From ivo at o2w.nl Sat Oct 5 00:22:02 2002 
From: ivo at o2w.nl (Ivo Timmermans)
Date: Sat Oct 5 00:22:02 2002
Subject: [gnutls-dev]AM_PATH_LIBGNUTLS_EXTRA
Message-ID: <20021004222317.GA7499@juarez>

Oi,

When using the AM_PATH_LIBGNUTLS_EXTRA macro in configure.in, autoconf tries to compile a piece of code that references LIBGNUTLS_EXTRA_VERSION. However, that symbol isn't defined anywhere, so the check always fails, leading configure to believe gnutls-extra isn't available.

This call:

AM_PATH_LIBGNUTLS_EXTRA(0.1.0)

results in:

checking for libgnutls-extra-config... /usr/bin/libgnutls-extra-config
checking for libgnutls - version >= 0.1.0... no
*** Could not run libgnutls test program, checking why...
*** The test program compiled, but did not run. This usually means
*** that the run-time linker is not finding LIBGNUTLS_EXTRA or finding the wrong
*** version of LIBGNUTLS_EXTRA. If it is not finding LIBGNUTLS_EXTRA, you'll need to set your
*** LD_LIBRARY_PATH environment variable, or edit /etc/ld.so.conf to point
*** to the installed location Also, make sure you have run ldconfig if that
*** is required on your system
***
*** If you have an old version installed, it is best to remove it, although
*** you may also be able to get things to work by modifying LD_LIBRARY_PATH
***

config.log contains:

configure:2384: checking for libgnutls - version >= 0.1.0
configure:2463: gcc -o conftest -O2 -fomit-frame-pointer -I/usr/include -I/usr/include -s conftest.c -L/usr/lib -lgnutls-extra -lgnutls -lz -L/usr/lib -lopencdk -L/usr/lib -lgcrypt >&5
configure: In function `main':
configure:2428: `LIBGNUTLS_EXTRA_VERSION' undeclared (first use in this function)
configure:2428: (Each undeclared identifier is reported only once
configure:2428: for each function it appears in.)
configure:2466: $? = 1
configure: program exited with status 1
configure: failed program was:

(This is Debian bug 163355)

Ivo

-- 
No, I just like to run around and scream real loud!
- Dee Dee

From nmav at gnutls.org Sat Oct 5 09:46:02 2002
From: nmav at gnutls.org (Nikos Mavroyanopoulos)
Date: Sat Oct 5 09:46:02 2002
Subject: [gnutls-dev]AM_PATH_LIBGNUTLS_EXTRA
In-Reply-To: <20021004222317.GA7499@juarez>
References: <20021004222317.GA7499@juarez>
Message-ID: <20021005074015.GA23346@gnutls.org>

On Sat, Oct 05, 2002 at 12:23:17AM +0200, Ivo Timmermans wrote:
> Oi,
> When using the AM_PATH_LIBGNUTLS_EXTRA macro in configure.in, autoconf
> tries to compile a piece of code that references
> LIBGNUTLS_EXTRA_VERSION. However, that symbol isn't defined anywhere,
> so the check always fails, leading configure to believe gnutls-extra
> isn't available.

The patch attached should solve this problem. This will be included in gnutls 0.5.9 (will be released next week).

> Ivo
>
> --
> No, I just like to run around and scream real loud!
> - Dee Dee
>
> _______________________________________________
> Gnutls-dev mailing list
> Gnutls-dev at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnutls-dev
>

-- 
Nikos Mavroyanopoulos
mailto:nmav at gnutls.org

-------------- next part --------------
Index: includes/gnutls/extra.h =================================================================== RCS file: /cvs/gnutls/gnutls/includes/gnutls/extra.h,v retrieving revision 1.7 diff -u -u -r1.7 extra.h --- includes/gnutls/extra.h 1 Sep 2002 18:57:39 -0000 1.7 +++ includes/gnutls/extra.h 5 Oct 2002 07:41:05 -0000 @@ -25,6 +25,8 @@ #include +#define LIBGNUTLS_EXTRA_VERSION LIBGNUTLS_VERSION + /* SRP */ typedef struct DSTRUCT* gnutls_srp_server_credentials;
@@ -87,6 +89,10 @@ int gnutls_certificate_set_openpgp_keyring_file( gnutls_certificate_credentials res, const char *name); int gnutls_global_init_extra(void); + +/* returns libgnutls-extra version (call it with a NULL argument) + */ +const char* gnutls_extra_check_version( const char*); /* Defines for compatibility with previous versions. */ Index: libextra/gnutls_extra.c =================================================================== RCS file: /cvs/gnutls/gnutls/libextra/gnutls_extra.c,v retrieving revision 1.5 diff -u -u -r1.5 gnutls_extra.c --- libextra/gnutls_extra.c 17 Sep 2002 17:57:59 -0000 1.5 +++ libextra/gnutls_extra.c 5 Oct 2002 07:41:11 -0000 @@ -138,7 +138,7 @@ return; } -const char* gnutls_check_version( const char*); +extern const char* gnutls_check_version( const char*); static int _gnutls_init_extra = 0; /** 
@@ -208,3 +208,78 @@ return 0; } + +/* Taken from libgcrypt. Needed to configure scripts. + */ + +static const char* +parse_version_number( const char *s, int *number ) +{ + int val = 0; + + if( *s == '0' && isdigit(s[1]) ) + return NULL; /* leading zeros are not allowed */ + for ( ; isdigit(*s); s++ ) { + val *= 10; + val += *s - '0'; + } + *number = val; + return val < 0? NULL : s; +} + +/* The parse version functions were copied from libgcrypt. + */ +static const char * +parse_version_string( const char *s, int *major, int *minor, int *micro ) +{ + s = parse_version_number( s, major ); + if( !s || *s != '.' ) + return NULL; + s++; + s = parse_version_number( s, minor ); + if( !s || *s != '.' ) + return NULL; + s++; + s = parse_version_number( s, micro ); + if( !s ) + return NULL; + return s; /* patchlevel */ +} + +/**************** + * Check that the the version of the library is at minimum the requested one + * and return the version string; return NULL if the condition is not + * satisfied. If a NULL is passed to this function, no check is done, + * but the version string is simply returned. 
+ */ +const char * +gnutls_extra_check_version( const char *req_version ) +{ + const char *ver = GNUTLS_VERSION; + int my_major, my_minor, my_micro; + int rq_major, rq_minor, rq_micro; + const char *my_plvl, *rq_plvl; + + if ( !req_version ) + return ver; + + my_plvl = parse_version_string( ver, &my_major, &my_minor, &my_micro ); + if ( !my_plvl ) + return NULL; /* very strange our own version is bogus */ + rq_plvl = parse_version_string( req_version, &rq_major, &rq_minor, + &rq_micro ); + if ( !rq_plvl ) + return NULL; /* req version string is invalid */ + + if ( my_major > rq_major + || (my_major == rq_major && my_minor > rq_minor) + || (my_major == rq_major && my_minor == rq_minor + && my_micro > rq_micro) + || (my_major == rq_major && my_minor == rq_minor + && my_micro == rq_micro + && strcmp( my_plvl, rq_plvl ) >= 0) ) { + return ver; + } + return NULL; +} + Index: libextra/libgnutls-extra.m4 =================================================================== RCS file: /cvs/gnutls/gnutls/libextra/libgnutls-extra.m4,v retrieving revision 1.2 diff -u -u -r1.2 libgnutls-extra.m4 --- libextra/libgnutls-extra.m4 12 Jul 2002 17:46:57 -0000 1.2 +++ libextra/libgnutls-extra.m4 5 Oct 2002 07:41:11 -0000 
@@ -49,17 +49,17 @@ #include #include #include -#include +#include int main () { system ("touch conf.libgnutlstest"); - if( strcmp( gnutls_check_version(NULL), "$libgnutls_extra_config_version" ) ) + if( strcmp( gnutls_extra_check_version(NULL), "$libgnutls_extra_config_version" ) ) { printf("\n*** 'libgnutls-extra-config --version' returned %s, but LIBGNUTLS_EXTRA (%s)\n", - "$libgnutls_extra_config_version", gnutls_check_version(NULL) ); + "$libgnutls_extra_config_version", gnutls_extra_check_version(NULL) ); printf("*** was found! If libgnutls-extra-config was correct, then it is best\n"); printf("*** to remove the old version of LIBGNUTLS_EXTRA. You may also be able to fix the error\n"); printf("*** by modifying your LD_LIBRARY_PATH enviroment variable, or by editing\n"); @@ -69,21 +69,22 @@ printf("*** to point to the correct copy of libgnutls-extra-config, and remove the file config.cache\n"); printf("*** before re-running configure\n"); } - else if ( strcmp(gnutls_check_version(NULL), LIBGNUTLS_EXTRA_VERSION ) ) + else if ( strcmp(gnutls_extra_check_version(NULL), LIBGNUTLS_EXTRA_VERSION ) ) { printf("\n*** LIBGNUTLS_EXTRA header file (version %s) does not match\n", LIBGNUTLS_EXTRA_VERSION); - printf("*** library (version %s)\n", gnutls_check_version(NULL) ); + printf("*** library (version %s). This is may be due to a different version of gnutls\n", gnutls_extra_check_version(NULL) ); + printf("*** and gnutls-extra.\n"); } else { - if ( gnutls_check_version( "$min_libgnutls_version" ) ) + if ( gnutls_extra_check_version( "$min_libgnutls_version" ) ) { return 0; } else { printf("no\n*** An old version of LIBGNUTLS_EXTRA (%s) was found.\n", - gnutls_check_version(NULL) ); + gnutls_extra_check_version(NULL) ); printf("*** You need a version of LIBGNUTLS_EXTRA newer than %s. The latest version of\n", "$min_libgnutls_version" ); printf("*** LIBGNUTLS_EXTRA is always available from ftp://gnutls.hellug.gr/pub/gnutls.\n"); 
@@ -129,8 +130,8 @@ #include #include #include -#include -], [ return !!gnutls_check_version(NULL); ], +#include +], [ return !!gnutls_extra_check_version(NULL); ], [ echo "*** The test program compiled, but did not run. This usually means" echo "*** that the run-time linker is not finding LIBGNUTLS_EXTRA or finding the wrong" echo "*** version of LIBGNUTLS_EXTRA. If it is not finding LIBGNUTLS_EXTRA, you'll need to set your"

From dalgoda at ix.netcom.com Tue Oct 8 15:20:02 2002
From: dalgoda at ix.netcom.com (Mike Castle)
Date: Tue Oct 8 15:20:02 2002
Subject: [gnutls-dev]minor patch
Message-ID: <20021006053625.GA32547@thune.mrc-home.com>

Declare all variables before code for older compilers.

patch -p1 << \EOF diff -ru gnutls-0.5.8.orig/lib/gnutls_buffers.c gnutls-0.5.8/lib/gnutls_buffers.c --- gnutls-0.5.8.orig/lib/gnutls_buffers.c 2002-09-16 09:53:31.000000000 -0700 +++ gnutls-0.5.8/lib/gnutls_buffers.c 2002-10-05 17:39:02.000000000 -0700 @@ -202,13 +202,15 @@ size_t left; ssize_t i=0; char *ptr = iptr; + #ifdef READ_DEBUG int j,x, sum=0; #endif - session->internals.direction = 0; gnutls_transport_ptr fd = session->internals.transport_recv_ptr; + session->internals.direction = 0; + left = sizeOfPtr; while (left > 0) { EOF

-- 
Mike Castle dalgoda at ix.netcom.com www.netcom.com/~dalgoda/
We are all of us living in the shadow of Manhattan. -- Watchmen
fatal ("You are in a maze of twisty compiler features, all different"); -- gcc

From nmav at gnutls.org Tue Oct 8 23:18:02 2002
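Review bot: in the gnutls_extra.c `@@ -208,3 +208,78 @@` hunk, `gnutls_extra_check_version()` reports `GNUTLS_VERSION`, while the extra.h hunk defines `LIBGNUTLS_EXTRA_VERSION` as `LIBGNUTLS_VERSION` and the m4 test does `strcmp(gnutls_extra_check_version(NULL), LIBGNUTLS_EXTRA_VERSION)`; unless those two macros are guaranteed to expand to the same string, configure will report a header/library mismatch, so the function should return the same macro the header exports. The same hunk calls `isdigit()` and `strcmp()` without showing `<ctype.h>` and `<string.h>` among the file's includes, and its doc comment reads "the the version".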
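Review bot: in the libgnutls-extra.m4 `@@ -69,21 +69,22 @@` hunk, the new diagnostic line reads "This is may be due to a different version of gnutls"; drop "is" so it prints "This may be due to ...". The unchanged context line just above still says "enviroment" (missing n) and could be corrected in the same pass.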
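Review bot: in the gnutls_buffers.c `@@ -202,13 +202,15 @@` hunk, moving `session->internals.direction = 0;` below the `gnutls_transport_ptr fd = ...` declaration is the right fix for compilers that reject declarations after statements, but the hunk also adds two blank lines (before `#ifdef READ_DEBUG` and before `left = sizeOfPtr;`) that are unrelated whitespace; keep the diff to the one reordered statement so the change is easy to verify.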
From: nmav at gnutls.org (Nikos Mavroyanopoulos)
Date: Tue Oct 8 23:18:02 2002
Subject: [gnutls-dev]minor patch
In-Reply-To: <20021006053625.GA32547@thune.mrc-home.com>
References: <20021006053625.GA32547@thune.mrc-home.com>
Message-ID: <20021008204627.GA7361@gnutls.org>

On Sat, Oct 05, 2002 at 10:36:25PM -0700, Mike Castle wrote:
> Declare all variables before code for older compilers.
> patch -p1 << \EOF
> diff -ru gnutls-0.5.8.orig/lib/gnutls_buffers.c gnutls-0.5.8/lib/gnutls_buffers.c
[...]

Thank you. This has already been fixed in the cvs.

> --
> Mike Castle dalgoda at ix.netcom.com www.netcom.com/~dalgoda/
> We are all of us living in the shadow of Manhattan. -- Watchmen
> fatal ("You are in a maze of twisty compiler features, all different"); -- gcc

-- 
Nikos Mavroyanopoulos
mailto:nmav at gnutls.org

From nmav at gnutls.org Tue Oct 8 23:21:03 2002
From: nmav at gnutls.org (Nikos Mavroyanopoulos)
Date: Tue Oct 8 23:21:03 2002
Subject: [gnutls-dev]exim + gnutls
Message-ID: <20021008211540.GA17071@gnutls.org>

Hello,

I attach you, in case you are interested, a very preliminary patch to exim, to use gnutls instead of openssl. I treat it as unstable because I'm not familiar with exim's source code, and I didn't understand many things.

This patch compiles fine with libgnutls 0.5.9 (current cvs), which will be released within this week. Feel free to forward this, where appropriate, if one wants to maintain and fix this patch.

-- 
Nikos Mavroyanopoulos
mailto:nmav at gnutls.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff.gz
Type: application/octet-stream
Size: 10044 bytes
Desc: not available
URL:

From nmav at gnutls.org Thu Oct 10 13:40:02 2002
From: nmav at gnutls.org (Nikos Mavroyanopoulos)
Date: Thu Oct 10 13:40:02 2002
Subject: [gnutls-dev]gnutls 0.5.9
Message-ID: <20021010113425.GA26859@gnutls.org>

I've just released gnutls 0.5.9. The changes since 0.5.8 are:

- Corrected some code which worked fine in gcc 3.2, but not with any other compiler.
- Updated 'gnutls-cli' with the '--starttls' option, to allow testing starttls implementations.
- Added gnutls_x509_extract_key_pk_algorithm() function which extracts the private key type, of a DER encoded key.
- Added gnutls_x509_extract_certificate_dn_string() which returns the certificate's distinguished name in a single string.
- Added gnutls_set_default_priority() and gnutls_set_default_export_priority() functions, to avoid calling all the *_priority() functions if the defaults are acceptable.
- Added int gnutls_x509_check_certificates_hostname() which checks whether the given hostname matches the owner of the given X.509 certificate.

This release also contains the new libtasn1 0.1.2.

-- 
Nikos Mavroyanopoulos
mailto:nmav at gnutls.org

From ph10 at cus.cam.ac.uk Fri Oct 11 08:50:02 2002
From: ph10 at cus.cam.ac.uk (Philip Hazel)
Date: Fri Oct 11 08:50:02 2002
Subject: [gnutls-dev]Re: exim + gnutls
In-Reply-To: <20021008211540.GA17071@gnutls.org>
Message-ID:

On Wed, 9 Oct 2002, Nikos Mavroyanopoulos wrote:
> Hello,
> I attach you, in case you are interested, a very preliminary patch
> to exim, to use gnutls instead of openssl. I treat it as unstable
> because I'm not familiar with exim's source code, and I didn't understand
> many things.
>
> This patch compiles fine with libgnutls 0.5.9 (current cvs), which will
> be released within this week. Feel free to forward this, where appropriate,
> if one wants to maintain and fix this patch.

Thanks, Nikos! Providing support for GNUTLS is something that is on my work list. You just made my job easier. However, I won't get to it for a little while, because I'm rather busy with other stuff for the next few weeks.

Regards,
Philip

-- 
Philip Hazel University of Cambridge Computing Service,
ph10 at cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.

From ivo at o2w.nl Sat Oct 12 13:31:02 2002
From: ivo at o2w.nl (Ivo Timmermans)
Date: Sat Oct 12 13:31:02 2002
Subject: [gnutls-dev]small patch
Message-ID: <20021012113207.GA17985@juarez>

Hi,

The following is needed on alpha and ia64:

--- lib/ext_max_record.c~ 2002-10-12 13:31:01.000000000 +0200 +++ lib/ext_max_record.c 2002-10-12 13:31:15.000000000 +0200 @@ -123,7 +123,7 @@ /* Maps numbers to record sizes according to the * extensions draft. */ -ssize_t _gnutls_mre_num2record( int num) { +int _gnutls_mre_num2record( int num) { switch( num) { case 1: return 512;

Ivo

-- 
You know you've been Raytracing too long when...
* You see a physically attractive person, and your first thought is, "Nice blobs!"
- Jeff Lee, http://www.shipbrook.com/jeff/ykybrtlw.html

From ivo at o2w.nl Sat Oct 12 13:34:02 2002
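Review bot: the ext_max_record.c hunk changes the definition of `_gnutls_mre_num2record` from `ssize_t` to `int`, but the description only says it is "needed on alpha and ia64"; state the actual defect (the prototype in ext_max_record.h declares `int`, and on those 64-bit platforms `ssize_t` is a different type, so the mismatch is a hard error) and confirm that the header is the intended source of truth rather than widening the prototype to `ssize_t`. The record sizes returned (512 upwards) fit comfortably in `int`, so the narrower type loses nothing.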
From: ivo at o2w.nl (Ivo Timmermans)
Date: Sat Oct 12 13:34:02 2002
Subject: [gnutls-dev]small patch
In-Reply-To: <20021012113207.GA17985@juarez>
References: <20021012113207.GA17985@juarez>
Message-ID: <20021012113531.GB17985@juarez>

Ivo Timmermans wrote:
> Hi,
>
> The following is needed on alpha and ia64:

A little badly worded, perhaps. What I meant is that the patch fixes a build failure on alpha and ia64. The prototype in ext_max_record.h doesn't match this function definition on those architectures, because ssize_t is typedef'd to _int64_t there.

Ivo

-- 
You are just jealous because the little voices are talking to me.

From nmav at gnutls.org Sat Oct 12 17:56:02 2002
From: nmav at gnutls.org (Nikos Mavroyanopoulos)
Date: Sat Oct 12 17:56:02 2002
Subject: [gnutls-dev]small patch
In-Reply-To: <20021012113531.GB17985@juarez>
References: <20021012113207.GA17985@juarez> <20021012113531.GB17985@juarez>
Message-ID: <20021012155033.GA2800@gnutls.org>

On Sat, Oct 12, 2002 at 01:35:31PM +0200, Ivo Timmermans wrote:
> > Hi,
> > The following is needed on alpha and ia64:
> A little badly worded, perhaps. What I meant is that the patch fixes
> a build failure on alpha and ia64. The prototype in ext_max_record.h
> doesn't match this function definition on those architectures, because
> ssize_t is typedef'd to _int64_t there.

Thanks, just committed.

> Ivo

-- 
Nikos Mavroyanopoulos
Email: nmav at gnutls org

From nmav at gnutls.org Sun Oct 13 19:25:02 2002
From: nmav at gnutls.org (Nikos Mavroyanopoulos)
Date: Sun Oct 13 19:25:02 2002
Subject: [gnutls-dev]gnutls 0.5.10 is out
Message-ID: <20021013172022.GA4385@gnutls.org>

I've released gnutls 0.5.10. The news in this version is:

- Updated documentation.
- Added server name extension. This allows clients to specify the name of the server they connect to. Useful for HTTPS.
- Several corrections in the code base, mostly in signed/unsigned checks.

As you see I've added again the server name indication, which was removed in a previous version, because I disagree with this extension[0]. It seems however that this extension will be included in the TLS extensions RFC, and most browsers will support it.

[0]. This extension solves the problem of virtual hosting in TLS HTTP servers. This was first solved in RFC2817, but nobody ever implemented it, so HTTPS (RFC2818) will dominate servers for a long long time.

-- 
Nikos Mavroyanopoulos
Email: nmav at gnutls org

From ivo at o2w.nl Mon Oct 14 21:43:02 2002
From: ivo at o2w.nl (Ivo Timmermans)
Date: Mon Oct 14 21:43:02 2002
Subject: [gnutls-dev]openssl.h
Message-ID: <20021014194433.GA32494@juarez>

Hi,

openssl.h needs to be enclosed in an extern "C" {} block. (Patch attached.)

Ivo

-- 
To smuggle the elephant through customs, Rasmus had disguised it as a German shepherd.
- Nichtlustig

-------------- next part --------------
diff -r -u gnutls5-0.5.6.old/includes/gnutls/openssl.h gnutls5-0.5.6/includes/gnutls/openssl.h --- gnutls5-0.5.6.old/includes/gnutls/openssl.h 2002-10-05 12:00:56.000000000 +0200 +++ gnutls5-0.5.6/includes/gnutls/openssl.h 2002-10-05 12:02:42.000000000 +0200 @@ -51,6 +51,10 @@ #define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER (0x2) #define SSL_MODE_AUTO_RETRY (0x4) +#ifdef __cplusplus +extern "C" { +#endif /* __cplusplus */ + typedef gnutls_x509_dn X509_NAME; typedef gnutls_datum X509;
@@ -283,4 +287,8 @@ void RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *ctx); unsigned char *RIPEMD160(const unsigned char *buf, unsigned long len, unsigned char *md); +#ifdef __cplusplus +} +#endif /* __cplusplus */ + #endif

From nmav at gnutls.org Mon Oct 14 21:50:02 2002
From: nmav at gnutls.org (Nikos Mavroyanopoulos)
Date: Mon Oct 14 21:50:02 2002
Subject: [gnutls-dev]openssl.h
In-Reply-To: <20021014194433.GA32494@juarez>
References: <20021014194433.GA32494@juarez>
Message-ID: <20021014194420.GA16961@gnutls.org>

On Mon, Oct 14, 2002 at 09:44:34PM +0200, Ivo Timmermans wrote:
> Hi,
> openssl.h needs to be enclosed in an extern "C" {} block. (Patch
> attached.)

Thanks. For the history this was fixed by Andrew, before the 0.5.10 release. Unfortunately I missed this patch and didn't include it in the release. It will be included in the next version.

> Ivo
> --
> To smuggle the elephant through customs, Rasmus had disguised it as a
> German shepherd.
> - Nichtlustig

-- 
Nikos Mavroyanopoulos
Email: nmav at gnutls org

From ivo at o2w.nl Mon Oct 14 21:54:01 2002
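Review bot: the two openssl.h hunks place the opening `extern "C" {` after the `SSL_MODE_*` defines at line 51 and the closing `}` just before the header's final `#endif`, which is the right shape; the one thing to verify is that no `#include` appears below line 51 in the file, because a header included inside the block would have C linkage applied to it as well, and that the closing hunk still leaves the include guard's `#endif` as the last line.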
From: ivo at o2w.nl (Ivo Timmermans)
Date: Mon Oct 14 21:54:01 2002
Subject: [gnutls-dev]interlibrary dependencies
Message-ID: <20021014195514.GB32494@juarez>

Hi Nikos,

For libgnutls-extra.so to be really useful, it would be nice to have

objdump -p /usr/lib/libgnutls-extra.so

give the full list of dependencies. This makes at least automatic dependency generation for Debian a lot easier, but it also tells ld.so which libraries it needs. With the attached patch, it gives:

NEEDED libopencdk.so.0
NEEDED libgcrypt.so.1
NEEDED libgnutls.so.5
NEEDED libz.so.1
NEEDED libc.so.6

Without it, it's just:

NEEDED libz.so.1
NEEDED libc.so.6

Spot the difference.

However! The attached patch requires you, Nikos, the one creating the release tarballs, to have a libtool installed that can handle this correctly. I don't know what kind of system you use to create these releases, but apparently the upstream maintainers of libtool didn't release a version with this capability. But for Debian, you can install libtool 1.4.2-7.1 or higher; for RedHat this seems to be fixed in 1.4.2-12. More information is available from

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=58664
http://bugs.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=57087

Ivo

-- 
We don't know how the Internet really works. We know how it should work, but we are constantly surprised.
- Bruce Schneier

-------------- next part --------------
diff -r -u gnutls5-0.5.6.old/libextra/Makefile.am gnutls5-0.5.6/libextra/Makefile.am --- gnutls5-0.5.6.old/libextra/Makefile.am 2002-10-05 12:00:56.000000000 +0200 +++ gnutls5-0.5.6/libextra/Makefile.am 2002-10-05 13:41:54.000000000 +0200
@@ -16,7 +16,8 @@ gnutls_srp.c auth_srp.c auth_srp_passwd.c auth_srp_sb64.c \ gnutls_openpgp.c gnutls_extra.c gnutls_openssl.c -libgnutls_extra_la_LDFLAGS = -version-info $(LT_CURRENT):$(LT_REVISION):$(LT_AGE) +libgnutls_extra_la_LDFLAGS = -version-info $(LT_CURRENT):$(LT_REVISION):$(LT_AGE) $(shell opencdk-config --libs) +libgnutls_extra_la_LIBADD = ../lib/libgnutls.la libgnutls_extra_la_SOURCES = $(COBJECTS_EXTRA)

From nmav at gnutls.org Mon Oct 14 22:32:02 2002
From: nmav at gnutls.org (Nikos Mavroyanopoulos)
Date: Mon Oct 14 22:32:02 2002
Subject: [gnutls-dev]interlibrary dependencies
In-Reply-To: <20021014195514.GB32494@juarez>
References: <20021014195514.GB32494@juarez>
Message-ID: <20021014202716.GA27441@gnutls.org>

On Mon, Oct 14, 2002 at 09:55:14PM +0200, Ivo Timmermans wrote:
> Hi Nikos,
> For libgnutls-extra.so to be really useful, it would be nice to have
> objdump -p /usr/lib/libgnutls-extra.so give the full list of
> dependencies. This makes at least automatic dependency generation for
> Debian a lot easier, but it also tells ld.so which libraries it needs.
> With the attached patch, it gives:
>
> NEEDED libopencdk.so.0
> NEEDED libgcrypt.so.1
> NEEDED libgnutls.so.5
> NEEDED libz.so.1
> NEEDED libc.so.6

Committed!

-- 
Nikos Mavroyanopoulos
Email: nmav at gnutls org

From wk at gnupg.org Tue Oct 15 09:53:02 2002
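Review bot: in the Makefile.am hunk, the opencdk libraries are appended to `libgnutls_extra_la_LDFLAGS` through `$(shell opencdk-config --libs)`, which only GNU make expands; a plain make leaves the variable empty and the NEEDED entries silently disappear again. Libraries belong in `libgnutls_extra_la_LIBADD` next to `../lib/libgnutls.la`, using a variable substituted by configure (for example `@LIBOPENCDK_LIBS@`), so that libtool records them in the archive's dependency_libs and the result does not depend on which make is installed.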
From: wk at gnupg.org (Werner Koch)
Date: Tue Oct 15 09:53:02 2002
Subject: [gnutls-dev]interlibrary dependencies
In-Reply-To: <20021014195514.GB32494@juarez> (Ivo Timmermans's message of "Mon, 14 Oct 2002 21:55:14 +0200")
References: <20021014195514.GB32494@juarez>
Message-ID: <87u1joi1hk.fsf@alberti.g10code.de>

On Mon, 14 Oct 2002 21:55:14 +0200, Ivo Timmermans said:
> +libgnutls_extra_la_LDFLAGS = -version-info $(LT_CURRENT):$(LT_REVISION):$(LT_AGE) $(shell opencdk-config --libs)

This won't work with a standard make. Automake tries hard not to depend on gmake, so we should not circumvent this by using a gmake feature. It should be done by configure.

Salam-Shalom,
Werner

From nmav at gnutls.org Tue Oct 15 12:39:02 2002
From: nmav at gnutls.org (Nikos Mavroyanopoulos)
Date: Tue Oct 15 12:39:02 2002
Subject: [gnutls-dev]interlibrary dependencies
In-Reply-To: <87u1joi1hk.fsf@alberti.g10code.de>
References: <20021014195514.GB32494@juarez> <87u1joi1hk.fsf@alberti.g10code.de>
Message-ID: <20021015103220.GA1264@gnutls.org>

On Tue, Oct 15, 2002 at 09:51:19AM +0200, Werner Koch wrote:
> > +libgnutls_extra_la_LDFLAGS = -version-info $(LT_CURRENT):$(LT_REVISION):$(LT_AGE) $(shell opencdk-config --libs)
> This won't work with a standard make. Automake tries hard not to
> depend on gmake, so we should not circumvent this by using a gmake
> feature. It should be done by configure.

And this is the case with the committed version. I used the variable $(LIBOPENCDK_LIBS), which is set by the configure script.

> Salam-Shalom,
> Werner

-- 
Nikos Mavroyanopoulos
Email: nmav at gnutls org

From nmav at gnutls.org Mon Oct 21 10:27:02 2002
From: nmav at gnutls.org (Nikos Mavroyanopoulos)
Date: Mon Oct 21 10:27:02 2002
Subject: [gnutls-dev]Re: GnuTLS support in Anubis
In-Reply-To: <20021021071815.GA1649@shaolin>
References: <20021019210913.GA3228@shaolin> <20021020123906.GB504@i-net.gr> <20021021071815.GA1649@shaolin>
Message-ID: <20021021082101.GA1546@gnutls.org>

On Mon, Oct 21, 2002 at 09:18:15AM +0200, Wojciech Polak wrote:
> Hi,
> I have a problem with the gnutls_record_send() function.
> My problem is that I have a big buffer (>16384 bytes),
> and I would like to send this buffer with gnutls_record_send(),
> but this function accepts maximum 16384 bytes. How can I send
> my buffer in one go? Do you know any good implementation?
> OpenSSL's SSL_write() accepts ~50kB.

You cannot. You have to call gnutls_record_send() multiple times; this has the same semantics as the write(2) system call, so the recipes in Stevens' book (Unix Network Programming) should apply.

For the history, there was a time in the early versions of gnutls when the send function accepted an unlimited number of bytes. When non-blocking support was introduced, this was dropped, and gnutls_record_send() only allowed the minimum number of bytes for which this call would be atomic (this might be smaller than 16384 if the max_record extension is used).

I might add some higher level functions, that have buffering support, in a later version of gnutls --I'll add it in my todo list, but I cannot promise anything for the near future.

> > In any case, gnutls is not in early beta. I know several projects that
> > currently use gnutls as a primary SSL and TLS library, and there are
> > also some projects in the debian distribution that use gnutls' openssl
> > compatibility layer.
> At the beginning I wanted to make a GnuTLS support via the OpenSSL
> emulation layer, but there are missing several functions from OpenSSL.

This is not necessarily a bad thing :) It is really difficult and sometimes inefficient to map openssl's functions to gnutls' ones, so the recommended way is to use the native api (which should be well documented -- or bug us!). The openssl compatibility layer is for small programs that include very basic SSL and TLS support.

> Now my program Anubis supports the full GnuTLS native code. The only
> problem is with this gnutls_record_send() above. Another issue from
> what I have noticed is that GnuTLS is much slower than OpenSSL,
> especially when a code makes two independent SSL connections
> (both client and server) such as my Anubis.

You must be using Ephemeral Diffie Hellman with a large key. You may use a 768 bit key, or not use the DHE cipher suites at all. In some tests I've done, I've found that the fastest cipher suite is the one that uses: KX_RSA, CIPHER_ARCFOUR and MAC_MD5. However if you are making several connections to one server, you will probably want to use session resuming, which is much faster than renegotiating a new ciphersuite.

> Kind regards,
> Wojciech Polak

-- 
Nikos Mavroyanopoulos
Email: nmav at gnutls org

From nmav at gnutls.org Thu Oct 24 18:33:01 2002
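The write(2)-style loop Nikos describes, as an added example (not code from this thread or from gnutls): it calls a gnutls_record_send()-shaped function until the whole buffer is out, retrying on again/interrupted results and never asking for more than one 16384-byte record per call. The record layer is a constructed mock so the example runs without libgnutls; the E_AGAIN/E_INTERRUPTED values, MAX_RETRIES and the mock's short-write behaviour are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define MAX_RECORD_SIZE 16384  /* one record per call, as stated in the thread */
#define E_AGAIN         (-28)  /* stand-in for an EAGAIN-style retry code (assumption) */
#define E_INTERRUPTED   (-52)  /* stand-in for an EINTR-style retry code (assumption) */
#define MAX_RETRIES     1000   /* bound on consecutive retries (assumption) */

/* Same contract as gnutls_record_send(): bytes sent (>0), 0 on close, or <0 error. */
typedef ssize_t (*record_send_fn)(void *session, const void *data, size_t len);

/* Hand every byte of buf to the record layer one record-sized chunk at a time,
 * retrying an again/interrupted result with exactly the same data.  A real
 * non-blocking program would wait on the socket before retrying; here the
 * retries are merely bounded.  Returns len, or the first fatal code. */
ssize_t send_all(void *session, record_send_fn sendfn, const void *buf, size_t len)
{
    const unsigned char *p = buf;
    size_t left = len;
    int retries = 0;
    while (left > 0) {
        size_t chunk = left > MAX_RECORD_SIZE ? MAX_RECORD_SIZE : left;
        ssize_t n = sendfn(session, p, chunk);
        if (n == E_AGAIN || n == E_INTERRUPTED) {
            if (++retries > MAX_RETRIES)
                return n;                 /* give up: caller sees the retry code */
            continue;                     /* retry with the same arguments */
        }
        if (n <= 0)
            return n == 0 ? -1 : n;       /* peer closed, or a fatal error */
        retries = 0;
        p += n;                           /* short write: advance and loop */
        left -= (size_t)n;
    }
    return (ssize_t)len;
}

/* Constructed mock of the record layer: copies "sent" bytes into a sink,
 * refuses records above MAX_RECORD_SIZE, accepts at most cap bytes per call
 * (short writes) and returns E_AGAIN on every again_every-th call. */
struct mock_session {
    unsigned char sink[65536];
    size_t sunk;
    size_t cap;
    int again_every;                      /* 0 = never return E_AGAIN */
    int calls;
};

static ssize_t mock_send(void *session, const void *data, size_t len)
{
    struct mock_session *m = session;
    m->calls++;
    if (len > MAX_RECORD_SIZE)
        return -1;                        /* the 2002 API refused bigger records */
    if (m->again_every && m->calls % m->again_every == 0)
        return E_AGAIN;
    if (len > m->cap)
        len = m->cap;
    if (m->sunk + len > sizeof m->sink)
        return -1;
    memcpy(m->sink + m->sunk, data, len);
    m->sunk += len;
    return (ssize_t)len;
}

/* Push a total-byte pattern through the mock.  Returns 1 if every byte
 * arrived in order, and reports how many record-layer calls it took. */
int demo_send_all(size_t total, size_t cap, int again_every, int *calls_out)
{
    static unsigned char buf[65536];
    static struct mock_session m;         /* static: too big for some stacks */
    size_t i;
    ssize_t sent;
    if (total > sizeof buf)
        return 0;
    for (i = 0; i < total; i++)
        buf[i] = (unsigned char)(i * 7 + 3);
    memset(&m, 0, sizeof m);
    m.cap = cap;
    m.again_every = again_every;
    sent = send_all(&m, mock_send, buf, total);
    if (calls_out)
        *calls_out = m.calls;
    return sent == (ssize_t)total && m.sunk == total
        && memcmp(m.sink, buf, total) == 0;
}

int main(void)
{
    int calls = 0;
    int ok = demo_send_all(50000, MAX_RECORD_SIZE, 3, &calls);
    printf("%s after %d record-layer calls\n", ok ? "all 50000 bytes delivered" : "FAILED", calls);
    return ok ? 0 : 1;
}
```

With a 50000-byte buffer the loop needs five calls: three full records, one E_AGAIN retry, and a final 848-byte record.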
From: nmav at gnutls.org (Nikos Mavroyanopoulos)
Date: Thu Oct 24 18:33:01 2002
Subject: [gnutls-dev]Re: exim + gnutls
In-Reply-To:
References: <20021008211540.GA17071@gnutls.org>
Message-ID: <20021024162700.GA754@gnutls.org>

On Thu, Oct 24, 2002 at 04:51:50PM +0100, Philip Hazel wrote:
> > I attach you, in case you are interested, a very preliminary patch
> > to exim, to use gnutls instead of openssl. I treat it as unstable
> > because I'm not familiar with exim's source code, and I didn't understand
> > many things.
> Hello Nikos,
> 1. One of the things you haven't realized is the way Exim works. It does
> not run as a continuously running process, except for the listening
> daemon. Outgoing messages arrive and are delivered in separate processes
> that do not have a common ancestor process. Thus, calling a global
> initialization function once near the start of Exim is not a good idea.
[...]

Yes, I thought so, but DH and RSA temporary parameters need only to be generated once[0]. Generating one per connection, as you've noticed, is too slow. What I can suggest here is to store them in a file, which should be shared by all exim processes.

[0]. they may be regenerated at some configurable intervals for security reasons

> 2. The next problem with the global initialization is that it takes a
> long time to generate the D-H parameters. I have in fact cut that out,
> because it delays starting up the daemon by quite a few seconds (on a
> SPARC Ultra 1 running Solaris 8). The RSA start-up is relatively quick,
> probably less than 1 second, which is still a while, but may be
> tolerable. When Exim is delivering a message, it doesn't know whether

This should be solved if (1) is solved.

> 3. Anyway, I tried testing the server with gnutls-cli-debug and the
> problem I have is the error NO_CERTIFICATE_FOUND from the call to
> gnutls_handshake(). I seem to be able to hand over the file names OK,

This is returned if the peer (client) did not send a certificate, and a certificate was required[1]. This is set using gnutls_certificate_server_set_request(). I may not have implemented the previous "verify_optional" behaviour well, so now it requires a certificate to be sent by the peer if verify_optional==FALSE.

[1]. If you specified some certificate in gnutls-cli and the client didn't send any, note that gnutls-cli only sends the certificate if its issuer matches the CA names sent by the server. In gnutls if a server sets some trusted certificates, these CA names will be sent in the certificate request message. To be more clear, in the handshake of TLS:

[...]
Server: Send a certificate signed by CA1 or CA2 or CA3 (the CAs I trust)
Client: I send you this one signed by CA1
[...]

If gnutls-cli doesn't have one signed by CA1, it will not send any.

> but it doesn't like what's in the file. Question: what format does the
> certificate and key have to be in? I was just using the same files that

It's the same format. If a certificate is not recognized, an error will be returned at an earlier stage before handshake.

> 4. It is really good to have documentation with a complete list of
> functions, but it would be easier to find them for reference if they
> were in alphabetical order. A list of errors and explanations could also
> be useful - earlier I had MEMORY_ERROR, and had no idea what it meant.
> It went away when I changed something.

I'll probably add some script that sorts the function reference, and a human readable description of the error strings returned by gnutls_strerror. A MEMORY_ERROR though, is a bad thing. It is usually returned if a malloc failed, or something like this.

> 5. There's a teeny buglet in gnutls-cli-debug. The command
> gnutls-cli-debug localhost 1225
> (note: the -p is missing) doesn't complain: it tries to connect to port 443

Thank you. I've fixed this.

> Regards,
> Philip
> --
> Philip Hazel University of Cambridge Computing Service,
> ph10 at cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.

-- 
Nikos Mavroyanopoulos
Email: nmav at gnutls org

From ph10 at cus.cam.ac.uk Fri Oct 25 11:53:01 2002
From: ph10 at cus.cam.ac.uk (Philip Hazel) Date: Fri Oct 25 11:53:01 2002 Subject: [gnutls-dev]Re: exim + gnutls In-Reply-To: <20021008211540.GA17071@gnutls.org> Message-ID: On Wed, 9 Oct 2002, Nikos Mavroyanopoulos wrote: > I attach you, in case you are interested, a very preliminary patch > to exim, to use gnutls instead of openssl. I treat it as unstable > because I'm not familiar with exim's source code, and I didn't understand > many things. Hello Nikos, I have now managed to find time to look at your patch, but I'm having a problem making it work. I had to re-organize it so that I could conditionally compile Exim either for OpenSSL or for GnuTLS, but I don't think I actually changed any of your code significantly. I have a number of comments: 1. One of the things you haven't realized is the way Exim works. It does not run as a continuously running process, except for the listening daemon. Outgoing messages arrive and are delivered in separate processes that do not have a common ancestor process. Thus, calling a global initialization function once near the start of Exim is not a good idea. Also, there are calls to Exim that don't send or receive messages; it's a waste of time for them. I changed the code so that the daemon does make the call - that makes sense for incoming messages via the daemon, and then I had to put it also in the server/client start-up code for the individual cases. 2. The next problem with the global initialization is that it takes a long time to generate the D-H parameters. I have in fact cut that out, because it delays starting up the daemon by quite a few seconds (on a SPARC Ultra 1 running Solaris 8). The RSA start-up is relatively quick, probably less than 1 second, which is still a while, but may be tolerable. When Exim is delivering a message, it doesn't know whether it's going to be using TLS in many cases until it has actually connected to the remote host. 
Thus, you don't want to spend resources on expensive initialization until you know that TLS is going to be used.

3. Anyway, I tried testing the server with gnutls-cli-debug and the problem I have is the error NO_CERTIFICATE_FOUND from the call to gnutls_handshake(). I seem to be able to hand over the file names OK, but it doesn't like what's in the file. Question: what format does the certificate and key have to be in? I was just using the same files that I had successfully used with OpenSSL. Can the key and the certificate be in the same file, as they can for OpenSSL? (I tried both ways, but still got the error.) I'll copy the certificate file below, for your information. It's just a self-signed certificate for testing. If you can suggest a good way for me to find out what's going wrong here, I'd be grateful.

4. It is really good to have documentation with a complete list of functions, but it would be easier to find them for reference if they were in alphabetical order. A list of errors and explanations could also be useful - earlier I had MEMORY_ERROR, and had no idea what it meant. It went away when I changed something.

5. There's a teeny buglet in gnutls-cli-debug. The command

   gnutls-cli-debug localhost 1225

(note: the -p is missing) doesn't complain: it tries to connect to port 443.

6. Your previous comment about waiting for the client to close after a startup failure is deliberate. I think I must have based it on these words from RFC 2487:

   If the SMTP server decides that the level of authentication or privacy is
   not high enough for it to continue, it SHOULD reply to every SMTP command
   from the client (other than a QUIT command) with the 554 reply code (with
   a possible text string such as "Command refused due to lack of security").

This isn't quite the case of a failed handshake, of course.

7. The problem with HELP was a bug I knew about, and have now fixed.
Regards,
Philip

--
Philip Hazel            University of Cambridge Computing Service,
ph10 at cus.cam.ac.uk      Cambridge, England. Phone: +44 1223 334714.

From ph10 at cus.cam.ac.uk Fri Oct 25 11:53:02 2002
From: ph10 at cus.cam.ac.uk (Philip Hazel)
Date: Fri Oct 25 11:53:02 2002
Subject: [gnutls-dev]Re: exim + gnutls
In-Reply-To: <20021024162700.GA754@gnutls.org>
Message-ID:

Thanks for your response; I'll be back when I get stuck again. :-)

Philip

--
Philip Hazel            University of Cambridge Computing Service,
ph10 at cus.cam.ac.uk      Cambridge, England. Phone: +44 1223 334714.

From nmav at gnutls.org Sun Oct 27 12:48:02 2002
From: nmav at gnutls.org (Nikos Mavroyanopoulos)
Date: Sun Oct 27 12:48:02 2002
Subject: [gnutls-dev]updated documentation
Message-ID: <20021027114139.GA2795@gnutls.org>

I've updated the gnutls documentation in the web site.
http://www.gnu.org/software/gnutls/documentation/gnutls
now contains the function reference sorted, together with a
short description of gnutls error codes.

--
Nikos Mavroyanopoulos
Email: nmav at gnutls org

From ivo at o2w.nl Sun Oct 27 12:53:01 2002
From: ivo at o2w.nl (Ivo Timmermans)
Date: Sun Oct 27 12:53:01 2002
Subject: [gnutls-dev]updated documentation
In-Reply-To: <20021027114139.GA2795@gnutls.org>
References: <20021027114139.GA2795@gnutls.org>
Message-ID: <20021027115401.GA3190@juarez>

Nikos Mavroyanopoulos wrote:
> I've updated the gnutls documentation in the web site.
> http://www.gnu.org/software/gnutls/documentation/gnutls
> now contains the function reference sorted, together with a
> short description of gnutls error codes.

It gives a 403 Forbidden :)

Is this the same documentation as in the package, or do you plan to
include it in the package?

Ivo

--
`Contrariwise,' continued Tweedledee, `if it was so, it might be; and
if it were so, it would be; but as it isn't, it ain't. That's logic.'
- Lewis Carroll, `Through the Looking-Glass'

From nmav at gnutls.org Sun Oct 27 18:49:02 2002
From: nmav at gnutls.org (Nikos Mavroyanopoulos)
Date: Sun Oct 27 18:49:02 2002
Subject: [gnutls-dev]updated documentation
In-Reply-To: <20021027115401.GA3190@juarez>
References: <20021027114139.GA2795@gnutls.org> <20021027115401.GA3190@juarez>
Message-ID: <20021027174151.GA3994@gnutls.org>

On Sun, Oct 27, 2002 at 12:54:01PM +0100, Ivo Timmermans wrote:
> > I've updated the gnutls documentation in the web site.
> > http://www.gnu.org/software/gnutls/documentation/gnutls
> > now contains the function reference sorted, together with a
> > short description of gnutls error codes.
> It gives a 403 Forbidden :)

Ooops. Visit http://www.gnu.org/software/gnutls/ and follow the
documentation link instead.

> Is this the same documentation as in the package, or do you plan to
> include it in the package?

This is a prerelease of the documentation that will be included in
gnutls 0.5.11.

> Ivo
> --
> `Contrariwise,' continued Tweedledee, `if it was so, it might be; and
> if it were so, it would be; but as it isn't, it ain't. That's logic.'
> - Lewis Carroll, `Through the Looking-Glass'

--
Nikos Mavroyanopoulos
Email: nmav at gnutls org

From ph10 at cus.cam.ac.uk Tue Oct 29 06:54:03 2002
From: ph10 at cus.cam.ac.uk (Philip Hazel)
Date: Tue Oct 29 06:54:03 2002
Subject: [gnutls-dev]Re: updated documentation
In-Reply-To: <20021027114139.GA2795@gnutls.org>
Message-ID:

On Sun, 27 Oct 2002, Nikos Mavroyanopoulos wrote:

> I've updated the gnutls documentation in the web site.
> http://www.gnu.org/software/gnutls/documentation/gnutls
> now contains the function reference sorted, together with a
> short description of gnutls error codes.

Splendid! Thank you very much. That makes things easier. I hope to get
back to testing Exim later today.

Philip

--
Philip Hazel            University of Cambridge Computing Service,
ph10 at cus.cam.ac.uk      Cambridge, England. Phone: +44 1223 334714.
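Philip's point 3 in the 25 Oct message (NO_CERTIFICATE_FOUND from gnutls_handshake(), and whether the key and certificate may share one file) is the kind of problem a first-pass check of the PEM framing can narrow down before suspecting the library. The following is an added example, not code from this thread, from GnuTLS or from Exim: it checks that every PEM block in a file decodes and that its outer DER SEQUENCE length matches the bytes present, using constructed placeholder blocks rather than the certificate Philip posted. It says nothing about which formats GnuTLS 0.5 itself accepts; the thread leaves that question to Nikos.

```python
import base64
import re

# Matches one PEM block; the END label must equal the BEGIN label.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def pem_block(label, der):
    """Wrap DER bytes in PEM armour (helper for building the constructed samples)."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

# Constructed samples, not the certificate from the thread: each body is a tiny
# DER SEQUENCE { INTEGER }, just enough to exercise the framing checks.
SAMPLE_COMBINED = (pem_block("CERTIFICATE", bytes.fromhex("3003020105"))
                   + pem_block("RSA PRIVATE KEY", bytes.fromhex("3003020100")))
# Body cut short: the SEQUENCE header promises 3 content bytes but only 2 follow.
SAMPLE_TRUNCATED = "-----BEGIN CERTIFICATE-----\nMAMCAQ==\n-----END CERTIFICATE-----\n"

def der_length_ok(der):
    """True if der starts with a SEQUENCE tag whose declared length covers the rest exactly."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        length, hdr = first, 2
    else:                                 # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return hdr + length == len(der)

def inspect_pem(text):
    """Return (label, status) for every PEM block; status is 'ok' or the reason it is not."""
    results = []
    for m in PEM_RE.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:                # binascii.Error is a ValueError subclass
            results.append((label, "bad base64"))
            continue
        results.append((label, "ok" if der_length_ok(der) else "truncated or not DER"))
    return results

def check_cert_and_key(text):
    """Summarise whether the text holds a well-framed certificate and private key.
    Both blocks in one file are fine as far as PEM framing is concerned."""
    found = inspect_pem(text)
    ok = {label for label, status in found if status == "ok"}
    return {"certificate": "CERTIFICATE" in ok,
            "private_key": any(label.endswith("PRIVATE KEY") for label in ok),
            "problems": [(label, status) for label, status in found if status != "ok"]}
```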