From jas at extundo.com Thu Dec 8 21:01:27 2005 From: jas at extundo.com (Simon Josefsson) Date: Thu, 08 Dec 2005 21:01:27 +0100 Subject: [Help-gnutls] Experimental: GnuTLS 1.3.1 Message-ID: We are pleased to announce the availability of GnuTLS version 1.3.1, the second release on the experimental 1.3.x branch. The goal of 1.3.x will be to merge work currently done on CVS branches, for TLS Pre-Shared-Keys and TLS Inner Application. Other planned improvements in 1.3.x are system-independent resume data structures, modularization of the bignum operations, and TLS OpenPGP improvements. So far, TLS-PSK and system-independent resume data has been implemented. GnuTLS is a modern C library that implement the standard network security protocol Transport Layer Security (TLS), for use by network applications. Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. If you need help to use GnuTLS, or want to help others, you are invited to join our help-gnutls mailing list, see: . The project page of the library is available at: http://www.gnutls.org/ http://www.gnu.org/software/gnutls/ http://josefsson.org/gnutls/ (updated fastest) Here are the compressed sources: http://josefsson.org/gnutls/releases/gnutls-1.3.1.tar.gz (3.0MB) ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.3.1.tar.bz2 (3.0MB) Here are GPG detached signatures signed using key 0xB565716F: http://josefsson.org/gnutls/releases/gnutls-1.3.1.tar.bz2.sig ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.3.1.tar.bz2.sig The software is cryptographically signed by the author using an OpenPGP key identified by the following information: 1280R/B565716F 2002-05-05 [expires: 2006-02-28] Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F The key is available from: http://josefsson.org/key.txt dns:b565716f.josefsson.org?TYPE=CERT Here are the build reports for various platforms: http://josefsson.org/autobuild-logs/gnutls.html Here are the SHA-1 checksums: 80eb527cf981344778d0dd6cb2ed25f379d8785c gnutls-1.3.1.tar.bz2 5b260e5d3594a8cf8ea79376bd97775a5f566920 gnutls-1.3.1.tar.bz2.sig Enjoy, Nikos and Simon Noteworthy changes since version 1.3.0: ** Support for DHE-PSK cipher suites has been added. This method offers perfect forward secrecy. ** Fix gnutls-cli STARTTLS hang when SIGINT is sent too quickly, thanks to Otto Maddox and Nozomu Ando . ** Corrected a bug in certtool for 64 bit machines. Reported by Max Kellermann . ** New function to set a X.509 private key and certificate pairs, and/or CRLs, from an PKCS#12 file, suggested by Emile van Bergen . The integrity of the PKCS#12 file is protected through a password based MAC; public-key based signatures for integrity protection are not supported. PKCS#12 bags may be encrypted using password derived symmetric keys, public-key based encryption is not supported. The PKCS#8 keys may be encrypted using passwords. The API use the same password for all operations. We believe that any more flexibility create too much complexity that would hurt overall security, but may add more PKCS#12 related APIs if real-world experience indicate otherwise. ** gnutls_x509_privkey_import_pkcs8 now accept unencrypted PEM PKCS#8 keys, reported by Emile van Bergen . This will enable "certtool -k -8" to parse those keys. ** Certtool now generate keys in unencrypted PKCS#8 format for empty passwords. Use "certtool -p -8" and press press enter at the prompt. Earlier, certtool would have encrypted the key using an empty password. ** Certtool now accept --password for --key-info and encrypted PKCS#8 keys. Earlier it would have prompted the user for it, even if --password was supplied. ** Added self test of PKCS#8 parsing. Unencrypted and encrypted (pbeWithSHAAnd3-KeyTripleDES-CBC and pbeWithSHAAnd40BitRC2-CBC) formats are tested. The test is in tests/pkcs8. ** API and ABI modifications: New function to set X.509 credentials from a PKCS#12 file: gnutls_certificate_set_x509_simple_pkcs12_file New gnutls_kx_algorithm_t enum type: GNUTLS_KX_DHE_PSK New API to return session data (better data types than gnutls_session_get_data): gnutls_session_get_data2 New API to set PSK Diffie-Hellman parameters: gnutls_psk_set_server_dh_params -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 423 bytes Desc: not available URL: From flashcode at flashtux.org Sun Dec 11 16:58:41 2005 From: flashcode at flashtux.org (FlashCode) Date: Sun, 11 Dec 2005 16:58:41 +0100 Subject: [Help-gnutls] Restore gnutls session after execvp - possible? Message-ID: <20051211155841.GE1040@flashtux.org> Hi, I'm developing an IRC client called WeeChat (http://weechat.flashtux.org). I'm adding a new feature: /upgrade command, which does an execvp() of weechat, without closing connections to servers (sockets are still open after execvp). For