From nmav at gnutls.org  Sat Nov  1 09:52:02 2003
From: nmav at gnutls.org (Nikos Mavroyanopoulos)
Date: Sat, 1 Nov 2003 10:52:02 +0200
Subject: [gnutls-dev] doc/scripts
In-Reply-To: <20031031183126.GA31460@juarez>
References: <20031031183126.GA31460@juarez>
Message-ID: <20031101085202.GA25350@gnutls.org>

On Fri, Oct 31, 2003 at 07:31:26PM +0100, Ivo Timmermans wrote:

> Hi,
> gdoc and sort1.pl are in CVS, and they are used, but not distributed
> in the tarball.
Done. I've just added them.

> 	Ivo
> -- 
> I don't need to test my programs. I have an error-correcting modem.

-- 
Nikos Mavroyanopoulos



From simon+gnutls-dev at josefsson.org  Sat Nov  1 13:54:51 2003
From: simon+gnutls-dev at josefsson.org (Simon Josefsson)
Date: Sat, 01 Nov 2003 13:54:51 +0100
Subject: [gnutls-dev] Re: doc/scripts
In-Reply-To: <20031101085202.GA25350@gnutls.org> (Nikos Mavroyanopoulos's
	message of "Sat, 1 Nov 2003 10:52:02 +0200")
References: <20031031183126.GA31460@juarez> <20031101085202.GA25350@gnutls.org>
Message-ID: <ilu7k2kp7tw.fsf@latte.josefsson.org>

Nikos Mavroyanopoulos <nmav at gnutls.org> writes:

> On Fri, Oct 31, 2003 at 07:31:26PM +0100, Ivo Timmermans wrote:
>
>> Hi,
>> gdoc and sort1.pl are in CVS, and they are used, but not distributed
>> in the tarball.
> Done. I've just added them.

In http://savannah.gnu.org/cgi-bin/viewcvs/libidn/libidn/doc/ there is
a slightly improved 'gdoc' that fixes the 'function()' regexp, and can
generate man pages for functions as well.  I'm trying to set up a nice
infrastructure for 'gdoc' documented projects, right now you can say:

GDOC_SRC = $(top_srcdir)/lib/version.c \
		$(top_srcdir)/lib/toutf8.c \
		$(top_srcdir)/lib/nfkc.c \
		$(top_srcdir)/lib/punycode.c \
		$(top_srcdir)/lib/stringprep.c \
		$(top_srcdir)/lib/idna.c
GDOC_TEXI = libidn
GDOC_TEXI_PREFIX = texi/
GDOC_MAN = dist_man
GDOC_MAN_PREFIX = man/
include $(srcdir)/Makefile.gdoci

in Makefile.am to have man pages and texi fragments be built for all
GTK-DOC documented functions.  The Makefile.gdoci is a bit fragile
right now, though.

I'm currently working on improving the 'gdoc' framework, so if you
have any ideas, I might be able to implement them.




From nmav at gnutls.org  Sun Nov  2 21:24:32 2003
From: nmav at gnutls.org (Nikos Mavroyanopoulos)
Date: Sun, 2 Nov 2003 22:24:32 +0200
Subject: [gnutls-dev] gnutls 0.9.95 and opencdk 0.5.2
Message-ID: <20031102202432.GA8194@gnutls.org>

I've just released gnutls 0.9.95. The changes since that last 
release are:
- Improved the verification functions. Added new verification
  output flags and removed the unused and redundant ones.
- Improved the OpenPGP key support.
- The prime utility was removed, and its functionality was moved
  to certtool.

Also since Timo is busy, I've released opencdk 0.5.2. The
only changes in opencdk is that it was modified to work with 
libgcrypt 1.1.43.

-- 
Nikos Mavroyanopoulos



From simon+gnutls-dev at josefsson.org  Wed Nov  5 14:39:40 2003
From: simon+gnutls-dev at josefsson.org (Simon Josefsson)
Date: Wed, 05 Nov 2003 14:39:40 +0100
Subject: [gnutls-dev] Re: doc/scripts
In-Reply-To: <ilu7k2kp7tw.fsf@latte.josefsson.org> (Simon Josefsson's
	message of "Sat, 01 Nov 2003 13:54:51 +0100")
References: <20031031183126.GA31460@juarez> <20031101085202.GA25350@gnutls.org>
	<ilu7k2kp7tw.fsf@latte.josefsson.org>
Message-ID: <ilun0bbkk83.fsf@latte.josefsson.org>

FYI, `gdoc' has been added to Texinfo's utils/ directory, and I wrote
a page with some more details at <http://josefsson.org/gdoc/>.




