Cannot build gnutls from source: picks the wrong libnettle

Hello,

I am trying to build latest gnutls from source, and I encounter an issue. My system is Ubuntu Precise.

I have installed all dependencies as described in README-alpha.
In addition, I have built from source and installed under my home folder the latest automake and nettle.

[Side comment, when I ran "make bootstrap" I encountered an issue already reported here about missing
src/libopts/Makefile.in, and I had to run "autoreconf -fvi" to fix it. Is it normal? It could be worth
writing this in the README-alpha file...]

I am now encountering an error when I try to make GNUTLS:
make[4]: Entering directory `/home/thedoc/sources/gnutls-latest/src/crywrap'
  CC       crywrap.o
crywrap.c: In function '_crywrap_do_one':
crywrap.c:867:9: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
crywrap.c:868:9: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
crywrap.c: In function '_crywrap_setup_pidfile':
crywrap.c:819:10: warning: ignoring return value of 'fchown', declared with attribute
warn_unused_result [-Wunused-result]
crywrap.c:823:9: warning: ignoring return value of 'write', declared with attribute
warn_unused_result [-Wunused-result]
  CCLD     crywrap
../../lib/.libs/libgnutls.so: undefined reference to `nettle_rsa_pkcs1_sign_tr'
../../lib/.libs/libgnutls.so: undefined reference to `nettle_umac96_set_key'
../../lib/.libs/libgnutls.so: undefined reference to `nettle_sha512_digest'
../../lib/.libs/libgnutls.so: undefined reference to `nettle_sha384_init'
../../lib/.libs/libgnutls.so: undefined reference to `nettle_md5_digest'
../../lib/.libs/libgnutls.so: undefined reference to `nettle_gcm_encr

gnutls compile error with custom application

_______________________________________________
Gnutls-help mailing list
Gnutls-help <at> lists.gnutls.org
http://lists.gnupg.org/mailman/listinfo/gnutls-help

Disable anti-replay protection in DTLS ?

Hello,

I am looking at implementing DTLS over SCTP (as per RFC 6083) in my application, and I noticed that one of the
requirements is to disable the anti-replay protection, as the higher layer expects reliable delivery
above SCTP link. Could you tell me if this can be done with GNUTLS ? I was not able to find any information in
gnutls manual about this feature.

I also noticed that the retransmissions must be disabled for the handshake protocol, I think this can be
done with gnutls_heartbeat_set_timeouts by setting a retrains_timeout greater than the
total_timeout; can you confirm?

Thank you in advance!

Best regards,
Sebastien.

DLTS/SCTP (RFC6083) support?

Hello,

I would like to know if anyone has implemented DTLS over SCTP with GnuTLS, or at least had a look at RFC6083 ?
Would you have any advice about the amount of work that will be required to support this mechanism ?

Thank you in advance for any information!
Best regards,
Sébastien

_______________________________________________
Gnutls-help mailing list
Gnutls-help <at> lists.gnutls.org
http://lists.gnupg.org/mailman/listinfo/gnutls-help

gnutls 3.1.12

Hello,
 I've just released gnutls 3.1.12. This is a bug-fix release on the 3.1
stable branch.

* Version 3.1.12 (released 2013-06-01)

** libgnutls: Allow ECC when in SSL 3.0 to work-around a bug in certain
openssl versions.

** libgnutls: Fixes in interrupted function resumption. Report
and patch by Tim Kosse.

** libgnutls: gnutls_handshake_get_last_in() was fixed. Reported
by Mann Ern Kang.

** API and ABI modifications:
No changes since last version.

Getting the Software
====================

GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/≥.  A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>.

Here are the XZ and LZIP compressed sources:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.12.tar.xz
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.12.tar.lz

Here are OpenPGP detached signatures signed using key 0x96865171:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.12.tar.xz.sig
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.12.tar.lz.sig

Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid                  Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at>
gmail.com>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos

gnutls 3.0.30

Hello,
 I've just released gnutls 3.0.30. This is a bug-fix release on the
previous stable branch.

* Version 3.0.30 (released 2013-06-01)

** libgnutls: Allow ECC when in SSL 3.0 to work-around a bug in certain
openssl versions.

** libgnutls: When in compatibility mode allow for a wrong version in
the RSA PMS.

** libgnutls: gnutls_handshake_get_last_in() was fixed. Reported
by Mann Ern Kang.

** API and ABI modifications:
No changes since last version.

Getting the Software
====================

GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/≥.  A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>.

