From mario.lenz at gmx.net Tue Aug 1 16:47:03 2006
From: mario.lenz at gmx.net (Mario Lenz)
Date: Tue Aug 1 16:54:13 2006
Subject: [gnutls-dev] Client OpenPGP verification fails
Message-ID:

Hi!

> > OK, next try: cert->subject_pk_algorithm in _gnutls_tls_sign_hdata
> > (lib/gnutls_sig.c) is unknown, so the function returns
> > GNUTLS_E_INTERNAL_ERROR.
>
> Why is subject_pk_algorithm unknown? For openpgp keys it should be set
> in openpgp_pk_to_gnutls_cert().

I'm not sure, but it looks like this to me:

_gnutls_handshake_client (lib/gnutls_handshake.c) calls _gnutls_send_client_certificate_verify (lib/gnutls_kx.c) which calls _gnutls_gen_cert_client_cert_vrfy (lib/auth_cert.c). This one calls _gnutls_get_selected_cert (same file) to get the certificate. This certificate is handed to _gnutls_tls_sign_hdata (lib/gnutls_sig.c) which breaks because cert->subject_pk_algorithm is unknown.

The "selected cert" is set as follows: _gnutls_handshake_client calls _gnutls_recv_server_certificate_request (lib/gnutls_kx.c) which calls _gnutls_proc_cert_cert_req (lib/auth_cert.c). This one calls _select_client_cert (same file) which calls cred->client_get_cert_callback (call_get_cert_callback in same file). This one calls cred->client_get_cert_callback (cert_callback in src/cli.c). Then there are calls to alloc_and_load_pgp_certs and alloc_and_load_pgp_key, and then _gnutls_selected_certs_set is called.

To me, it doesn't look like openpgp_pk_to_gnutls_cert() is involved somewhere.

cu
Mario

From nmav at gnutls.org Tue Aug 1 18:15:37 2006
From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue Aug 1 18:14:52 2006 Subject: [gnutls-dev] Client OpenPGP verification fails In-Reply-To: <1154373744.29702.32.camel@mario> References: <1153254133.13947.35.camel@mario> <200607261602.14817.nmav@gnutls.org> <1154373744.29702.32.camel@mario> Message-ID: <200608011815.37456.nmav@gnutls.org> On Mon 31 Jul 2006 21:22, Mario Lenz wrote: > Hi! > > Why is subject_pk_algorithm unknown? For openpgp keys it should be > > set in openpgp_pk_to_gnutls_cert(). > I'm not sure, but it looks like this to me: [...] Hi Mario! I just saw your e-mail. Unfortunately this is officially my last "active" day for gnutls. Due to some engagements I'll no longer be able to work on it or even help with it... most probably permanently. best regards, Nikos From dragonheart at gentoo.org Fri Aug 4 01:32:30 2006 
From: dragonheart at gentoo.org (Daniel Black)
Date: Fri Aug 4 01:28:47 2006
Subject: [gnutls-dev] gnutls-1.4.1 --without-included-libtasn1 no respected
Message-ID:

./configure --without-included-libtasn1
..
...
...
..
checking for libgcrypt-config... /usr/bin/libgcrypt-config
checking for LIBGCRYPT - version >= 1.2.2... yes
checking LIBGCRYPT API version... okay
checking whether to disable SRP authentication support... no
checking whether to disable PSK authentication support... no
checking whether to disable anonymous authentication support... no
checking whether to disable extra PKI stuff... no
checking whether to disable OpenPGP Certificate authentication support... no
checking for opencdk-config... /usr/bin/opencdk-config
checking for libopencdk - version >= 0.5.5... yes
checking whether to use the included opencdk... no
checking whether to disable OpenSSL compatibility layer... no
checking whether to use the included minitasn1... yes

I said "without" included minitasn1.

$ libtasn1-config --version
0.3.5

Omitting the configure option detects the installed libtasn1 correctly.

-- 
Daniel Black
Gentoo Crypto/dev-embedded/Forensics/NetMon

From mario.lenz at gmx.net Sat Aug 5 18:17:25 2006
From: mario.lenz at gmx.net (Mario Lenz)
Date: Sat Aug 5 18:16:58 2006
Subject: [gnutls-dev] Client OpenPGP verification fails
Message-ID:

Sorry, I've sent this to the wrong mailing list. Should belong here in devel:

Nikos Mavrogiannopoulos <nmav at gnutls.org> writes:

> > But then there's another problem in libextra/gnutls_openpgp.c. Please
> > have a look at _gnutls_openpgp_key_to_gcert:
> >
> >   ret = gnutls_openpgp_key_export (cert, GNUTLS_OPENPGP_FMT_RAW, NULL,
> >                                    &der_size);
> >   if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
> >     {
> >       gnutls_assert ();
> >       return ret;
> >     }
>
> This should be correct since decoding should fail (check that the output
> pointer is NULL so there is no place to copy the output). That call is
> there to get the size of the exported key only.

OK, I think now I've got it: You allocate the memory later on. But there's still a problem: Even with the third parameter set to NULL, gnutls_openpgp_key_export (in libextra/openpgp/pgp.c) doesn't return GNUTLS_E_SHORT_MEMORY_BUFFER because cdk_kbnode_write_to_mem (called from gnutls_openpgp_key_export) returns 0 if you give it a NULL pointer to write to. (This might be an OpenCDK problem, though.)

Could anyone have a look at it, please? I just deleted the "if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)" clause, but I'm running into another problem now. I'll let you know if I found out more.

greez
Mario

From mario.lenz at gmx.net Sat Aug 5 18:34:12 2006
From: mario.lenz at gmx.net (Mario Lenz)
Date: Sat Aug 5 18:33:10 2006
Subject: [gnutls-dev] Client OpenPGP verification fails
Message-ID: <1154795652.4666.8.camel@mario>

Sorry, I've sent this to the wrong mailing list. Should belong here in devel:

Nikos Mavrogiannopoulos <nmav at gnutls.org> writes:

> > But then there's another problem in libextra/gnutls_openpgp.c. Please
> > have a look at _gnutls_openpgp_key_to_gcert:
> >
> >   ret = gnutls_openpgp_key_export (cert, GNUTLS_OPENPGP_FMT_RAW, NULL,
> >                                    &der_size);
> >   if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
> >     {
> >       gnutls_assert ();
> >       return ret;
> >     }
>
> This should be correct since decoding should fail (check that the output
> pointer is NULL so there is no place to copy the output). That call is
> there to get the size of the exported key only.

OK, I think now I've got it: You allocate the memory later on. But there's still a problem: Even with the third parameter set to NULL, gnutls_openpgp_key_export (in libextra/openpgp/pgp.c) doesn't return GNUTLS_E_SHORT_MEMORY_BUFFER because cdk_kbnode_write_to_mem (called from gnutls_openpgp_key_export) returns 0 if you give it a NULL pointer to write to. (This might be an OpenCDK problem, though.)

Could anyone have a look at it, please? I just deleted the "if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)" clause, but I'm running into another problem now. I'll let you know if I found out more.

greez
Mario

From mario.lenz at gmx.net Sun Aug 6 11:53:44 2006
From: mario.lenz at gmx.net (Mario Lenz)
Date: Sun Aug 6 11:52:59 2006
Subject: [gnutls-dev] Client OpenPGP verification fails (solved)
Message-ID: <1154858025.4401.22.camel@mario>

Hi!

It's working now. The problems were partly my fault... Sorry for spamming your mailing list :-/

Nevertheless, the official version doesn't work because gnutls expects cdk_kbnode_write_to_mem to return an error code when called with NULL as second argument.

You should change

    if( !buf ) {
        *r_nbytes = len; /* only return the length of the buffer */
        cdk_stream_close( s );
        return 0;
    }

to

    if( !buf ) {
        *r_nbytes = len; /* only return the length of the buffer */
        cdk_stream_close( s );
        return CDK_Too_Short;
    }

in cdk_kbnode_write_to_mem() (src/kbnode.c).

greez
Mario

PS
Afaik there's no function to import an OpenPGP key which is secured by a pass phrase. I would like to implement one if you don't mind. Please tell me if that's ok.

From jas at extundo.com Sun Aug 6 15:24:04 2006
From: jas at extundo.com (Simon Josefsson)
Date: Sun Aug 6 15:22:39 2006
Subject: [gnutls-dev] Re: Client OpenPGP verification fails (solved)
In-Reply-To: <1154858025.4401.22.camel@mario> (Mario Lenz's message of "Sun, 06 Aug 2006 11:53:44 +0200")
References: <1154858025.4401.22.camel@mario>
Message-ID: <87vep6j8uj.fsf@latte.josefsson.org>

Mario Lenz writes:

> Hi!
>
> It's working now. The problems were partly my fault... Sorry for
> spamming your mailing list :-/

Hi! I'm back from vacation today, and slowly trying to catch up on this thread... Please remind me (in private) if there is some e-mail from you that contains a patch or something concrete that you'd like me to install.

> Nevertheless, the official version doesn't work because gnutls expects
> cdk_kbnode_write_to_mem to return an error code when called with NULL as
> second argument.
>
> You should change
>
>     if( !buf ) {
>         *r_nbytes = len; /* only return the length of the buffer */
>         cdk_stream_close( s );
>         return 0;
>     }
>
> to
>
>     if( !buf ) {
>         *r_nbytes = len; /* only return the length of the buffer */
>         cdk_stream_close( s );
>         return CDK_Too_Short;
>     }
>
> in cdk_kbnode_write_to_mem() (src/kbnode.c).

I have installed this, and will release opencdk 0.5.9 shortly.

> Afaik there's no function to import an OpenPGP key which is secured
> by a pass phrase. I would like to implement one if you don't mind.
> Please tell me if that's ok.

That seems useful, please go ahead! Maybe the gpg-agent should be supported, but that's another story.

/Simon

From jas at extundo.com Sun Aug 6 16:33:38 2006
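The size-probe convention behind the fix above, as an added example written for this archive and not code from GnuTLS or OpenCDK: demo_write_to_mem, demo_key_export and demo_export_key_to_gcert are constructed stand-ins for cdk_kbnode_write_to_mem, gnutls_openpgp_key_export and _gnutls_openpgp_key_to_gcert, the DEMO_ status values are arbitrary, and the "fixed" flag switches the writer between the old behaviour (status 0 for a NULL buffer) and the 0.5.9 behaviour (CDK_Too_Short). It shows why the old return value let the caller's "probe, allocate, export" sequence report success without producing any key bytes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the status codes named in the thread; the
 * numeric values are arbitrary and are not OpenCDK's or GnuTLS's. */
#define DEMO_CDK_Success             0
#define DEMO_CDK_Too_Short         (-7)
#define DEMO_E_SHORT_MEMORY_BUFFER (-51)
#define DEMO_E_INTERNAL_ERROR      (-59)

/* Constructed bytes standing in for the serialized key node. */
static const unsigned char demo_key_blob[] = {
    0x99, 0x01, 0x0d, 0x04, 0x44, 0xd5, 0x5a, 0x12
};

/* Modelled on cdk_kbnode_write_to_mem(): buf == NULL means "report the size".
 * fixed == 0 reproduces the old behaviour (status 0 for the size probe);
 * fixed != 0 reproduces the 0.5.9 change (CDK_Too_Short for the probe). */
static int demo_write_to_mem(unsigned char *buf, size_t buflen,
                             size_t *r_nbytes, int fixed)
{
    size_t len = sizeof demo_key_blob;

    if (!buf) {
        *r_nbytes = len;            /* only return the length of the buffer */
        return fixed ? DEMO_CDK_Too_Short : DEMO_CDK_Success;
    }
    if (buflen < len) {
        *r_nbytes = len;
        return DEMO_CDK_Too_Short;
    }
    memcpy(buf, demo_key_blob, len);
    *r_nbytes = len;
    return DEMO_CDK_Success;
}

/* Modelled on gnutls_openpgp_key_export(): translates the writer's status
 * into the GnuTLS-style error the caller is written to expect. */
static int demo_key_export(unsigned char *out, size_t *out_size, int fixed)
{
    int rc = demo_write_to_mem(out, out ? *out_size : 0, out_size, fixed);

    if (rc == DEMO_CDK_Too_Short)
        return DEMO_E_SHORT_MEMORY_BUFFER;
    if (rc != DEMO_CDK_Success)
        return DEMO_E_INTERNAL_ERROR;
    return 0;
}

/* The two-call pattern from _gnutls_openpgp_key_to_gcert(): probe for the
 * size, allocate, export.  On success *out is malloc'd and the length is
 * returned; otherwise a status is returned and *out is left untouched. */
int demo_export_key_to_gcert(int fixed, unsigned char **out)
{
    size_t der_size = 0;
    unsigned char *der;
    int ret = demo_key_export(NULL, &der_size, fixed);

    if (ret != DEMO_E_SHORT_MEMORY_BUFFER)
        return ret;   /* old writer: ret is 0, "success", but nothing was exported */

    der = malloc(der_size);
    if (!der)
        return DEMO_E_INTERNAL_ERROR;

    ret = demo_key_export(der, &der_size, fixed);
    if (ret != 0) {
        free(der);
        return ret;
    }
    *out = der;
    return (int)der_size;
}

/* Outcome helpers: the status the caller sees, and how many bytes it really got. */
int demo_export_status(int fixed)
{
    unsigned char *p = NULL;
    int rc = demo_export_key_to_gcert(fixed, &p);
    free(p);
    return rc;
}

int demo_exported_bytes(int fixed)
{
    unsigned char *p = NULL;
    int rc = demo_export_key_to_gcert(fixed, &p);
    int n = p ? rc : 0;
    free(p);
    return n;
}

int main(void)
{
    printf("old writer:   status %d, bytes %d\n", demo_export_status(0), demo_exported_bytes(0));
    printf("fixed writer: status %d, bytes %d\n", demo_export_status(1), demo_exported_bytes(1));
    return 0;
}
```

With the old writer the caller gets status 0 and zero bytes: a silent failure, with no signal that only der_size was filled in. That is the shape of problem that surfaces far from its cause, as the "unknown subject_pk_algorithm" report at the start of this thread did. The fixed writer turns the probe into the distinguishable CDK_Too_Short status that the caller is written to check for.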
From: jas at extundo.com (Simon Josefsson)
Date: Sun Aug 6 16:32:08 2006
Subject: [gnutls-dev] OpenCDK 0.5.9
Message-ID: <87lkq2j5ml.fsf@latte.josefsson.org>

The OpenCDK library provides basic parts of the OpenPGP message format. Due to some possible security problems, the library also implements parts of draft-ietf-openpgp-rfc2440bis-08.txt. The aim of the library is *not* to replace any available OpenPGP version. There will be no real support for key management (sign, revoke, alter preferences, ...) and some other parts are only rudimentary available. The main purpose is to handle and understand OpenPGP packets and to use basic operations. For example to encrypt/decrypt or to sign/verify and packet routines.

Noteworthy changes in version 0.5.9 (2006-08-06)
------------------------------------------------

* Fix cdk_kbnode_write_to_mem to return CDK_Too_Short when buf is NULL,
  tiny patch from Mario Lenz.

* Fixed opencdk-config script to include -lz, thanks to Weng Liong, Low.

* Fix prototypes for AIX compiler, reported by John Heiden.

* Don't use trailing comma in last enum constant, for IBM C v6.
  Tiny patch from Albert Chin.

Commercial support contracts for OpenCDK are available, and they help finance continued maintenance. Simon Josefsson Datakonsult, a Stockholm based privately held company, is currently funding OpenCDK maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details.

If you need help to use OpenCDK, or want to help others, you are invited to join our help-gnutls mailing list, see: .
Here are the compressed sources (1.2MB):
  http://josefsson.org/gnutls/releases/opencdk/opencdk-0.5.9.tar.gz

Here are GPG detached signatures using key 0xB565716F:
  http://josefsson.org/gnutls/releases/opencdk/opencdk-0.5.9.tar.gz.sig

The software is cryptographically signed by the author using an OpenPGP key identified by the following information:

pub  1280R/B565716F 2002-05-05 [expires: 2006-08-14]
     Key fingerprint = 0424 D4EE 81A0 E3D1 19C6  F835 EDA2 1E94 B565 716F
uid  Simon Josefsson
uid  Simon Josefsson
sub  1280R/4D5D40AE 2002-05-05 [expires: 2006-08-14]
sub  1024R/09CC4670 2006-03-18 [expires: 2007-04-22]
sub  1024R/AABB1F7B 2006-03-18 [expires: 2007-04-22]
sub  1024R/A14C401A 2006-03-18 [expires: 2007-04-22]

The key is available from:
  http://josefsson.org/key.txt
  dns:b565716f.josefsson.org?TYPE=CERT

Here are the SHA-1 and SHA-224 checksums:

7b4375bf9326d77699687845c10589d409cbd7e3  opencdk-0.5.9.tar.gz
532446665a3f4be920f81b413a0d73e94c5173af  opencdk-0.5.9.tar.gz.sig

f75b6108eddd6db047ab61e834ba9289087150bbd053a7219e0a5d54  opencdk-0.5.9.tar.gz
99e00f8db5601ba67105744beb4c7b3775b50115b88461bdf9b29369  opencdk-0.5.9.tar.gz.sig

Enjoy,
Timo, Nikos, Simon

From jas at extundo.com Sun Aug 6 17:00:52 2006
From: jas at extundo.com (Simon Josefsson)
Date: Sun Aug 6 16:59:24 2006
Subject: [gnutls-dev] Re: gnutls-1.4.1 --without-included-libtasn1 no respected
In-Reply-To: (Daniel Black's message of "Fri, 04 Aug 2006 09:32:30 +1000")
References:
Message-ID: <87hd0pkixn.fsf@latte.josefsson.org>

Daniel Black writes:

> ./configure --without-included-libtasn1
> ..
> ...
> ...
> ..
> checking for libgcrypt-config... /usr/bin/libgcrypt-config
> checking for LIBGCRYPT - version >= 1.2.2... yes
> checking LIBGCRYPT API version... okay
> checking whether to disable SRP authentication support... no
> checking whether to disable PSK authentication support... no
> checking whether to disable anonymous authentication support... no
> checking whether to disable extra PKI stuff... no
> checking whether to disable OpenPGP Certificate authentication support... no
> checking for opencdk-config... /usr/bin/opencdk-config
> checking for libopencdk - version >= 0.5.5... yes
> checking whether to use the included opencdk... no
> checking whether to disable OpenSSL compatibility layer... no
> checking whether to use the included minitasn1... yes
>
> I said "without" included minitasn1.
>
> $ libtasn1-config --version
> 0.3.5
>
> Omitting the configure option detects the installed libtasn1 correctly.

Should be fixed for 1.4 and 1.5 in CVS now. Let me know if it doesn't work.

Thanks,
Simon

From ametzler at downhill.at.eu.org Sun Aug 6 19:36:20 2006
From: ametzler at downhill.at.eu.org (Andreas Metzler)
Date: Sun Aug 6 19:34:59 2006
Subject: [gnutls-dev] OpenCDK 0.5.9
In-Reply-To: <87lkq2j5ml.fsf@latte.josefsson.org>
References: <87lkq2j5ml.fsf@latte.josefsson.org>
Message-ID: <20060806173620.GB24242@downhill.g.la>

On 2006-08-06 Simon Josefsson wrote:
[...]
> * Fixed opencdk-config script to include -lz, thanks to Weng Liong, Low.
[...]

This test seems to be slightly broken. After

  ./configure --prefix=/usr ; make

I end up with

------------
checking for libz... yes
checking how to link with libz... /usr/lib/libz.so
[...]
ametzler@argenau:/tmp/opencdk8-0.5.9$ sh ./src/opencdk-config --libs
-L/usr/lib -lopencdk -lgcrypt -lgpg-error /usr/lib/libz.so
------------

Note that the output includes "/usr/lib/libz.so" instead of "-lz". (If I dump --prefix=/usr it would work as expected, but I need this.)

thanks, cu andreas
-- 
The 'Galactic Cleaning' policy undertaken by Emperor Zhark is a personal vision of the emperor's, and its inclusion in this work does not constitute tacit approval by the author or the publisher for any such projects, howsoever undertaken. (c) Jasper Ffforde

From mario.lenz at gmx.net Sun Aug 6 19:59:07 2006
From: mario.lenz at gmx.net (Mario Lenz)
Date: Sun Aug 6 19:57:59 2006
Subject: [gnutls-dev] Re: Client OpenPGP verification fails (solved)
In-Reply-To: <87vep6j8uj.fsf@latte.josefsson.org>
References: <1154858025.4401.22.camel@mario> <87vep6j8uj.fsf@latte.josefsson.org>
Message-ID: <1154887148.4546.38.camel@mario>

Hi!

> Please remind me (in private) if there is some e-mail from you that
> contains a patch or something concrete that you'd like me to install.

Just the wrong return in cdk_kbnode_write_to_mem, everything else works :-)

> > Afaik there's no function to import an OpenPGP key which is secured
> > by a pass phrase. I would like to implement one if you don't mind.
> > Please tell me if that's ok.
>
> That seems useful, please go ahead! Maybe the gpg-agent should be
> supported, but that's another story.

(Everything happens in libextra/gnutls_openpgp.c)

Rename _gnutls_openpgp_raw_privkey_to_gkey to _gnutls_openpgp_raw_enc_privkey_to_gkey, give it an additional parameter and call cdk_sk_unprotect if pw != NULL:

    int
    _gnutls_openpgp_raw_enc_privkey_to_gkey (gnutls_privkey * pkey,
                                             const gnutls_datum_t * raw_key,
                                             const char *pw)
    {
      /* no changes */

      if (pw)
        {
          if (cdk_sk_unprotect (pkt->pkt.secret_key, pw) != CDK_Success)
            {
              rc = GNUTLS_E_OPENPGP_GETKEY_FAILED;
              goto leave;
            }
        }

      /* no changes from here on */

      sk = pkt->pkt.secret_key;
      pke_algo = sk->pk->pubkey_algo;
      pkey->params_size = cdk_pk_get_npkey (pke_algo);

      /* and so on... */
    }

Because the original function is missing now, add:

    int
    _gnutls_openpgp_raw_privkey_to_gkey (gnutls_privkey * pkey,
                                         const gnutls_datum_t * raw_key)
    {
      return _gnutls_openpgp_raw_enc_privkey_to_gkey (pkey, raw_key, NULL);
    }

Rename gnutls_certificate_set_openpgp_key_mem, add pw parameter and call _gnutls_openpgp_raw_enc_privkey_to_gkey instead of _gnutls_openpgp_raw_privkey_to_gkey:

    int
    gnutls_certificate_set_openpgp_key_mem_enc (gnutls_certificate_credentials_t res,
                                                const gnutls_datum_t * cert,
                                                const gnutls_datum_t * key,
                                                const char *pw)
    {
      /* no changes */

      rc = _gnutls_openpgp_raw_enc_privkey_to_gkey (&res->pkey[res->ncerts - 1],
                                                    &raw, pw);

      /* no changes from here on */

      if (rc)
        {
          gnutls_assert ();
        }

      _gnutls_free_datum (&raw);

    leave:
      cdk_kbnode_release (knode);
      return rc;
    }

Add:

    int
    gnutls_certificate_set_openpgp_key_mem (gnutls_certificate_credentials_t res,
                                            const gnutls_datum_t * cert,
                                            const gnutls_datum_t * key)
    {
      return gnutls_certificate_set_openpgp_key_mem_enc (res, cert, key, NULL);
    }

Rename gnutls_certificate_set_openpgp_key_file, add pw parameter and call gnutls_certificate_set_openpgp_key_mem_enc instead of gnutls_certificate_set_openpgp_key_mem:

    int
    gnutls_certificate_set_openpgp_key_file_enc (gnutls_certificate_credentials_t res,
                                                 const char *certfile,
                                                 const char *keyfile,
                                                 const char *pw)
    {
      /* no changes */

      rc = gnutls_certificate_set_openpgp_key_mem_enc (res, &cert, &key, pw);

      /* no changes from here on */

      free (cert.data);
      free (key.data);

      if (rc < 0)
        {
          gnutls_assert ();
          return rc;
        }

      return 0;
    }

Add:

    int
    gnutls_certificate_set_openpgp_key_file (gnutls_certificate_credentials_t res,
                                             const char *certfile,
                                             const char *keyfile)
    {
      return gnutls_certificate_set_openpgp_key_file_enc (res, certfile, keyfile, NULL);
    }

Update the header files (includes/gnutls/extra.h and libextra/openpgp/gnutls_openpgp.h).
And please have a look at _gnutls_openpgp_raw_enc_privkey_to_gkey; I'm not sure if there's anything to do with pkt if cdk_sk_unprotect (pkt->pkt.secret_key, pw) != CDK_Success. Can't help you with gpg-agent, though. greez Mario PS I've done some tests and didn't find any problems. From ametzler at downhill.at.eu.org Sun Aug 6 20:03:14 2006 From: ametzler at downhill.at.eu.org (Andreas Metzler) Date: Sun Aug 6 20:01:47 2006 Subject: [gnutls-dev] pkg-config support for opencdk Message-ID: <20060806180314.GA3872@downhill.g.la> Hej, attached a simple patch for adding pkg-config support to opencdk. cu andreas PS: I don't think there should be any copyright problems as my own contribution is trivial copy'n'paste from gnutls: 1. Take gnutls.pc.in and copy it as src/opencdk.pc.in. Make two one-line changes to it. 2. Add src/opencdk.pc to AC_CONFIG_FILES 3. Copy 4 lines from gnutls/lib/Makefile.am to src/Makefile.am and s/gnutls/opencdk/ -------------- next part -------------- --- opencdk8-0.5.9.orig/src/opencdk.pc.in +++ opencdk8-0.5.9/src/opencdk.pc.in 
@@ -0,0 +1,23 @@ +# Process this file with autoconf to produce a pkg-config metadata file. +# Copyright (C) 2002, 2003, 2004, 2005 Free Software Foundation +# Author: Simon Josefsson +# +# This file is free software; as a special exception the author gives +# unlimited permission to copy and/or distribute it, with or without +# modifications, as long as this notice is preserved. +# +# This file is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the +# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + +prefix=@prefix@ +exec_prefix=@exec_prefix@ +libdir=@libdir@ +includedir=@includedir@ + +Name: OpenCDK +Description: Open Crypto Development Kit +Version: @VERSION@ +Libs: -L${libdir} -lopencdk +Libs.private: @LIBOPENCDK_LIBS@ @LIBZ@ +Cflags: -I${includedir} --- opencdk8-0.5.9.orig/src/Makefile.am +++ opencdk8-0.5.9/src/Makefile.am @@ -23,6 +23,12 @@ lib_LTLIBRARIES = libopencdk.la bin_SCRIPTS = opencdk-config +# Pkg-config script. +pkgconfigdir = $(libdir)/pkgconfig +pkgconfig_DATA = opencdk.pc + +DISTCLEANFILES = $(pkgconfig_DATA) + EXTRA_DIST = opencdk-config.in opencdk.m4 AM_CPPFLAGS = $(LIBGCRYPT_CFLAGS) --- opencdk8-0.5.9.orig/configure.ac +++ opencdk8-0.5.9/configure.ac @@ -91,5 +91,5 @@ AC_SUBST(LIBOPENCDK_CFLAGS) AC_CONFIG_FILES([Makefile doc/Makefile src/Makefile tests/Makefile - src/opencdk.h src/opencdk-config]) + src/opencdk.h src/opencdk-config src/opencdk.pc]) AC_OUTPUT From jas at extundo.com Mon Aug 7 08:25:35 2006 
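Review bot: in the new src/opencdk.pc.in, `Libs.private: @LIBOPENCDK_LIBS@ @LIBZ@` will carry whatever configure stored in LIBZ, and the opencdk-config report in this same thread shows LIBZ expanding to the absolute path `/usr/lib/libz.so` rather than `-lz` when configured with --prefix=/usr (the follow-up fix was s/LIBZ/LTLIBZ/). Use the same substitution here that the corrected opencdk-config script uses, so `pkg-config --static --libs opencdk` does not emit an install-specific path.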
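Review bot: in the src/Makefile.am hunk, `DISTCLEANFILES = $(pkgconfig_DATA)` is a plain assignment, so if src/Makefile.am sets DISTCLEANFILES anywhere else this silently replaces that list; `DISTCLEANFILES += $(pkgconfig_DATA)` placed after any existing definition avoids that. Since opencdk.pc is also generated through AC_CONFIG_FILES in the configure.ac hunk, automake already removes it on distclean, so the line is redundant but harmless.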
From: jas at extundo.com (Simon Josefsson) Date: Mon Aug 7 08:24:00 2006 Subject: [gnutls-dev] Re: pkg-config support for opencdk In-Reply-To: <20060806180314.GA3872@downhill.g.la> (Andreas Metzler's message of "Sun, 6 Aug 2006 20:03:14 +0200") References: <20060806180314.GA3872@downhill.g.la> Message-ID: <87bqqxjc4g.fsf@latte.josefsson.org> Andreas Metzler writes: > Hej, > attached a simple patch for adding pkg-config support to opencdk. > cu andreas > > PS: > I don't think there should be any copyright problems as my own > contribution is trivial copy'n'paste from gnutls: > > 1. Take gnutls.pc.in and copy it as src/opencdk.pc.in. Make two > one-line changes to it. > 2. Add src/opencdk.pc to AC_CONFIG_FILES > 3. Copy 4 lines from gnutls/lib/Makefile.am to src/Makefile.am and > s/gnutls/opencdk/ Hi, I took your e-mail as a suggestion to implement this, and have installed this in CVS now. Btw, I'd recommend people to use standard autoconf-mechanisms to find opencdk, because pkg-config doesn't work for cross-compilation, and it also breaks the standard autoconf-approach of testing for features. /Simon From jas at extundo.com Mon Aug 7 08:30:36 2006 
From: jas at extundo.com (Simon Josefsson)
Date: Mon Aug 7 08:29:08 2006
Subject: [gnutls-dev] Re: OpenCDK 0.5.9
In-Reply-To: <20060806173620.GB24242@downhill.g.la> (Andreas Metzler's message of "Sun, 6 Aug 2006 19:36:20 +0200")
References: <87lkq2j5ml.fsf@latte.josefsson.org> <20060806173620.GB24242@downhill.g.la>
Message-ID: <877j1ljbw3.fsf@latte.josefsson.org>

Andreas Metzler writes:

> On 2006-08-06 Simon Josefsson wrote:
> [...]
>> * Fixed opencdk-config script to include -lz, thanks to Weng Liong, Low.
> [...]
>
> This test seems to be slightly broken. After
>   ./configure --prefix=/usr ; make
> I end up with
> ------------
> checking for libz... yes
> checking how to link with libz... /usr/lib/libz.so
> [...]
> ametzler@argenau:/tmp/opencdk8-0.5.9$ sh ./src/opencdk-config --libs
> -L/usr/lib -lopencdk -lgcrypt -lgpg-error /usr/lib/libz.so
> ------------
>
> Note that the output includes "/usr/lib/libz.so" instead of "-lz". (If
> I dump --prefix=/usr it would work as expected, but I need this.)

I believe I have fixed this in CVS.

Thanks,
Simon

From mario.lenz at gmx.net Mon Aug 7 18:19:24 2006
From: mario.lenz at gmx.net (Mario Lenz)
Date: Mon Aug 7 18:18:46 2006
Subject: [gnutls-dev] Using encrypted OpenPGP keys
In-Reply-To: <1154887148.4546.38.camel@mario>
References: <1154858025.4401.22.camel@mario> <87vep6j8uj.fsf@latte.josefsson.org> <1154887148.4546.38.camel@mario>
Message-ID: <1154967565.4459.14.camel@mario>

Hi!

If you want to use the pass parameter in gnutls_openpgp_privkey_import (libextra/openpgp/privkey.c):

    int
    gnutls_openpgp_privkey_import (gnutls_openpgp_privkey_t key,
                                   const gnutls_datum_t * data,
                                   gnutls_openpgp_key_fmt_t format,
                                   const char *pass, unsigned int flags)
    {
      int rc;

      rc = _gnutls_openpgp_raw_enc_privkey_to_gkey (&key->pkey, data, pass);
      if (rc)
        {
          gnutls_assert ();
          return rc;
        }

      return 0;
    }

Hmmm, perhaps it would be better not to add new functions, but to add a pw parameter to each function and use a define. For example:

    int
    _gnutls_openpgp_raw_privkey_to_gkey (gnutls_privkey * pkey,
                                         const gnutls_datum_t * raw_key,
                                         const char *pw)
    {
      /* no changes */

      if (pw)
        {
          if (cdk_sk_unprotect (pkt->pkt.secret_key, pw) != CDK_Success)
            {
              rc = GNUTLS_E_OPENPGP_GETKEY_FAILED;
              goto leave;
            }
        }

      /* no changes from here on */

      sk = pkt->pkt.secret_key;
      pke_algo = sk->pk->pubkey_algo;
      pkey->params_size = cdk_pk_get_npkey (pke_algo);

      /* and so on... */
    }

    #define _gnutls_openpgp_raw_privkey_to_gkey(pkey, raw_key) \
      _gnutls_openpgp_raw_privkey_to_gkey (pkey, raw_key, NULL)

(This should work, shouldn't it?)

If you want me to send diffs or to work directly in the cvs, just tell me. But in this case we should first discuss whether to add new functions or to use defines.

greez
Mario

From ametzler at downhill.at.eu.org Mon Aug 7 20:00:15 2006
From: ametzler at downhill.at.eu.org (Andreas Metzler) Date: Mon Aug 7 19:59:01 2006 Subject: [gnutls-dev] Re: OpenCDK 0.5.9 In-Reply-To: <877j1ljbw3.fsf@latte.josefsson.org> References: <87lkq2j5ml.fsf@latte.josefsson.org> <20060806173620.GB24242@downhill.g.la> <877j1ljbw3.fsf@latte.josefsson.org> Message-ID: <20060807180015.GA11433@downhill.g.la> On 2006-08-07 Simon Josefsson wrote: > Andreas Metzler writes: [...] > > ametzler@argenau:/tmp/opencdk8-0.5.9$ sh ./src/opencdk-config --libs > > -L/usr/lib -lopencdk -lgcrypt -lgpg-error /usr/lib/libz.so > > ------------ > > Note that the output includes "/usr/lib/libz.so" instead of "-lz". (If > > I dump --prefix=/usr it would work as expected, but I need this.) > I believe I have fixed this in CVS. A quick test indeed seems to show that s/LIBZ/LTLIBZ/ has fixed it. thanks, cu andreas From ametzler at downhill.at.eu.org Mon Aug 7 20:24:14 2006 
From: ametzler at downhill.at.eu.org (Andreas Metzler)
Date: Mon Aug 7 20:23:00 2006
Subject: [gnutls-dev] Re: pkg-config support for opencdk
In-Reply-To: <87bqqxjc4g.fsf@latte.josefsson.org>
References: <20060806180314.GA3872@downhill.g.la> <87bqqxjc4g.fsf@latte.josefsson.org>
Message-ID: <20060807182414.GB11433@downhill.g.la>

On 2006-08-07 Simon Josefsson wrote:
> Andreas Metzler writes:
> > attached a simple patch for adding pkg-config support to opencdk.
> > cu andreas
[...]
> Hi, I took your e-mail as a suggestion to implement this, and have
> installed this in CVS now.

Splendid. Thank you.

> Btw, I'd recommend people to use standard autoconf-mechanisms to find
> opencdk,

I did provide this as the current *m4 tests shipped in the gnutls software are problematic. They use foo-config to get the needed dependency libs and CFLAGS and foo-config is not smart enough. For example libgnutls-config --libs generates this output:

  -L/usr/lib -lgnutls -L/usr/lib -ltasn1 -lgcrypt -lgpg-error

However on many systems (Linux, the Hurd, ...) it is not necessary to link indirect dependencies when doing symbolic linking. i.e. if you use gnutls-functions this will be enough

  gcc -lgnutls -o foo foo.c

there is no need to link against -ltasn1 -lgcrypt -lgpg-error, the symbolic linker will handle these just fine at run-time.

This unnecessary linkage hurts us (Debian), because dependency cycles get a lot bigger than necessary. The greater part of gnome will link against libtasn although only gnutls functions are used, and if tasn changes its soname we will need to rebuild a 100 times the packages than actually necessary (and until that has happened the yet not-rebuilt ones link against two versions of libtasn).

pkg-config can solve this problem because knowledge about whether direct linking of dependency libs is necessary is built in, the output of "pkg-config --libs gnutls" differs in between "broken" and other systems.
> because pkg-config doesn't work for cross-compilation,

I actually do not know whether this is true, i.e. whether pkg-config --libs foo will work in scenarios where foo-config --libs works. I fail to come up with such a scenario at short time however, and googling seems to suggest that crosscompilation of pkg-config using software is possible.

> and it also breaks the standard autoconf-approach of testing for
> features.

You can use pkg-config to find the library and then use the standard tests. I am just arguing that pkg-config might do a better job than the foo-config scripts.

thanks for listening, cu andreas
-- 
The 'Galactic Cleaning' policy undertaken by Emperor Zhark is a personal vision of the emperor's, and its inclusion in this work does not constitute tacit approval by the author or the publisher for any such projects, howsoever undertaken. (c) Jasper Ffforde

From ametzler at downhill.at.eu.org Mon Aug 7 20:29:34 2006
From: ametzler at downhill.at.eu.org (Andreas Metzler)
Date: Mon Aug 7 20:28:05 2006
Subject: [gnutls-dev] Re: pkg-config support for opencdk
In-Reply-To: <20060807182414.GB11433@downhill.g.la>
References: <20060806180314.GA3872@downhill.g.la> <87bqqxjc4g.fsf@latte.josefsson.org> <20060807182414.GB11433@downhill.g.la>
Message-ID: <20060807182934.GA11581@downhill.g.la>

On 2006-08-07 Andreas Metzler wrote:
> However on many systems (Linux, the Hurd, ...) it is not necessary to
> link indirect dependencies when doing symbolic linking.
                                         ^^^^^^^^
dynamic, obviously.

From mario.lenz at gmx.net Tue Aug 8 13:04:25 2006
From: mario.lenz at gmx.net (Mario Lenz)
Date: Tue Aug 8 13:03:30 2006
Subject: [gnutls-dev] Using encrypted OpenPGP keys
In-Reply-To: <1154967565.4459.14.camel@mario>
References: <1154858025.4401.22.camel@mario> <87vep6j8uj.fsf@latte.josefsson.org> <1154887148.4546.38.camel@mario> <1154967565.4459.14.camel@mario>
Message-ID: <1155035065.4346.3.camel@mario>

Hi!

> #define _gnutls_openpgp_raw_privkey_to_gkey(pkey, raw_key) \
>   _gnutls_openpgp_raw_privkey_to_gkey (pkey, raw_key, NULL)
>
> (This should work, shouldn't it?)

No, it shouldn't. But this one seems to work:

    #define _GNUTLS_OPENPGP_RAW_PRIVKEY_TO_GKEY(pkey, raw_key, passw, ...) \
      _gnutls_openpgp_raw_privkey_to_gkey(pkey, raw_key, passw)

    #define _gnutls_openpgp_raw_privkey_to_gkey(pkey, raw_key, ...) \
      _GNUTLS_OPENPGP_RAW_PRIVKEY_TO_GKEY (pkey, raw_key, ## __VA_ARGS__, NULL)

It's a dirty hack, but nevertheless it's imo better than adding half a dozen a_very_long_long_name_indeed_enc functions to the already existing a_very_long_long_name_indeed ones. (The version without a password argument should be marked as deprecated in the documentation and removed in a later release, though.)

greez
Mario

From jas at extundo.com Tue Aug 8 14:47:39 2006
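The default-argument macro pair above, exercised end to end as an added example written for this archive, not GnuTLS or OpenCDK code: demo_raw_privkey_to_gkey and DEMO_RAW_PRIVKEY_TO_GKEY take the roles of _gnutls_openpgp_raw_privkey_to_gkey and its upper-case helper, demo_sk_unprotect stands in for cdk_sk_unprotect, the demo_secret_key struct and the DEMO_ status value are constructed, and the loader uses the "pw && *pw" test proposed later in this thread so an empty passphrase counts as none. It confirms that the two-argument call reaches the function with pw == NULL while a third argument is passed through unchanged.

```c
#include <stdio.h>
#include <string.h>

/* Added example for this thread, not GnuTLS or OpenCDK code.  The names and
 * the key structure are constructed so the control flow can be exercised
 * without a real OpenPGP secret-key packet. */

#define DEMO_E_OPENPGP_GETKEY_FAILED (-101)   /* constructed status value */

struct demo_secret_key {
    int is_protected;        /* constructed: 1 if the secret MPIs are passphrase-protected */
    const char *passphrase;  /* constructed: the passphrase that unlocks them */
    int unlocked;            /* set once the key is usable */
};

/* Stand-in for cdk_sk_unprotect(): succeeds only with the matching passphrase. */
static int demo_sk_unprotect(struct demo_secret_key *sk, const char *pw)
{
    if (!sk->is_protected) {
        sk->unlocked = 1;
        return 0;
    }
    if (strcmp(sk->passphrase, pw) != 0)
        return DEMO_E_OPENPGP_GETKEY_FAILED;
    sk->unlocked = 1;
    return 0;
}

/* Three-argument loader in the shape of _gnutls_openpgp_raw_privkey_to_gkey
 * with the pw parameter.  "pw && *pw" treats an empty passphrase like none
 * at all; a protected key that is not unlocked is reported as a failure
 * instead of being handed on with still-encrypted material. */
int demo_raw_privkey_to_gkey(struct demo_secret_key *sk,
                             const char *raw_key, const char *pw)
{
    (void)raw_key;    /* the real function decodes this; the stand-in does not */

    if (pw && *pw) {
        if (demo_sk_unprotect(sk, pw) != 0)
            return DEMO_E_OPENPGP_GETKEY_FAILED;
    } else if (sk->is_protected) {
        return DEMO_E_OPENPGP_GETKEY_FAILED;
    } else {
        sk->unlocked = 1;
    }
    return 0;
}

/* The default-argument macro pair from the thread, using the demo names.
 * The inner macro spells out the function name, which is not re-expanded
 * while the outer macro of the same name is being replaced (C11 6.10.3.4),
 * so it resolves to the real function.  "## __VA_ARGS__" is a GNU/Clang
 * extension that drops the comma when no extra argument is given.  Defined
 * after the function body so the definition itself is left alone. */
#define DEMO_RAW_PRIVKEY_TO_GKEY(sk, raw_key, passw, ...) \
    demo_raw_privkey_to_gkey(sk, raw_key, passw)
#define demo_raw_privkey_to_gkey(sk, raw_key, ...) \
    DEMO_RAW_PRIVKEY_TO_GKEY(sk, raw_key, ## __VA_ARGS__, NULL)

/* Scenarios on constructed keys.  Return 0 for a usable key, else the status. */
int demo_load_protected_with(const char *pw)
{
    struct demo_secret_key k = { 1, "correct horse", 0 };
    int rc = demo_raw_privkey_to_gkey(&k, "constructed-raw-key", pw);  /* 3-arg form */
    return (rc == 0 && k.unlocked) ? 0 : (rc ? rc : -1);
}

int demo_load_protected_default(void)
{
    struct demo_secret_key k = { 1, "correct horse", 0 };
    return demo_raw_privkey_to_gkey(&k, "constructed-raw-key");        /* 2-arg form, pw = NULL */
}

int demo_load_plain_default(void)
{
    struct demo_secret_key k = { 0, NULL, 0 };
    int rc = demo_raw_privkey_to_gkey(&k, "constructed-raw-key");
    return (rc == 0 && k.unlocked) ? 0 : -1;
}

int main(void)
{
    printf("protected, right passphrase: %d\n", demo_load_protected_with("correct horse"));
    printf("protected, wrong passphrase: %d\n", demo_load_protected_with("wrong"));
    printf("protected, empty passphrase: %d\n", demo_load_protected_with(""));
    printf("protected, no passphrase:    %d\n", demo_load_protected_default());
    printf("unprotected, no passphrase:  %d\n", demo_load_plain_default());
    return 0;
}
```

In a real tree the macro pair would live in the header, so ordering relative to the definition matters less than here; the point to keep in mind is that the trailing `## __VA_ARGS__` comma-swallowing is an extension, which is part of why the thread calls this a hack even though it compiles with the usual toolchains.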
From: jas at extundo.com (Simon Josefsson)
Date: Tue Aug 8 14:46:21 2006
Subject: [gnutls-dev] Re: pkg-config support for opencdk
In-Reply-To: <20060807182414.GB11433@downhill.g.la> (Andreas Metzler's message of "Mon, 7 Aug 2006 20:24:14 +0200")
References: <20060806180314.GA3872@downhill.g.la> <87bqqxjc4g.fsf@latte.josefsson.org> <20060807182414.GB11433@downhill.g.la>
Message-ID: <87r6zrqtqs.fsf@latte.josefsson.org>

Andreas Metzler writes:

>> Btw, I'd recommend people to use standard autoconf-mechanisms to find
>> opencdk,
>
> I did provide this as the current *m4 tests shipped in the gnutls
> software are problematic. They use foo-config to get the needed
> dependency libs and CFLAGS and foo-config is not smart enough. For
> example libgnutls-config --libs generates this output:
>
> -L/usr/lib -lgnutls -L/usr/lib -ltasn1 -lgcrypt -lgpg-error

Right, and I recommend against using gnutls*-config for the same reason too. I think Bruno's AC_LIB_HAVE_LINKFLAGS is the best choice. It works for cross-compilations, can check for particular versions through the gnutls.h LIBGNUTLS_VERSION* symbols, and doesn't add unnecessary libraries to the link line, and works with and without libtool.

Using pkg-config may be simpler, and more well tested than Bruno's macro, but it doesn't follow the test-for-feature approach.

> However on many systems (Linux, the Hurd, ...) it is not necessary to
> link indirect dependencies when doing symbolic linking. i.e. if you use
> gnutls-functions this will be enough
> gcc -lgnutls -o foo foo.c
> there is no need to link against -ltasn1 -lgcrypt -lgpg-error, the
> symbolic linker will handle these just fine at run-time.

Right.

> This unnecessary linkage hurts us (Debian), because dependency cycles
> get a lot bigger than necessary. The greater part of gnome will link
> against libtasn although only gnutls functions are used, and if tasn
> changes its soname we will need to rebuild a 100 times the packages
> than actually necessary (and until that has happened the yet
> not-rebuilt ones link against two versions of libtasn).

Oops.

> pkg-config can solve this problem because knowledge about whether
> direct linking of dependency libs is necessary is built in,
> the output of "pkg-config --libs gnutls" differs in between "broken"
> and other systems.

Ok. I think lib-link.m4 does this too; it checks which libraries are required to link.

> I fail to come up with such a scenario at short time however, and
> googling seems to suggest that crosscompilation of pkg-config using
> software is possible.

Pkg-config works fine for cross-compilation if you point each configure script at the proper pkg-config script for the already cross-compiled library. However, things don't happen automatically, and pkg-config doesn't know for which platform a particular library is built. Bruno's macro uses the compiler/linker to find the libraries, and this seems like a more reliable approach.

>> and it also breaks the standard autoconf-approach of testing for
>> features.
>
> You can use pkg-config to find the library and then use the standard
> tests.

Yup.

> I am just arguing that pkg-config might do a better job than the
> foo-config scripts.

Agreed, and the gnutls*-config scripts are even more deprecated than the pkg-config approach. Maybe we should remove them in 1.5.0 to make sure people stop using them.

/Simon

From ametzler at downhill.at.eu.org Tue Aug 8 19:00:44 2006
From: ametzler at downhill.at.eu.org (Andreas Metzler)
Date: Tue Aug 8 18:59:30 2006
Subject: [gnutls-dev] Re: pkg-config support for opencdk
In-Reply-To: <87r6zrqtqs.fsf@latte.josefsson.org>
References: <20060806180314.GA3872@downhill.g.la> <87bqqxjc4g.fsf@latte.josefsson.org> <20060807182414.GB11433@downhill.g.la> <87r6zrqtqs.fsf@latte.josefsson.org>
Message-ID: <20060808170044.GA3731@downhill.g.la>

On 2006-08-08 Simon Josefsson wrote:
[...]
> Agreed, and the gnutls*-config scripts are even more deprecated than
> the pkg-config approach. Maybe we should remove them in 1.5.0 to make
> sure people stop using them.
[...]

Hello,
They currently look like the official way to get the info, as the
included autoconf macros use them.

- Could these macros seamlessly be replaced with better versions, or
  is there no way against requiring people to update their
  configure.ac scripts?

cu and- no auto* guru -dreas
--
The 'Galactic Cleaning' policy undertaken by Emperor Zhark is a personal
vision of the emperor's, and its inclusion in this work does not constitute
tacit approval by the author or the publisher for any such projects,
howsoever undertaken. (c) Jasper Ffforde
From: mario.lenz at gmx.net (Mario Lenz)
Date: Thu Aug 10 17:04:24 2006
Subject: [gnutls-dev] Using encrypted OpenPGP keys
In-Reply-To: <1154887148.4546.38.camel@mario>
References: <1154858025.4401.22.camel@mario> <87vep6j8uj.fsf@latte.josefsson.org> <1154887148.4546.38.camel@mario>
Message-ID: <1155222329.5478.6.camel@mario>

Hi!

I just wanted to offer you to send diffs or to use cvs. And a little
change:

> int
> _gnutls_openpgp_raw_enc_privkey_to_gkey (gnutls_privkey * pkey,
>                                          const gnutls_datum_t * raw_key,
>                                          const char *pw)
> {
>   /* no changes */
>
>   if (pw)
>     {
>       if (cdk_sk_unprotect (pkt->pkt.secret_key, pw) != CDK_Success)
>         {
>           rc = GNUTLS_E_OPENPGP_GETKEY_FAILED;
>           goto leave;
>         }
>     }
>
>   /* no changes from here on */
>
>   sk = pkt->pkt.secret_key;
>   pke_algo = sk->pk->pubkey_algo;
>   pkey->params_size = cdk_pk_get_npkey (pke_algo);
>
>   /* and so on... */
>
> }

I think "if (pw && *pw)" would be better.

greez
Mario

From: marlam at marlam.de (Martin Lambers)
Date: Thu Aug 10 20:28:09 2006
Subject: [gnutls-dev] Re: pkg-config support for opencdk
In-Reply-To: <87r6zrqtqs.fsf@latte.josefsson.org>
References: <20060806180314.GA3872@downhill.g.la> <87bqqxjc4g.fsf@latte.josefsson.org> <20060807182414.GB11433@downhill.g.la> <87r6zrqtqs.fsf@latte.josefsson.org>
Message-ID: <20060810170958.GA6152@cthulhu.lambers.home>

On Tue, 08. Aug 2006, 14:47:39 +0200, Simon Josefsson wrote:
> I think Bruno's AC_LIB_HAVE_LINKFLAGS is the best choice. It works
> for cross-compilations, can check for particular versions through the
> gnutls.h LIBGNUTLS_VERSION* symbols, and doesn't add unnecessary
> libraries to the link line, and works with and without libtool.

How does the check for particular versions work with
AC_LIB_HAVE_LINKFLAGS? Can you give an example?

Martin
From: jas at extundo.com (Simon Josefsson)
Date: Sat Aug 12 01:20:33 2006
Subject: [gnutls-dev] Re: [Fwd: crash in GNUTLS-1.4.0]
In-Reply-To: <44CB2B34.3030401@hyd.hellosoft.com> (satyakumar's message of "Sat, 29 Jul 2006 15:02:36 +0530")
References: <44CB2B34.3030401@hyd.hellosoft.com>
Message-ID: <87mzaax3hm.fsf@latte.josefsson.org>

With some guess-work, I was able to reproduce the problem, and the
patch is below. I'm not yet sure what it is that triggers the problem.
If I replace the server key/certificate with another pair, it doesn't
crash, and if I instead replace the CA certificate with another CA
certificate, it doesn't crash either. So it seems it is a combination
with the particular CA certificate and server key/certificate that you
sent.

I'm going away over the weekend, so if anybody here wants to analyze
this further, that would be appreciated.

Here is the recipe to reproduce the crash:

$ gnutls-serv --x509keyfile key.pem --x509certfile newcert.pem
...
$ gnutls-cli --x509cafile cacert.pem --port 5556 localhost

I'm labeling this problem as GNUTLS-SA-2006-02 because, under some
unclear situations, it is a remotely triggered crash of clients.

/Simon

Index: gnutls_algorithms.c
===================================================================
RCS file: /cvs/gnutls/gnutls/lib/gnutls_algorithms.c,v
retrieving revision 2.156
retrieving revision 2.157
diff -u -p -r2.156 -r2.157
--- gnutls_algorithms.c 15 Dec 2005 13:24:29 -0000 2.156
+++ gnutls_algorithms.c 11 Aug 2006 22:40:36 -0000 2.157
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2000, 2002, 2003, 2004, 2005 Free Software Foundation
+ * Copyright (C) 2000, 2002, 2003, 2004, 2005, 2006 Free Software Foundation
  *
  * Author: Nikos Mavroyanopoulos
  *
@@ -563,7 +563,7 @@ _gnutls_x509_oid2mac_algorithm (const ch
 {
   gnutls_mac_algorithm_t ret = 0;
 
-  GNUTLS_HASH_LOOP (if (strcmp (oid, p->oid) == 0)
+  GNUTLS_HASH_LOOP (if (p->oid && strcmp (oid, p->oid) == 0)
                     { ret = p->id; break;} );
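Review bot: the added `p->oid &&` guard stops strcmp() from dereferencing a table entry that has no OID, but the `oid` argument itself still reaches strcmp() unchecked; if any caller can pass a NULL oid the same crash remains, so an early `if (oid == NULL) return 0;` (ret is already initialised to 0 for the not-found case) would close that path as well. The hunk also comes without a regression test: the key.pem/newcert.pem/cacert.pem trio and the gnutls-serv/gnutls-cli recipe above reproduce the crash and would make a suitable one, and a short comment explaining why table entries may carry a NULL oid would help the next reader of GNUTLS_HASH_LOOP.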
From: jas at extundo.com (Simon Josefsson)
Date: Sat Aug 12 01:24:16 2006
Subject: [gnutls-dev] Re: [Fwd: crash in GNUTLS-1.4.0]
In-Reply-To: <87mzaax3hm.fsf@latte.josefsson.org> (Simon Josefsson's message of "Sat, 12 Aug 2006 01:21:57 +0200")
References: <44CB2B34.3030401@hyd.hellosoft.com> <87mzaax3hm.fsf@latte.josefsson.org>
Message-ID: <87irkyx3b5.fsf@latte.josefsson.org>

It seems that the mailing list archive removes non-textual attachments,
so for reference, here are the certificates and keys again, now labeled
as text/plain. Sigh...

/Simon

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: shaWithRSAEncryption
        Issuer: C=AA, ST=AA, L=AA, O=AA, OU=AA, CN=AA
        Validity
            Not Before: Jul 24 08:58:59 2006 GMT
            Not After : Jul 24 08:58:59 2007 GMT
        Subject: C=AA, ST=AA, L=AA, O=AA, OU=AA, CN=AA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                9A:ED:80:53:94:36:64:99:7C:41:11:36:D3:B1:95:8C:C2:C9:58:2C
            X509v3 Authority Key Identifier:
                keyid:A3:E2:D8:B7:CF:87:DB:79:7A:F7:BA:D2:4E:67:7B:C1:56:CC:25:2F
                DirName:/C=AA/ST=AA/L=AA/O=AA/OU=AA/CN=AA
                serial:00
    Signature Algorithm: shaWithRSAEncryption
From: jas at extundo.com (Simon Josefsson)
Date: Sat Aug 12 01:27:01 2006
Subject: [gnutls-dev] GnuTLS 1.4.2
Message-ID: <87ejvmx36r.fsf@latte.josefsson.org>

I am happy to announce GnuTLS 1.4.2, a bugfix release on the stable 1.4
branch. This version is what we recommend for those who need a stable
version of GnuTLS.

GnuTLS is a modern C library that implements the standard network
security protocol Transport Layer Security (TLS), for use by network
applications.

Noteworthy changes since 1.4.1:

** Fix a crash (strcmp() on a NULL value) in the certificate verification
   logic. This can happen if you call gnutls_certificate_verify_peers2 and
   have a certain mix of local CA certificates and the peer sends special
   certificates, that together trigger certain behaviour. It is not known
   at this point whether the crash can be triggered without the special
   local CA certificate, and thus turn this into a remote crash of clients
   that verify server certificates when they talk to a server with the
   special server certificate. See GNUTLS-SA-2006-2 on
   http://www.gnu.org/software/gnutls/security.html for more up to date
   information. Reported by satyakumar.

** Change SRP and Cert-Type extensions to match IANA registry.

** OpenCDK updated to 0.5.9 to fix some problems with OpenPGP support.

** Make --without-included-libtasn1 work. Reported by Daniel Black.

** API and ABI modifications:
   No changes since last version.

Improving GnuTLS is costly, but you can help! We are looking for
organizations that find GnuTLS useful and wish to contribute back. You
can contribute by reporting bugs, improving the software, or donating
money or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance. Simon Josefsson Datakonsult, a Stockholm
based privately held company, is currently funding GnuTLS maintenance.
We are always looking for interesting development projects. See
http://josefsson.org/ for more details.
All manual formats are available from:

  http://www.gnutls.org/manual/

Direct link to the most popular formats:

  http://www.gnutls.org/manual/gnutls.html - HTML format
  http://www.gnutls.org/manual/gnutls.pdf - PDF format
  http://www.gnutls.org/reference/ch01.html - API Reference, GTK-DOC HTML

If you need help to use GnuTLS, or want to help others, you are invited
to join our help-gnutls mailing list, see: .

The project page of the library is available at:

  http://www.gnutls.org/
  http://www.gnu.org/software/gnutls/
  http://josefsson.org/gnutls/ (updated fastest)

Here are the compressed sources (3.9MB):

  http://josefsson.org/gnutls/releases/gnutls-1.4.2.tar.bz2

Here are GPG detached signatures signed using key 0xB565716F:

  http://josefsson.org/gnutls/releases/gnutls-1.4.2.tar.bz2.sig

The software is cryptographically signed by the author using an OpenPGP
key identified by the following information:

pub  1280R/B565716F 2002-05-05 [expires: 2006-08-14]
     Key fingerprint = 0424 D4EE 81A0 E3D1 19C6  F835 EDA2 1E94 B565 716F
uid  Simon Josefsson
uid  Simon Josefsson
sub  1280R/4D5D40AE 2002-05-05 [expires: 2006-08-14]
sub  1024R/09CC4670 2006-03-18 [expires: 2007-04-22]
sub  1024R/AABB1F7B 2006-03-18 [expires: 2007-04-22]
sub  1024R/A14C401A 2006-03-18 [expires: 2007-04-22]

The key is available from:

  http://josefsson.org/key.txt
  dns:b565716f.josefsson.org?TYPE=CERT

Here are the SHA-1 and SHA-224 checksums:

671b10bca94fa441d0d1da29a7c52fed0b0c5ae7  gnutls-1.4.2.tar.bz2
01fea5a4e371e0a4300655af40b4a4fdf34f1eff  gnutls-1.4.2.tar.bz2.sig
9492a46afbc9f850156dfe08ef6fef30f9cf914d7f106cc09270aeb8  gnutls-1.4.2.tar.bz2
5066dcd05d724140ae86b4b8d236cb151e0e58d6ab0daaffd7e0a40a  gnutls-1.4.2.tar.bz2.sig

Enjoy,
Nikos and Simon
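The strcmp()-on-NULL crash this release fixes (the GNUTLS_HASH_LOOP patch earlier in the thread) comes from a table lookup that compares the incoming OID against every entry, including entries that carry no OID at all. The program below is an added example, not GnuTLS code: it rebuilds that lookup over a constructed table (the enum values and the RMD160/NULL rows are made up; only the MD5 and SHA-1 OIDs are real) and shows the pre-fix loop beside the guarded one.

```c
/* Added example, not GnuTLS code: an OID -> MAC-algorithm lookup over a
 * table in which some entries have no OID, modelled on the
 * GNUTLS_HASH_LOOP fix for GNUTLS-SA-2006-02.  Table and enum are
 * constructed for illustration; the real GnuTLS table differs. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    MAC_UNKNOWN = 0,   /* returned when no entry matches */
    MAC_NULL    = 1,
    MAC_MD5     = 2,
    MAC_SHA1    = 3,
    MAC_RMD160  = 4
} mac_algorithm_t;

struct mac_entry {
    const char *name;
    mac_algorithm_t id;
    const char *oid;   /* NULL for algorithms listed without an OID */
};

static const struct mac_entry mac_table[] = {
    { "MD5",    MAC_MD5,     "1.2.840.113549.2.5" },
    { "SHA1",   MAC_SHA1,    "1.3.14.3.2.26" },
    { "RMD160", MAC_RMD160,  NULL },   /* constructed: entry with no OID */
    { "NULL",   MAC_NULL,    NULL },
    { NULL,     MAC_UNKNOWN, NULL }    /* terminator */
};

/* Pre-fix shape.  strcmp() is reached for every entry, so an OID that
 * matches neither MD5 nor SHA1 is compared against RMD160's NULL oid and
 * strcmp() dereferences NULL: a certificate whose signature-algorithm OID
 * is missing from the table is enough to take the process down.  Kept
 * only to show the defect; never call it with an OID absent from the
 * table. */
mac_algorithm_t oid2mac_unsafe(const char *oid)
{
    const struct mac_entry *p;
    for (p = mac_table; p->name != NULL; p++)
        if (strcmp(oid, p->oid) == 0)
            return p->id;
    return MAC_UNKNOWN;
}

/* Fixed shape, as in the patch: entries without an OID are skipped.  One
 * step beyond the patch, a NULL argument is rejected up front instead of
 * being handed to strcmp(). */
mac_algorithm_t oid2mac_safe(const char *oid)
{
    const struct mac_entry *p;
    if (oid == NULL)
        return MAC_UNKNOWN;
    for (p = mac_table; p->name != NULL; p++)
        if (p->oid != NULL && strcmp(oid, p->oid) == 0)
            return p->id;
    return MAC_UNKNOWN;
}

int main(void)
{
    /* Constructed inputs: two OIDs the table knows and one it does not. */
    const char *inputs[] = { "1.2.840.113549.2.5", "1.3.14.3.2.26", "1.2.3.4.5" };
    size_t i;
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-22s -> %d\n", inputs[i], (int) oid2mac_safe(inputs[i]));
    return 0;
}
```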
From: jas at extundo.com (Simon Josefsson)
Date: Sun Aug 13 17:16:58 2006
Subject: [gnutls-dev] Re: Compiler warnings on 64bit archs
In-Reply-To: <20060628182808.GA20098@downhill.aus.cc> (Andreas Metzler's message of "Wed, 28 Jun 2006 20:28:08 +0200")
References: <20060616111950.GA9894@downhill.aus.cc> <87ver1axvx.fsf@latte.josefsson.org> <20060616175918.GA3141@downhill.aus.cc> <20060624120910.GA14075@downhill.aus.cc> <87bqsex66b.fsf@latte.josefsson.org> <20060628182808.GA20098@downhill.aus.cc>
Message-ID: <8764gwwtoo.fsf@latte.josefsson.org>

Andreas Metzler writes:

> After adding the missing AC_CHECK_SIZEOF(void *), this indeed works.
>
> So how would you like to have the 19 [1] occurrences of this issue
> fixed, is there a central header file GNUTLS_POINTER_TO_INT can be
> thrown into (besides gnutls.h)?
>
> thanks, cu andreas
> [1]
> in gnutls-20060628.tar.gz:
> gnutls_openssl.c:283: warning: cast to pointer from integer of different size
> gnutls_openssl.c:290: warning: cast to pointer from integer of different size
> gnutls_openssl.c:301: warning: cast to pointer from integer of different size
> gnutls_openssl.c:880: warning: cast from pointer to integer of different size
> gnutls_openssl.c:892: warning: cast to pointer from integer of different size

I've moved the macros to gnutls_int, and fixed the above warnings.

> serv.c:954: warning: cast to pointer from integer of different size
> cli.c:831: warning: cast to pointer from integer of different size
> psk.gaa:28: warning: assignment makes integer from pointer without a cast
> tls_test.c:270: warning: cast to pointer from integer of different size
> ex-cert-select.c:156: warning: cast to pointer from integer of different size
> ex-client1.c:54: warning: cast to pointer from integer of different size
> ex-client2.c:62: warning: cast to pointer from integer of different size
> ex-client-resume.c:61: warning: cast to pointer from integer of different size
> ex-serv1.c:134: warning: cast to pointer from integer of different size
> ex-serv-anon.c:119: warning: cast to pointer from integer of different size
> ex-serv-export.c:179: warning: cast to pointer from integer of different size
> ex-serv-pgp.c:138: warning: cast to pointer from integer of different size
> ex-client-srp.c:72: warning: cast to pointer from integer of different size
> ex-serv-srp.c:123: warning: cast to pointer from integer of different size

Those are not in the library, and from what I understand, the cast isn't
actually invalid -- the behaviour is what we intend and well defined on
all platforms we care about, isn't it? The right solution is probably
to change the APIs so this situation never arises. Without more insight
into what harm (if any?) the warning causes, changing the API doesn't
seem warranted.

/Simon
From: ametzler at downhill.at.eu.org (Andreas Metzler)
Date: Sun Aug 13 18:53:18 2006
Subject: [gnutls-dev] Re: Compiler warnings on 64bit archs
In-Reply-To: <8764gwwtoo.fsf@latte.josefsson.org>
References: <20060616111950.GA9894@downhill.aus.cc> <87ver1axvx.fsf@latte.josefsson.org> <20060616175918.GA3141@downhill.aus.cc> <20060624120910.GA14075@downhill.aus.cc> <87bqsex66b.fsf@latte.josefsson.org> <20060628182808.GA20098@downhill.aus.cc> <8764gwwtoo.fsf@latte.josefsson.org>
Message-ID: <20060813165438.GA328@downhill.g.la>

On 2006-08-13 Simon Josefsson wrote:
> Andreas Metzler writes:
>> After adding the missing AC_CHECK_SIZEOF(void *), this indeed works.
>>
>> So how would you like to have the 19 [1] occurrences of this issue
>> fixed, is there a central header file GNUTLS_POINTER_TO_INT can be
>> thrown into (besides gnutls.h)?
>>
>> thanks, cu andreas
>> [1]
>> in gnutls-20060628.tar.gz:
>> gnutls_openssl.c:283: warning: cast to pointer from integer of different size
[...]
> I've moved the macros to gnutls_int, and fixed the above warnings.

Thanks. gnutls_openssl.c needs a #include

>> serv.c:954: warning: cast to pointer from integer of different size
>> cli.c:831: warning: cast to pointer from integer of different size
[...]
> Those are not in the library, and from what I understand, the cast
> isn't actually invalid -- the behaviour is what we intend and well
> defined on all platforms we care about, isn't it?
[...]

I honestly do not know. GLIB's docs just say "The problem is that on
some systems you need to do this: [...]", with this being the cast to
(long).

cu andreas
--
The 'Galactic Cleaning' policy undertaken by Emperor Zhark is a personal
vision of the emperor's, and its inclusion in this work does not constitute
tacit approval by the author or the publisher for any such projects,
howsoever undertaken. (c) Jasper Ffforde
From: jas at extundo.com (Simon Josefsson)
Date: Sun Aug 13 22:25:40 2006
Subject: [gnutls-dev] GnuTLS 1.5.0 - experimental, with Windows installer
Message-ID: <87y7tsv0to.fsf@latte.josefsson.org>

I am happy to announce GnuTLS 1.5.0, the first release on the current
experimental branch. We recommend the 1.4.x branch for those looking
for a stable version.

One goal with the 1.5.x branch is to make Windows x86 a supported
platform for GnuTLS. We do this by providing a binary Windows installer
of GnuTLS, cross-compiled from GNU/Linux using MinGW and NSIS, see
below. The installer is (lightly) tested on Windows 2000 and Windows
XP. It is possible to develop applications in Visual Studio or MinGW
that link to the library.

GnuTLS is a modern C library that implements the standard network
security protocol Transport Layer Security (TLS), for use by network
applications.

* Version 1.5.0 (released 2006-08-13)

** Change SRP and Cert-Type extensions to match IANA registry.

** Fixed bug in OpenPGP authentication handshake.

** Improvements for building under MinGW.
   Provides internal inet_ntop and inet_pton functions and arpa/inet.h
   header. Calls WSAStartup and WSACleanup in gnutls_global_init and
   gnutls_global_deinit, respectively. Loads getaddrinfo and getnameinfo
   at run-time from ws2_32.dll, and falls back on a simple replacement
   if it is not available. Builds the library with -mms-bitfields
   -Wl,--enable-runtime-pseudo-reloc. Links with --output-def, to create
   *.def files, which are installed.

** The examples now (conditionally) include config.h and link to gnulib.
   No other source changes were necessary, so the examples should
   continue to be possible to use stand-alone without any autoconf or
   gnulib stuff.

** Added C++ header "gnutlsxx.h" and library "libgnutlsxx".
   You may unconditionally disable it with --disable-cxx. See
   includes/gnutls/gnutlsxx.h and lib/gnutlsxx.cpp for the
   implementation.

** Made command line tool '--version' behave according to GNU Standards.
   This enables 'make distcheck' to succeed.

** OpenCDK updated to 0.5.9 to fix some problems with OpenPGP support.

** Make --without-included-libtasn1 work. Reported by Daniel Black.

** Fix a crash (strcmp() on a NULL value) in the certificate verification
   logic. See http://www.gnu.org/software/gnutls/security.html regarding
   GNUTLS-SA-2006-2 for more up to date information. Reported by
   satyakumar.

** API and ABI modifications:
   No changes since last version.

Improving GnuTLS is costly, but you can help! We are looking for
organizations that find GnuTLS useful and wish to contribute back. You
can contribute by reporting bugs, improving the software, or donating
money or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance. Simon Josefsson Datakonsult, a Stockholm
based privately held company, is currently funding GnuTLS maintenance.
We are always looking for interesting development projects. See
http://josefsson.org/ for more details.

All manual formats are available from:

  http://www.gnutls.org/manual/

Direct link to the most popular formats:

  http://www.gnutls.org/manual/gnutls.html - HTML format
  http://www.gnutls.org/manual/gnutls.pdf - PDF format
  http://www.gnutls.org/reference/ch01.html - API Reference, GTK-DOC HTML

If you need help to use GnuTLS, or want to help others, you are invited
to join our help-gnutls mailing list, see: .
The project page of the library is available at:

  http://www.gnutls.org/
  http://www.gnu.org/software/gnutls/
  http://josefsson.org/gnutls/ (updated fastest)

Here are the compressed sources (3.9MB):

  http://josefsson.org/gnutls/releases/gnutls-1.4.2.tar.bz2

Here are GPG detached signatures signed using key 0xB565716F:

  http://josefsson.org/gnutls/releases/gnutls-1.4.2.tar.bz2.sig

Here is the Windows installer (14MB):

  http://josefsson.org/gnutls4win/gnutls-1.5.0.exe
  http://josefsson.org/gnutls4win/gnutls-1.5.0.exe.sig

More information about the Windows installer:

  http://josefsson.org/gnutls4win/

The software is cryptographically signed by the author using an OpenPGP
key identified by the following information:

pub  1280R/B565716F 2002-05-05 [expires: 2006-08-14]
     Key fingerprint = 0424 D4EE 81A0 E3D1 19C6  F835 EDA2 1E94 B565 716F
uid  Simon Josefsson
uid  Simon Josefsson
sub  1280R/4D5D40AE 2002-05-05 [expires: 2006-08-14]
sub  1024R/09CC4670 2006-03-18 [expires: 2007-04-22]
sub  1024R/AABB1F7B 2006-03-18 [expires: 2007-04-22]
sub  1024R/A14C401A 2006-03-18 [expires: 2007-04-22]

The key is available from:

  http://josefsson.org/key.txt
  dns:b565716f.josefsson.org?TYPE=CERT

Here are the SHA-1 and SHA-224 checksums:

cf20e68fde70ffc12c7859ebc0787417eac57b45  gnutls-1.5.0.tar.bz2
84d498f3962c116f71db34285a7e0a66a427dac2  gnutls-1.5.0.tar.bz2.sig
3881082cb42c1a921c9f654a5b2ae89c197688041f59251deac47047  gnutls-1.5.0.tar.bz2
4cd713a295016049e6f5fd49bb21b35c47108f85033fad5ab36af3f2  gnutls-1.5.0.tar.bz2.sig
e4c463c72959f2a0a4aa1e4f14ca856d847ce9c5  gnutls-1.5.0.exe
e0b93c63600d19c76a92ab860ba0435779bc6715  gnutls-1.5.0.exe.sig
7364ca23de0bdea9f5597018c4d9f95afe81557a3246eb981befc479  gnutls-1.5.0.exe
483ca0d7b290a1cc4fa8a4d3028d695e9dd843bb2227a74d58b9b27e  gnutls-1.5.0.exe.sig

Enjoy,
Nikos and Simon
From: jas at extundo.com (Simon Josefsson)
Date: Tue Aug 15 16:11:22 2006
Subject: [gnutls-dev] Re: Compiler warnings on 64bit archs
In-Reply-To: <20060813165438.GA328@downhill.g.la> (Andreas Metzler's message of "Sun, 13 Aug 2006 18:54:38 +0200")
References: <20060616111950.GA9894@downhill.aus.cc> <87ver1axvx.fsf@latte.josefsson.org> <20060616175918.GA3141@downhill.aus.cc> <20060624120910.GA14075@downhill.aus.cc> <87bqsex66b.fsf@latte.josefsson.org> <20060628182808.GA20098@downhill.aus.cc> <8764gwwtoo.fsf@latte.josefsson.org> <20060813165438.GA328@downhill.g.la>
Message-ID: <87sljy3x5n.fsf@latte.josefsson.org>

Andreas Metzler writes:

> On 2006-08-13 Simon Josefsson wrote:
>> Andreas Metzler writes:
>>> After adding the missing AC_CHECK_SIZEOF(void *), this indeed works.
>>>
>>> So how would you like to have the 19 [1] occurrences of this issue
>>> fixed, is there a central header file GNUTLS_POINTER_TO_INT can be
>>> thrown into (besides gnutls.h)?
>>>
>>> thanks, cu andreas
>>> [1]
>>> in gnutls-20060628.tar.gz:
>>> gnutls_openssl.c:283: warning: cast to pointer from integer of different size
> [...]
>> I've moved the macros to gnutls_int, and fixed the above warnings.
>
> Thanks. gnutls_openssl.c needs a
> #include

I've fixed this by copying the macros instead.

>>> serv.c:954: warning: cast to pointer from integer of different size
>>> cli.c:831: warning: cast to pointer from integer of different size
> [...]
>> Those are not in the library, and from what I understand, the cast
>> isn't actually invalid -- the behaviour is what we intend and well
>> defined on all platforms we care about, isn't it?
> [...]
>
> I honestly do not know. GLIB's docs just say "The problem is that on
> some systems you need to do this: [...]", with this being the cast to
> (long).

I was referring to the warning itself -- is there actually anything
wrong with the code here? What can go wrong and how?

We know that we can shut up the compiler by using this macro, but I'm
starting to have second thoughts whether we actually should do this.
Doesn't some standard specify what should happen when you cast an
integer to a pointer, when they have different sizes? Even if the
behaviour is undefined, are there any real-world systems that break if
we don't cast 'int' to 'long' before casting it to 'void*'?

We probably should have had this discussion before adding the macro,
though.

Thanks,
Simon
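Added example, not GnuTLS code, illustrating the cast this thread is about: an int socket descriptor stored in a void* transport-pointer slot and read back, widened through C99 intptr_t (the thread's GNUTLS_POINTER_TO_INT macro casts through long instead). The EX_* macros and the transport struct are hypothetical stand-ins for the GnuTLS API.

```c
/* Added example, not GnuTLS code: carrying an int (a socket descriptor)
 * through a void* slot, the situation behind the "cast to pointer from
 * integer of different size" warnings.  On an LP64 system a direct
 * (void *) fd converts a 4-byte int into an 8-byte pointer, which is
 * what GCC warns about.  Widening first to an integer type as wide as a
 * pointer (C99's intptr_t from <stdint.h>; the GnuTLS macro in the thread
 * uses long) is warning-free and round-trips exactly on the platforms
 * GnuTLS targets.  EX_* names and struct transport are hypothetical. */
#include <stdint.h>
#include <stdio.h>

#define EX_INT_TO_POINTER(i) ((void *) (intptr_t) (i))
#define EX_POINTER_TO_INT(p) ((int) (intptr_t) (p))

/* Stand-in for an API that stores only an opaque pointer, in the manner
 * of gnutls_transport_set_ptr() / gnutls_transport_get_ptr(). */
struct transport {
    void *ptr;
};

void transport_set_fd(struct transport *t, int fd)
{
    t->ptr = EX_INT_TO_POINTER(fd);
}

int transport_get_fd(const struct transport *t)
{
    return EX_POINTER_TO_INT(t->ptr);
}

/* Returns 1 when fd survives int -> void* -> int unchanged.  Negative
 * values matter: -1 is the usual "no socket" marker, and a conversion
 * that zero-extended or truncated it would yield a bogus positive
 * descriptor instead. */
int fd_roundtrips(int fd)
{
    struct transport t;
    transport_set_fd(&t, fd);
    return transport_get_fd(&t) == fd;
}

int main(void)
{
    /* Constructed sample values: zero, a small fd, -1, and both int extremes. */
    const int samples[] = { 0, 3, -1, 2147483647, -2147483647 - 1 };
    size_t i;

    printf("sizeof(int)=%zu sizeof(void *)=%zu sizeof(intptr_t)=%zu\n",
           sizeof(int), sizeof(void *), sizeof(intptr_t));
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%11d round-trips: %s\n", samples[i],
               fd_roundtrips(samples[i]) ? "yes" : "no");
    return 0;
}
```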
From: jas at extundo.com (Simon Josefsson)
Date: Fri Aug 18 10:33:09 2006
Subject: [gnutls-dev] Re: pkg-config support for opencdk
In-Reply-To: <20060808170044.GA3731@downhill.g.la> (Andreas Metzler's message of "Tue, 8 Aug 2006 19:00:44 +0200")
References: <20060806180314.GA3872@downhill.g.la> <87bqqxjc4g.fsf@latte.josefsson.org> <20060807182414.GB11433@downhill.g.la> <87r6zrqtqs.fsf@latte.josefsson.org> <20060808170044.GA3731@downhill.g.la>
Message-ID: <87zme2cui7.fsf@latte.josefsson.org>

Andreas Metzler writes:

> On 2006-08-08 Simon Josefsson wrote:
> [...]
>> Agreed, and the gnutls*-config scripts are even more deprecated than
>> the pkg-config approach. Maybe we should remove them in 1.5.0 to make
>> sure people stop using them.
> [...]
>
> Hello,
> They currently look like the official way to get the info, as the
> included autoconf macros use them.

Yes, I know.

> - Could these macros seamlessly be replaced with better versions, or
>   is there no way against requiring people to update their
>   configure.ac scripts?

It should be possible. However, I'm not sure what the best solution is:

1) libgnutls-config
2) pkg-config
3) Bruno's lib-link.m4 macros.

There are advantages and disadvantages with all.

Bruno's macro is what I prefer, but the disadvantage there is that the
macro requires the 'config.rpath' script. Not all applications have
that script, and copying both a libgnutls.m4 and a config.rpath may be
a bit complicated. Maybe this is a small price to pay?

Pkg-config has the problem that it adds another dependency, and it
seems unclear (to me, not being a pkg-config expert) whether pkg-config
does the right thing for libtool, cross-compilation, and various
platform behaviours (-rpath, -Wl,-rpath, -R, etc). At the least, it
seems that a new libgnutls.m4 could use pkg-config, but additionally
try to link with the library, to check that it works, before using it.
This will help when cross-compiling; e.g., it won't automatically try
to use a i386-linux library when you build for i386-mingw.

libgnutls-config is a maintenance problem, but not really a huge
problem, the scripts have only been touched a few times in several
years. The current design seems to have the same problems as
pkg-config, though.

I think we should try to solve this in 1.5.x, before 1.6.

/Simon
From: jas at extundo.com (Simon Josefsson)
Date: Fri Aug 18 10:39:38 2006
Subject: [gnutls-dev] Re: pkg-config support for opencdk
In-Reply-To: <20060810170958.GA6152@cthulhu.lambers.home> (Martin Lambers's message of "Thu, 10 Aug 2006 19:09:58 +0200")
References: <20060806180314.GA3872@downhill.g.la> <87bqqxjc4g.fsf@latte.josefsson.org> <20060807182414.GB11433@downhill.g.la> <87r6zrqtqs.fsf@latte.josefsson.org> <20060810170958.GA6152@cthulhu.lambers.home>
Message-ID: <87veoqcu6s.fsf@latte.josefsson.org>

Martin Lambers writes:

> On Tue, 08. Aug 2006, 14:47:39 +0200, Simon Josefsson wrote:
>> I think Bruno's AC_LIB_HAVE_LINKFLAGS is the best choice. It works
>> for cross-compilations, can check for particular versions through the
>> gnutls.h LIBGNUTLS_VERSION* symbols, and doesn't add unnecessary
>> libraries to the link line, and works with and without libtool.
>
> How does the check for particular versions work with
> AC_LIB_HAVE_LINKFLAGS? Can you give an example?

In gsasl I use:

AC_LIB_HAVE_LINKFLAGS(gnutls,, [#include <gnutls/gnutls.h>],
  [gnutls_certificate_verify_peers2 (0, 0);])

You could modify it into:

AC_LIB_HAVE_LINKFLAGS(gnutls,, [#include <gnutls/gnutls.h>
#if LIBGNUTLS_VERSION_NUMBER < 0x010500
#error too old gnutls
#endif], [gnutls_certificate_verify_peers2 (0, 0);])

I didn't test this, but something like it should work.

Note that the test for gnutls_certificate_verify_peers2() is an
implicit version test -- gsasl needs a gnutls version that has that
particular feature. That is the best approach: test the GnuTLS library
for the properties (e.g., APIs) that your application actually needs.
Doing so will work even if someone has back-ported a feature to an
older version, for example.

/Simon
From: sig at netdot.net (Aaron VanDevender)
Date: Mon Aug 21 01:25:39 2006
Subject: [gnutls-dev] BUG: gnutls_x509_crq_export return value
Message-ID: <1156109711.2895.35.camel@lazlo.netdot.net>

The documentation for gnutls_x509_crq_export says that it should return
0 upon success, but it seems that it actually returns the size of the
exported record (as of 1.4.5).

cheers
-Aaron
--
sig@netdot.net
Plead the First.

From: jas at extundo.com (Simon Josefsson)
Date: Mon Aug 21 10:55:29 2006
Subject: [gnutls-dev] Re: BUG: gnutls_x509_crq_export return value
In-Reply-To: <1156109711.2895.35.camel@lazlo.netdot.net> (Aaron VanDevender's message of "Sun, 20 Aug 2006 16:35:11 -0500")
References: <1156109711.2895.35.camel@lazlo.netdot.net>
Message-ID: <87r6zaa2la.fsf@latte.josefsson.org>

Aaron VanDevender writes:

> The documentation for gnutls_x509_crq_export says that it should return
> 0 upon success, but it seems that it actually returns the size of the
> exported record (as of 1.4.5).

Hi. Thanks for the report. I can't understand why that would happen,
by reading the source. Do you have a test-case to reproduce this?

The gnutls_x509_crq_export function is simple:

  return _gnutls_x509_export_int (crq->crq, format, PEM_CRQ,
                                  *output_data_size,
                                  output_data, output_data_size);

And by reading the code, _gnutls_x509_export_int seems to only return 0
or negative values. Maybe you can help me by pointing out how
gnutls_x509_crq_export ends up returning positive values...?

Thanks,
Simon
From: jas at extundo.com (Simon Josefsson)
Date: Sun Aug 27 22:52:24 2006
Subject: [gnutls-dev] Re: GnuTLS 1.5.0 - experimental, with Windows installer
In-Reply-To: <20060827195423.GA15469@novel.fannet.ru> (Roman Bogorodskiy's message of "Sun, 27 Aug 2006 23:54:23 +0400")
References: <87y7tsv0to.fsf@latte.josefsson.org> <20060827195423.GA15469@novel.fannet.ru>
Message-ID: <87d5alj3wy.fsf@latte.josefsson.org>

Roman Bogorodskiy writes:

> Simon Josefsson wrote:
>
>> I am happy to announce GnuTLS 1.5.0, the first release on the current
>> experimental branch. We recommend the 1.4.x branch for those looking
>> for a stable version.
>
> It doesn't build on FreeBSD (I have checked 6.x and -CURRENT) because
> you didn't include in various examples. I had to patch
> it to make compile. Patches are trivial, you could check out here:
>
> http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/gnutls-devel/files/

Thanks. I've fixed this in CVS for 1.5.1. For reference, what function
or type required netinet/in.h? Quoting the compiler errors would be
great.

/Simon