From ivo at o2w.nl  Thu Nov  6 22:55:49 2003
From: ivo at o2w.nl (Ivo Timmermans)
Date: Thu, 6 Nov 2003 22:55:49 +0100
Subject: [gnutls-dev] gnutls_anon_allocate_client_credentials
Message-ID: <20031106215549.GA28327@juarez>

Hi,

The declarations of gnutls_anon_allocate_client_credentials and
gnutls_anon_free_client_credentials have the wrong argument type.  See
attached patch.


	Ivo

-- 
Floating point exception
-------------- next part --------------
--- lib/gnutls.h.in.in.orig	2003-11-06 22:49:53.000000000 +0100
+++ lib/gnutls.h.in.in	2003-11-06 22:54:39.000000000 +0100
@@ -322,8 +322,8 @@
 
 void gnutls_anon_set_server_dh_params( gnutls_anon_server_credentials res, gnutls_dh_params dh_params);
 
-void gnutls_anon_free_client_credentials( gnutls_anon_server_credentials sc);
-int gnutls_anon_allocate_client_credentials( gnutls_anon_server_credentials *sc);
+void gnutls_anon_free_client_credentials( gnutls_anon_client_credentials sc);
+int gnutls_anon_allocate_client_credentials( gnutls_anon_client_credentials *sc);
 
 /* CERTFILE is an x509 certificate in PEM form.
  * KEYFILE is a pkcs-1 private key in PEM form (for RSA keys).

From ivo at o2w.nl  Sun Nov  9 15:08:22 2003
From: ivo at o2w.nl (Ivo Timmermans)
Date: Sun, 9 Nov 2003 15:08:22 +0100
Subject: [gnutls-dev] python-gnutls 0.1
Message-ID: <20031109140822.GA9759@juarez>

Hi,

The last few days I've been working on python bindings for gnutls, the
result of it is now available as python-gnutls version 0.1.
It's really minimal, it's just enough to make a simple anonymous
TLS/SSL client.

You can get it from http://home.o2w.net/~ivo/python-gnutls/dist/ .

Have fun,


	Ivo

-- 
While Mac evangelism is as silly as worshipping a dead Sci-fi writer,
Linux evangelism seems to expect everyone to rely on the belief of
miracles with no further evidence needed.
	- Steve Gilliard



From algernon at bonehunter.rulez.org  Mon Nov 10 17:47:51 2003
From: algernon at bonehunter.rulez.org (Gergely Nagy)
Date: Mon, 10 Nov 2003 17:47:51 +0100
Subject: [gnutls-dev] Some problems with GnuTLS 0.9.95
Message-ID: <83ad74cgqw.wl%algernon@csodapalota.hu>

Hi!

While updating a project of mine to take advantage of GnuTLS 0.9, I
noticed a few glitches. The most annoying one is that the prototype
for gnutls_handshake_set_rsa_pms_check is included in gnutls/gnutls.h,
but the function itself was removed from the library. I think the
header would need an update to reflect this.

Another problem is that gnutls_x509_crt_get_dn() does not work as
documented. According to the docs, when I call gnutls_x509_crt_get_dn
(crt, NULL, &size), it should set size to the length of the
DN. However, it does not, and returns GNUTLS_E_INVALID_REQUEST (size
was set to 0 before the call, but if the buffer is NULL, I think that
gnutls_x509_crt_get_dn should ignore the initial value of size). Using
gnutls_x509_crt_get_dn (crt, &tmp_buf, &size), where tmp_buf is a
single char, and size is 1, works as expected. Well, almost. I'd
expect that this code would get me a DN:

gnutls_x509_crt cert;
char *buf;
size_t size = 0;

[...]
gnutls_x509_crt_get_dn (cert, NULL, &size);
buf = (char *)malloc (size);
gnutls_x509_crt_get_dn (cert, buf, &size);
[...]

