[gnutls-dev] [Help-gnutls] push/pull functions

[Nikos Mavrogiannopoulos]

On Wednesday 26 September 2007, Robin Redeker wrote:
> Hi!

> I have a (maybe not so?) simple question:
> Can I call gnutls_record_recv/gnutls_record_send safely while I'm in a
> push/pull callback?

As long as you don't use the same session, it should be safe.

> The reason I'm asking is that I want to make bindings for GNU Smalltalk,
> which has support for non-preemtive multiple threads of execution.

gnutls can be used with multiple threads, as long as the gcrypt callbacks are 
set and the same session is not accessed by multiple threads.

> What if some kind of re-handshake happens while I call
> gnutls_record_recv? Will GnuTLS detect that it is still waiting for the
> callback to read to return?

A rehandshake will be detected by the return value of gnutls_record_recv(). It 
is in-band data so it should procceed normally.

> And there is also another issue I stepped over while testing. I somehow
> could't get the anonymous client example to work with gnutls-serv.
> I've tried running the server with:
>    gnutls-serv -p 12331 --kx "Anon DH"
>    gnutls-serv -p 12331 --kx "Anon DH" -g
>    gnutls-serv -p 12331 --kx "Anon DH" --dhparams /tmp/dh.pem (with a
>    properly initialized dh.pem)

Thank you for reporting this. It seems that it was a bug in the handshake 
function and couldn't negotiate anonymous DH if a certificate wasn't set. It 
must be corrected in the git repository (and attached patch).


regards,
Nikos
-------------- next part --------------
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index f8d2724..3787796 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -2801,11 +2801,11 @@ _gnutls_remove_unwanted_ciphersuites (gnutls_session_t session,
   int ret = 0;
   cipher_suite_st *newSuite, cs;
   int newSuiteSize = 0, i;
-  gnutls_certificate_credentials_t x509_cred;
+  gnutls_certificate_credentials_t cert_cred;
   gnutls_kx_algorithm_t kx;
   int server = session->security_parameters.entity == GNUTLS_SERVER ? 1 : 0;
-  gnutls_kx_algorithm_t *alg;
-  int alg_size;
+  gnutls_kx_algorithm_t *alg = NULL;
+  int alg_size = 0;
 
   /* if we should use a specific certificate, 
    * we should remove all algorithms that are not supported
@@ -2813,29 +2813,30 @@ _gnutls_remove_unwanted_ciphersuites (gnutls_session_t session,
    * method (CERTIFICATE).
    */
 
-  x509_cred =
+  cert_cred =
     (gnutls_certificate_credentials_t) _gnutls_get_cred (session->key,
 							 GNUTLS_CRD_CERTIFICATE,
 							 NULL);
 
-  /* if x509_cred==NULL we should remove all X509 ciphersuites
+  /* If there are certificate credentials, find an appropriate certificate
+   * or disable them;
    */
-
   if (session->security_parameters.entity == GNUTLS_SERVER
-      && x509_cred != NULL)
+      && cert_cred != NULL)
     {
       ret = _gnutls_server_select_cert (session, requested_pk_algo);
       if (ret < 0)
 	{
 	  gnutls_assert ();
-	  return ret;
+	  _gnutls_x509_log("Could not find an appropriate certificate: %s\n", gnutls_strerror(ret));
+	  cert_cred = NULL;
 	}
     }
 
   /* get all the key exchange algorithms that are 
    * supported by the X509 certificate parameters.
    */
-  if ((ret =
+  if (cert_cred != NULL && (ret =
        _gnutls_selected_cert_supported_kx (session, &alg, &alg_size)) < 0)
     {
       gnutls_assert ();