some servers, user may connect thru gnutls (SSL), and I need to save session in file when upgrading, then restore it when starting new process. Is it possible to do that with gnutls today? I saw an example in the doc, but situation is not exactly the same, socket is reopen after close, then gnutls session reloaded. In my case, socket is not closed. I tried something like that : 1. quit weechat without closing sockets, and do that for gnutls: - for each gnutls server: gnutls_session_get_data (ptr_server->gnutls_sess, NULL, &session_size); session_data = malloc (session_size); gnutls_session_get_data (server->gnutls_sess, session_data, &session_size); /* save session data to session file */ gnutls_bye (server->gnutls_sess, GNUTLS_SHUT_RDWR); gnutls_deinit (server->gnutls_sess); - global: gnutls_certificate_free_credentials (gnutls_xcred); gnutls_global_deinit(); 2. start new weechat via execvp (load session file): - global: gnutls_global_init (); gnutls_certificate_allocate_credentials (&gnutls_xcred); gnutls_certificate_set_x509_trust_file (gnutls_xcred, "ca.pem", GNUTLS_X509_FMT_PEM); - for each gnutls server: gnutls_set_default_priority (server->gnutls_sess); gnutls_certificate_type_set_priority (server->gnutls_sess, cert_type_prio); gnutls_credentials_set (server->gnutls_sess, GNUTLS_CRD_CERTIFICATE, gnutls_xcred); /* read session & size (internal stuff not shown here) */ gnutls_session_set_data (server->gnutls_sess, session_data, session_size); gnutls_transport_set_ptr (server->gnutls_sess, (gnutls_transport_ptr) server->sock); if (gnutls_handshake (server->gnutls_sess) < 0) printf ("handshake failed\n"); Problem: the handshake always failed when restoring weechat session. Thank you in advance, any help appreciated. -- Cordialement / Best regards Sebastien. Web: http://www.flashtux.org - email: flashcode at flashtux.org IRC: FlashCode at irc.freenode.net - Jabber: flashcode at jabber.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature URL: From jas at extundo.com Sun Dec 11 19:51:06 2005 From: jas at extundo.com (Simon Josefsson) Date: Sun, 11 Dec 2005 19:51:06 +0100 Subject: [Help-gnutls] Re: Restore gnutls session after execvp - possible? In-Reply-To: <20051211155841.GE1040@flashtux.org> (flashcode@flashtux.org's message of "Sun, 11 Dec 2005 16:58:41 +0100") References: <20051211155841.GE1040@flashtux.org> Message-ID: FlashCode writes: > Hi, > > I'm developing an IRC client called WeeChat > (http://weechat.flashtux.org). > I'm adding a new feature: /upgrade command, which does an execvp() of > weechat, without closing connections to servers (sockets are still > open after execvp). > > For some servers, user may connect thru gnutls (SSL), and I need to save > session in file when upgrading, then restore it when starting new > process. > > Is it possible to do that with gnutls today? > > I saw an example in the doc, but situation is not exactly the same, > socket is reopen after close, then gnutls session reloaded. > In my case, socket is not closed. How do you achieve that? I thought you had to close sockets and re-open them in a new process. I don't know how to achieve what you want in GnuTLS, but I don't know how to achieve what you already do either (exec another process and inherit the open socket) so I may likely be missing something. Perhaps others know more. > I tried something like that : > > > 1. quit weechat without closing sockets, and do that for gnutls: > > - for each gnutls server: > > gnutls_session_get_data (ptr_server->gnutls_sess, NULL, > &session_size); > session_data = malloc (session_size); > gnutls_session_get_data (server->gnutls_sess, session_data, > &session_size); > /* save session data to session file */ > gnutls_bye (server->gnutls_sess, GNUTLS_SHUT_RDWR); > gnutls_deinit (server->gnutls_sess); > > - global: > > gnutls_certificate_free_credentials (gnutls_xcred); > gnutls_global_deinit(); > > 2. start new weechat via execvp (load session file): > > - global: > > gnutls_global_init (); > gnutls_certificate_allocate_credentials (&gnutls_xcred); > gnutls_certificate_set_x509_trust_file (gnutls_xcred, > "ca.pem", GNUTLS_X509_FMT_PEM); > > - for each gnutls server: > > gnutls_set_default_priority (server->gnutls_sess); > gnutls_certificate_type_set_priority (server->gnutls_sess, > cert_type_prio); > gnutls_credentials_set (server->gnutls_sess, > GNUTLS_CRD_CERTIFICATE, > gnutls_xcred); > /* read session & size (internal stuff not shown here) */ > gnutls_session_set_data (server->gnutls_sess, > session_data, session_size); > gnutls_transport_set_ptr (server->gnutls_sess, > (gnutls_transport_ptr) > server->sock); > if (gnutls_handshake (server->gnutls_sess) < 0) > printf ("handshake failed\n"); > > Problem: the handshake always failed when