However, I'm using something like this to work around the problems I
found:

gnutls_x509_crt cert;
char *buf, tmp_buf[3];
size_t size = 1;

[...]
gnutls_x509_crt_get_dn (cert, tmp_buf, &size);
size += 2;
buf = (char *)malloc (size);
gnutls_x509_crt_get_dn (cert, buf, &size);
[...]

I think this is horrible.

I would suggest an audit of all functions that should behave similarly
to check if they do (last I checked, gnutls_server_name_get() worked
for example).

Cheers,
-- 
Gergely Nagy



From nmav at gnutls.org  Mon Nov 10 22:27:57 2003
From: nmav at gnutls.org (Nikos Mavroyanopoulos)
Date: Mon, 10 Nov 2003 23:27:57 +0200
Subject: [gnutls-dev] Some problems with GnuTLS 0.9.95
In-Reply-To: <83ad74cgqw.wl%algernon@csodapalota.hu>
References: <83ad74cgqw.wl%algernon@csodapalota.hu>
Message-ID: <20031110212757.GA13438@gnutls.org>

On Mon, Nov 10, 2003 at 05:47:51PM +0100, Gergely Nagy wrote:

> Hi!
> While updating a project of mine to take advantage of GnuTLS 0.9, I
> noticed a few glitches. The most annoying one is that the prototype
> for gnutls_handshake_set_rsa_pms_check is included in gnutls/gnutls.h,
> but the function itself was removed from the library. I think the
> header would need an update to reflect this.
> Another problem is that gnutls_x509_crt_get_dn() does not work as
> documented. According to the docs, when I call gnutls_x509_crt_get_dn
> (crt, NULL, &size), it should set size to the length of the
> DN. However, it does not, and returns GNUTLS_E_INVALID_REQUEST (size
> was set to 0 before the call, but if the buffer is NULL, I think that
> gnutls_x509_crt_get_dn should ignore the initial value of size). Using
> gnutls_x509_crt_get_dn (crt, &tmp_buf, &size), where tmp_buf is a
> single char, and size is 1, works as expected. Well, almost. I'd
> expect that this code would get me a DN:
[...]
Thank you. I've just commited a fix in the cvs. I'll try to check 
all those functions soon.

> Cheers,
> -- 
> Gergely Nagy

-- 
Nikos Mavroyanopoulos



From nmav at gnutls.org  Tue Nov 11 17:57:45 2003
From: nmav at gnutls.org (Nikos Mavroyanopoulos)
Date: Tue, 11 Nov 2003 18:57:45 +0200
Subject: [gnutls-dev] gnutls 0.9.97
Message-ID: <20031111165745.GA32718@gnutls.org>

I've just released gnutls 0.9.97. The changes since the
last release are:
- The certtool utility can now generate PKCS #12 structures
  without specifying a certificate.
- Added capability to read CRLs to certtool.
- Corrected some functions which return GNUTLS_E_SHORT_MEMORY_BUFFER
  to properly set the required buffer size.
- Corrected a bug in libgcrypt detection.

-- 
Nikos Mavroyanopoulos



From nspring at cs.washington.edu  Tue Nov 11 19:13:03 2003
From: nspring at cs.washington.edu (Neil Spring)
Date: Tue, 11 Nov 2003 10:13:03 -0800
Subject: [gnutls-dev] is ftp.gnutls.org behind a firewall?
Message-ID: <B114B0BC-1472-11D8-9857-000A95718DA4@cs.washington.edu>

Although other ftp clients work, curl 
ftp://ftp.gnutls.org/pub/crypto/gnutls/devel/gnutls-0.9.97.tar.gz fails 
because curl tries to use the EPSV command.  EPSV returns a port to 
connect to (when I tried, this port was 32225), but connection setup to 
that port times out, presumably because a firewall somewhere doesn't 
know that it should forward the syn packet.

