-To: <87v9v8rnih.fsf@randomsample>
References: <87ftmcnipd.fsf@gmail.com> <87v9v8rnih.fsf@randomsample>
Message-ID:

On Thu, 8 Aug 2019 at 07:08, David Engster wrote:

> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34341
>
> This will be fixed in Emacs 27 (or maybe another Emacs 26 point
> release, whichever comes first).

26.3 will come first; it should already be fixed in the 26.2.90 pretest.

From carlo at alinoe.com Thu Aug 8 18:04:15 2019
From: carlo at alinoe.com (Carlo Wood)
Date: Thu, 8 Aug 2019 18:04:15 +0200
Subject: [gnutls-help] Asynchronous operation.
In-Reply-To: <20181027002013.3e41da93@hikaru>
References: <20181027002013.3e41da93@hikaru>
Message-ID: <20190808180415.5898cc7d@hikaru>

Both, this message (see below) and my question of a week or so ago
have been completely ignored. In the mean time I figured out that
gnutls does not support this myself. So, I'll switch to another
library I guess.

On Sat, 27 Oct 2018 00:20:13 +0200 Carlo Wood wrote:

> Hello list,
>
> I wrote a library (GPL) that aims for not creating more threads
> than CPU cores. This library provides a thread pool and does
> all timer and socket/filedescriptor monitoring.
>
> At the moment I can create a TCP connection and read/write data
> in a 100% non-blocking way by means of callback functions (well,
> not really - but that would be the same); when it is possible
> to write data and I have data, a function is called that allows
> me to do that: write the data.
> When a socket has data then a
> function is called that allows me to read that data.
>
> I now wish to add TLS layer to this. In order to (still) never
> put a thread to sleep (except a specialized one that does the calls
> to epoll) I need this gnutls to provide the following
> interface: it should call a callback function (that I configured)
> to tell me that it is interested in reading and/or writing (not
> to get actual data or write it - just to tell me that it is ready
> to do so). When there is nothing to do for the library, it should
> return from whatever function I called (it should never go to sleep
> internally, or internally wait for anything (like sockets or a
> timer)).
>
> When the library indicates it is interested in reading or writing
> data, I will call functions of the library as soon as this is
> possible; ie, when the library wants to read I can provide it a
> non-blocking fd that it can read from, or I can do reading and
> buffering myself and call a function of the library providing a
> buffer pointer and the number of characters available in the buffer.
> [ Ideal would be when the gnutls also provided an end-of-message
> detection function that I could use to know when I have a complete
> message, so that my library can provide strictly contiguous messages,
> but this is not absolutely necessary (the result I'd expect is that
> the library will make a copy of the data that I provide; which is
> slower, but that is ok I suppose). If each message always starts with
> a header that contains the total length of that message then I provide
> the end-of-message decoder myself of course. ]
>
> Reading https://gnutls.org/manual/gnutls.html#Asynchronous-operation
> I'm a bit lost however... it seems kind of clear, but not entirely ;).
>
> Is there client example code available somewhere that shows how
> this can be done?
>
> Many thanks for your time,
> Carlo Wood
>
> PS In case anyone is interested; my library in question exists of many
> git submodules, each of which alone hardly ever make a whole; the only
> currently existing repository that brings it all together is
> https://github.com/CarloWood/ai-statefultask-testsuite
> and the submodule that I'd add the TLS to will be
> https://github.com/CarloWood/evio
>
> PS2 About the end-of-message detection: I don't want to ever copy
> data around in memory unless absolutely necessary: data is read from
> a socket into a buffer that is considerably larger than the average
> message size; whenever all data in the buffer is processed, it starts
> again at the beginning of the buffer. Only in the event that data
> comes in faster than it can be processed it might happen that a
> message wraps over the end into a newly allocated block. In that case
> (which should seldom happen) I prefer to make a copy into a new buffer
> to make the message contiguous because decoding contiguous messages
> is usually much faster and normally they are contiguous anyway.
> In order to know if a (new) message wraps over the end of the current
> buffer I simply look if 1) the current memory block is full, 2) there
> is no 'end-of-message' between where we are and the end of the current
> block. This can of course be done much much faster than decoding
> the message, especially for binary protocols that simply have the
> length of a message in the header of each message (or have fixed size
> messages, etc).
>

-- 
Carlo Wood

From carlo at alinoe.com Thu Aug 8 18:07:45 2019
From: carlo at alinoe.com (Carlo Wood)
Date: Thu, 8 Aug 2019 18:07:45 +0200
Subject: [gnutls-help] Asynchronous operation.
In-Reply-To: <20190804181738.757d14a1@hikaru>
References: <20190804181738.757d14a1@hikaru>
Message-ID: <20190808180745.0a405e37@hikaru>

Maybe it will be of help to someone else when I add this
in the archives myself:

No, this is not supported by gnutls.
Like so many libraries it is egocentric based around what the
library wants ("I want to write", "I want to read") which
is incompatible with event driven I/O.

If you need TLS for an event driven (truly non-blocking)
application I suggest you have a look at matrixssl.
This is what I'm going to use (see https://github.com/CarloWood/matrixssl
for any commits that I added to it).

On Sun, 4 Aug 2019 18:17:38 +0200 Carlo Wood wrote:

> Is it possible to use gnutls with a library that does all the socket
> I/O?
>
> Assuming TCP, data being sent and received is merely a stream.
> Shouldn't it be possible to make gnutls oblivious of network
> layers and sockets and merely put it in between a stream of data?
>
> Aka,
>
> [Application] <---> [gnutls] <---> [async I/O library]
>
> Where the application takes care of setting up the TCP connection
> and uses call backs from gnutls to write data to an output
> buffer that the I/O library writes to a socket, while data
> from the socket is written to a buffer and from there passed
> on to gnutls.
>
> On the other side would then just be plain data going
> back and forth.
>
> If this is possible, is there client example code that uses
> this method?
>

-- 
Carlo Wood

From johnjmar at linux.vnet.ibm.com Tue Aug 20 21:07:34 2019
From: johnjmar at linux.vnet.ibm.com (johnjmar)
Date: Tue, 20 Aug 2019 14:07:34 -0500
Subject: [gnutls-help] GnuTLS asm accelerated crypto for PowerPC (ppc64le)
Message-ID:

GnuTLS seems to inherit openssl accelerated crypto .pl scripts for asm
generation, and then incorporates them in their own releases.
Specifically cryptogams also available at
https://www.openssl.org/~appro/cryptogams/.

However, it appears current PowerPC (ppc64le) accelerations are not
inherited.

Is there a reason for this current state? How much effort is needed to
get these upstream?

Please advise.
From kenan at kdtsh.net Sat Aug 24 03:37:38 2019
From: kenan at kdtsh.net (Kenan Toker)
Date: Sat, 24 Aug 2019 11:37:38 +1000
Subject: [gnutls-help] Guile bindings not built due to "'guile-snarf' from Guile not found'
Message-ID: <8ae7628a-9cae-c243-0298-9a2e93f20ce4@kdtsh.net>

Hi all,

I've been having some trouble installing GnuTLS 3.6.9 with Guile
bindings. I am running macOS 10.14.6, and have been using the Homebrew
2.1.10 package manager to manage the GnuTLS package. I have Guile
2.2.6 installed on my machine. I've been using the --build-from-source
flag in Homebrew so I can specify flags for configure.

When running .configure, I have Homebrew do the following:

    ./configure --enable-guile \
      --with-guile-site-dir=/usr/local/Cellar/guile/2.2.6/share/guile/site \
      --disable-dependency-tracking --disable-silent-rules \
      --prefix=#{prefix} --sysconfdir=#{etc} \
      --with-default-trust-store-file=#{etc}/openssl/cert.pem \
      --disable-heartbeat-support --with-p11-kit

Most of these are just the standard flags that come with the Homebrew
formula, but the first two flags I've added to have make build
bindings for Guile.

When configure gets to building Guile bindings, I get the following
logging output:

    checking whether building Guile bindings... yes
    ***
    *** Detecting GNU Guile...

    checking for guile-snarf... no
    configure: WARNING: `guile-snarf' from Guile not found.  Guile bindings not built.

I do have guile-snarf installed, I believe it comes with Guile:

    $ which guile-snarf
    /usr/local/bin/guile-snarf

I can see in the configure script that, around lines 62528-62618 where
Guile bindings are handled, on line 62545 is the following:

    ac_cv_path_guile_snarf="$guile_snarf" # Let the user override the test with a path.

I interpreted this as saying that I should try to set the location of
guile-snarf as an environment variable (i.e. 'export
guile_snarf=/usr/local/bin/guile-snarf'), but I didn't have any luck
doing that.
Is there a way for me to tell GnuTLS configure where guile-snarf is
installed? Or is this a red-herring and I'm missing something?

Thanks a lot for your help in advance,
Kenan

From kenan at kdtsh.net Sat Aug 24 07:59:50 2019
From: kenan at kdtsh.net (Kenan Toker)
Date: Sat, 24 Aug 2019 15:59:50 +1000
Subject: [gnutls-help] Guile bindings not built due to "'guile-snarf' from Guile not found'
In-Reply-To: <8ae7628a-9cae-c243-0298-9a2e93f20ce4@kdtsh.net>
References: <8ae7628a-9cae-c243-0298-9a2e93f20ce4@kdtsh.net>
Message-ID: <1f2766ac-db83-362a-2ba2-316caa2f7dda@kdtsh.net>

To all who read this:

This ended up being a Homebrew problem. I was able to build GnuTLS
from source without Homebrew in the way, and it installed fine. If you
need to make GnuTLS play nice with Homebrew, use `brew link'. NB you
need to install GnuTLS in /usr/local/Cellar to do this - see the
--prefix and --sysconfdir flags below.

    ./configure --enable-guile --with-guile-site-dir=no \
      --disable-dependency-tracking --disable-silent-rules \
      --prefix=/usr/local/Cellar/gnutls/3.6.9 \
      --sysconfdir=/usr/local/etc/gnutls \
      --with-default-trust-store-file=/usr/local/etc/openssl/cert.pem \
      --disable-heartbeat-support --with-p11-kit
    make
    make install
    brew link gnutls

Cheers,
Kenan

On 24/8/19 11:37 am, Kenan Toker wrote:
>
> Hi all,
>
> I've been having some trouble installing GnuTLS 3.6.9 with Guile
> bindings. I am running macOS 10.14.6, and have been using the Homebrew
> 2.1.10 package manager to manage the GnuTLS package. I have Guile
> 2.2.6 installed on my machine. I've been using the --build-from-source
> flag in Homebrew so I can specify flags for configure.
>
> When running .configure, I have Homebrew do the following:
>
> ./configure --enable-guile
> --with-guile-site-dir=/usr/local/Cellar/guile/2.2.6/share/guile/site
> --disable-dependency-tracking --disable-silent-rules
> --prefix=#{prefix} --sysconfdir=#{etc}
> --with-default-trust-store-file=#{etc}/openssl/cert.pem
> --disable-heartbeat-support --with-p11-kit
>
> Most of these are just the standard flags that come with the Homebrew
> formula, but the first two flags I've added to have make build
> bindings for Guile.
>
> When configure gets to building Guile bindings, I get the following
> logging output:
>
> checking whether building Guile bindings... yes
> ***
> *** Detecting GNU Guile...
>
> checking for guile-snarf... no
> configure: WARNING: `guile-snarf' from Guile not found.  Guile
> bindings not built.
>
> I do have guile-snarf installed, I believe it comes with Guile:
>
> $ which guile-snarf
> /usr/local/bin/guile-snarf
>
> I can see in the configure script that, around lines 62528-62618 where
> Guile bindings are handled, on line 62545 is the following:
>
> ac_cv_path_guile_snarf="$guile_snarf" # Let the user override the
> test with a path.
>
> I interpreted this as saying that I should try to set the location of
> guile-snarf as an environment variable (i.e. 'export
> guile_snarf=/usr/local/bin/guile-snarf'), but I didn't have any luck
> doing that.
>
> Is there a way for me to tell GnuTLS configure where guile-snarf is
> installed? Or is this a red-herring and I'm missing something?
>
> Thanks a lot for your help in advance,
> Kenan
>
From gregs at sloop.net Wed Aug 28 07:39:49 2019
From: gregs at sloop.net (Gregory Sloop)
Date: Tue, 27 Aug 2019 22:39:49 -0700
Subject: [gnutls-help] dh parameters
Message-ID: <864817614.20190827223949@sloop.net>

For some applications - say OpenVPN servers - I need a dh.pem [dh
parameters file]
It looks like GNUTLS doesn't have the option to generate dh params like
OpenSSL does, but has the following as an option:

    certtool --get-dh-params --outfile dh.pem --sec-param ultra

1) Will that ^^ do what I want?

2) So, is there any difference between that and the openssl command to
generate dh params?

    openssl dhparam -out /config/auth/dh.pem 4096

3) If the certtool example above isn't adequate, is there a good way to
accomplish what I want in certtool, or otherwise?

4) Can someone point me to something that might be accessible to a mere
mortal [i.e. non-cryptographer] for explanation? :)

---
#1 and 3 are the most important for me to get answers to.

Thanks
-Greg

From jgh at wizmail.org Wed Aug 28 18:56:00 2019
From: jgh at wizmail.org (Jeremy Harris)
Date: Wed, 28 Aug 2019 17:56:00 +0100
Subject: [gnutls-help] ocsp stapling
Message-ID:

The current docs at
https://www.gnutls.org/manual/gnutls.html#OCSP-stapling
list gnutls_ocsp_status_request_is_checked() as being usable
server-side.

However, the function description at
https://www.gnutls.org/manual/gnutls.html#gnutls_005focsp_005fstatus_005frequest_005fis_005fchecked
reads as if it is aimed at client-side support.

The implementation calls gnutls_ocsp_status_request_get() for the
_SR_IS_AVAIL case, which is documented as "response received from
the TLS server" - ie. client-side only.

What should be used for observability of stapling request and
presented response status, server side?
-- 
Cheers,
  Jeremy

From sean at seangreenslade.com Thu Aug 29 21:14:37 2019
From: sean at seangreenslade.com (Sean Greenslade)
Date: Thu, 29 Aug 2019 12:14:37 -0700
Subject: [gnutls-help] dh parameters
In-Reply-To: <864817614.20190827223949@sloop.net>
References: <864817614.20190827223949@sloop.net>
Message-ID:

On August 27, 2019 10:39:49 PM PDT, Gregory Sloop wrote:
>For some applications - say OpenVPN servers - I need a dh.pem [dh
>parameters file]
>It looks like GNUTLS doesn't have the option to generate dh params like
>OpenSSL does, but has the following as an option:
>certtool --get-dh-params --outfile dh.pem --sec-param ultra
>
>1) Will that ^^ do what I want?
>
>2) So, is there any difference between that and the openssl command to
>generate dh params?
>openssl dhparam -out /config/auth/dh.pem 4096
>
>3) If the certtool example above isn't adequate, is there a good way to
>accomplish what I want in certtool, or otherwise?
>
>4) Can someone point me to something that might be accessible to a mere
>mortal [i.e. non-cryptographer] for explanation? :)
>
>---
>#1 and 3 are the most important for me to get answers to.
>
>Thanks
>-Gre

As far as I know, both tools can generate DH param files usable by
gnutls.

Regarding number 4, this page has some decent explanations if you have
a little background in public-private crypto:

https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters

The really short version is that these parameters are used during the
initial key exchange between the client and server. They are not
secrets, however. The reason you may want to generate your own is to
prevent certain types of attacks. That said, the attack is currently
unfeasible for 4096-bit primes, so it's likely a moot point. See the
above link for more details.

--Sean
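[Added example, not part of any message in this thread and not GnuTLS or OpenSSL code.] To illustrate the reply above: a dh.pem holds only the public prime p and generator g, so it can be decoded and checked before it is deployed. The sketch assumes the file is a PKCS#3 "DH PARAMETERS" PEM block; the function names, the embedded toy sample and the 2048-bit threshold are choices made for this example.

```python
import base64
import re

# Constructed toy input: PKCS#3 DHParameter with p = 23, g = 5 (far too small for real use).
SAMPLE_PEM = """-----BEGIN DH PARAMETERS-----
MAYCARcCAQU=
-----END DH PARAMETERS-----
"""

def _read_tlv(buf, pos, tag):
    """Read one DER tag-length-value at pos; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected or missing DER tag")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length], pos + length

def parse_dh_pem(pem_text):
    """Return (p, g) from a 'DH PARAMETERS' PEM block; no secret is stored in it."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    seq, _ = _read_tlv(der, 0, 0x30)      # SEQUENCE { INTEGER p, INTEGER g, ... }
    p_raw, pos = _read_tlv(seq, 0, 0x02)
    g_raw, _ = _read_tlv(seq, pos, 0x02)
    return int.from_bytes(p_raw, "big"), int.from_bytes(g_raw, "big")

def is_probable_prime(n):
    """Miller-Rabin with fixed small bases: a sanity check, not a proof, for large n."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % q == 0 for q in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1) or any(pow(x, 2 ** r, n) == n - 1 for r in range(1, s)):
            continue
        return False
    return True

def audit_dh_params(pem_text, min_bits=2048):
    """Summarise a dh.pem; min_bits is an assumed local policy, not a GnuTLS default."""
    p, g = parse_dh_pem(pem_text)
    safe = is_probable_prime(p) and is_probable_prime((p - 1) // 2)
    return {"bits": p.bit_length(), "generator": g,
            "size_ok": p.bit_length() >= min_bits, "safe_prime": safe}
```

Calling audit_dh_params on the text of a real dh.pem reports the prime size and whether p looks like a safe prime; the toy sample passes the safe-prime check and fails the size check.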