From paul at darkrain42.org Thu Apr 1 04:53:23 2010
From: paul at darkrain42.org (Paul Aurich)
Date: Wed, 31 Mar 2010 19:53:23 -0700
Subject: doc bug for gnutls_priority_init
Message-ID: <4BB40AA3.3050604@darkrain42.org>

The documentation for gnutls_priority_init reads, in part:

    The priorities option allows you to specify a semi-colon
    separated list of the cipher priorities to enable.

However, the examples (and source code) all show *colon*-separated strings.

I'm trying to use an environment variable that would let users override
priorities on a per-host basis, so I'd like to do something like the following:

    host1=priority1;host2=priority2;...

Is this safe to do (i.e. is the documentation in error) or am I missing
something/would this possibly break in the future?

Thanks,
~Paul

From paul at darkrain42.org Thu Apr 1 06:31:33 2010
From: paul at darkrain42.org (Paul Aurich)
Date: Wed, 31 Mar 2010 21:31:33 -0700
Subject: doc bug for gnutls_priority_init
In-Reply-To: <4BB40AA3.3050604@darkrain42.org>
References: <4BB40AA3.3050604@darkrain42.org>
Message-ID: <4BB421A5.6030809@darkrain42.org>

And Paul Aurich spoke on 03/31/2010 07:53 PM, saying:
> The documentation for gnutls_priority_init reads, in part:
>
>     The priorities option allows you to specify a semi-colon
>     separated list of the cipher priorities to enable.
>
> However, the examples (and source code) all show *colon*-separated strings.
> I'm trying to use an environment variable that would let users override
> priorities on a per-host basis, so I'd like to do something like the following:

On a slightly related note (in that it has to do with the same function),
it looks like gnutls_priority_init() doesn't free+NULL the
gnutls_priority_t on error, where various other init functions do
(gnutls_init, gnutls_pkcs12_init, gnutls_x509_crl_init, and maybe more).

Should it do so, or should it be noted in the documentation that callers
must call gnutls_priority_deinit on errors (which I'm going to do in this
code to avoid leaks, but would ideally eventually become a nop)?

Thanks,
~Paul

From nmav at gnutls.org Fri Apr 2 11:01:52 2010
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 02 Apr 2010 11:01:52 +0200
Subject: doc bug for gnutls_priority_init
In-Reply-To: <4BB421A5.6030809@darkrain42.org>
References: <4BB40AA3.3050604@darkrain42.org> <4BB421A5.6030809@darkrain42.org>
Message-ID: <4BB5B280.3080803@gnutls.org>

Paul Aurich wrote:
> And Paul Aurich spoke on 03/31/2010 07:53 PM, saying:
>> The documentation for gnutls_priority_init reads, in part:
>>
>>     The priorities option allows you to specify a semi-colon
>>     separated list of the cipher priorities to enable.
>>
>> However, the examples (and source code) all show *colon*-separated strings.
>> I'm trying to use an environment variable that would let users override
>> priorities on a per-host basis, so I'd like to do something like the following:
>
> On a slightly related note (in that it has to do with the same function),
> it looks like gnutls_priority_init() doesn't free+NULL the
> gnutls_priority_t on error, where various other init functions do
> (gnutls_init, gnutls_pkcs12_init, gnutls_x509_crl_init, and maybe more).
>
> Should it do so, or should it be noted in the documentation that callers
> must call gnutls_priority_deinit on errors (which I'm going to do in this
> code to avoid leaks, but would ideally eventually become a nop)?

You are correct on both cases. I've committed a fix. Indeed a colon is
required to separate the fields.

regards,
Nikos

From nmav at gnutls.org Thu Apr 8 09:49:48 2010
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 8 Apr 2010 09:49:48 +0200
Subject: branch master?
Message-ID:

Hi,
Is there something else planned to be added for the next release? If not
we could just branch it to allow for additions that are not planned for
this release...

regards,
Nikos

From nmav at gnutls.org Tue Apr 13 19:59:19 2010
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 13 Apr 2010 18:59:19 +0100
Subject: cryptodev with gnutls
In-Reply-To:
References:
Message-ID:

Hello,
If you use gnutls in embedded processors with a crypto device for
off-loading operations that is supported by the linux kernel (freescale,
via etc), then please try gnutls 2.9.x with the cryptodev kernel module
found at http://home.gna.org/cryptodev-linux/. You might need to specify
the --enable-cryptodev configure option. Once run gnutls will utilize the
crypto processor for symmetric crypto operations. To check on the
improvement use the src/benchmark utility. In a freescale 8313 board with
talitos the improvement on AES-128-CBC was from 70 to 100 times faster
than the software implementation (not to mention that CPU was idle during
the calculation time).

regards,
Nikos

From simon at josefsson.org Tue Apr 13 20:17:08 2010
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 13 Apr 2010 20:17:08 +0200
Subject: branch master?
In-Reply-To: (Nikos Mavrogiannopoulos's message of "Thu, 8 Apr 2010 09:49:48 +0200")
References:
Message-ID: <87sk6z8bff.fsf@mocca.josefsson.org>

Nikos Mavrogiannopoulos writes:

> Hi,
> Is there something else planned to be added for the next release?

Nope!  We really should release soon.

> If not we could just branch it to allow for additions that are not
> planned for this release...

I'd like to get master in a buildable state and release 2.9.10 as a
release candidate for 2.10.x before branching.  There is some stuff that
needs cleaning up before a release (e.g., code indentation, fix
cross-platform issues), and forward-porting those changes to the next
devel branch will be quite tedious...

/Simon

From simon at josefsson.org Tue Apr 13 20:19:22 2010
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 13 Apr 2010 20:19:22 +0200
Subject: Missing ‘strverscmp’ Gnulib module
In-Reply-To: <87ljd9k2a1.fsf@mocca.josefsson.org> (Simon Josefsson's message of "Tue, 30 Mar 2010 22:00:54 +0200")
References: <87tyrxygzr.fsf@gnu.org> <87aatpn7ey.fsf@mocca.josefsson.org> <87r5n1wyiu.fsf@gnu.org> <87ljd9k2a1.fsf@mocca.josefsson.org>
Message-ID: <87ochn8bbp.fsf@mocca.josefsson.org>

Simon Josefsson writes:

> ludo at gnu.org (Ludovic Courtès) writes:
>
>> Hi Simon,
>>
>> Simon Josefsson writes:
>>
>>> ludo at gnu.org (Ludovic Courtès) writes:
>>
>>>> (You should really have a ‘bug-libtasn1’ mailing list. :-))
>>>
>>> It is called gnutls-devel at gnu.org. ;) Maybe a bug-libtasn1 (or
>>> help-libtasn1) list should be started, although there is some cost to
>>> maintain yet another mailing list for me... let's see how heavy the
>>> libtasn1-specific traffic will be on gnutls-devel first.
>>
>> Or you could ask for an alias bug-libtasn1 at gnu.org ->
>> gnutls-devel at gnu.org, for the sake of consistency with other GNU
>> projects mailing list names.
>
> Done, let's see if it works...
I've set up help-libtasn1 at gnu.org now, which will be used in the
announcement message for upcoming libtasn1 2.6.

/Simon

From simon at josefsson.org Wed Apr 14 15:34:15 2010
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 14 Apr 2010 15:34:15 +0200
Subject: branch master?
In-Reply-To: <87sk6z8bff.fsf@mocca.josefsson.org> (Simon Josefsson's message of "Tue, 13 Apr 2010 20:17:08 +0200")
References: <87sk6z8bff.fsf@mocca.josefsson.org>
Message-ID: <87sk6yyx7s.fsf@mocca.josefsson.org>

Simon Josefsson writes:

> I'd like to get master in a buildable state and release 2.9.10 as a
> release candidate for 2.10.x before branching.  There is some stuff that
> needs cleaning up before a release (e.g., code indentation, fix
> cross-platform issues), and forward-porting those changes to the next
> devel branch will be quite tedious...

I've pushed several fixes to master now, so we are getting closer...

One of the things I want to clean up was the use of 'int' to specify
data lengths in _some_ of the new crypto APIs:

  int gnutls_cipher_encrypt (const gnutls_cipher_hd_t handle,
                             void *text, int textlen);

Some of the new APIs use size_t instead:

  int gnutls_hmac (gnutls_hmac_hd_t handle, const void *text, size_t textlen);

I believe all of them should use 'size_t' -- it is the proper type to
use for data lengths in C.  Nikos, what do you think?  I'd appreciate if
you could fix this, but I'll get to it eventually.

/Simon

From simon at josefsson.org Wed Apr 14 15:45:35 2010
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 14 Apr 2010 15:45:35 +0200
Subject: branch master?
In-Reply-To: <87sk6yyx7s.fsf@mocca.josefsson.org> (Simon Josefsson's message of "Wed, 14 Apr 2010 15:34:15 +0200")
References: <87sk6z8bff.fsf@mocca.josefsson.org> <87sk6yyx7s.fsf@mocca.josefsson.org>
Message-ID: <87iq7uywow.fsf@mocca.josefsson.org>

Another thing, running most of the self tests (including the easy to
debug mini.c) results in a valgrind warning -- I suspect this was
introduced with the new crypto code (the warning is in the MPI parts),
could you take a look?

Also, I have disabled the safe-renegotiation test because it doesn't
appear portable, it breaks with MinGW+Wine.  Still haven't tested the
more exotic platforms like Solaris..

/Simon

From nmav at gnutls.org Wed Apr 14 17:24:22 2010
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 14 Apr 2010 17:24:22 +0200
Subject: branch master?
In-Reply-To: <87sk6yyx7s.fsf@mocca.josefsson.org>
References: <87sk6z8bff.fsf@mocca.josefsson.org> <87sk6yyx7s.fsf@mocca.josefsson.org>
Message-ID: <4BC5DE26.2060209@gnutls.org>

Simon Josefsson wrote:
> I believe all of them should use 'size_t' -- it is the proper type to
> use for data lengths in C.  Nikos, what do you think?  I'd appreciate if
> you could fix this, but I'll get to it eventually.

I'll check it as soon.

From nmav at gnutls.org Wed Apr 14 17:27:39 2010
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 14 Apr 2010 17:27:39 +0200
Subject: branch master?
In-Reply-To: <87iq7uywow.fsf@mocca.josefsson.org>
References: <87sk6z8bff.fsf@mocca.josefsson.org> <87sk6yyx7s.fsf@mocca.josefsson.org> <87iq7uywow.fsf@mocca.josefsson.org>
Message-ID: <4BC5DEEB.8070006@gnutls.org>

Simon Josefsson wrote:
> Another thing, running most of the self tests (including the easy to
> debug mini.c) results in a valgrind warning -- I suspect this was
> introduced with the new crypto code (the warning is in the MPI parts),
> could you take a look?

I don't see any warnings. Could you send me the warnings you see?
It could be some 64/32 bit issue.
> Also, I have disabled the safe-renegotiation test because it doesn't
> appear portable, it breaks with MinGW+Wine.  Still haven't tested the
> more exotic platforms like Solaris..

What is non-portable about it? It is the same as
openpgp-certs/testcerts.

From simon at josefsson.org Thu Apr 15 11:18:37 2010
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 15 Apr 2010 11:18:37 +0200
Subject: branch master?
In-Reply-To: <4BC5DEEB.8070006@gnutls.org> (Nikos Mavrogiannopoulos's message of "Wed, 14 Apr 2010 17:27:39 +0200")
References: <87sk6z8bff.fsf@mocca.josefsson.org> <87sk6yyx7s.fsf@mocca.josefsson.org> <87iq7uywow.fsf@mocca.josefsson.org> <4BC5DEEB.8070006@gnutls.org>
Message-ID: <87pr21m5ua.fsf@mocca.josefsson.org>

Nikos Mavrogiannopoulos writes:

> Simon Josefsson wrote:
>> Another thing, running most of the self tests (including the easy to
>> debug mini.c) results in a valgrind warning -- I suspect this was
>> introduced with the new crypto code (the warning is in the MPI parts),
>> could you take a look?
>
> I don't see any warnings. Could you send me the warnings you see?
> It could be some 64/32 bit issue.

My system is 32bit.
Here is the error:

==19676== Conditional jump or move depends on uninitialised value(s)
==19676==    at 0x413E329: _gcry_mpi_print (mpicoder.c:584)
==19676==    by 0x40F1268: gcry_mpi_print (visibility.c:308)
==19676==    by 0x4066628: wrap_gcry_mpi_print (mpi-libgcrypt.c:77)
==19676==    by 0x4063249: _gnutls_dh_common_print_server_kx (auth_dh_common.c:327)
==19676==    by 0x404C142: gen_anon_server_kx (auth_anon.c:104)
==19676==    by 0x4046D87: _gnutls_send_server_kx_message (gnutls_kx.c:207)
==19676==    by 0x40436EF: _gnutls_handshake_server (gnutls_handshake.c:3022)
==19676==    by 0x4043E19: gnutls_handshake (gnutls_handshake.c:2698)
==19676==    by 0x80491AB: doit (mini.c:204)
==19676==    by 0x80498AC: main (utils.c:149)
==19676==
==19676== Conditional jump or move depends on uninitialised value(s)
==19676==    at 0x413E329: _gcry_mpi_print (mpicoder.c:584)
==19676==    by 0x40F1268: gcry_mpi_print (visibility.c:308)
==19676==    by 0x4066628: wrap_gcry_mpi_print (mpi-libgcrypt.c:77)
==19676==    by 0x406326C: _gnutls_dh_common_print_server_kx (auth_dh_common.c:328)
==19676==    by 0x404C142: gen_anon_server_kx (auth_anon.c:104)
==19676==    by 0x4046D87: _gnutls_send_server_kx_message (gnutls_kx.c:207)
==19676==    by 0x40436EF: _gnutls_handshake_server (gnutls_handshake.c:3022)
==19676==    by 0x4043E19: gnutls_handshake (gnutls_handshake.c:2698)
==19676==    by 0x80491AB: doit (mini.c:204)
==19676==    by 0x80498AC: main (utils.c:149)
==19676==
==19676== Conditional jump or move depends on uninitialised value(s)
==19676==    at 0x413E329: _gcry_mpi_print (mpicoder.c:584)
==19676==    by 0x40F1268: gcry_mpi_print (visibility.c:308)
==19676==    by 0x4066628: wrap_gcry_mpi_print (mpi-libgcrypt.c:77)
==19676==    by 0x406328F: _gnutls_dh_common_print_server_kx (auth_dh_common.c:329)
==19676==    by 0x404C142: gen_anon_server_kx (auth_anon.c:104)
==19676==    by 0x4046D87: _gnutls_send_server_kx_message (gnutls_kx.c:207)
==19676==    by 0x40436EF: _gnutls_handshake_server (gnutls_handshake.c:3022)
==19676==    by 0x4043E19: gnutls_handshake (gnutls_handshake.c:2698)
==19676==    by 0x80491AB: doit (mini.c:204)
==19676==    by 0x80498AC: main (utils.c:149)
==19676==
==19676== Conditional jump or move depends on uninitialised value(s)
==19676==    at 0x413E329: _gcry_mpi_print (mpicoder.c:584)
==19676==    by 0x40F1268: gcry_mpi_print (visibility.c:308)
==19676==    by 0x4066628: wrap_gcry_mpi_print (mpi-libgcrypt.c:77)
==19676==    by 0x40638E6: _gnutls_gen_dh_common_client_kx (auth_dh_common.c:143)
==19676==    by 0x4046B7F: _gnutls_send_client_kx_message (gnutls_kx.c:303)
==19676==    by 0x404307F: _gnutls_handshake_client (gnutls_handshake.c:2837)
==19676==    by 0x4043E97: gnutls_handshake (gnutls_handshake.c:2694)
==19676==    by 0x80491F0: doit (mini.c:195)
==19676==    by 0x80498AC: main (utils.c:149)
==19676==
Self test `./mini' finished with 0 errors
==19676== Invalid free() / delete / delete[]
==19676==    at 0x4024866: free (vg_replace_malloc.c:325)
==19676==    by 0x42725DB: ??? (in /lib/i686/cmov/libc-2.10.2.so)
==19676==    by 0x42720B9: ??? (in /lib/i686/cmov/libc-2.10.2.so)
==19676==    by 0x4020412: _vgnU_freeres (vg_preloaded.c:62)
==19676==    by 0x41FCA43: _Exit (_exit.S:30)
==19676==    by 0x41924DE: exit (exit.c:100)
==19676==    by 0x4179B5C: (below main) (libc-start.c:254)
==19676==  Address 0x415e580 is not stack'd, malloc'd or (recently) free'd
==19676==
PASS: mini

>> Also, I have disabled the safe-renegotiation test because it doesn't
>> appear portable, it breaks with MinGW+Wine.  Still haven't tested the
>> more exotic platforms like Solaris..
>
> What is non-portable about it? It is the same as
> openpgp-certs/testcerts.

That one is also not portable, it uses bash...  Would probably be
noticed when building on Solaris.  Maybe it can be rewritten using
standard /bin/sh constructs.

/Simon

From nmav at gnutls.org Thu Apr 15 18:32:54 2010
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 15 Apr 2010 18:32:54 +0200
Subject: branch master?
In-Reply-To: <87pr21m5ua.fsf@mocca.josefsson.org>
References: <87sk6z8bff.fsf@mocca.josefsson.org> <87sk6yyx7s.fsf@mocca.josefsson.org> <87iq7uywow.fsf@mocca.josefsson.org> <4BC5DEEB.8070006@gnutls.org> <87pr21m5ua.fsf@mocca.josefsson.org>
Message-ID: <4BC73FB6.3050001@gnutls.org>

Simon Josefsson wrote:
> Nikos Mavrogiannopoulos writes:
>
>> Simon Josefsson wrote:
>>> Another thing, running most of the self tests (including the easy to
>>> debug mini.c) results in a valgrind warning -- I suspect this was
>>> introduced with the new crypto code (the warning is in the MPI parts),
>>> could you take a look?
>> I don't see any warnings. Could you send me the warnings you see?
>> It could be some 64/32 bit issue.
>
> My system is 32bit.  Here is the error:

> ==19676== Conditional jump or move depends on uninitialised value(s)
> ==19676==    at 0x413E329: _gcry_mpi_print (mpicoder.c:584)
> ==19676==    by 0x40F1268: gcry_mpi_print (visibility.c:308)
> ==19676==    by 0x4066628: wrap_gcry_mpi_print (mpi-libgcrypt.c:77)
> ==19676==    by 0x4063249: _gnutls_dh_common_print_server_kx (auth_dh_common.c:327)
> ==19676==    by 0x404C142: gen_anon_server_kx (auth_anon.c:104)
> ==19676==    by 0x4046D87: _gnutls_send_server_kx_message (gnutls_kx.c:207)
> ==19676==    by 0x40436EF: _gnutls_handshake_server (gnutls_handshake.c:3022)
> ==19676==    by 0x4043E19: gnutls_handshake (gnutls_handshake.c:2698)
> ==19676==    by 0x80491AB: doit (mini.c:204)
> ==19676==    by 0x80498AC: main (utils.c:149)

This one is on libgcrypt and seems unrelated with any changes
I've done. Are you sure this wasn't before?

> That one is also not portable, it uses bash...  Would probably be
> noticed when building on Solaris.  Maybe it can be rewritten using
> standard /bin/sh constructs.

Depends on what their purpose is. Maybe we split release time
tests and tests that should be done on the downloader to avoid
spending so much time on test portability (and perform the needed
tests).
regards,
Nikos

From simon at josefsson.org Tue Apr 20 08:51:07 2010
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 20 Apr 2010 08:51:07 +0200
Subject: GNU Libtasn1 2.6
Message-ID: <87zl0yliqs.fsf@mocca.josefsson.org>

GNU Libtasn1 is a standalone library written in C for manipulating ASN.1
objects including DER/BER encoding/decoding.  GNU Libtasn1 is used by
GnuTLS to handle X.509 structures and by GNU Shishi to handle Kerberos V5
structures.

NOTE!  Future release announcements will not be cross-posted to
help-gnutls, gnutls-devel or help-shishi.  Please subscribe to info-gnu
or join our new mailing list help-libtasn1:

  http://lists.gnu.org/mailman/listinfo/info-gnu
  http://lists.gnu.org/mailman/listinfo/help-libtasn1

* Noteworthy changes in release 2.6 (2010-04-20) [stable]

- Fix build failure on platforms without support for GNU LD version scripts.
- libtasn1: Simplified implementation of asn1_check_version.
- tests: Improved self-checks.
- Update gnulib files, fix many syntax-check nits, indent code, fix
  license templates.

Homepage:
  http://www.gnu.org/software/libtasn1/

Here are the compressed sources (1.7MB):
  ftp://ftp.gnu.org/gnu/libtasn1/libtasn1-2.6.tar.gz
  http://ftp.gnu.org/gnu/libtasn1/libtasn1-2.6.tar.gz

Here are GPG detached signatures using key 0xB565716F:
  ftp://ftp.gnu.org/gnu/libtasn1/libtasn1-2.6.tar.gz.sig
  http://ftp.gnu.org/gnu/libtasn1/libtasn1-2.6.tar.gz.sig

A ZIP archive containing the Windows binaries (268KB):
  http://josefsson.org/gnutls4win/libtasn1-2.6.zip
  http://josefsson.org/gnutls4win/libtasn1-2.6.zip.sig

A Debian mingw32 package is also available (240KB):
  http://josefsson.org/gnutls4win/mingw32-libtasn1_2.6-1_all.deb

Commercial support contracts for Libtasn1 are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult AB, a
Stockholm based privately held company, is currently funding Libtasn1
maintenance.  We are always looking for interesting development projects.
See http://josefsson.org/ for more details.
If you need help to use Libtasn1, or want to help others, you are invited
to join the help-libtasn1 mailing list, see:
  http://lists.gnu.org/mailman/listinfo/help-libtasn1

All manuals are available from:
  http://www.gnu.org/software/libtasn1/manual/

Specifically, the following formats are available.

The main manual:
  HTML: http://www.gnu.org/software/libtasn1/manual/libtasn1.html
  PDF:  http://www.gnu.org/software/libtasn1/manual/libtasn1.pdf

API Reference manual:
  http://www.gnu.org/software/libtasn1/reference/ - GTK-DOC HTML

For developers interested in improving code quality, we publish
Cyclomatic code complexity charts that help you find code that may need
review and improvements:
  http://www.gnu.org/software/libtasn1/cyclo/

Also useful are code coverage charts which indicate parts of the source
code that needs to be tested better by the included self-tests:
  http://www.gnu.org/software/libtasn1/coverage/

The software is cryptographically signed by the author using an OpenPGP
key identified by the following information:

pub   1280R/B565716F 2002-05-05 [expires: 2011-03-30]
      Key fingerprint = 0424 D4EE 81A0 E3D1 19C6  F835 EDA2 1E94 B565 716F
uid                  Simon Josefsson
uid                  Simon Josefsson
sub   1280R/4D5D40AE 2002-05-05 [expires: 2011-03-30]

The key is available from:
  http://josefsson.org/key.txt
  dns:b565716f.josefsson.org?TYPE=CERT

Here are the SHA-1 and SHA-224 checksums:

dd02f3c8aaa0a1500d65c1e4ae690b76085f621e  libtasn1-2.6.tar.gz
ba6d50d1e7340f8d1ce07880381afd990ea700c6c4c1cacdba0c2ffd  libtasn1-2.6.tar.gz

a53c27e245c31be7bdf340dc7ec89cafb758c715  libtasn1-2.6.zip
ecbdb08988c28041b98a2373b43fda47cc459d4116719f96cf8f3e76  libtasn1-2.6.zip

db5400688eff7c36c3f0baa57f13afda842d665b  mingw32-libtasn1_2.6-1_all.deb
7a446b8404e715abb2ec1a24dbe38d3a54169537ad4172ddbf62afdb  mingw32-libtasn1_2.6-1_all.deb

Happy hacking,
Simon

From simon at josefsson.org Wed Apr 21 23:26:14 2010
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 21 Apr 2010 23:26:14 +0200
Subject: branch master?
In-Reply-To: <4BC73FB6.3050001@gnutls.org> (Nikos Mavrogiannopoulos's message of "Thu, 15 Apr 2010 18:32:54 +0200")
References: <87sk6z8bff.fsf@mocca.josefsson.org> <87sk6yyx7s.fsf@mocca.josefsson.org> <87iq7uywow.fsf@mocca.josefsson.org> <4BC5DEEB.8070006@gnutls.org> <87pr21m5ua.fsf@mocca.josefsson.org> <4BC73FB6.3050001@gnutls.org>
Message-ID: <878w8gzedl.fsf@mocca.josefsson.org>

Nikos Mavrogiannopoulos writes:

> Simon Josefsson wrote:
>> Nikos Mavrogiannopoulos writes:
>>
>>> Simon Josefsson wrote:
>>>> Another thing, running most of the self tests (including the easy to
>>>> debug mini.c) results in a valgrind warning -- I suspect this was
>>>> introduced with the new crypto code (the warning is in the MPI parts),
>>>> could you take a look?
>>> I don't see any warnings. Could you send me the warnings you see?
>>> It could be some 64/32 bit issue.
>>
>> My system is 32bit.  Here is the error:
>
>> ==19676== Conditional jump or move depends on uninitialised value(s)
>> ==19676==    at 0x413E329: _gcry_mpi_print (mpicoder.c:584)
>> ==19676==    by 0x40F1268: gcry_mpi_print (visibility.c:308)
>> ==19676==    by 0x4066628: wrap_gcry_mpi_print (mpi-libgcrypt.c:77)
>> ==19676==    by 0x4063249: _gnutls_dh_common_print_server_kx
> (auth_dh_common.c:327)
>> ==19676==    by 0x404C142: gen_anon_server_kx (auth_anon.c:104)
>> ==19676==    by 0x4046D87: _gnutls_send_server_kx_message
> (gnutls_kx.c:207)
>> ==19676==    by 0x40436EF: _gnutls_handshake_server
> (gnutls_handshake.c:3022)
>> ==19676==    by 0x4043E19: gnutls_handshake (gnutls_handshake.c:2698)
>> ==19676==    by 0x80491AB: doit (mini.c:204)
>> ==19676==    by 0x80498AC: main (utils.c:149)
>
> This one is on libgcrypt and seems unrelated with any changes
> I've done.
> Are you sure this wasn't before?

I tried 2.9.9 and 2.8.6 and it also generates that warning -- seems like
a recently introduced libgcrypt bug to me?

>> That one is also not portable, it uses bash...  Would probably be
>> noticed when building on Solaris.  Maybe it can be rewritten using
>> standard /bin/sh constructs.
>
> Depends on what their purpose is. Maybe we split release time
> tests and tests that should be done on the downloader to avoid
> spending so much time on test portability (and perform the needed
> tests).

That could work -- configure could test for the necessary functionality
that is required by these non-portable scripts, and only enable them when
the features are available.

/Simon

From simon at josefsson.org Thu Apr 22 00:58:43 2010
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 22 Apr 2010 00:58:43 +0200
Subject: GnuTLS 2.9.10 - first release candidate for 2.10.0
Message-ID: <87eii8xvj0.fsf@mocca.josefsson.org>

The GnuTLS 2.9.x branch is NOT what you want for your stable system.  It
is intended for developers and experienced users.

It has been several months since the last development release, far too
long...  I finally managed to build git master on my machine and
cross-compiled it to Windows so it seemed like a good time to make this
release.  We want to start the process of getting this development cycle
out into a stable 2.10.0 branch, so let's consider this the first release
candidate.  This release will likely be a bit rough considering the many
changes, but even more reason to start testing it!
Things on my radar before we can release 2.10.0:

- Write release notes, explaining the TLS renegotiation stuff
- Make sure self-tests pass on Solaris and Mac OS X too
- Check that TLS renegotiation behaviour is what we want it to be
- Do more code review (I've not had time to do this myself lately)
- Sanity check by installing it as the system GnuTLS on a GNU/Linux
  system and make sure normal things still appear to work

Here are the compressed sources (6.4MB):
  http://alpha.gnu.org/gnu/gnutls/gnutls-2.9.10.tar.bz2
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.9.10.tar.bz2

Here is the OpenPGP signature:
  http://alpha.gnu.org/gnu/gnutls/gnutls-2.9.10.tar.bz2.sig
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.9.10.tar.bz2.sig

Windows build:
  http://josefsson.org/gnutls4win/gnutls-2.9.10.exe
  http://josefsson.org/gnutls4win/gnutls-2.9.10.exe.sig
  http://josefsson.org/gnutls4win/gnutls-2.9.10.zip
  http://josefsson.org/gnutls4win/gnutls-2.9.10.zip.sig
  http://josefsson.org/gnutls4win/mingw32-gnutls_2.9.10-1_all.deb

Improving GnuTLS is costly, but you can help!  We are looking for
organizations that find GnuTLS useful and wish to contribute back.  You
can contribute by reporting bugs, improve the software, or donate money
or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult AB, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance.  We are always looking for interesting development projects.
See http://josefsson.org/ for more details.

/Simon

* Version 2.9.10 (released 2010-04-22)

** libgnutls: Time verification extended to trusted certificate list.
Unless new constant GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS flag is
specified.

** certtool: Display postalCode and Name X.509 DN attributes correctly.
Based on patch by Pavan Konjarla.  Adds new constant
GNUTLS_OID_X520_POSTALCODE and GNUTLS_OID_X520_NAME.
** libgnutls: Added Steve Dispensa's patch for safe renegotiation (RFC 5746)
Solves the issue discussed in: and .
Note that to allow connecting to unpatched servers the full protection is
only enabled if the priority string %SAFE_RENEGOTIATION is specified.  You
can check whether protection is in place by querying
gnutls_safe_renegotiation_status().  New error codes
GNUTLS_E_SAFE_RENEGOTIATION_FAILED and GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED
added.

** libgnutls: When checking openpgp self signature also check the signatures
** of all subkeys.
Ilari Liusvaara noticed and reported the issue and provided test vectors
as well.

** libgnutls: Added cryptodev support (/dev/crypto).
Tested with http://www.logix.cz/michal/devel/cryptodev/.  Added benchmark
utility for AES.  Adds new error codes GNUTLS_E_CRYPTODEV_IOCTL_ERROR and
GNUTLS_E_CRYPTODEV_DEVICE_ERROR.

** libgnutls: Exported API to access encryption and hash algorithms.
The new API functions are gnutls_cipher_decrypt, gnutls_cipher_deinit,
gnutls_cipher_encrypt, gnutls_cipher_get_block_size, gnutls_cipher_init,
gnutls_hash, gnutls_hash_deinit, gnutls_hash_fast, gnutls_hash_get_len,
gnutls_hash_init, gnutls_hash_output, gnutls_hmac, gnutls_hmac_deinit,
gnutls_hmac_fast, gnutls_hmac_get_len, gnutls_hmac_init,
gnutls_hmac_output.  New API constants are GNUTLS_MAC_SHA224 and
GNUTLS_DIG_SHA224.

** libgnutls: Added gnutls_certificate_set_verify_function() to allow
verification of certificate upon receipt rather than waiting until the end
of the handshake.

** libgnutls: Don't send alerts during handshake.  Instead new error code
GNUTLS_E_UNKNOWN_SRP_USERNAME is added.

** certtool: Corrected two issues that affected certificate request
generation.  (1) Null padding is added on integers (found thanks to
Wilankar Trupti), (2) In optional SignatureAlgorithm parameters field for
DSA keys the DSA parameters were added.  Those were rejected by Verisign.
Gnutls no longer adds those parameters there since other implementations
don't do either and having them does not seem to offer anything (anyway
you need the signer's certificate to verify thus public key will be
available).  Found thanks to Boyan Kasarov.  This however has the
side-effect that public key IDs shown by certtool are now different than
previous gnutls releases.  (3) the option --pgp-certificate-info will
verify self signatures

** certtool: Allow exporting of Certificate requests on DER format.

** certtool: New option --no-crq-extensions to avoid extensions in CSRs.

** gnutls-cli: Handle reading binary data from server.
Reported by and tiny patch from Vitaly Mayatskikh in .

** minitasn1: Upgraded to libtasn1 version 2.6.

** i18n: Updated Czech, Dutch, French, Polish, Swedish translation.
** Added Italian and Simplified Chinese translation.
Thanks to Petr Pisar, Erwin Poeze, Nicolas Provost, Jakub Bogusz, Daniel
Nylander, Sergio Zanchetta, Tao Wei, and Aron Xu.

** doc: The GTK-DOC manual is significantly improved.

** API and ABI modifications:
%DISABLE_SAFE_RENEGOTIATION: Added to priority strings (do not use).
%INITIAL_SAFE_RENEGOTIATION: Added to priority strings.
%UNSAFE_RENEGOTIATION: Added to priority strings.
GNUTLS_DIG_SHA224: ADDED.
GNUTLS_E_CRYPTODEV_DEVICE_ERROR: ADDED.
GNUTLS_E_CRYPTODEV_IOCTL_ERROR: ADDED.
GNUTLS_E_SAFE_RENEGOTIATION_FAILED: ADDED.
GNUTLS_E_UNKNOWN_SRP_USERNAME: ADDED.
GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED: ADDED.
GNUTLS_MAC_SHA224: ADDED.
GNUTLS_OID_X520_NAME: ADDED.
GNUTLS_OID_X520_POSTALCODE: ADDED.
GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS: ADDED.
GNUTLS_VERSION_MAX: ADDED.
gnutls_certificate_set_verify_function: ADDED.
gnutls_cipher_decrypt: ADDED.
gnutls_cipher_deinit: ADDED.
gnutls_cipher_encrypt: ADDED.
gnutls_cipher_get_block_size: ADDED.
gnutls_cipher_init: ADDED.
gnutls_hash: ADDED.
gnutls_hash_deinit: ADDED.
gnutls_hash_fast: ADDED.
gnutls_hash_get_len: ADDED.
gnutls_hash_init: ADDED.
gnutls_hash_output: ADDED.
gnutls_hmac: ADDED.
gnutls_hmac_deinit: ADDED.
gnutls_hmac_fast: ADDED.
gnutls_hmac_get_len: ADDED.
gnutls_hmac_init: ADDED.
gnutls_hmac_output: ADDED.
gnutls_safe_negotiation_set_initial: ADDED.
gnutls_safe_renegotiation_set: ADDED.
gnutls_safe_renegotiation_status: ADDED.

From simon at josefsson.org Thu Apr 22 09:17:19 2010
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 22 Apr 2010 09:17:19 +0200
Subject: Draft release notes for 2.10.0
Message-ID: <87633knegw.fsf@mocca.josefsson.org>

Below are draft release notes, please check for correctness and help me
identify things I have forgotten.  Live copy of the file is always
available from:

  http://git.savannah.gnu.org/cgit/gnutls.git/tree/doc/announce.txt

We need to write a section about the new TLS safe renegotiation support,
and ideas on what to write here is appreciated.  I think we need to point
to other documents explaining the problem, and describe what this release
adds to mitigate the problem.  And describe our semantics when talking
with old servers...

/Simon

We are proud to announce a new stable GnuTLS release: Version 2.10.0.

GnuTLS is a modern C library that implements the standard network
security protocol Transport Layer Security (TLS), for use by network
applications.  GnuTLS is developed for GNU/Linux, but works on many
Unix-like systems and comes with a binary installer for Windows.

The GnuTLS library is distributed under the terms of the GNU Lesser
General Public License version 2.1 (or later).  The "extra" GnuTLS
library (which contains TLS/IA support, LZO compression and Libgcrypt
FIPS-mode handler), the OpenSSL compatibility library, the self tests and
the command line tools are all distributed under the GNU General Public
License version 3.0 (or later).
The manual is distributed under the GNU Free Documentation License version 1.3 (or later).

The project page of the library is available at: http://www.gnu.org/software/gnutls/

What's New
==========

Version 2.10.0 is the first stable release on the 2.10.x branch and is the result of 11 months of work on the experimental 2.9.x branch. The GnuTLS 2.10.x branch replaces the GnuTLS 2.8.x branch as the supported stable branch, although we will continue to support GnuTLS 2.8.x for some time.

** libgnutls: Time verification extended to trusted certificate list, unless the new GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS flag is specified.

** certtool: Display postalCode and Name X.509 DN attributes correctly. Based on patch by Pavan Konjarla. Adds new constant GNUTLS_OID_X520_POSTALCODE and GNUTLS_OID_X520_NAME.

** libgnutls: Added Steve Dispensa's patch for safe renegotiation (RFC 5746). Solves the issue discussed in: and . Note that to allow connecting to unpatched servers the full protection is only enabled if the priority string %SAFE_RENEGOTIATION is specified. You can check whether protection is in place by querying gnutls_safe_renegotiation_status(). New error codes GNUTLS_E_SAFE_RENEGOTIATION_FAILED and GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED added.

** libgnutls: When checking openpgp self signature also check the signatures of all subkeys. Ilari Liusvaara noticed and reported the issue and provided test vectors as well.

** libgnutls: Added cryptodev support (/dev/crypto). Tested with http://www.logix.cz/michal/devel/cryptodev/. Added benchmark utility for AES. Adds new error codes GNUTLS_E_CRYPTODEV_IOCTL_ERROR and GNUTLS_E_CRYPTODEV_DEVICE_ERROR.

** libgnutls: Exported API to access encryption and hash algorithms.
The new API functions are gnutls_cipher_decrypt, gnutls_cipher_deinit, gnutls_cipher_encrypt, gnutls_cipher_get_block_size, gnutls_cipher_init, gnutls_hash, gnutls_hash_deinit, gnutls_hash_fast, gnutls_hash_get_len, gnutls_hash_init, gnutls_hash_output, gnutls_hmac, gnutls_hmac_deinit, gnutls_hmac_fast, gnutls_hmac_get_len, gnutls_hmac_init, gnutls_hmac_output. New API constants are GNUTLS_MAC_SHA224 and GNUTLS_DIG_SHA224.

** libgnutls: Added gnutls_certificate_set_verify_function() to allow verification of certificate upon receipt rather than waiting until the end of the handshake.

** libgnutls: Don't send alerts during handshake. Instead new error code GNUTLS_E_UNKNOWN_SRP_USERNAME is added.

** certtool: Corrected two issues that affected certificate request generation. (1) Null padding is added on integers (found thanks to Wilankar Trupti), (2) In optional SignatureAlgorithm parameters field for DSA keys the DSA parameters were added. Those were rejected by Verisign. Gnutls no longer adds those parameters there since other implementations don't do either and having them does not seem to offer anything (anyway you need the signer's certificate to verify, thus the public key will be available). Found thanks to Boyan Kasarov. This however has the side-effect that public key IDs shown by certtool are now different than previous gnutls releases. (3) the option --pgp-certificate-info will verify self signatures.

** certtool: Allow exporting of Certificate requests in DER format.

** certtool: New option --no-crq-extensions to avoid extensions in CSRs.

** gnutls-cli: Handle reading binary data from server. Reported by and tiny patch from Vitaly Mayatskikh in .

** minitasn1: Upgraded to libtasn1 version 2.6.

** doc: The GTK-DOC manual is significantly improved.

** libgnutls: Cleanups and several bug fixes. Found by Steve Grubb and Tomas Mraz.

** Link libgcrypt explicitly to certtool, gnutls-cli, gnutls-serv.

** Fix --disable-valgrind-tests. Reported by Ingmar Vanhassel in .
** libgnutls: Fix for memory leaks on interrupted handshake. Reported by Tang Tong.

** libgnutls: Addition of support for TLS 1.2 signature algorithms extension and certificate verify field. This requires changes for TLS 1.2 servers and clients that use callbacks for certificate retrieval. They are now required to check with gnutls_sign_algorithm_get_requested() whether the certificate they send complies with the peer's preferences in signature algorithms.

** libgnutls: In server side when resuming a session do not overwrite the initial session data with the resumed session data.

** libgnutls: Added support for AES-128, AES-192 and AES-256 in PKCS #8 encryption. This affects also PKCS #12 encoded files. This adds the following new enums: GNUTLS_CIPHER_AES_192_CBC, GNUTLS_PKCS_USE_PBES2_AES_128, GNUTLS_PKCS_USE_PBES2_AES_192, GNUTLS_PKCS_USE_PBES2_AES_256.

** libgnutls: Fix PKCS#12 encoding. The error you would get was "The OID is not supported.". Problem introduced for the v2.8.x branch in 2.7.6.

** certtool: Added the --pkcs-cipher option, to explicitly specify the encryption algorithm to use.

** tests: Added "pkcs12_encode" self-test to check PKCS#12 functions.

** tests: Fix time bomb in chainverify self-test. Reported by Andreas Metzler in .

** tests: Fix expired cert in chainverify self-test.

** libgnutls: TLS 1.2 server mode fixes. Now interoperates against Opera. Contributed by Daiki Ueno.

** libgnutlsxx: Fix link problems. Tiny patch from Boyan Kasarov .

** guile: Compatibility with guile 2.x. By Ludovic Courtes .

** libgnutls: Enable Camellia ciphers by default.

** libgnutls: Add new functions to extract X.509 Issuer Alternative Names. The new functions are gnutls_x509_crt_get_issuer_alt_name2, gnutls_x509_crt_get_issuer_alt_name, and gnutls_x509_crt_get_issuer_alt_othername_oid. Contributed by Brad Hards .

** libgnutls: Client-side TLS 1.2 and SHA-256 ciphersuites now work.
The new supported ciphersuites are AES-128/256 in CBC mode with ANON-DH/RSA/DHE-DSS/DHE-RSA. Contributed by Daiki Ueno. Further, SHA-256 is now the preferred default MAC (however it is only used with TLS 1.2).

** libgnutls: Make OpenPGP hostname checking work again. The patch to resolve the X.509 CN/SAN issue accidentally broke OpenPGP hostname comparison.

** libgnutls: When printing X.509 certificates, handle XMPP SANs better. Reported by Howard Chu in .

** Fix use of deprecated types internally. Use of deprecated types in GnuTLS from now on will lead to a compile error, to prevent this from happening again.

** libgnutls: Support for TLS tickets was contributed by Daiki Ueno. The new APIs are gnutls_session_ticket_enable_client, gnutls_session_ticket_enable_server, and gnutls_session_ticket_key_generate.

** gnutls-cli, gnutls-serv: New parameter --noticket to disable TLS tickets.

** libgnutls: Fix problem with NUL bytes in X.509 CN and SAN fields. By using a NUL byte in CN/SAN fields, it was possible to fool GnuTLS into 1) not printing the entire CN/SAN field value when printing a certificate and 2) cause incorrect positive matches when matching a hostname against a certificate. Some CAs apparently have poor checking of CN/SAN values and issue these (arguably invalid) certificates. Combined, this can be used by attackers to become a MITM on server-authenticated TLS sessions. The problem is mitigated since attackers need to get one certificate per site they want to attack, and the attacker reveals his tracks by applying for a certificate at the CA. It does not apply to client authenticated TLS sessions. Research presented independently by Dan Kaminsky and Moxie Marlinspike at BlackHat09. Thanks to Tomas Hoger for providing one part of the patch. [GNUTLS-SA-2009-4] [CVE-2009-2730].

** libgnutls: Fix rare failure in gnutls_x509_crt_import. The function may fail incorrectly when an earlier certificate was imported to the same gnutls_x509_crt_t structure.
** libgnutls: Fix return value of gnutls_certificate_client_get_request_status. Before it always returned false. Reported by Peter Hendrickson in .

** libgnutls: Fix off-by-one size computation error in unknown DN printing. The error resulted in truncated strings when printing unknown OIDs in X.509 certificate DNs. Reported by Tim Kosse in .

** libgnutls: Fix PKCS#12 decryption from password. The encryption key derived from the password was incorrect for (on average) 1 in every 128 input for random inputs. Reported by "Kukosa, Tomas" in .

** libgnutls: Return correct bit lengths of some MPIs. gnutls_dh_get_prime_bits, gnutls_rsa_export_get_modulus_bits, and gnutls_dh_get_peers_public_bits. Before the reported value was overestimated. Reported by Peter Hendrickson in .

** libgnutls: Avoid internal error when invoked after GNUTLS_E_AGAIN. Report and patch by Tim Kosse in and .

** libgnutls: Relax checking of required libtasn1/libgcrypt versions. Before we required that the runtime library used the same (or more recent) libgcrypt/libtasn1 as it was compiled with. Now we just check that the runtime usage is above the minimum required. Reported by Marco d'Itri via Andreas Metzler in .

** tests: Added new self-test pkcs12_s2k_pem to detect MPI bit length error.

** tests: Improved test vectors in self-test pkcs12_s2k.

** tests: Added new self-test dn2 to detect off-by-one size error.

** tests: Fix failure in "chainverify" because a certificate has expired.

** libgnutls: Fix crash in gnutls_global_init after earlier init/deinit cycle. Forwarded by Martin von Gagern from .

** Reduce stack usage for some CRQ functions.

** Doc fixes for CRQ functions.

TLS Safe Renegotiation Support
==============================

TBA

API/ABI changes in GnuTLS 2.10
==============================

No officially supported interfaces have been modified or removed. The library should be completely backwards compatible on both the source and binary level.
The following symbols have been added to the library:

gnutls_certificate_set_verify_function: ADDED.
gnutls_cipher_decrypt: ADDED.
gnutls_cipher_deinit: ADDED.
gnutls_cipher_encrypt: ADDED.
gnutls_cipher_get_block_size: ADDED.
gnutls_cipher_init: ADDED.
gnutls_hash: ADDED.
gnutls_hash_deinit: ADDED.
gnutls_hash_fast: ADDED.
gnutls_hash_get_len: ADDED.
gnutls_hash_init: ADDED.
gnutls_hash_output: ADDED.
gnutls_hmac: ADDED.
gnutls_hmac_deinit: ADDED.
gnutls_hmac_fast: ADDED.
gnutls_hmac_get_len: ADDED.
gnutls_hmac_init: ADDED.
gnutls_hmac_output: ADDED.
gnutls_safe_negotiation_set_initial: ADDED.
gnutls_safe_renegotiation_set: ADDED.
gnutls_safe_renegotiation_status: ADDED.
gnutls_sign_algorithm_get_requested: ADDED.
gnutls_x509_crt_get_issuer_alt_name2: ADDED.
gnutls_x509_crt_get_issuer_alt_name: ADDED.
gnutls_x509_crt_get_issuer_alt_othername_oid: ADDED.
gnutls_session_ticket_key_generate: ADDED.
gnutls_session_ticket_enable_client: ADDED.
gnutls_session_ticket_enable_server: ADDED.

In addition to the functions above, the following non-function definitions have been added to the header files:

GNUTLS_DIG_SHA224: ADDED.
GNUTLS_E_CRYPTODEV_DEVICE_ERROR: ADDED.
GNUTLS_E_CRYPTODEV_IOCTL_ERROR: ADDED.
GNUTLS_E_SAFE_RENEGOTIATION_FAILED: ADDED.
GNUTLS_E_UNKNOWN_SRP_USERNAME: ADDED.
GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED: ADDED.
GNUTLS_MAC_SHA224: ADDED.
GNUTLS_OID_X520_NAME: ADDED.
GNUTLS_OID_X520_POSTALCODE: ADDED.
GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS: ADDED.
GNUTLS_VERSION_MAX: ADDED.
GNUTLS_CIPHER_AES_192_CBC: ADDED to gnutls/gnutls.h.
GNUTLS_PKCS_USE_PBES2_AES_128: ADDED to gnutls/x509.h.
GNUTLS_PKCS_USE_PBES2_AES_192: ADDED to gnutls/x509.h.
GNUTLS_PKCS_USE_PBES2_AES_256: ADDED to gnutls/x509.h.
GNUTLS_BAG_SECRET: ADDED to gnutls/pkcs12.h.
GNUTLS_DIG_UNKNOWN: ADDED to gnutls/gnutls.h.

Getting the Software
====================

GnuTLS may be downloaded from one of the mirror sites or direct from . The list of mirrors can be found at .
Here are the BZIP2 compressed sources (6.0MB):

ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.10.0.tar.bz2
http://ftp.gnu.org/gnu/gnutls/gnutls-2.10.0.tar.bz2

Here are OpenPGP detached signatures signed using key 0xB565716F:

ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.10.0.tar.bz2.sig
http://ftp.gnu.org/gnu/gnutls/gnutls-2.10.0.tar.bz2.sig

Note that we don't distribute gzip compressed tarballs.

In order to check that the version of GnuTLS which you are going to install is an original and unmodified one, you should verify the OpenPGP signature. You can use the command

gpg --verify gnutls-2.10.0.tar.bz2.sig

This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. The signing key can be identified with the following information:

pub 1280R/B565716F 2002-05-05 [expires: 2010-04-21]
Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F
uid Simon Josefsson
uid Simon Josefsson
sub 1280R/4D5D40AE 2002-05-05 [expires: 2010-04-21]

The key is available from:

http://josefsson.org/key.txt
dns:b565716f.josefsson.org?TYPE=CERT

Alternatively, after successfully verifying the OpenPGP signature of this announcement, you could verify that the files match the following checksum values.
The values are for SHA-1 and SHA-224 respectively:

7c102253bb4e817f393b9979a62c647010312eac gnutls-2.10.0.tar.bz2
57ee306f261ed331b8386baf854f737fbf24da7b3bcc32331d34176b gnutls-2.10.0.tar.bz2

Documentation
=============

The manual is available online at: http://www.gnu.org/software/gnutls/documentation.html

In particular the following formats are available:

HTML: http://www.gnu.org/software/gnutls/manual/html_node/index.html
PDF: http://www.gnu.org/software/gnutls/manual/gnutls.pdf

For developers there is a GnuTLS API reference manual formatted using the GTK-DOC tools: http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html

Community
=========

If you need help to use GnuTLS, or want to help others, you are invited to join our help-gnutls mailing list, see: http://lists.gnu.org/mailman/listinfo/help-gnutls

If you wish to participate in the development of GnuTLS, you are invited to join our gnutls-dev mailing list, see: http://lists.gnu.org/mailman/listinfo/gnutls-devel

Windows installer
=================

GnuTLS has been ported to the Windows operating system, and a binary installer is available. The installer contains DLLs for application development, manuals, examples, and source code. The installer uses libgpg-error v1.7, libgcrypt v1.4.5, libtasn1 v2.6, and GnuTLS v2.10.0.
For more information about GnuTLS for Windows: http://josefsson.org/gnutls4win/

The Windows binary installer and PGP signature:

http://josefsson.org/gnutls4win/gnutls-2.10.0.exe (15MB)
http://josefsson.org/gnutls4win/gnutls-2.10.0.exe.sig

The checksum values for SHA-1 and SHA-224 are:

8a7965168c542edec3259469b6c0e87a9a2b4626 gnutls-2.10.0.exe
5f76c907eac768b714dc7187a17f87c0393439cf1ef44ab145aab6e3 gnutls-2.10.0.exe

A ZIP archive containing the Windows binaries:

http://josefsson.org/gnutls4win/gnutls-2.10.0.zip (5.3MB)
http://josefsson.org/gnutls4win/gnutls-2.10.0.zip.sig

A Debian mingw32 package is also available:

http://josefsson.org/gnutls4win/mingw32-gnutls_2.7.10-1_all.deb (4.8MB)

The checksum values for SHA-1 and SHA-224 are:

aca9f9f1adba09b952e095039595d4c5d9e67d46 mingw32-gnutls_2.10.0-1_all.deb
269020738a9f36135e3f231a94cdb2cabc0edd3658092d76b87c27dc mingw32-gnutls_2.10.0-1_all.deb

Internationalization
====================

The GnuTLS library messages have been translated into Czech, Dutch, French, German, Italian, Malay, Polish, Simplified Chinese, Swedish, and Vietnamese. We welcome the addition of more translations.

Support
=======

Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improving the software, or donating money or equipment.

Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult AB, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details.
The GnuTLS service directory is available at: http://www.gnu.org/software/gnutls/commercial.html

Happy Hacking,
Simon

From nmav at gnutls.org Thu Apr 22 13:29:16 2010
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 22 Apr 2010 14:29:16 +0300
Subject: Draft release notes for 2.10.0
In-Reply-To: <87633knegw.fsf@mocca.josefsson.org>
References: <87633knegw.fsf@mocca.josefsson.org>
Message-ID:

On Thu, Apr 22, 2010 at 10:17 AM, Simon Josefsson wrote:

Hi,

> We need to write a section about the new TLS safe renegotiation support,
> and ideas on what to write here is appreciated. I think we need to
> point to other documents explaining the problem, and describe what this
> release adds to mitigate the problem. And describe our semantics when
> talking with old servers...

A proper discussion would be more proper in the documentation rather than in the release notes. A quick note might say that gnutls implements the TLS safe renegotiation counter-measures as described in RFC5746, against a plaintext injection attack that affects TLS as is currently used by the HTTP(S) protocol. More information about the vulnerability at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555. Unfortunately full deployment of the solution requires breaking backwards compatibility with older servers and clients. For that reason gnutls enables it but does not enforce its security features unless the peer also supports safe renegotiation, to maintain compatibility with existing software. This decision will be reconsidered once the majority of internet servers/clients that use TLS have adopted safe renegotiation.

> ** libgnutls: Added cryptodev support (/dev/crypto).
> Tested with http://www.logix.cz/michal/devel/cryptodev/. Added
[...]
Please use this link for the release notes: http://home.gna.org/cryptodev-linux/

regards,
Nikos

From simon at josefsson.org Thu Apr 29 09:41:03 2010
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 29 Apr 2010 09:41:03 +0200
Subject: Draft release notes for 2.10.0
In-Reply-To: (Nikos Mavrogiannopoulos's message of "Thu, 22 Apr 2010 14:29:16 +0300")
References: <87633knegw.fsf@mocca.josefsson.org>
Message-ID: <87zl0mpuy8.fsf@mocca.josefsson.org>

Nikos Mavrogiannopoulos writes:

> On Thu, Apr 22, 2010 at 10:17 AM, Simon Josefsson wrote:
>
> Hi,
>
>> We need to write a section about the new TLS safe renegotiation support,
>> and ideas on what to write here is appreciated. I think we need to
>> point to other documents explaining the problem, and describe what this
>> release adds to mitigate the problem. And describe our semantics when
>> talking with old servers...
>
> A proper discussion would be more proper in the documentation rather
> than in the release notes.

Yes. I have written the section below for the manual. Please review it for correctness!

/Simon

3.10 Safe Renegotiation
=======================

Some application protocols and implementations use the TLS renegotiation feature in a manner that enables attackers to insert content of their choice in the beginning of a TLS session. The simplest example is HTTP. For HTTP one attack works by having the attacker simulate a client and connect to a server, with server-only authentication, and send some data intended to cause harm. When the proper client attempts to contact the server, the attacker hijacks that connection and uses the TLS renegotiation feature with the server and splices in the client connection to the already established connection between the client and server. The attacker will not be able to read the data exchanged between the client and the server. However, some server implementations will (incorrectly) assume that the data sent by the attacker was sent by the now authenticated client.
The result is a prefix plain-text injection attack.

While fixing these application protocols and implementations would be one natural reaction, an extension to TLS has been designed that cryptographically binds together any renegotiated handshakes with the initial negotiation. When the extension is used, the attack is detected and the session can be terminated. The extension is specified in [RFC5746] (*note Bibliography::).

GnuTLS supports the safe renegotiation extension. By default, GnuTLS clients will attempt to negotiate the safe renegotiation extension when talking to servers. Also by default, GnuTLS servers will accept the extension when presented by clients. However, by default GnuTLS clients and servers will not refuse renegotiation attempts when the extension has not been negotiated, as this would break backwards compatibility and cause too many operational problems. We will likely reconsider these defaults in the future.

To modify the default behaviour, we have introduced three new priority strings. The priority strings can be used by applications (*note gnutls_priority_set::) and end users (e.g., `--priority' parameter to `gnutls-cli' and `gnutls-serv').

The `%UNSAFE_RENEGOTIATION' priority string requests what is today the default behaviour, i.e., that handshakes without the safe renegotiation extension are permitted. To make more use of the extension, you may provide the `%SAFE_RENEGOTIATION' priority string. In this mode, clients will require that the server supports the extension for the initial handshake, and servers will require that the client supports the extension for any renegotiated handshakes. If you want to make a server refuse even initial handshakes without the safe renegotiation extension, use the `%INITIAL_SAFE_RENEGOTIATION' priority string. It is possible to disable use of the extension completely by using the `%DISABLE_SAFE_RENEGOTIATION' priority string; however this is strongly discouraged!
For applications we have introduced three new APIs related to safe renegotiation. The *note gnutls_safe_renegotiation_status:: function is used to check if the extension has been negotiated on a session, and can be used both by clients and servers. The *note gnutls_safe_renegotiation_set:: function allows applications to request that the extension should be disabled (or re-enabled) in handshakes for the session. The *note gnutls_safe_negotiation_set_initial:: function is only relevant for servers, and is used to enforce that clients support the extension even on the initial handshake.

From simon at josefsson.org Thu Apr 29 09:41:48 2010
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 29 Apr 2010 09:41:48 +0200
Subject: Draft release notes for 2.10.0
In-Reply-To: (Nikos Mavrogiannopoulos's message of "Thu, 22 Apr 2010 14:29:16 +0300")
References: <87633knegw.fsf@mocca.josefsson.org>
Message-ID: <87vdbapuwz.fsf@mocca.josefsson.org>

Nikos Mavrogiannopoulos writes:

>> ** libgnutls: Added cryptodev support (/dev/crypto).
>> Tested with http://www.logix.cz/michal/devel/cryptodev/. Added
> [...]
> Please use this link for the release notes:
> http://home.gna.org/cryptodev-linux/

Fixed, thanks.

/Simon

From simon at josefsson.org Thu Apr 29 10:10:07 2010
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 29 Apr 2010 10:10:07 +0200
Subject: safe renegotiation in client side
In-Reply-To: <1268688690.24408.284.camel@vespa.frost.loc> (Tomas Mraz's message of "Mon, 15 Mar 2010 22:31:30 +0100")
References: <4B9E9CA9.4070901@gnutls.org> <1268688690.24408.284.camel@vespa.frost.loc>
Message-ID: <8739yeptls.fsf@mocca.josefsson.org>

Tomas Mraz writes:

> On Mon, 2010-03-15 at 21:46 +0100, Nikos Mavrogiannopoulos wrote:
>> As you may have noticed there was a big fuss lately about a bug in the
>> TLS protocol that could cause a client to connect to the wrong server
>> via a renegotiation.
>> There is a fix to the protocol that is
>> unfortunately incompatible with previous versions (if security is
>> required). Thus a gnutls client implementing the fix cannot connect to
>> any non-patched server[0]. To achieve compatibility one has to
>> explicitly allow unsafe renegotiation with a priority string. This is
>> not always possible since gnutls might be used unintentionally by a
>> program via another library.
>>
>> With some trials in my system I noticed that the current behavior causes
>> denial of service and a simple user might not even have control over the
>> priority string for gnutls.
>>
>> Given your experiences (as system packager, user, implementor or so),
>> what do you think is the adoption of priority strings in programs? Given
>> a program that uses gnutls is it easy to set a string with the
>> algorithms etc. needed for the negotiation?
>
> The OpenSSL upstream decided to allow the client to talk to the
> unpatched servers by default. Of course it means that if the client
> talks to such server it is vulnerable to the attack. They've also added
> a function call so an application can query whether the connection is
> protected by the safe renegotiation or not.

GnuTLS will behave the same.

> I, as maintainer of OpenSSL and gnutls packages in Fedora and Red Hat
> Enterprise Linux, decided when backporting the safe renegotiation
> patches to the old gnutls packages in released distributions, that the
> client has to be tolerant to missing safe renegotiation support on
> connected servers for now and so I have removed the strict client side
> check from the backported patches. If the adoption of the safe
> renegotiation extension gets better, we will release updated packages
> which will contain the strict client side check.

What is your opinion on whether servers should refuse renegotiation attempts from clients that don't support the extension?
/Simon

From simon at josefsson.org Thu Apr 29 10:16:07 2010
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 29 Apr 2010 10:16:07 +0200
Subject: safe renegotiation
Message-ID: <87y6g6oerc.fsf@mocca.josefsson.org>

I've tested the safe renegotiation stuff a bit more, and I believe we could tweak the defaults to make them slightly more secure: let %SAFE_RENEGOTIATION be the default for servers.

This means that servers will refuse to RE-negotiate against clients that do not support the extension.

We surveyed GnuTLS server applications earlier, and found that none of them (except one) supported TLS renegotiation at all. The impact of this change should be minimal.

The odd package is mod_gnutls for Apache, but it exposes a priority string interface to the administrator, thus allowing them to override the behaviour easily -- however we should recommend that they don't, because it is really insecure.

Thoughts? Objections?

/Simon

From nmav at gnutls.org Thu Apr 29 11:02:14 2010
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 29 Apr 2010 11:02:14 +0200
Subject: safe renegotiation
In-Reply-To: <87y6g6oerc.fsf@mocca.josefsson.org>
References: <87y6g6oerc.fsf@mocca.josefsson.org>
Message-ID:

On Thu, Apr 29, 2010 at 10:16 AM, Simon Josefsson wrote:
> I've tested the safe renegotiation stuff a bit more, and I believe we
> could tweak the defaults to make them slightly more secure: let
> %SAFE_RENEGOTIATION be the default for servers.
>
> This means that servers will refuse to RE-negotiate against clients that
> do not support the extension.
[...]
> The odd package is mod_gnutls for Apache, but it exposes a priority
> string interface to the administrator, thus allowing them to override
> the behaviour easily -- however we should recommend that they don't,
> because it is really insecure.

This will actually harm mod_gnutls. Renegotiation is a common issue in HTTPS (for upgrading authentication using a certificate for certain locations).
If people notice that no clients can connect to their servers, they will either install an older version of gnutls that "works" or just go to mod_ssl. Moreover it is problematic in the sense that an administrator might not detect at all that his site is inaccessible and only find out after losing customers or so. I think that fixing a security issue but as a side-effect causing serious issues in interoperability with old software is a recipe for people to move out of your software (intel never managed to get rid of x86, and I don't think we can afford it).

Let's be conservative and wait. This issue proved not to be that important in the internet (not many people upgraded because of this).

regards,
Nikos

From tmraz at redhat.com Thu Apr 29 12:22:09 2010
From: tmraz at redhat.com (Tomas Mraz)
Date: Thu, 29 Apr 2010 12:22:09 +0200
Subject: safe renegotiation in client side
In-Reply-To: <8739yeptls.fsf@mocca.josefsson.org>
References: <4B9E9CA9.4070901@gnutls.org> <1268688690.24408.284.camel@vespa.frost.loc> <8739yeptls.fsf@mocca.josefsson.org>
Message-ID: <1272536529.17052.440.camel@vespa.frost.loc>

On Thu, 2010-04-29 at 10:10 +0200, Simon Josefsson wrote:
> Tomas Mraz writes:
>
> > On Mon, 2010-03-15 at 21:46 +0100, Nikos Mavrogiannopoulos wrote:
> >> As you may have noticed there was a big fuss lately about a bug in the
> >> TLS protocol that could cause a client to connect to the wrong server
> >> via a renegotiation. There is a fix to the protocol that is
> >> unfortunately incompatible with previous versions (if security is
> >> required). Thus a gnutls client implementing the fix cannot connect to
> >> any non-patched server[0]. To achieve compatibility one has to
> >> explicitly allow unsafe renegotiation with a priority string. This is
> >> not always possible since gnutls might be used unintentionally by a
> >> program via another library.
> >>
> >> With some trials in my system I noticed that the current behavior causes
> >> denial of service and a simple user might not even have control over the
> >> priority string for gnutls.
> >>
> >> Given your experiences (as system packager, user, implementor or so),
> >> what do you think is the adoption of priority strings in programs? Given
> >> a program that uses gnutls is it easy to set a string with the
> >> algorithms etc. needed for the negotiation?
> >
> > The OpenSSL upstream decided to allow the client to talk to the
> > unpatched servers by default. Of course it means that if the client
> > talks to such server it is vulnerable to the attack. They've also added
> > a function call so an application can query whether the connection is
> > protected by the safe renegotiation or not.
>
> GnuTLS will behave the same.
>
> > I, as maintainer of OpenSSL and gnutls packages in Fedora and Red Hat
> > Enterprise Linux, decided when backporting the safe renegotiation
> > patches to the old gnutls packages in released distributions, that the
> > client has to be tolerant to missing safe renegotiation support on
> > connected servers for now and so I have removed the strict client side
> > check from the backported patches. If the adoption of the safe
> > renegotiation extension gets better, we will release updated packages
> > which will contain the strict client side check.
>
> What is your opinion on whether servers should refuse renegotiation
> attempts from clients that don't support the extension?

This is clear, they must refuse to renegotiate with them, otherwise they are clearly vulnerable. OpenSSL does the same. There probably should be an option to allow it though. In case of OpenSSL it is the SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which is not enabled by default.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb

From simon at josefsson.org Thu Apr 29 12:32:40 2010
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 29 Apr 2010 12:32:40 +0200
Subject: safe renegotiation
In-Reply-To: (Nikos Mavrogiannopoulos's message of "Thu, 29 Apr 2010 11:02:14 +0200")
References: <87y6g6oerc.fsf@mocca.josefsson.org>
Message-ID: <87vdbamtvb.fsf@mocca.josefsson.org>

Nikos Mavrogiannopoulos writes:

> On Thu, Apr 29, 2010 at 10:16 AM, Simon Josefsson wrote:
>> I've tested the safe renegotiation stuff a bit more, and I believe we
>> could tweak the defaults to make them slightly more secure: let
>> %SAFE_RENEGOTIATION be the default for servers.
>>
>> This means that servers will refuse to RE-negotiate against clients that
>> do not support the extension.
> [...]
>> The odd package is mod_gnutls for Apache, but it exposes a priority
>> string interface to the administrator, thus allowing them to override
>> the behaviour easily -- however we should recommend that they don't,
>> because it is really insecure.
>
> This will actually harm mod_gnutls. Renegotiation is a common issue in
> HTTPS (for upgrading authentication using a certificate for certain
> locations).

It is not used frequently though, and it is vulnerable to attack. My main point is that mod_gnutls may 1) document this problem and suggest that people use %UNSAFE_RENEGOTIATION in the docstring, or even 2) use %UNSAFE_RENEGOTIATION by default if no other priority string is provided.

> If people notice that no clients can connect on their servers will
> either install an older version of gnutls that "works" or just go to
> mod_ssl. Moreover it is problematic in the sense that an administrator
> might not detect at all that his site is inaccessible and only find
> out after losing customers or so.
> I think that fixing a security issue
> but as a side-effect causing serious issues in interoperability with
> old software is a recipe for people to move out of your software
> (intel never managed to get rid of x86, and I don't think we can
> afford it).
>
> Let's be conservative and wait. This issue proved not to be that
> important in the internet (not many people upgraded because of this).

According to Tomas, OpenSSL protects against this. If that is the case,
I think the answer is simple: we should do the same.

/Simon

From thoger at redhat.com Thu Apr 29 13:57:45 2010
From: thoger at redhat.com (Tomas Hoger)
Date: Thu, 29 Apr 2010 13:57:45 +0200
Subject: safe renegotiation
In-Reply-To:
References: <87y6g6oerc.fsf@mocca.josefsson.org>
Message-ID: <20100429135745.3ae19904@redhat.com>

On Thu, 29 Apr 2010 11:02:14 +0200 Nikos Mavrogiannopoulos wrote:

> This will actually harm mod_gnutls. Renegotiation is a common issue in
> HTTPS (for upgrading authentication using a certificate for certain
> locations).

Client certificate authentication should really be the only common use
case where renegotiation is really required with https.

> If people notice that no clients can connect on their servers will
> either install an older version of gnutls that "works" or just go to
> mod_ssl.

Anyone who goes to mod_ssl or mod_nss will face the same issue when using
new OpenSSL or NSS, as they both reject renegotiation with unpatched
clients. mod_ssl got a new config directive - SSLInsecureRenegotiation [1]
- allowing admins to let old clients renegotiate. For mod_nss, you can set
the NSS_SSL_ENABLE_RENEGOTIATION [2] environment variable to achieve a
similar result. If mod_gnutls already has a directive for setting the
priority string, it can be an easy way to revert back to insecure
renegotiation for those who need it.

[1] http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation
[2] https://developer.mozilla.org/NSS_3.12.6_release_notes

th.
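The server-side check this thread is arguing about, as an added illustration that is not part of any of the messages above and not GnuTLS's own code: a simplified Python model of the RFC 5746 renegotiation_info verification a server performs on a ClientHello, with a policy switch that mirrors the %SAFE_RENEGOTIATION and %UNSAFE_RENEGOTIATION keywords named in the thread (refuse, or tolerate, a renegotiation from a peer that never signalled support). All class and function names are this example's own, and the HMAC used to produce verify_data is a stand-in for the real Finished/PRF computation.

```python
"""Model of a TLS server's RFC 5746 secure-renegotiation check.
Added example, not GnuTLS code: names and the HMAC stand-in for the
Finished computation are this example's own simplifications."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

# TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746): signals support without an extension.
SCSV = 0x00FF


@dataclass
class ClientHello:
    cipher_suites: List[int]
    # Payload of the renegotiation_info extension; None when the client omits it.
    renegotiation_info: Optional[bytes] = None


class HandshakeRejected(Exception):
    """Raised where a real server would send a handshake_failure alert."""


def client_verify_data(transcript: bytes) -> bytes:
    """Stand-in for the client's Finished verify_data (real TLS uses the PRF)."""
    return hmac.new(b"client finished", transcript, hashlib.sha256).digest()[:12]


def server_verify_data(transcript: bytes) -> bytes:
    """Stand-in for the server's Finished verify_data."""
    return hmac.new(b"server finished", transcript, hashlib.sha256).digest()[:12]


class Server:
    def __init__(self, policy: str = "safe"):
        # "safe" mirrors %SAFE_RENEGOTIATION, "unsafe" mirrors %UNSAFE_RENEGOTIATION
        # (policy names are this model's own).
        assert policy in ("safe", "unsafe")
        self.policy = policy
        self.secure_renegotiation = False   # RFC 5746 per-connection flag
        self.saved_client_vd = b""
        self.saved_server_vd = b""
        self.handshakes_completed = 0

    def process_client_hello(self, hello: ClientHello) -> Optional[bytes]:
        """Return the server's renegotiation_info payload (None = extension
        omitted), or raise HandshakeRejected."""
        ext = hello.renegotiation_info
        if self.handshakes_completed == 0:
            # Initial handshake: support is signalled by an empty extension
            # or the SCSV; any data in the extension here is an error.
            if ext:
                raise HandshakeRejected("non-empty renegotiation_info on initial handshake")
            self.secure_renegotiation = ext is not None or SCSV in hello.cipher_suites
            return b"" if self.secure_renegotiation else None

        if self.secure_renegotiation:
            # Renegotiation on a protected connection: the peer must prove it
            # saw the previous handshake by echoing its own verify_data.
            if SCSV in hello.cipher_suites or ext is None:
                raise HandshakeRejected("renegotiation_info missing or SCSV sent on renegotiation")
            if not hmac.compare_digest(ext, self.saved_client_vd):
                raise HandshakeRejected("client_verify_data mismatch")
            return self.saved_client_vd + self.saved_server_vd

        # Renegotiation requested on a connection whose peer never signalled
        # support: the case the thread is about.
        if self.policy == "safe":
            raise HandshakeRejected("legacy renegotiation refused by policy")
        return None   # tolerate it, as %UNSAFE_RENEGOTIATION would; connection stays unprotected

    def finish_handshake(self, transcript: bytes) -> None:
        """Record both Finished values so the next ClientHello can be checked."""
        self.saved_client_vd = client_verify_data(transcript)
        self.saved_server_vd = server_verify_data(transcript)
        self.handshakes_completed += 1


def renegotiate(server: Server, client_kind: str) -> str:
    """Initial handshake followed by one renegotiation attempt; reports the outcome.
    client_kind: "patched" (RFC 5746 peer), "legacy" (pre-5746 peer), "tampered"
    (patched peer echoing wrong verify_data), "spliced" (legacy initial handshake,
    then a fresh RFC 5746 ClientHello arriving as a renegotiation)."""
    transcript = b"constructed transcript #1"   # constructed sample input
    first = ClientHello([0x002F] if client_kind in ("legacy", "spliced") else [0x002F, SCSV])
    server.process_client_hello(first)
    server.finish_handshake(transcript)
    if client_kind in ("patched", "tampered"):
        echoed = client_verify_data(transcript) if client_kind == "patched" else b"\x00" * 12
        second = ClientHello([0x002F], renegotiation_info=echoed)
    elif client_kind == "spliced":
        second = ClientHello([0x002F, SCSV])
    else:
        second = ClientHello([0x002F])
    try:
        reply = server.process_client_hello(second)
    except HandshakeRejected as e:
        return "refused: " + str(e)
    return "protected" if reply else "unprotected"
```

Under the "safe" policy only a peer that can echo the previous verify_data is allowed to renegotiate; under "unsafe" a legacy peer is tolerated and the connection carries no proof that both handshakes were done by the same party, which is exactly the exposure the thread weighs against interoperability.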
From thoger at redhat.com Thu Apr 29 16:08:27 2010
From: thoger at redhat.com (Tomas Hoger)
Date: Thu, 29 Apr 2010 16:08:27 +0200
Subject: Draft release notes for 2.10.0
In-Reply-To: <87zl0mpuy8.fsf@mocca.josefsson.org>
References: <87633knegw.fsf@mocca.josefsson.org> <87zl0mpuy8.fsf@mocca.josefsson.org>
Message-ID: <20100429160827.3480c1dd@redhat.com>

On Thu, 29 Apr 2010 09:41:03 +0200 Simon Josefsson wrote:

> proper client attempts to contact the server, the attacker hijacks
> that connection and uses the TLS renegotiation feature with the
> server and splices in the client connection to the already
> established connection between the client and server.

"*attacker* and server"

> However, some server implementations will (incorrectly) assume that
> the data sent by the attacker was sent by the now authenticated
> client.

Renegotiation does not have to change client authentication status
(either TLS or application level). Twitter attack is one example.

> However, by default GnuTLS client and servers will not refuse
> renegotiation attempts when the extension has not been negotiated, as
> this would break backwards compatibility and cause too much
> operational problems. We will likely reconsider these defaults in
> the future.

If these defaults change (discussion in the other thread), you may
wish to extend this to cover different impact of allowing initial / re-
negotiation on clients and servers.

> To modify the default behaviour, we have introduced three new priority

Following paragraph describes 4, even though one is special.

HTH
th.
From simon at josefsson.org Fri Apr 30 16:53:07 2010
From: simon at josefsson.org (Simon Josefsson)
Date: Fri, 30 Apr 2010 16:53:07 +0200
Subject: Draft release notes for 2.10.0
In-Reply-To: <20100429160827.3480c1dd@redhat.com> (Tomas Hoger's message of "Thu, 29 Apr 2010 16:08:27 +0200")
References: <87633knegw.fsf@mocca.josefsson.org> <87zl0mpuy8.fsf@mocca.josefsson.org> <20100429160827.3480c1dd@redhat.com>
Message-ID: <877hnpf0vg.fsf@mocca.josefsson.org>

Tomas Hoger writes:

> On Thu, 29 Apr 2010 09:41:03 +0200 Simon Josefsson wrote:
>
>> proper client attempts to contact the server, the attacker hijacks
>> that connection and uses the TLS renegotiation feature with the
>> server and splices in the client connection to the already
>> established connection between the client and server.
>
> "*attacker* and server"

Fixed, thanks.

>> However, some server implementations will (incorrectly) assume that
>> the data sent by the attacker was sent by the now authenticated
>> client.
>
> Renegotiation does not have to change client authentication status
> (either TLS or application level). Twitter attack is one example.

I added a paragraph explaining that the paragraph is only one example,
and that other scenarios exist, see entire patch in:

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=468b1d0d428cb36042ee4014bcac4a4513d1e74a

>> However, by default GnuTLS client and servers will not refuse
>> renegotiation attempts when the extension has not been negotiated, as
>> this would break backwards compatibility and cause too much
>> operational problems. We will likely reconsider these defaults in
>> the future.
>
> If these defaults change (discussion in the other thread), you may
> wish to extend this to cover different impact of allowing initial / re-
> negotiation on clients and servers.

I agree -- and I believe we'll change the defaults here, so this aspect
needs to be revisited.
>> To modify the default behaviour, we have introduced three new priority
>
> Following paragraph describes 4, even though one is special.

Fixed too.

Thanks,
Simon

From beebe at math.utah.edu Fri Apr 30 16:33:30 2010
From: beebe at math.utah.edu (Nelson H. F. Beebe)
Date: Fri, 30 Apr 2010 08:33:30 -0600 (MDT)
Subject: [bug-gnutls] gnutls-2.8.6 build comments
Message-ID:

A build attempt for gnutls-2.8.6 fails on Red Hat 4 AMD64 for two
reasons: incorrect handling of libraries at configure time, and a C++
error in the doc/examples/ex-cxx.cpp file.

The library problem arises because the gnutls configure script
erroneously inserts explicit paths to shared libraries, instead of
relying on the normal shared library search mechanism, and the setting
of LDFLAGS. On both Red Hat and OpenSuSE GNU/Linux on AMD64, the default
world is a 64-bit one, and 64-bit libraries go into /usr/lib64 and
/usr/local/lib64. The /usr/lib and /usr/local/lib directories are
reserved for 32-bit libraries. Unfortunately, the configure puts
/usr/local/lib in front of shared library names.

I was able to resolve that problem by temporarily renaming several
shared and static libraries in /usr/local/lib, but that was possible
only because the system on which I did that is a single-user machine
over which I have complete control; it would not be possible on most of
our GNU/Linux systems that are accessible to thousands of our users.

Recommendation: do not insert explicit directory paths for libraries,
but instead, use the LDFLAGS settings to guide the loader to their
proper location.

With the above changes, I was able to get most of the compilations to
succeed, but I'm stymied by a C++ compilation error in
doc/examples/ex-cxx.cpp. I have dozens of versions of the gcc family
installed in my environment, and I tried g++ (4.3.0 20070209),
g++-4.3.4, g++-4.4.1, g++-4.5.0, and g++-4.6.0, each time doing the
build in a clean freshly-unpacked gnutls-2.8.6 directory.
Here is an example of the failures that I see:

libtool: link: g++-4.6 -g -O2 -Wl,-rpath -Wl,/usr/local/lib64 -o ex-cxx ex-cxx.o -L/usr/local/lib64 ./.libs/libexamples.a ../../lib/.libs/libgnutls.so ../../libextra/.libs/libgnutls-extra.so ../../gl/.libs/libgnu.a ../../lib/.libs/libgnutlsxx.so -Wl,-rpath -Wl,/local/build/bare/gnutls-2.8.6/lib/.libs -Wl,-rpath -Wl,/local/build/bare/gnutls-2.8.6/libextra/.libs -Wl,-rpath -Wl,/usr/local/lib
ex-cxx.o(.text+0xa9): In function `main':
/usr/local/ashare/x86_64-linux/gcc-4.6-20100416/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.6.0/../../../../include/c++/4.6.0/ostream:513: undefined reference to `std::basic_ostream >& std::__ostream_insert >(std::basic_ostream >&, char const*, long)'
ex-cxx.o(.text+0x135):/usr/local/ashare/x86_64-linux/gcc-4.6-20100416/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.6.0/../../../../include/c++/4.6.0/ostream:513: undefined reference to `std::basic_ostream >& std::__ostream_insert >(std::basic_ostream >&, char const*, long)'
ex-cxx.o(.text+0x157):/usr/local/ashare/x86_64-linux/gcc-4.6-20100416/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.6.0/../../../../include/c++/4.6.0/ostream:513: undefined reference to `std::basic_ostream >& std::__ostream_insert >(std::basic_ostream >&, char const*, long)'
ex-cxx.o(.text+0x25c): In function `main':
/usr/local/ashare/x86_64-linux/gcc-4.6-20100416/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.6.0/../../../../include/c++/4.6.0/bits/locale_facets.h:868: undefined reference to `std::ctype::_M_widen_init() const'
ex-cxx.o(.text+0x2bc): In function `main':
/usr/local/ashare/x86_64-linux/gcc-4.6-20100416/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.6.0/../../../../include/c++/4.6.0/bits/basic_string.h:232: undefined reference to `std::basic_string, std::allocator >::_Rep::_S_empty_rep_storage'
ex-cxx.o(.text+0x324):/usr/local/ashare/x86_64-linux/gcc-4.6-20100416/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.6.0/../../../../include/c++/4.6.0/bits/basic_string.h:232: undefined reference to `std::basic_string, std::allocator >::_Rep::_S_empty_rep_storage'
ex-cxx.o(.text+0x344): In function `main':
/usr/local/ashare/x86_64-linux/gcc-4.6-20100416/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.6.0/../../../../include/c++/4.6.0/bits/locale_facets.h:868: undefined reference to `std::ctype::_M_widen_init() const'
ex-cxx.o(.text+0x364):/usr/local/ashare/x86_64-linux/gcc-4.6-20100416/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.6.0/../../../../include/c++/4.6.0/bits/locale_facets.h:868: undefined reference to `std::ctype::_M_widen_init() const'
ex-cxx.o(.text+0x3c9): In function `main':
/usr/local/ashare/x86_64-linux/gcc-4.6-20100416/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.6.0/../../../../include/c++/4.6.0/bits/basic_string.h:232: undefined reference to `std::basic_string, std::allocator >::_Rep::_S_empty_rep_storage'

-------------------------------------------------------------------------------
- Nelson H. F. Beebe                    Tel: +1 801 581 5254                  -
- University of Utah                    FAX: +1 801 581 4148                  -
- Department of Mathematics, 110 LCB    Internet e-mail: beebe at math.utah.edu  -
- 155 S 1400 E RM 233                       beebe at acm.org  beebe at computer.org -
- Salt Lake City, UT 84112-0090, USA    URL: http://www.math.utah.edu/~beebe/  -
-------------------------------------------------------------------------------