The ftp control connection transcript, reconstructed by ethereal:
...
250 OK. Current directory is /pub/crypto/gnutls
EPSV
229 Extended Passive mode OK (|||32225|)

If it's possible, could you pass this along to someone who can fix 
this, either by disabling EPSV-style downloads at the server (I assume 
curl would respond to an error message by falling back to PASV) or by 
telling the firewall to pass the pureftpd-configured port range for 
passive downloads to the ftp server?  Making curl work is somewhat 
important for use with Fink -- although it will try other mirrors 
first, it would be good if the master server was available as a 
fall-back.

thanks,
-neil
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
URL: </pipermail/attachments/20031111/6e34b660/attachment.pgp>

From nmav at gnutls.org  Tue Nov 11 22:37:24 2003
From: nmav at gnutls.org (Nikos Mavroyanopoulos)
Date: Tue, 11 Nov 2003 23:37:24 +0200
Subject: [gnutls-dev] is ftp.gnutls.org behind a firewall?
In-Reply-To: <B114B0BC-1472-11D8-9857-000A95718DA4@cs.washington.edu>
References: <B114B0BC-1472-11D8-9857-000A95718DA4@cs.washington.edu>
Message-ID: <20031111213723.GA4012@gnutls.org>

On Tue, Nov 11, 2003 at 10:13:03AM -0800, Neil Spring wrote:

> Although other ftp clients work, curl 
> ftp://ftp.gnutls.org/pub/crypto/gnutls/devel/gnutls-0.9.97.tar.gz fails 
> because curl tries to use the EPSV command.  EPSV returns a port to 
> connect to (when I tried, this port was 32225), but connection setup to 
> that port times out, presumably because a firewall somewhere doesn't 
> know that it should forward the syn packet.

Thank you for reporting this. I've contacted the administrator. 
It should be corrected within the week. 

> thanks,
> -neil



> _______________________________________________
> Gnutls-dev mailing list
> Gnutls-dev at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnutls-dev


-- 
Nikos Mavroyanopoulos



From papadopo at shfj.cea.fr  Wed Nov 12 14:50:32 2003
From: papadopo at shfj.cea.fr (Dimitri Papadopoulos-Orfanos)
Date: Wed, 12 Nov 2003 14:50:32 +0100
Subject: [gnutls-dev] gnutls-0.9.96 build failure on Solaris
Message-ID: <3FB23AA8.2080600@shfj.cea.fr>

Hi,

GnuTLS 0.9.96 fails to build on Solaris 8 using the Sun ONE Studio 7 
compiler.

The problem seems to be that the bundled minitasn1 library doesn't 
include <alloca.h> prior to using alloca():

	#ifdef HAVE_ALLOCA
	# define _asn1_alloca alloca
	# define _asn1_afree(x)
	#else
	# define _asn1_alloca _asn1_malloc
	# define _asn1_afree _asn1_free
	#endif /* HAVE_ALLOCA */

Instead the source code should look like:

	#ifdef HAVE_ALLOCA
	# ifdef HAVE_ALLOCA_H
	#  include <alloca.h>
	# endif
	# define _asn1_alloca alloca
	# define _asn1_afree(x)
	#else
	# define _asn1_alloca _asn1_malloc
	# define _asn1_afree _asn1_free
	#endif /* HAVE_ALLOCA */

By the way, are you sure you really need to use alloca()?
http://sources.redhat.com/ml/gdb/2000-11/threads.html#00053
http://www.gnu.org/software/libc/manual/html_mono/libc.html#Disadvantages%20of%20Alloca
I really don't know much about all that, so bear with me if I'm talking 
complete nonsense, but can't alloca() result in security issues, if 
somehow the software is tricked into allocating more memory than the 
machine can provide?


There were also warnings that could point to real problems, such as 
src/common.h defining:
	void socket_init( void);
instead of
	void sockets_init( void);

Here are some of these warnings:
"gnutls_auth.c", line 98: warning: enum type mismatch: op "="
"gnutls_auth.c", line 122: warning: enum type mismatch: op "="
"auth_cert.c", line 1234: warning: enum type mismatch: arg #2
"serv.c", line 553: warning: implicit function declaration: sockets_init
"serv.c", line 947: warning: statement not reached


Finally there were the usual signed/unsigned warnings you already know 
about. See attached build log.