Here are the XZ and LZIP compressed sources:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.0/gnutls-3.0.30.tar.xz
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.0/gnutls-3.0.30.tar.lz

Here are OpenPGP detached signatures signed using key 0x96865171:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.0/gnutls-3.0.30.tar.xz.sig
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.0/gnutls-3.0.30.tar.lz.sig

Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid                  Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at>
gmail.com>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos

openpgp and gnutls_privkey_import_openpgp

hi all,

what is proper use of gnutls_privkey_import_openpgp, please?

I have a playground application to examine gnutls as a potential backend
for new Qore language module and I'm getting crashes in nettle when I
try to decrypt data.

Is there any public implementation of this functionality I can look
into? Any hints?

thanks,
petr vanek

selfcompiled gnutls-3.2.0, nettle-2.7; OS used: opensuse 12.3.

gnutls_global_init() is called in main(), also:
    gnutls_global_set_log_level(9);
    gnutls_global_set_log_function(log_func); // log_func is basically
printf("LOG> %d: %s", level, msg);

test_decrypt(273): 0 GNUTLS_E_SUCCESS = Success. <-- result of     res =
gnutls_privkey_init(&privkey);
test_decrypt(276): 0 GNUTLS_E_SUCCESS = Success. <--     res =
gnutls_openpgp_privkey_init(&pgppriv);
LOG> 2: ASSERT: stream.c:1035
test_decrypt(284): 0 GNUTLS_E_SUCCESS = Success. <--     res =
gnutls_openpgp_privkey_import(pgppriv, &data, GNUTLS_OPENPGP_FMT_BASE64,
"n/a for now", 0); // the ASCII armored key is in data
LOG> 2: ASSERT: privkey.c:1249
LOG> 2: ASSERT: privkey.c:1249
test_decrypt(287): 0 GNUTLS_E_SUCCESS = Success. <-- res =
gnutls_privkey_import_openpgp(privkey, pgppriv, 0);
LOG> 2: ASSERT: privkey.c:1249                <-- calling of res =
gnutls_privkey_decrypt_data(privkey, 0, &ciphertext, &plaintext);
LOG> 9: Decrypting using master PGP key
LOG> 2: ASSERT: privkey.c:1249
LOG> 2: ASSERT: pubkey.c:291
LOG> 2: ASSERT: pgp.c:1228
LOG> 2: ASSERT: privkey.c:838

Program received signal SIGSEGV, Segmentation fault.
wrap_nettle_mpi_clear (a=0x0) at mpi.c:220
220       memset(TOMPZ(a)[0]._mp_d, 0,
TOMPZ(a)[0]._mp_alloc*sizeof(mp_limb_t));
(gdb) bt
#0  wrap_nettle_mpi_clear (a=0x0) at mpi.c:220
#1  0x00007ffff7b078e7 in gnutls_pk_params_clear (p=p <at> entry=0x7fffffffdb60)
    at gnutls_pk.c:223
#2  0x00007ffff7b8551e in _gnutls_openpgp_privkey_get_mpis (
    pkey=pkey <at> entry=0x60dbd0, keyid=keyid <at> entry=0x0,
    params=params <at> entry=0x7fffffffdb60) at privkey.c:856
#3  0x00007ffff7b868db in _gnutls_openpgp_privkey_decrypt_data
(key=0x60dbd0,
    flags=<optimized out>, ciphertext=0x7fffffffdc40,
plaintext=0x7fffffffdc50)
    at privkey.c:1449
#4  0x00000000004022c9 in test_decrypt (bn=0x62c310)
    at ../qore-gnutls/main.cpp:295
#5  0x0000000000401f94 in test_encrypt () at ../qore-gnutls/main.cpp:252
#6  0x000000000040240f in main () at ../qore-gnutls/main.cpp:375

the code is:

#define QERRCHECK(err) \
    printf("%s(%d): %d %s = %s\n", __FUNCTION__, __LINE__, res,
gnutls_strerror_name(res), gnutls_strerror(res)); \
    if ((err) != 0) { \
        printf("ERROR: %s\n", gnutls_error_is_fatal((res)) ? "FATAL" :
"regular"); \
        return; \
    }

void test_decrypt(BinaryNode *bn) {
    int res;

    gnutls_privkey_t privkey;
    gnutls_openpgp_privkey_t pgppriv;

    res = gnutls_privkey_init(&privkey);
    QERRCHECK(res);

    res = gnutls_openpgp_privkey_init(&pgppriv);
    QERRCHECK(res);

    gnutls_datum_t data;
    data.data = (unsigned char*)privkeyTxt;
    data.size = sizeof(privkeyTxt);

    res = gnutls_openpgp_privkey_import(pgppriv, &data,
GNUTLS_OPENPGP_FMT_BASE64, "n/a for now", 0);
    QERRCHECK(res);

    res = gnutls_privkey_import_openpgp(privkey, pgppriv, 0);
    QERRCHECK(res);