restoring weechat session. > > Thank you in advance, any help appreciated. > > -- > Cordialement / Best regards > Sebastien. > > Web: http://www.flashtux.org - email: flashcode at flashtux.org > IRC: FlashCode at irc.freenode.net - Jabber: flashcode at jabber.org > _______________________________________________ > Help-gnutls mailing list > Help-gnutls at gnu.org > http://lists.gnu.org/mailman/listinfo/help-gnutls From smurf at smurf.noris.de Sun Dec 11 21:54:59 2005 From: smurf at smurf.noris.de (Matthias Urlichs) Date: Sun, 11 Dec 2005 21:54:59 +0100 Subject: [Help-gnutls] Re: Restore gnutls session after execvp - possible? In-Reply-To: References: <20051211155841.GE1040@flashtux.org> Message-ID: <20051211205459.GB19879@kiste.smurf.noris.de> Hi, Simon Josefsson: > How do you achieve that? I thought you had to close sockets and > re-open them in a new process. > If you have an open file descriptor, you can choose whether it is automagically closed when you execve() something. (fcntl, close-on-exec flag) > I don't know how to achieve what you want in GnuTLS, but I don't know > how to achieve what you already do either (exec another process and > inherit the open socket) so I may likely be missing something. > Perhaps others know more. > The basic idea is to save the internal gnutls data structure in such a way that you only need to plug in the file descriptor and everything is back where it was. Personally I'd say that > > - global: > > > > gnutls_certificate_free_credentials (gnutls_xcred); > > gnutls_global_deinit(); > > Why are you doing that? You're execvp-ing a new process, the data structures will vanish anyway -- and you risk closing the sockets when you do this. > > if (gnutls_handshake (server->gnutls_sess) < 0) > > printf ("handshake failed\n"); > > Does that call work when you use it *before* doing your save-execvp-restore dance? -- Matthias Urlichs | {M:U} IT Design @ m-u-it.de | smurf at smurf.noris.de Disclaimer: The quote was selected randomly. Really. | http://smurf.noris.de - - You can have whiskey as your friend. You can have a dog as your friend. But if you have a woman as your friend, you're going to wind up drunk and kissing your dog. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature URL: From jas at extundo.com Sun Dec 11 22:46:15 2005 From: jas at extundo.com (Simon Josefsson) Date: Sun, 11 Dec 2005 22:46:15 +0100 Subject: [Help-gnutls] Re: Restore gnutls session after execvp - possible? In-Reply-To: <20051211205459.GB19879@kiste.smurf.noris.de> (Matthias Urlichs's message of "Sun, 11 Dec 2005 21:54:59 +0100") References: <20051211155841.GE1040@flashtux.org> <20051211205459.GB19879@kiste.smurf.noris.de> Message-ID: Matthias Urlichs writes: > Hi, > > Simon Josefsson: >> How do you achieve that? I thought you had to close sockets and >> re-open them in a new process. >> > If you have an open file descriptor, you can choose whether it is > automagically closed when you execve() something. (fcntl, close-on-exec > flag) Oh. I see. Thanks for the pointer. >> I don't know how to achieve what you want in GnuTLS, but I don't know >> how to achieve what you already do either (exec another process and >> inherit the open socket) so I may likely be missing something. >> Perhaps others know more. >> > The basic idea is to save the internal gnutls data structure in such a > way that you only need to plug in the file descriptor and everything is > back where it was. Right. I don't think this is possible. The resume data that is stored is not intended for this use. It is intended where you create a new connection and want to re-use earlier TLS handshakes to optimize things. It _may_ be possible to use the resume stuff for this purpose, most of the useful data items are present. I think it require a new API. E.g., gnutls_resume_connect that accept the resume data. Further, I'm not sure I understand _why_ this is done. Perhaps if you describe why you want to execvpe and carry over the TLS-protected socket to the new process, we can suggest better solutions. Still, if someone want to make this work, I'd welcome any patches. > Personally I'd say that > >> > - global: >> > >> > gnutls_certificate_free_credentials (gnutls_xcred); >> > gnutls_global_deinit(); >> > > Why are you doing that? You're execvp-ing a new process, the data > structures will vanish anyway -- and you risk closing the sockets when you > do this. I agree, although those functions should not close the socket. >> > if (gnutls_handshake (server->gnutls_sess) < 0) >> > printf ("handshake failed\n"); >> > > Does that call work when you use it *before* doing your > save-execvp-restore dance? Most likely not. /Simon From flashcode at flashtux.org Sun Dec 11 23:33:30 2005 From: flashcode at flashtux.org (FlashCode) Date: Sun, 11 Dec 2005 23:33:30 +0100 Subject: [Help-gnutls] Re: Restore gnutls session after execvp - possible? In-Reply-To: References: <20051211155841.GE1040@flashtux.org> <20051211205459.GB19879@kiste.smurf.noris.de> Message-ID: <20051211223330.GF1040@flashtux.org> On Sun, Dec 11, 2005 at 10:46:15PM +0100, Simon Josefsson wrote: > Matthias Urlichs writes: > > > Hi, > > > > Simon Josefsson: > >> How do you achieve that? I thought you had to close sockets and > >> re-open them in a new process. > >> > > If you have an open file descriptor, you can choose whether it is > > automagically closed when you execve() something. (fcntl, close-on-exec > > flag) > > Oh. I see. Thanks for the pointer. > > >> I don't know how to achieve what you want in GnuTLS, but I don't know > >> how to achieve what you already do either (exec another process and > >> inherit the open socket) so I may likely be missing something. > >> Perhaps others know more. > >> > > The basic idea is to save the internal gnutls data structure in such a > > way that you only need to plug in the file descriptor and everything is > > back where it was. > > Right. I don't think this is possible. > > The resume data that is stored is not intended for this use. It is > intended where you create a new connection and want to re-use earlier > TLS handshakes to optimize things. > > It _may_ be possible to use the resume stuff for this purpose, most of > the useful data items are present. I think it require a new API. > E.g., gnutls_resume_connect that accept the resume data. > > Further, I'm not sure I understand _why_ this is done. Perhaps if you > describe why you want to execvpe and carry over the TLS-protected > socket to the new process, we can suggest better solutions. > > Still, if someone want to make this work, I'd welcome any patches. > Hi Matthias and Simon, I tried without: gnutls_certificate_free_credentials (gnutls_xcred); gnutls_global_deinit(); same result.. My goal is to be able to launch new version of IRC client, without disconnecting from IRC server, so use same socket and gnutls environment. Today I forbid any upgrade when gnutls is used, since it seems not possible to do such re-connection by resuming gnutls data. If this is possible in the future, feel free to tell me. Thank you. -- Cordialement / Best regards Sebastien. Web: http://www.flashtux.org - email: flashcode at flashtux.org IRC: FlashCode at irc.freenode.net - Jabber: flashcode at jabber.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature URL: From smurf at smurf.noris.de Mon Dec 12 04:40:45 2005 From: smurf at smurf.noris.de (Matthias Urlichs) Date: Mon, 12 Dec 2005 04:40:45 +0100 Subject: [Help-gnutls] Re: Restore gnutls session after execvp - possible? In-Reply-To: References: <20051211155841.GE1040@flashtux.org> <20051211205459.GB19879@kiste.smurf.noris.de> Message-ID: <20051212034045.GF19879@kiste.smurf.noris.de> Hi, Simon Josefsson: > Further, I'm not sure I understand _why_ this is done. Perhaps if you > describe why you want to execvpe and carry over the TLS-protected > socket to the new process, we can suggest better solutions. > One application of this idea, not related to execve()ing yourself, is to be able to pass the connection on to another process by way of a Unix socket and sendmsg(). That'd allow you to use one applicationto accept a connection, estabish SSL, and thn dispatch it to another, which helps with privilege separation. > >> > if (gnutls_handshake (server->gnutls_sess) < 0) > >> > printf ("handshake failed\n"); > >> > > > Does that call work when you use it *before* doing your > > save-execvp-restore dance? > > Most likely not. Thought so. The connection already is established (as far as the other side is concerned, anyway), the handshake has happened, so this call shouldn't be there. Just resume sending/receiving. (Assuming that the data structures are set up correctly, which they probably are not...) Fixing that shouldn't be *that* difficult, but I'd suggest writing a completely different API for this, which just marshals the full internal state of a connection into one area of memory / restores it from there. -- Matthias Urlichs | {M:U} IT Design @ m-u-it.de | smurf at smurf.noris.de Disclaimer: The quote was selected randomly. Really. | http://smurf.noris.de - - Her attitude to music was purely ballistic - just point your voice at the end of the verse and go for it. -- Terry Pratchett (Maskerade) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature URL: From jas at extundo.com Mon Dec 12 12:43:49 2005 From: jas at extundo.com (Simon Josefsson) Date: Mon, 12 Dec 2005 12:43:49 +0100 Subject: [Help-gnutls] Re: Restore gnutls session after execvp - possible? In-Reply-To: <20051212034045.GF19879@kiste.smurf.noris.de> (Matthias Urlichs's message of "Mon, 12 Dec 2005 04:40:45 +0100") References: <20051211155841.GE1040@flashtux.org> <20051211205459.GB19879@kiste.smurf.noris.de> <20051212034045.GF19879@kiste.smurf.noris.de> Message-ID: Matthias Urlichs writes: > Hi, > > Simon Josefsson: >> Further, I'm not sure I understand _why_ this is done. Perhaps if you >> describe why you want to execvpe and carry over the TLS-protected >> socket to the new process, we can suggest better solutions. >> > One application of this idea, not related to execve()ing yourself, is to > be able to pass the connection on to another process by way of a Unix > socket and sendmsg(). > > That'd allow you to use one applicationto accept a connection, estabish > SSL, and thn dispatch it to another, which helps with privilege > separation. Right. > The connection already is established (as far as the other side is > concerned, anyway), the handshake has happened, so this call shouldn't > be there. Just resume sending/receiving. (Assuming that the data > structures are set up correctly, which they probably are not...) > > Fixing that shouldn't be *that* difficult, but I'd suggest writing a > completely different API for this, which just marshals the full internal > state of a connection into one area of memory / restores it from there. I agree. The resumption data API may be a starting pointer, that should include most of the required internal state. Patches to implement this are very welcome. I have added the following to the TODO list: - Make it possible to extract the internal state of a session, to be able to execve a new process that take over the current living socket (using the fcntl close-on-exec flag) and continue the TLS session as well. Thanks, Simon From jas at extundo.com Wed Dec 14 14:37:02 2005 From: jas at extundo.com (Simon Josefsson) Date: Wed, 14 Dec 2005 14:37:02 +0100 Subject: [Help-gnutls] GnuTLS 1.2.8 with TLS Inner Application (TLS/IA) support Message-ID: We are pleased to present a customized version of GnuTLS 1.2.8 that adds an implementation of the TLS Inner Application (TLS/IA) protocol. The TLS/IA protocol was designed to be used in the EAP-TTLSv1 protocol, to perform user authentication of Wireless LAN network nodes using IEEE 802.1x. The TLS/IA and TTLSv1 protocols were published through the IETF and descriptions can be found at: http://josefsson.org/tlsia/draft-funk-tls-inner-application-extension-01.txt http://josefsson.org/tlsia/draft-ietf-pppext-eap-ttls-05.txt The goal is to merge this TLS/IA branch with the main development branch (1.3.x) and then to investigate how EAP-TTLSv1 can be implemented. We invite suggestions and comments on these matters. This work was done by Simon Josefsson Datakonsult in close co-operation with Emile van Bergen of E-advies, under commission for Lumiad. Lumiad is a Dutch based privately held company. Lumiad is specialized in wireless applications and wireless security solutions. Lumiad supports open source projects, from which large parts will be used in Lumiad products. Lumiad was happy to sponsor this specific TLS/IA module. We see this module as a first step for the correct implementation of the EAP-TTLSV1 standard in open source products. http://www.lumiad.nl/ E-advies is a privately held company based in the Netherlands that designs and develops software and solutions, and provides consultancy in telecommunications and storage. Its flagship product is OpenRADIUS, an industrial strength RADIUS server that offers complete freedom in policy definition, and is available under the GNU General Public License. Simon Josefsson Datakonsult, a Stockholm based privately held company that specialize in development and standardization of security and internationalization technologies, is currently funding GnuTLS maintenance. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. GnuTLS is a modern C library that implement the standard network security protocol Transport Layer Security (TLS), for use by network applications. The NEWS entries for this release are: - GnuTLS now support TLS Inner application (TLS/IA) as per draft-funk-tls-inner-application-extension-01. This functionality is added to libgnutls-extra, so it is licensed under the GPL. - API and ABI modifications: gnutls_ia_handshake: New function, to perform TLS/IA handshake. gnutls_ia_handshake_p: New function, a predicate to decide whether to TLS/IA handshake. gnutls_ia_free_client_credentials, gnutls_ia_allocate_client_credentials, gnutls_ia_free_server_credentials, gnutls_ia_allocate_server_credentials: New functions to allocate a TLS/IA credential. gnutls_ia_set_client_avp_function, gnutls_ia_set_server_avp_function, gnutls_ia_set_client_avp_ptr, gnutls_ia_get_client_avp_ptr, gnutls_ia_set_server_avp_ptr, gnutls_ia_get_server_avp_ptr: New functions to handle the AVP callback. gnutls_ia_require_inner_phase: New functions, to toggle TLS/IA application phases. gnutls_ia_permute_inner_secret: New function to mix session keys with inner secret. gnutls_ia_endphase_send, gnutls_ia_send, gnutls_ia_recv: Low-level API. gnutls_ia_generate_challenge, gnutls_ia_extract_inner_secret: New functions that can be used after successful TLS/IA negotiation. gnutls_ia_mode_t: Enum type with TLS/IA modes. gnutls_ia_apptype_t: Enum type with TLS/IA packet types. GNUTLS_A_INNER_APPLICATION_FAILURE, GNUTLS_A_INNER_APPLICATION_VERIFICATION: Enum values for TLS/IA alerts. GNUTLS_E_WARNING_IA_IPHF_RECEIVED, GNUTLS_E_WARNING_IA_FPHF_RECEIVED: New error codes, to signal when an application phase has finished. GNUTLS_E_IA_VERIFY_FAILED: New error code to signal TLS/IA verify failure. If you need help to use GnuTLS, or want to help others, you are invited to join our help-gnutls mailing list, see: . The project page of the library is available at: http://josefsson.org/gnutls/ Here are the compressed sources: http://josefsson.org/gnutls/releases/tlsia/gnutls-1.2.8+ia.1.tar.bz2 (2.5MB) Here are GPG detached signatures signed using key 0xB565716F: http://josefsson.org/gnutls/releases/tlsia/gnutls-1.2.8+ia.1.tar.bz2.sig The software is cryptographically signed by the author using an OpenPGP key identified by the following information: 1280R/B565716F 2002-05-05 [expires: 2006-02-28] Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F The key is available from: http://josefsson.org/key.txt dns:b565716f.josefsson.org?TYPE=CERT Here are the SHA-1 checksums: 4296d3bcdd32f11df9b3ea16f1811f4bc6569fd9 gnutls-1.2.8+ia.1.tar.bz2 da6445dfb716adbbcb696a205f0361c0add2a9e1 gnutls-1.2.8+ia.1.tar.bz2.sig Enjoy, Simon From jas at extundo.com Thu Dec 15 14:18:37 2005 From: jas at extundo.com (Simon Josefsson) Date: Thu, 15 Dec 2005 14:18:37 +0100 Subject: [Help-gnutls] Experimental: GnuTLS 1.3.2 Message-ID: We are pleased to announce the availability of GnuTLS version 1.3.2, another release on the experimental 1.3.x branch. The goal of 1.3.x will be to merge work currently done on CVS branches, for TLS Pre-Shared-Keys and TLS Inner Application (TLS/IA). Other planned improvements in 1.3.x are system-independent resume data structures, modularization of the bignum operations, and TLS OpenPGP improvements. With this release, the TLS-PSK, TLS/IA and system-independent resume data goals have been met. Currently, http://www.gnutls.org/ and ftp://ftp.gnutls.org/ appear to be down. The web pages on http://www.gnu.org/software/gnutls/ are no longer updated automatically, presumably due to Savannah's recent CVS changes. This means http://josefsson.org/gnutls/ is the only distribution point right now. I'm considering using ftp.gnu.org as the canonical distribution point in the future. GnuTLS is a modern C library that implement the standard network security protocol Transport Layer Security (TLS), for use by network applications. Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. If you need help to use GnuTLS, or want to help others, you are invited to join our help-gnutls mailing list, see: . The project page of the library is available at: http://josefsson.org/gnutls/ (updated fastest) http://www.gnu.org/software/gnutls/ Here are the compressed sources: http://josefsson.org/gnutls/releases/gnutls-1.3.2.tar.gz (3.1MB) Here are GPG detached signatures signed using key 0xB565716F: http://josefsson.org/gnutls/releases/gnutls-1.3.2.tar.bz2.sig The software is cryptographically signed by the author using an OpenPGP key identified by the following information: 1280R/B565716F 2002-05-05 [expires: 2006-02-28] Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F The key is available from: http://josefsson.org/key.txt dns:b565716f.josefsson.org?TYPE=CERT Here are the build reports for various platforms: http://josefsson.org/autobuild-logs/gnutls.html Here are the SHA-1 checksums: f0bc87bb29591b710d63699896cb26f539a47e6b gnutls-1.3.2.tar.bz2 2f7293627dd39968d7341b793c4bf252ac366379 gnutls-1.3.2.tar.bz2.sig Enjoy, Nikos and Simon Noteworthy changes since version 1.3.1: ** GnuTLS now support TLS Inner application (TLS/IA). This is per draft-funk-tls-inner-application-extension-01. This functionality is added to libgnutls-extra, so it is licensed under the GNU General Public License. ** New APIs to access the TLS Pseudo-Random-Function (PRF). The PRF is used by some protocols building on TLS, such as EAP-PEAP and EAP-TTLS. One function to access the raw PRF and one to access the PRF seeded with the client/server random fields are provided. Suggested by Jouni Malinen . ** New APIs to acceess the client and server random fields in a session. These fields can be useful by protocols using TLS. Note that these fields are typically used as input to the TLS PRF, and if this is your intended use, you should use the TLS PRF API that use the client/server random field directly. Suggested by Jouni Malinen . ** Internal type cleanups. The uint8, uint16, uint32 types have been replaced by uint8_t, uint16_t, uint32_t. Gnulib is used to guarantee the presence of correct types on platforms that lack them. The uint type have been replaced by unsigned. ** API and ABI modifications: New functions to invoke the TLS Pseudo-Random-Function (PRF): gnutls_prf gnutls_prf_raw New functions to retrieve the session's client and server random values: gnutls_session_get_server_random gnutls_session_get_client_random New function, to perform TLS/IA handshake: gnutls_ia_handshake New function to decide whether to do a TLS/IA handshake: gnutls_ia_handshake_p New functions to allocate a TLS/IA credential: gnutls_ia_allocate_client_credentials gnutls_ia_free_client_credentials gnutls_ia_allocate_server_credentials gnutls_ia_free_server_credentials New functions to handle the AVP callback: gnutls_ia_set_client_avp_function gnutls_ia_set_client_avp_ptr gnutls_ia_get_client_avp_ptr gnutls_ia_set_server_avp_function gnutls_ia_set_server_avp_ptr gnutls_ia_get_server_avp_ptr New functions, to toggle TLS/IA application phases: gnutls_ia_require_inner_phase New function to mix session keys with inner secret: gnutls_ia_permute_inner_secret Low-level API (used internally by gnutls_ia_handshake): gnutls_ia_endphase_send gnutls_ia_send gnutls_ia_recv New functions that can be used after successful TLS/IA negotiation: gnutls_ia_generate_challenge gnutls_ia_extract_inner_secret Enum type with TLS/IA modes: gnutls_ia_mode_t Enum type with TLS/IA packet types: gnutls_ia_apptype_t Enum values for TLS/IA alerts: GNUTLS_A_INNER_APPLICATION_FAILURE GNUTLS_A_INNER_APPLICATION_VERIFICATION New error codes, to signal when an application phase has finished: GNUTLS_E_WARNING_IA_IPHF_RECEIVED GNUTLS_E_WARNING_IA_FPHF_RECEIVED New error code to signal TLS/IA verify failure: GNUTLS_E_IA_VERIFY_FAILED -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 423 bytes Desc: not available URL: From zero_effect at mail.bg Thu Dec 29 21:56:18 2005 From: zero_effect at mail.bg (zero_effect at mail.bg) Date: Thu, 29 Dec 2005 22:56:18 +0200 Subject: [Help-gnutls] Compiling and linking problems Message-ID: <1135889778.0a30f60c9830e@www.mail.bg> So I have written my first application with GnuTLS, but when I decided to compile it, there appears some errors that I can't correct. The application is closely based on the SRP client example and is written in C++. When I use the GnuTLS 1.3.x branch the compiler gives me the following error: > # g++ -o client client.cxx > In file included from common.h:4 > from client.cxx:32 > /usr/include/gnutls/extra.h:95: error: expected `,' or `...' before "new" It doesn't appear when I make my application C compatible and compile it with gcc C compiler. Maybe the cause of the error is that in C++ there is a operator named "new", but in the header file "new" is used as a pointer. The second error appears while the linking (no matter which version I use - 1.2.x or 1.3.x): > # gcc -o client client.cxx `libgnutls-config --libs --cflags` > /tmp/ccWTsMl2.o(.text+0x12f): In function `main': > : undefined reference to `gnutls_global_init_extra' > collect2: ld return 1 exit status My compiler is GCC 3.4.3 and the linker is Binutils 2.15.90. The distribution is made from scratch by me. Any ideas or suggestions on how I can fix these errors? ----------------------------- ????? DVD ? ????.??: ? Star Wars ?????? III: ??????????? ?? ?????? ? ??????? ??????? ? ??????? ??????? http://www.slon.bg From agl at imperialviolet.org Thu Dec 29 22:59:31 2005 From: agl at imperialviolet.org (Adam Langley) Date: Thu, 29 Dec 2005 13:59:31 -0800 Subject: [Help-gnutls] Compiling and linking problems In-Reply-To: <1135889778.0a30f60c9830e@www.mail.bg> References: <1135889778.0a30f60c9830e@www.mail.bg> Message-ID: <396556a20512291359y5d3a0ccbi9fcdb8a806f3bd8@mail.gmail.com> On 12/29/05, zero_effect at mail.bg wrote: > So I have written my first application with GnuTLS, but when > I decided to compile it, there appears some errors that I > can't correct. The application is closely based on the SRP > client example and is written in C++. You should wrap you #includes like: extern "C" { #include } I can't test it out right now, but it should solve your linking error at least. AGL -- Adam Langley agl at imperialviolet.org http://www.imperialviolet.org 650-283-9641 From zero_effect at mail.bg Fri Dec 30 10:24:01 2005 From: zero_effect at mail.bg (zero_effect at