--
Dimitri
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnutls-0.9.96.log.gz
Type: application/x-gzip
Size: 14505 bytes
Desc: not available
URL: </pipermail/attachments/20031112/b8e7d0e3/attachment.bin>

From nmav at gnutls.org  Sun Nov 16 12:53:27 2003
From: nmav at gnutls.org (Nikos Mavroyanopoulos)
Date: Sun, 16 Nov 2003 13:53:27 +0200
Subject: [gnutls-dev] gnutls 0.9.98
Message-ID: <20031116115327.GA5414@gnutls.org>

I've just released gnutls 0.9.98. This release adds a few features
required for the stable release. There will be no more feature
additions in 0.9.99 which would be (hopefuly) the last before a stable 1.0.
Unfortunately this version breaks binary compatibility with 0.9.97,
so a recompilation is required.

- The openssl compatibility layer was moved to gnutls-openssl
  library instead of being included in the gnutls-extra library.
- Added the RIPEMD ciphersuites defined in draft-ietf-tls-openpgp-keys-04.
- Building with openpgp support is now mandatory.
- gnutls4 compatibility header is no longer included by default in
  gnutls.h.
- gnutls8 function usage yelds a deprecation warning in gcc3.
- gnutls_x509_*_set_dn_by_oid() and gnutls_x509_*_get_*_dn_by_oid()
  functions have a raw_flag parameter added.
- Added gnutls_x509_*_get_dn_oid() and gnutls_x509_crt_get_extension_oid()
  functions which return the available OIDs.

-- 
Nikos Mavroyanopoulos



From krasic at cs.ubc.ca  Sat Nov 22 23:32:19 2003
From: krasic at cs.ubc.ca (Charles 'Buck' Krasic)
Date: Sat, 22 Nov 2003 14:32:19 -0800
Subject: [gnutls-dev] question about openpgp authentication
Message-ID: <1069540339.25531.11.camel@galibier.cs.ubc.ca>

Hi,

I'm experimenting with gnu-tls, to see if it might work in my video
streaming system.   The openpgp authentication is what has attracted me
to gnu tls.   

I'm new to gnu tls (and gnupg too), so I'm still coming to grips with
how the API should be used.  

My question regards secret keys and passphrases.  It seemed that to get
the gnutls handshake to work, I had to remove the passphrase from my
secret key.  Is this correct?  This seems to make sense, since I can't
see how gnutls could use the key otherwise.   If so, I would prefer that
the key be passphrase protected, since leaving secret keys unprotected
is generally a pretty bad idea.   Hence, is there any hope that gnutls
might add some support for passphrase checking of secret keys?  Or is
there some other software that would do this?  

-- Buck




From nmav at gnutls.org  Sun Nov 23 18:24:09 2003
From: nmav at gnutls.org (Nikos Mavroyanopoulos)
Date: Sun, 23 Nov 2003 19:24:09 +0200
Subject: [gnutls-dev] question about openpgp authentication
In-Reply-To: <1069540339.25531.11.camel@galibier.cs.ubc.ca>
References: <1069540339.25531.11.camel@galibier.cs.ubc.ca>
Message-ID: <20031123172409.GA12302@gnutls.org>

On Sat, Nov 22, 2003 at 02:32:19PM -0800, Charles 'Buck' Krasic wrote:

> Hi,
> I'm experimenting with gnu-tls, to see if it might work in my video
> streaming system.   The openpgp authentication is what has attracted me
> to gnu tls.   
> I'm new to gnu tls (and gnupg too), so I'm still coming to grips with
> how the API should be used.  
> My question regards secret keys and passphrases.  It seemed that to get
> the gnutls handshake to work, I had to remove the passphrase from my
> secret key.  Is this correct?  This seems to make sense, since I can't
> see how gnutls could use the key otherwise.   If so, I would prefer that
> the key be passphrase protected, since leaving secret keys unprotected
> is generally a pretty bad idea.   Hence, is there any hope that gnutls
> might add some support for passphrase checking of secret keys?  Or is
> there some other software that would do this?  

The current gnutls' api does not allow encrypted openpgp keys. This
might change in the future, (after the first stable release). Servers need
to have the keys decrypted --because they must read the keys non-interactively,
and adding a password into a configuration file is as bad as having the
plain key. 

Clients may use encrypted keys, but they need to use gnupg for now.
They should decrypt the key (with gnupg), pass it to gnutls,
and then delete the decrypted one.

> -- Buck

-- 
Nikos Mavroyanopoulos



From krasic at cs.ubc.ca  Tue Nov 25 21:57:48 2003
From: krasic at cs.ubc.ca (Charles 'Buck' Krasic)
Date: Tue, 25 Nov 2003 12:57:48 -0800
Subject: [gnutls-dev] Another openpgp question...
Message-ID: <1069793868.11429.7.camel@galibier.cs.ubc.ca>

Hi,

I another question regarding OpenPGP and TLS.  I would like the server
side of the TLS session to be able to query what key the client used
after the handshake has completed.   

As far as I can tell, the closest thing to this right now is the
gnutls_openpgp_set_recv_key_function(), but this is only used if the
client sends a fingerprint instead of their public key.   But, for the
case where the client just sends their key, the API doesn't provide any
way to find out what key the client used.

Would it be hard to add such a query to the API?  I.e. something like:

  gnutls_openpgp_get_peer_key()

-- Buck





From nmav at gnutls.org  Tue Nov 25 22:31:25 2003
From: nmav at gnutls.org (Nikos Mavroyanopoulos)
Date: Tue, 25 Nov 2003 23:31:25 +0200
Subject: [gnutls-dev] Another openpgp question...
In-Reply-To: <1069793868.11429.7.camel@galibier.cs.ubc.ca>
References: <1069793868.11429.7.camel@galibier.cs.ubc.ca>
Message-ID: <20031125213124.GA22933@gnutls.org>

On Tue, Nov 25, 2003 at 12:57:48PM -0800, Charles 'Buck' Krasic wrote:

> Hi,
> I another question regarding OpenPGP and TLS.  I would like the server
> side of the TLS session to be able to query what key the client used
> after the handshake has completed.   
> As far as I can tell, the closest thing to this right now is the
> gnutls_openpgp_set_recv_key_function(), but this is only used if the
> client sends a fingerprint instead of their public key.   But, for the
> case where the client just sends their key, the API doesn't provide any
> way to find out what key the client used.
> Would it be hard to add such a query to the API?  I.e. something like:
>   gnutls_openpgp_get_peer_key()
Hello Charles,
 You could use gnutls_certificate_get_peers(). The openpgp key authentication
is part of the certificate authentication, so all the gnutls_certificate_*
functions apply. 

> -- Buck

-- 
Nikos Mavroyanopoulos



From krasic at cs.ubc.ca  Wed Nov 26 02:43:11 2003
From: krasic at cs.ubc.ca (Charles 'Buck' Krasic)
Date: Tue, 25 Nov 2003 17:43:11 -0800
Subject: [gnutls-dev] Another openpgp question...
In-Reply-To: <20031125213124.GA22933@gnutls.org>
References: <1069793868.11429.7.camel@galibier.cs.ubc.ca>
	<20031125213124.GA22933@gnutls.org>
Message-ID: <1069810991.11423.17.camel@galibier.cs.ubc.ca>

Hi Nikos,

Thanks for your replies.  They have been very helpful.

I've been able to get GnuTLS basically working in my video streaming
system.   At first, I got it working with AES128 + SHA1.   I noticed
that the CPU load was quite high (not a big suprise) so I started to try
and measure some other combinations.   This is where I ran into a lot of
trouble.   I'm not an expert in OpenPGP or gnupg, so it's not obvious to
me what kinds of keys are required for the different ciphers supported
in GnuTLS.   I made some progress by enabling GnuTLS's logging, but I
still don't understand what is required to get certain ciphers to work.

For example,  I can get the ARCFOUR_SHA cipher, but not ARCFOUR_MD5 (128
or 40).  

I am basically content for now that I have some encryption working, but
it would be nice to have some clarification on issues above.   

Are there many other users of GnuTLS's OpenPGP support?

-- Buck

On Tue, 2003-11-25 at 13:31, Nikos Mavroyanopoulos wrote:
> On Tue, Nov 25, 2003 at 12:57:48PM -0800, Charles 'Buck' Krasic wrote:
> 
> > Hi,
> > I another question regarding OpenPGP and TLS.  I would like the server
> > side of the TLS session to be able to query what key the client used
> > after the handshake has completed.   
> > As far as I can tell, the closest thing to this right now is the
> > gnutls_openpgp_set_recv_key_function(), but this is only used if the
> > client sends a fingerprint instead of their public key.   But, for the
> > case where the client just sends their key, the API doesn't provide any
> > way to find out what key the client used.
> > Would it be hard to add such a query to the API?  I.e. something like:
> >   gnutls_openpgp_get_peer_key()
> Hello Charles,
>  You could use gnutls_certificate_get_peers(). The openpgp key authentication
> is part of the certificate authentication, so all the gnutls_certificate_*
> functions apply. 
> 
> > -- Buck




From nmav at gnutls.org  Wed Nov 26 10:19:56 2003
From: nmav at gnutls.org (Nikos Mavroyanopoulos)
Date: Wed, 26 Nov 2003 11:19:56 +0200
Subject: [gnutls-dev] Another openpgp question...
In-Reply-To: <1069810991.11423.17.camel@galibier.cs.ubc.ca>
References: <1069793868.11429.7.camel@galibier.cs.ubc.ca>
	<20031125213124.GA22933@gnutls.org>
	<1069810991.11423.17.camel@galibier.cs.ubc.ca>
Message-ID: <20031126091956.GA17130@gnutls.org>

On Tue, Nov 25, 2003 at 05:43:11PM -0800, Charles 'Buck' Krasic wrote:

> Hi Nikos,
> Thanks for your replies.  They have been very helpful.
> I've been able to get GnuTLS basically working in my video streaming
> system.   At first, I got it working with AES128 + SHA1.   I noticed
> that the CPU load was quite high (not a big suprise) so I started to try
> and measure some other combinations.   This is where I ran into a lot of

If the high load is during the handshake, you should consider using
session resuming to avoid rehandshakes. If the high load is during
the record layer tranfers, then there is little you can do. ARCFOUR
is the fastest cipher supported, so using it is a good idea (I haven't
checked the speed difference between SHA1 and RIPEMD algorithms).

> trouble.   I'm not an expert in OpenPGP or gnupg, so it's not obvious to
> me what kinds of keys are required for the different ciphers supported
> in GnuTLS.   I made some progress by enabling GnuTLS's logging, but I
> still don't understand what is required to get certain ciphers to work.
> For example,  I can get the ARCFOUR_SHA cipher, but not ARCFOUR_MD5 (128
> or 40).  

> I am basically content for now that I have some encryption working, but
> it would be nice to have some clarification on issues above.   

Not all combinations of ciphers are available, even if the API implies
that. The openpgp ciphersuites do not include MD5 as an HMAC option. They
only allow SHA and RIPEMD-160. They also do not include the export
ciphers since they were obsoleted by the TLS Working group.

Also note that the DHE_RSA ciphersuites may get disabled if your
key is encrypt only. The same for plain RSA if your key is sign
only.

> -- Buck


-- 
Nikos Mavroyanopoulos



From nmav at gnutls.org  Wed Nov 26 15:18:21 2003
From: nmav at gnutls.org (Nikos Mavroyanopoulos)
Date: Wed, 26 Nov 2003 16:18:21 +0200
Subject: [gnutls-dev] Another openpgp question...
In-Reply-To: <20031126091956.GA17130@gnutls.org>
References: <1069793868.11429.7.camel@galibier.cs.ubc.ca>
	<20031125213124.GA22933@gnutls.org>
	<1069810991.11423.17.camel@galibier.cs.ubc.ca>
	<20031126091956.GA17130@gnutls.org>
Message-ID: <20031126141821.GA928@gnutls.org>

On Wed, Nov 26, 2003 at 11:19:56AM +0200, Nikos Mavroyanopoulos wrote:

> > I am basically content for now that I have some encryption working, but
> > it would be nice to have some clarification on issues above.   
> Not all combinations of ciphers are available, even if the API implies
> that. The openpgp ciphersuites do not include MD5 as an HMAC option. They
> only allow SHA and RIPEMD-160. They also do not include the export
> ciphers since they were obsoleted by the TLS Working group.
Sorry, I'm totaly wrong here. There is no openpgp ciphersuites concept
(they are common for both openpgp and x.509 certificates).

The fact that you cannot use MD5 is that you are probably using the 
DHE_RSA or the DHE_DSS ciphersuites, which have only be defined with SHA as
the HMAC algorithm. MD5 is only used in the plain _RSA_ ciphersuites,
so you have to enable GNUTLS_KX_RSA, which requires a key marked as encrypt 
only (I think that gnupg asks for the type at the key generation proccess).

MD5 was faster than SHA-1 (I don't know about RIPEMD), and is not
weaker in any way (at least for the HMAC construction).

-- 
Nikos Mavroyanopoulos



From wk at gnupg.org  Thu Nov 27 11:29:43 2003
From: wk at gnupg.org (Werner Koch)
Date: Thu, 27 Nov 2003 11:29:43 +0100
Subject: [gnutls-dev] Another openpgp question...
In-Reply-To: <20031126091956.GA17130@gnutls.org> (Nikos Mavroyanopoulos's
	message of "Wed, 26 Nov 2003 11:19:56 +0200")
References: <1069793868.11429.7.camel@galibier.cs.ubc.ca>
	<20031125213124.GA22933@gnutls.org>
	<1069810991.11423.17.camel@galibier.cs.ubc.ca>
	<20031126091956.GA17130@gnutls.org>
Message-ID: <87n0ai5cko.fsf@alberti.g10code.de>

On Wed, 26 Nov 2003 11:19:56 +0200, Nikos Mavroyanopoulos said:

> is the fastest cipher supported, so using it is a good idea (I haven't
> checked the speed difference between SHA1 and RIPEMD algorithms).

SHA-1 is slightly faster on ia32 CPUs, but nothing one should really
care about.


-- 
Werner Koch                                      <wk at gnupg.org>
The GnuPG Experts                                http://g10code.com
Free Software Foundation Europe                  http://fsfeurope.org




From wk at gnupg.org  Thu Nov 27 18:07:27 2003
From: wk at gnupg.org (Werner Koch)
Date: Thu, 27 Nov 2003 18:07:27 +0100
Subject: [gnutls-dev] Another openpgp question...
In-Reply-To: <20031127105332.GA27457@gnutls.org> (Nikos Mavroyanopoulos's
	message of "Thu, 27 Nov 2003 12:53:32 +0200")
References: <1069793868.11429.7.camel@galibier.cs.ubc.ca>
	<20031125213124.GA22933@gnutls.org>
	<1069810991.11423.17.camel@galibier.cs.ubc.ca>
	<20031126091956.GA17130@gnutls.org> <20031126141821.GA928@gnutls.org>
	<1069867860.28256.8.camel@galibier.cs.ubc.ca>
	<20031126232207.GA17177@gnutls.org>
	<20031127074949.GC776@daredevil.joesixpack.net>
	<20031127105332.GA27457@gnutls.org>
Message-ID: <871xrt3flc.fsf@alberti.g10code.de>

On Thu, 27 Nov 2003 12:53:32 +0200, Nikos Mavroyanopoulos said:

> with a specific flag to be used with TLS. Is there any flag
> that can be used? Is it possible at all?

Yes, the latest OpenPGP draft describes key flag 0x20 for
authentication.  GnuPG 1.3.3 support this but creates this flag
currently only for smartcard keys.

  Werner

-- 
Werner Koch                                      <wk at gnupg.org>
The GnuPG Experts                                http://g10code.com
Free Software Foundation Europe                  http://fsfeurope.org




From nmav at gnutls.org  Fri Nov 28 22:22:47 2003
From: nmav at gnutls.org (Nikos Mavroyanopoulos)
Date: Fri, 28 Nov 2003 23:22:47 +0200
Subject: [gnutls-dev] gnutls 0.9.99
Message-ID: <20031128212247.GA4324@gnutls.org>

I've just released gnutls-0.9.99. The most important
changes since gnutls 0.9.98 are:
- Some fixes in the gnutls.h header for the gnutls_server_name_set()
  and gnutls_server_name_get() prototypes.
- Exported the gnutls_x509_privkey_sign_data(), gnutls_x509_privkey_verify_data
  and gnutls_x509_crt_verify_data().
- Some fixes in the openpgp authentication.
- Removed the Twofish cipher.

-- 
Nikos Mavroyanopoulos