    //gnutls_privkey_set_pin_function(privkey, test_decrypt_callback,
NULL); // TODO: context data

    gnutls_datum_t plaintext;
    gnutls_datum_t ciphertext;
    ciphertext.data = (unsigned char*)bn->getPtr();
    ciphertext.size = bn->size();
    res = gnutls_privkey_decrypt_data(privkey, 0, &ciphertext, &plaintext);
    QERRCHECK(res);

    gnutls_openpgp_privkey_deinit(pgppriv);
    gnutls_privkey_deinit(privkey);
}

on finding nettle under /usr/local rather than under /usr (GNU+Linux 64-bit system)

Ciao,

  I am trying to install  Gnutls 3.2.0 on a GNU+Linux 64-bit
system with  Slackware's Nettle  2.5 installed  under "/usr"
and my own installation of Nettle 2.7.1 under "/usr/local".

  I can do:

   $ /sbin/ldconfig -p | grep nettle
   libnettle.so.4 (libc6,x86-64) => /usr/local/lib/libnettle.so.4
   libnettle.so.4 (libc6,x86-64) => /usr/lib64/libnettle.so.4
   libnettle.so (libc6,x86-64) => /usr/local/lib/libnettle.so
   libnettle.so (libc6,x86-64) => /usr/lib64/libnettle.so

so I  would expect Gnutls's building  infrastructure to find
the correct version, but instead  it does not happen.  I can
also do:

   $ pkg-config nettle --libs
   -L/usr/local/lib -lnettle
   $ pkg-config nettle --cflags
   -I/usr/local/include
   $ pkg-config libtasn1 --libs
   -L/usr/local/lib -ltasn1
   $ pkg-config libtasn1 --cflags
   -I/usr/local/include

  If I just do:

   $ ./configure

the build starts and it seems to find the right Nettle:

   $ grep nettle config.log
   configure:8886: checking whether to use nettle
   configure:9384: checking for libnettle
   configure:9406: gcc -std=gnu99 -o conftest -g -O2 -L/usr/local/lib conftest.c
/usr/local/lib/libnettle.so /usr/local/lib/libhogweed.so -lgmp -Wl,-rpath -Wl,/usr/local/lib >&5
   configure:9423: checking how to link with libnettle
   configure:9425: result: /usr/local/lib/libnettle.so /usr/local/lib/libhogweed.so -lgmp
-Wl,-rpath -Wl,/usr/local/lib
   config.status:3259: creating lib/nettle/Makefile
   ac_cv_libnettle=yes
   LIBNETTLE='/usr/local/lib/libnettle.so /usr/local/lib/libhogweed.so -lgmp -Wl,-rpath -Wl,/usr/local/lib'
   LTLIBNETTLE='-L/usr/local/lib -lnettle -L/usr/local/lib -lhogweed -lgmp -R/usr/local/lib'

but then  "make" will fail  because the old Nettle  does not
have the needed  functions ("nettle_umac_*", "nettle_ecc_*",
etc.); and after building fails I see:

   $ ldd lib/.libs/libgnutls.so
   linux-vdso.so.1 (0x00007fff1730b000)
   libz.so.1 => /usr/lib64/libz.so.1 (0x00007ff2c771d000)
   libp11-kit.so.0 => /usr/lib64/libp11-kit.so.0 (0x00007ff2c750b000)
   libtasn1.so.6 => /usr/local/lib/libtasn1.so.6 (0x00007ff2c72f8000)
   libnettle.so.4 => /usr/lib64/libnettle.so.4 (0x00007ff2c70d3000)
   libhogweed.so.2 => /usr/lib64/libhogweed.so.2 (0x00007ff2c6ec0000)
   libgmp.so.10 => /usr/lib64/libgmp.so.10 (0x00007ff2c6c54000)
   libc.so.6 => /lib64/libc.so.6 (0x00007ff2c6867000)
   libdl.so.2 => /lib64/libdl.so.2 (0x00007ff2c6662000)
   libpthread.so.0 => /lib64/libpthread.so.0 (0x00007ff2c6446000)
   /lib64/ld-linux-x86-64.so.2 (0x00007ff2c7c3a000)

so libtasn1 is correctly found but Nettle... I dunno.