mail.bg) Date: Fri, 30 Dec 2005 11:24:01 +0200 Subject: [Help-gnutls] Compiling and linking problems In-Reply-To: <396556a20512291359y5d3a0ccbi9fcdb8a806f3bd8@mail.gmail.com> References: <1135889778.0a30f60c9830e@www.mail.bg> <396556a20512291359y5d3a0ccbi9fcdb8a806f3bd8@mail.gmail.com> Message-ID: <1135934641.8a897c9c9091f@www.mail.bg> ????? ?? ????? ?? Adam Langley : > You should wrap you #includes like: > > extern "C" { > #include > } It doesn't solve any of these errors. It doesn't work when I try it with 1.3.2, nor with 1.2.8. No matter which language I use it doesn't link. ZE ----------------------------- ????? ????? ? ????.??: ? ???? ????? ? ?????????????? ?????, ??????? ? ?????????? ?? ????? ?? ?????, ??????? ? ????, ???? ?????? http://www.slon.bg From jas at extundo.com Fri Dec 30 19:46:40 2005 From: jas at extundo.com (Simon Josefsson) Date: Fri, 30 Dec 2005 19:46:40 +0100 Subject: [Help-gnutls] Re: Compiling and linking problems In-Reply-To: <1135889778.0a30f60c9830e@www.mail.bg> (zero effect's message of "Thu, 29 Dec 2005 22:56:18 +0200") References: <1135889778.0a30f60c9830e@www.mail.bg> Message-ID: zero_effect at mail.bg writes: > So I have written my first application with GnuTLS, but when > I decided to compile it, there appears some errors that I > can't correct. The application is closely based on the SRP > client example and is written in C++. > > When I use the GnuTLS 1.3.x branch the compiler gives me the > following error: >> # g++ -o client client.cxx >> In file included from common.h:4 >> from client.cxx:32 >> /usr/include/gnutls/extra.h:95: error: expected `,' or > `...' before "new" > It doesn't appear when I make my application C compatible > and compile it with gcc C compiler. Maybe the cause of the > error is that in C++ there is a operator named "new", but > in the header file "new" is used as a pointer. Are you sure your code doesn't contain syntactic bugs? Hm. Perhaps C++ doesn't like variables called 'new'? It is used in this prototype: typedef int (*gnutls_ia_avp_func) (gnutls_session_t session, void *ptr, const char *last, size_t lastlen, char **new, size_t * newlen); Try renaming 'new' to 'next' and see if it builds. If it works, I'll change it. > The second error appears while the linking (no matter which > version I use - 1.2.x or 1.3.x): >> # gcc -o client client.cxx `libgnutls-config --libs > --cflags` >> /tmp/ccWTsMl2.o(.text+0x12f): In function `main': >> : undefined reference to `gnutls_global_init_extra' >> collect2: ld return 1 exit status If you are using libgnutls-extra, you should use `libgnutls-extra-config --libs --cflags' instead. From zero_effect at mail.bg Fri Dec 30 22:23:48 2005 From: zero_effect at mail.bg (zero_effect at mail.bg) Date: Fri, 30 Dec 2005 23:23:48 +0200 Subject: [Help-gnutls] Re: Compiling and linking problems In-Reply-To: References: <1135889778.0a30f60c9830e@www.mail.bg> Message-ID: <1135977828.d03be9d6efa19@www.mail.bg> > zero_effect at mail.bg writes: > > > So I have written my first application with GnuTLS, but > when > > I decided to compile it, there appears some errors that > I > > can't correct. The application is closely based on the > SRP > > client example and is written in C++. > > > > When I use the GnuTLS 1.3.x branch the compiler gives > me the > > following error: > >> # g++ -o client client.cxx > >> In file included from common.h:4 > >> from client.cxx:32 > >> /usr/include/gnutls/extra.h:95: error: expected `,' or > > `...' before "new" > > It doesn't appear when I make my application C > compatible > > and compile it with gcc C compiler. Maybe the cause of > the > > error is that in C++ there is a operator named "new", > but > > in the header file "new" is used as a pointer. > > Are you sure your code doesn't contain syntactic bugs? > > Hm. Perhaps C++ doesn't like variables called 'new'? It > is used in > this prototype: > > typedef int (*gnutls_ia_avp_func) (gnutls_session_t > session, void *ptr, > const char *last, size_t lastlen, > char **new, size_t * newlen); > > Try renaming 'new' to 'next' and see if it builds. If it > works, I'll > change it. > > > The second error appears while the linking (no matter > which > > version I use - 1.2.x or 1.3.x): > >> # gcc -o client client.cxx `libgnutls-config --libs > > --cflags` > >> /tmp/ccWTsMl2.o(.text+0x12f): In function `main': > >> : undefined reference to `gnutls_global_init_extra' > >> collect2: ld return 1 exit status > > If you are using libgnutls-extra, you should use > `libgnutls-extra-config --libs --cflags' instead. > > Well, the both suggestions really work for me. Thanks a lot. ----------------------------- ????? DVD ? ????.??: ? Star Wars ?????? III: ??????????? ?? ?????? ? ??????? ??????? ? ??????? ??????? http://www.slon.bg