  The same happens if I do:

   $ ./configure LDFLAGS=-L/usr/local/lib

  If I do:

   $ ./configure --with-libnettle-prefix=/usr/local
   ...
   checking whether to use nettle... yes
   checking for libnettle... no
   configure: error:
   ***
   *** Libnettle 2.7 was not found. Note that you must compile nettle with gmp support.

and:

   $ grep nettle config.log
   config.log:7: $ ./configure --with-libnettle-prefix=/usr/local
   config.log:595:configure:8886: checking whether to use nettle
   config.log:597:configure:9384: checking for libnettle
   config.log:598:configure:9406: gcc -std=gnu99 -o conftest -g -O2 conftest.c -lnettle -lhogweed -lgmp >&5
   config.log:600:/home/marco/var/build/lib/gnutls-3.2.0/conftest.c:35: undefined reference to `nettle_umac96_set_nonce'
   config.log:634:| #include <nettle/umac.h>
   config.log:638:| nettle_umac96_set_nonce (0,0,0)
   config.log:645: *** Libnettle 2.7 was not found. Note that you must compile nettle with gmp support.
   config.log:713:ac_cv_libnettle=no

and I see that "/usr/local/lib" is not used.

  It seems to me that the distributed "configure.ac" file is
not the one used to generate "configure"; is this weird?

  I need some help.

TIA
--

-- 
"Now feel the funk blast!"
Rage Against the Machine - "Calm like a bomb"

https://archive.org

Hello,

I tried gnutls 3.1 and 3.2.0 on https://archive.org (with wget and gnutls-cli),
and both give me:
Connecting to www.archive.org|207.241.224.2|:443... connected.
GnuTLS: Could not negotiate a supported cipher suite.
Unable to establish SSL connection.

Enabling "EXPORT" in --priority (a friend helped me with that), made gnutls
choose:
|<3>| HSK[0x7a9ec0]: Selected cipher suite: RSA_AES_128_CBC_SHA1

But with openssl all just works, and chooses:
TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA

Any idea?

Regards,
Lluís.

Which CA Management Software Are Based On Last Stable GnuTLS

Hi,

Which CA Management software are based on last stable release of
GnuTLS ?

gnoMint was last released on Aug, 2010.
http://gnomint.sf.net/

Its missing many many newer features which exist today.

Want to create+use+support : newer algorithms, ciphers, etc based
certs, OCSP, DANE (DNSSEC) authentication, more bits, etc.

Last stable GnuTLS supports DANE (DNSSEC) protocols.

And want to know,
which CA Mgmt softwr can verify and indicate IF a Cert's/Key's
authenticity (and chain of Cert's authenticity) was
checked/done/passed more correctly OR not, ... (by obtaining
cert's/key's hash/checksum or full cert from domain-name's owner
approved/declared DNS records, like: TLSA, CERT, etc, using DANE
(DNSSEC) and other PKIX protocols/standards).

Thanks in advance,
-- Bright Star (Bry8Star).

_______________________________________________
Gnutls-help mailing list
Gnutls-help <at> lists.gnutls.org
http://lists.gnupg.org/mailman/listinfo/gnutls-help

gnutls 3.2.0

Hello,
 I've just released gnutls 3.2.0. This release significantly
improves the performance of gnutls in two ways. The new elliptic curve
implementation of nettle 2.7 is used which improves performance by a
factor of 2 (thanks to Niels Moeller), and on the ciphersuite level
the (currently) private ciphersuites with Salsa20 and UMAC-96 are
defined, giving a performance boost compared to any ARCFOUR or AES 
based ciphersuites. The new ciphersuites also provide a solution to the
recent attacks in TLS that compromise the security of CBC-based
ciphersuites and ARCFOUR. Note that since these are private --i.e.,
gnutls-specific-- ciphersuites they are not enabled by default.

In addition on this release all support for the so-called EXPORT
ciphersuites is dropped.

* Version 3.2.0 (released 2013-05-10)

** libgnutls: Use nettle's elliptic curve implementation.

** libgnutls: Added Salsa20 cipher

** libgnutls: Added UMAC-96 and UMAC-128

** libgnutls: Added ciphersuites involving Salsa20 and UMAC-96.
As they are not standardized they are defined using private ciphersuite 
numbers.

** libgnutls: Added support for DTLS 1.2.

** libgnutls: Added support for the Application Layer Protocol
Negotiation (ALPN) extension.

** libgnutls: Removed support for the RSA-EXPORT ciphersuites.

** libgnutls: Avoid linking to librt (that also avoids unnecessary
linking to pthreads if p11-kit isn't used).

** API and ABI modifications:
gnutls_cipher_get_iv_size: Added
gnutls_hmac_set_nonce: Added
gnutls_mac_get_nonce_size: Added

Getting the Software
====================

GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/≥.  A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>.

Here are the XZ and LZIP compressed sources:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.0.tar.xz
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.0.tar.lz

Here are OpenPGP detached signatures signed using key 0x96865171:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.0.tar.xz.sig
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.0.tar.lz.sig

Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid                  Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at>
gmail.com>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos