From nmav at gnutls.org Sat Sep 12 11:56:47 2015
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 12 Sep 2015 11:56:47 +0200
Subject: [gnutls-help] gnutls 3.3.18
Message-ID: <1442051807.11698.0.camel@gnutls.org>
Hello,
I've just released gnutls 3.3.18. This is a bug-fix release on
the current stable branch.
* Version 3.3.18 (released 2015-09-12)
** libgnutls: When re-importing CRLs to a trust list ensure that there
are no duplicate entries.
** certtool: Removed any arbitrary limits imposed on input file sizes
and maximum number of certificates imported.
** API and ABI modifications:
No changes since last version.
Getting the Software
====================
GnuTLS may be downloaded directly from
. A list of GnuTLS mirrors can be
found at .
Here are the XZ and LZIP compressed sources:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.18.tar.xz
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.18.tar.lz
Here are OpenPGP detached signatures signed using key 0x96865171:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.18.tar.xz.sig
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.18.tar.lz.sig
Note that it has been signed with my openpgp key:
pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos gnutls.org>
uid Nikos Mavrogiannopoulos
gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]
regards,
Nikos
From nmav at gnutls.org Sat Sep 12 11:57:37 2015
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 12 Sep 2015 11:57:37 +0200
Subject: [gnutls-help] gnutls 3.4.5
Message-ID: <1442051857.11698.1.camel@gnutls.org>
Hello,
I've just released gnutls 3.4.5. This version fixes bugs and adds
minor features to the next stable branch.
* Version 3.4.5 (released 2015-09-12)
** libgnutls: When re-importing CRLs to a trust list ensure that there
are no duplicate entries.
** certtool: Removed any arbitrary limits imposed on input file sizes
and maximum number of certificates imported.
** certtool: Allow specifying fixed dates on CRL generation.
** gnutls-cli-debug: Added check for inappropriate fallback support
(RFC7507).
** API and ABI modifications:
No changes since last version.
Getting the Software
====================
GnuTLS may be downloaded directly from
. A list of GnuTLS mirrors can be
found at .
Here are the XZ and LZIP compressed sources:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.5.tar.xz
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.5.tar.lz
Here are OpenPGP detached signatures signed using key 0x96865171:
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.5.tar.xz.sig
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.5.tar.lz.sig
Note that it has been signed with my openpgp key:
pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos gnutls.org>
uid Nikos Mavrogiannopoulos
gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]
regards,
Nikos
From iyzsong at gmail.com Sat Sep 12 13:49:37 2015
From: iyzsong at gmail.com (宋文武)
Date: Sat, 12 Sep 2015 19:49:37 +0800
Subject: [gnutls-help] gnutls fail for cert-tests.pkcs7 when build with
libtans1-4.6.
In-Reply-To: <87oah7oqqq.fsf@gmail.com>
References: <87oah7oqqq.fsf@gmail.com>
Message-ID: <87lhcboo1a.fsf@gmail.com>
宋文武 writes:
> When updating libtasn1 from 4.5 to 4.6, gnutls fails to pass the
> cert-tests.pkcs7 test; I get:
> import error: ASN1 parser: Error in DER parsing.
>
> With libtasn1-4.5, the test does pass.
> Is this a known issue?
And the gnutls is 3.4.4.1.
From snover1992 at gmail.com Tue Sep 8 06:27:45 2015
From: snover1992 at gmail.com (Loc Vu)
Date: Tue, 8 Sep 2015 11:27:45 +0700
Subject: [gnutls-help] install gnutls fail in kali linux
Message-ID:
Hi. I have a problem when trying to install gnutls in Kali Linux.
In the configure process:
root@lco:~/Downloads/gnutls-3.4.4# ./configure
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... no
checking for mawk... mawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking whether make supports nested variables... (cached) yes
***
*** Checking for compilation programs...
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for Minix Amsterdam compiler... no
checking for ar... ar
checking for ranlib... ranlib
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking minix/config.h usability... no
checking minix/config.h presence... no
checking for minix/config.h... no
checking whether it is safe to define __EXTENSIONS__... yes
checking whether _XOPEN_SOURCE should be defined... no
checking for _LARGEFILE_SOURCE value needed for large files... no
checking for special C compiler options needed for large files... no
checking for _FILE_OFFSET_BITS value needed for large files... no
checking dependency style of gcc... gcc3
checking the archiver (ar) interface... ar
checking for g++... g++
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking dependency style of g++... gcc3
checking for bison... no
checking for byacc... no
checking for a sed that does not truncate output... /bin/sed
checking for autogen... /bin/true
configure: WARNING:
***
*** autogen not found. Will not link against libopts.
***
checking for inline... inline
checking for ANSI C header files... (cached) yes
checking cpuid.h usability... yes
checking cpuid.h presence... yes
checking for cpuid.h... yes
checking for getrandom... no
checking for getentropy... no
checking for NETTLE... no
configure: error:
***
*** Libnettle 3.1 was not found.
I have manually installed libnettle3.1 but it's still not found. My English
is not good, so I hope you can understand.
Thank you!
From iyzsong at gmail.com Sat Sep 12 12:51:09 2015
From: iyzsong at gmail.com (宋文武)
Date: Sat, 12 Sep 2015 18:51:09 +0800
Subject: [gnutls-help] gnutls fail for cert-tests.pkcs7 when build with
libtans1-4.6.
Message-ID: <87oah7oqqq.fsf@gmail.com>
When updating libtasn1 from 4.5 to 4.6, gnutls fails to pass the
cert-tests.pkcs7 test; I get:
import error: ASN1 parser: Error in DER parsing.
With libtasn1-4.5, the test does pass.
Is this a known issue?
From ludo at gnu.org Mon Sep 14 10:24:23 2015
From: ludo at gnu.org (Ludovic Courtès)
Date: Mon, 14 Sep 2015 10:24:23 +0200
Subject: [gnutls-help] gnutls fail for cert-tests.pkcs7 when build with
libtans1-4.6.
In-Reply-To: <87lhcboo1a.fsf@gmail.com> ("宋文武"'s
message of "Sat, 12 Sep 2015 19:49:37 +0800")
References: <87oah7oqqq.fsf@gmail.com> <87lhcboo1a.fsf@gmail.com>
Message-ID: <87lhc9v26g.fsf@gnu.org>
宋文武 wrote:
> 宋文武 writes:
>
>> When updating libtasn1 from 4.5 to 4.6, gnutls fails to pass the
>> cert-tests.pkcs7 test; I get:
>> import error: ASN1 parser: Error in DER parsing.
>>
>> With libtasn1-4.5, the test does pass.
>> Is this a known issue?
> And the gnutls is 3.4.4.1.
Same with GnuTLS 3.4.5 on libtasn1 4.6:
--8<---------------cut here---------------start------------->8---
import error: ASN1 parser: Error in DER parsing.
full.p7b: PKCS7 decoding failed
--8<---------------cut here---------------end--------------->8---
Ludo'.
From n.mavrogiannopoulos at gmail.com Mon Sep 14 12:17:30 2015
From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos)
Date: Mon, 14 Sep 2015 12:17:30 +0200
Subject: [gnutls-help] gnutls fail for cert-tests.pkcs7 when build with
libtans1-4.6.
In-Reply-To: <87oah7oqqq.fsf@gmail.com>
References: <87oah7oqqq.fsf@gmail.com>
Message-ID:
On Sat, Sep 12, 2015 at 12:51 PM, 宋文武 wrote:
> When updating libtasn1 from 4.5 to 4.6, gnutls fails to pass the
> cert-tests.pkcs7 test; I get:
> import error: ASN1 parser: Error in DER parsing.
> With libtasn1-4.5, the test does pass.
> Is this a known issue?
Thanks, that's not a known issue to me. Noted. For now I'd recommend
to stick with libtasn1 4.5, as I don't have many cycles to check it.
regards,
Nikos
From iyzsong at gmail.com Mon Sep 14 13:33:44 2015
From: iyzsong at gmail.com (宋文武)
Date: Mon, 14 Sep 2015 19:33:44 +0800
Subject: [gnutls-help] gnutls fail for cert-tests.pkcs7 when build with
libtans1-4.6.
In-Reply-To:
References: <87oah7oqqq.fsf@gmail.com>
Message-ID: <8737yhgrqf.fsf@gmail.com>
Nikos Mavrogiannopoulos writes:
> On Sat, Sep 12, 2015 at 12:51 PM, 宋文武 wrote:
>> When updating libtasn1 from 4.5 to 4.6, gnutls fails to pass the
>> cert-tests.pkcs7 test; I get:
>> import error: ASN1 parser: Error in DER parsing.
>> With libtasn1-4.5, the test does pass.
>> Is this a known issue?
>
> Thanks, that's not a known issue to me. Noted. For now I'd recommend
> to stick with libtasn1 4.5, as I don't have many cycles to check it.
Got it, Thanks!
From jonetsu at teksavvy.com Mon Sep 14 20:29:36 2015
From: jonetsu at teksavvy.com (jonetsu)
Date: Mon, 14 Sep 2015 14:29:36 -0400
Subject: [gnutls-help] Use of autogen ?
Message-ID: <628371a16f3b90e7d155f3680aec3377@teksavvy.com>
I am trying to build the recent Debian GnuTLS package 3.3.17 on a somewhat older Debian system. It needs autogen which in turn needs Guile. Guile brings an awful lot of dependency problems. As far as I can see, autogen is used to process large amounts of text. Is it needed by GnuTLS apart from, I presume, documentation purposes?
Thanks.
From nmav at gnutls.org Tue Sep 15 12:55:29 2015
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 15 Sep 2015 12:55:29 +0200
Subject: [gnutls-help] Use of autogen ?
In-Reply-To: <628371a16f3b90e7d155f3680aec3377@teksavvy.com>
References: <628371a16f3b90e7d155f3680aec3377@teksavvy.com>
Message-ID:
On Mon, Sep 14, 2015 at 8:29 PM, jonetsu wrote:
> I am trying to build the recent Debian GnuTLS package 3.3.17 on a somewhat older Debian system. It needs autogen which in turn needs Guile. Guile brings an awful lot of dependency problems. As far as I can see, autogen is used to process large amounts of text. Is it needed by GnuTLS apart from, I presume, documentation purposes?
You don't need autogen to build the releases of gnutls. It is only
needed if you are building from the git repository.
regards,
Nikos
From jonetsu at teksavvy.com Mon Sep 21 17:27:33 2015
From: jonetsu at teksavvy.com (jonetsu)
Date: Mon, 21 Sep 2015 11:27:33 -0400
Subject: [gnutls-help] make check errors in system running FIPS mode
Message-ID:
Hello,
A large number of failures are reported during the tests when they are done with the kernel being in FIPS mode and the file /etc/system-fips exists. The same compile done without these two does not report any error.
Is there a setup to be made to run these tests when in FIPS mode? Does this involve the DNSSEC warning shown at the end of the configure script?
Thanks !
% ./configure --enable-fips140-mode
% make
% make check
Testsuite summary for GnuTLS 3.3.16
# TOTAL: 88
# PASS:  2
# SKIP:  4
# XFAIL: 0
# FAIL:  82
# XPASS: 0
# ERROR: 0
configure: summary of build options:
  version:              3.3.16 shared 69:8:41
  Host/Target system:   armv7l-unknown-linux-gnueabihf
  Build system:         armv7l-unknown-linux-gnueabihf
  Install prefix:       /usr/local
  Compiler:             gcc
  CFlags:               -g -O2
  Library types:        Shared=yes, Static=no
  Local libopts:        yes
  Local libtasn1:       yes
  Use nettle-mini:      no
  nettle-version:       2.7.1
configure: External hardware support:
  /dev/crypto:          no
  Hardware accel:       none
  Padlock accel:        yes
  PKCS#11 support:      no
  TPM support:          no
configure: Optional features:
(note that included applications might not compile properly
if features are disabled)
  DTLS-SRTP support:    yes
  ALPN support:         yes
  OCSP support:         yes
  Ses. ticket support:  yes
  OpenPGP support:      yes
  SRP support:          yes
  PSK support:          yes
  DHE support:          yes
  ECDHE support:        yes
  RSA-EXPORT support:   yes
  Anon auth support:    yes
  Heartbeat support:    yes
  Unicode support:      yes
  Self checks:          yes
  Non-SuiteB curves:    yes
  FIPS140 mode:         yes
configure: Optional applications:
  crywrap app:          no
configure: Optional libraries:
  Guile wrappers:       no
  C++ library:          yes
  DANE library:         no
  OpenSSL compat:       yes
configure: System files:
  Trust store pkcs11:
  Trust store dir:
  Trust store file:     /etc/ssl/certs/ca-certificates.crt
  Blacklist file:
  CRL file:
  Priority file:        /etc/gnutls/default-priorities
  DNSSEC root key file: /etc/unbound/root.key
configure: WARNING:
***
*** The DNSSEC root key file in /etc/unbound/root.key was not found.
*** This file is needed for the verification of DNSSEC responses.
*** Use the command: unbound-anchor -a "/etc/unbound/root.key"
*** to generate or update it.
***
From nmav at gnutls.org Tue Sep 22 08:24:00 2015
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 22 Sep 2015 08:24:00 +0200
Subject: [gnutls-help] make check errors in system running FIPS mode
In-Reply-To:
References:
Message-ID:
On Mon, Sep 21, 2015 at 5:27 PM, jonetsu wrote:
> Hello,
> A large number of failures are reported during the tests when they are done with the kernel being in FIPS mode and the file /etc/system-fips exists. The same compile done without these two does not report any error.
> Is there a setup to be made to run these tests when in FIPS mode ? Does this involve the DNSSEC warning shown at the end of the configure script ?
In FIPS140-2 mode the library must have integrity tests, and if these
are not present it will fail to load. You may use the environment
variable GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS (set to 1), to skip these
tests.
regards,
Nikos
From jonetsu at teksavvy.com Tue Sep 22 15:51:33 2015
From: jonetsu at teksavvy.com (jonetsu)
Date: Tue, 22 Sep 2015 09:51:33 -0400
Subject: [gnutls-help] make check errors in system running FIPS mode
In-Reply-To:
References:
Message-ID: <34bd3c0918fce7bca2adb5fe3bb2b5dd@teksavvy.com>
> From: "Nikos Mavrogiannopoulos"
> Date: 09/22/15 02:24
> In FIPS140-2 mode the library must have integrity tests, and if these
> are not present it will fail to load. You may use the environment
> variable GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS (set to 1), to skip these
> tests.
Thanks. OTOH, the interest is to have the test succeed. I have looked into the INSTALL file and the user guide but did not find anything about running integrity tests, howto setup for them, etc. In fips-test.c there is a mention:
fprintf(stderr,
"Please note that if in FIPS140 mode, you need to assure the library's integrity prior to running this test\n");
How are these integrity tests run? Is there documentation about them?
Thanks.
From max.bruce12 at gmail.com Tue Sep 22 23:37:52 2015
From: max.bruce12 at gmail.com (Max Bruce)
Date: Tue, 22 Sep 2015 14:37:52 -0700
Subject: [gnutls-help] GNUTLS_E_PULL_ERROR in gnutls_record_recv
Message-ID:
I can't find online what it means, and the name is not very specific. It's
not consistent, if I restart the server several times, it'll work
eventually for a while. TCP is all fine, and the handshake works fine. When
I write a HTTP request over gnutls-cli, it doesn't throw any errors until
the connection times out, but my server throws this after receiving a
STDIN(it's all non blocking IO).
Code:
int i = gnutls_record_recv(sessiond, ra, size);
if(i < 0) {
    free(ra);
    errno = i;
    return NULL;
}
It seems to have started after we tested this on a Debian box, rather than
an Ubuntu one. No code has changed, and the GNUTLS & supporting library
version are the same.
--
Thanks,
Max Bruce
www.avuna.org
From testuser448 at gmail.com Tue Sep 22 23:26:24 2015
From: testuser448 at gmail.com (Test User)
Date: Tue, 22 Sep 2015 21:26:24 +0000 (UTC)
Subject: [gnutls-help] Failure building v3.3.18 on MinGW: undefned
reference to rpl_fseek
Message-ID:
make[4]: Entering directory `/c/data/open_source/gnutls-3.3.18-build/lib'
CC system.lo
CCLD libgnutls.la
opencdk/.libs/libminiopencdk.a(armor.o): In function `armor_decode':
c:\data\open_source\gnutls-3.3.18-build\lib\opencdk/../../../gnutls-3.3.18/lib/opencdk/armor.c:232: undefined reference to `rpl_fseek'
opencdk/.libs/libminiopencdk.a(stream.o): In function `cdk_stream_seek':
c:\data\open_source\gnutls-3.3.18-build\lib\opencdk/../../../gnutls-3.3.18/lib/opencdk/stream.c:1081: undefined reference to `rpl_fseek'
collect2.exe: error: ld returned 1 exit status
I understand that the system is trying to replace fseek with rpl_fseek,
but where is the definition of rpl_fseek?
From nmav at gnutls.org Wed Sep 23 13:01:46 2015
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 23 Sep 2015 13:01:46 +0200
Subject: [gnutls-help] Failure building v3.3.18 on MinGW: undefned
reference to rpl_fseek
In-Reply-To:
References:
Message-ID:
On Tue, Sep 22, 2015 at 11:26 PM, Test User wrote:
> make[4]: Entering directory `/c/data/open_source/gnutls-3.3.18-build/lib'
> CC system.lo
> CCLD libgnutls.la
> opencdk/.libs/libminiopencdk.a(armor.o): In function `armor_decode':
> c:\data\open_source\gnutls-3.3.18-build\lib\opencdk/../../../gnutls-3.3.18/lib/opencdk/armor.c:232: undefined reference to `rpl_fseek'
> opencdk/.libs/libminiopencdk.a(stream.o): In function `cdk_stream_seek':
> c:\data\open_source\gnutls-3.3.18-build\lib\opencdk/../../../gnutls-3.3.18/lib/opencdk/stream.c:1081: undefined reference to `rpl_fseek'
> collect2.exe: error: ld returned 1 exit status
> I understand that the system is trying to replace fseek with rpl_fseek,
> but where is the definition of rpl_fseek?
That is most likely a bug in gnulib. It tried to replace fseek in your
system even though there is no fseek module in gnutls. What does
gl/stdio.h contain in your system? Most likely you'll need to remove
the following lines from it:
# undef fseek
# define fseek rpl_fseek
regards,
Nikos
From nmav at gnutls.org Wed Sep 23 13:05:10 2015
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 23 Sep 2015 13:05:10 +0200
Subject: [gnutls-help] GNUTLS_E_PULL_ERROR in gnutls_record_recv
In-Reply-To:
References:
Message-ID:
On Tue, Sep 22, 2015 at 11:37 PM, Max Bruce wrote:
> I can't find online what it means, and the name is not very specific. It's
> not consistent, if I restart the server several times, it'll work eventually
> for a while. TCP is all fine, and the handshake works fine. When I write a
> HTTP request over gnutls-cli, it doesn't throw any errors until the
> connection times out, but my server throws this after receiving a STDIN(it's
> all non blocking IO).
> Code:
> int i = gnutls_record_recv(sessiond, ra, size);
> if(i < 0) {
>     free(ra);
>     errno = i;
>     return NULL;
> }
> It seems to have started after we tested this on a Debian box, rather than
> an Ubuntu one. No code has changed, and the GNUTLS & supporting library
> version are the same.
A pull error is an error in recv(). You can use the debugging
information provided by gnutls (e.g., via setting the env variable
GNUTLS_DEBUG_LEVEL) to get more information on the failure. I'd also
recommend to check the gnutls manual at: www.gnutls.org/manual
regards,
Nikos
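[Added example, not part of the original thread and not GnuTLS code.] Since a pull error is an error in recv(), the sketch below wraps the recv() behind a pull callback so the real errno is logged and would-block results on a non-blocking socket are kept apart from genuine failures. All function and enum names are hypothetical, the transport pointer is assumed to point at the socket descriptor, and a constructed non-blocking socketpair stands in for the TCP connection.

```c
/* Added example; every name below is hypothetical, none of it is GnuTLS code. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

enum pull_outcome {
    PULL_DATA,  /* bytes were read */
    PULL_EOF,   /* peer closed the connection */
    PULL_RETRY, /* EAGAIN/EWOULDBLOCK/EINTR: wait until readable, call again */
    PULL_FATAL  /* any other errno: the case reported as GNUTLS_E_PULL_ERROR */
};

/* Same argument shape as a GnuTLS pull callback. Assumption: the transport
 * pointer points at an int holding the socket descriptor. */
ssize_t logging_pull(void *transport, void *buf, size_t len)
{
    int fd = *(int *)transport;
    ssize_t n = recv(fd, buf, len, 0);
    if (n < 0) {
        int saved = errno; /* capture the real cause before it is overwritten */
        if (saved != EAGAIN && saved != EWOULDBLOCK && saved != EINTR)
            fprintf(stderr, "pull: recv(fd=%d): %s (errno %d)\n",
                    fd, strerror(saved), saved);
        errno = saved;     /* restore it for whoever inspects errno next */
    }
    return n;
}

enum pull_outcome classify_pull(ssize_t n, int err)
{
    if (n > 0) return PULL_DATA;
    if (n == 0) return PULL_EOF;
    if (err == EAGAIN || err == EWOULDBLOCK || err == EINTR) return PULL_RETRY;
    return PULL_FATAL;
}

/* One pull on fd, classified; *got receives the raw recv() result. */
enum pull_outcome pull_once(int fd, void *buf, size_t len, ssize_t *got)
{
    errno = 0;
    ssize_t n = logging_pull(&fd, buf, len);
    int err = errno;
    if (got) *got = n;
    return classify_pull(n, err);
}

/* Constructed scenario: sv[0] is the non-blocking "server" end. */
int make_nonblocking_pair(int sv[2])
{
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    return fcntl(sv[0], F_SETFL, fcntl(sv[0], F_GETFL, 0) | O_NONBLOCK);
}

int main(void)
{
    static const char *names[] = { "data", "eof", "retry", "fatal" };
    int sv[2]; char buf[64]; ssize_t got;
    if (make_nonblocking_pair(sv) != 0) return 1;
    printf("empty socket: %s\n", names[pull_once(sv[0], buf, sizeof buf, &got)]);
    if (write(sv[1], "GET / HTTP/1.1\r\n", 16) != 16) return 1;
    printf("after write : %s\n", names[pull_once(sv[0], buf, sizeof buf, &got)]);
    close(sv[1]);
    printf("peer closed : %s\n", names[pull_once(sv[0], buf, sizeof buf, &got)]);
    close(sv[0]);
    printf("closed fd   : %s\n", names[pull_once(sv[0], buf, sizeof buf, &got)]);
    return 0;
}
```

In a real server a callback of this shape would be registered with gnutls_transport_set_pull_function(); the retry case corresponds to gnutls_record_recv() returning GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, which is not a failure on non-blocking I/O.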
From nmav at gnutls.org Wed Sep 23 13:06:45 2015
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 23 Sep 2015 13:06:45 +0200
Subject: [gnutls-help] make check errors in system running FIPS mode
In-Reply-To: <34bd3c0918fce7bca2adb5fe3bb2b5dd@teksavvy.com>
References:
<34bd3c0918fce7bca2adb5fe3bb2b5dd@teksavvy.com>
Message-ID:
On Tue, Sep 22, 2015 at 3:51 PM, jonetsu wrote:
>> From: "Nikos Mavrogiannopoulos"
>> Date: 09/22/15 02:24
>
>> In FIPS140-2 mode the library must have integrity tests, and if these
>> are not present it will fail to load. You may use the environment
>> variable GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS (set to 1), to skip these
>> tests.
> Thanks. OTOH, the interest is to have the test succeed. I have looked into the INSTALL file and the user guide but did not find anything about running integrity tests, howto setup for them, etc. In fips-test.c there is a mention:
> fprintf(stderr,
> "Please note that if in FIPS140 mode, you need to assure the library's integrity prior to running this test\n");
> How are these integrity tests run ? Is there documentation about them ?
They are run on the gnutls global initializer. There is no
documentation for the FIPS140 operations. It affects too few people to
make sense writing it. Unless there is someone contributing that
documentation I don't think that this will change soon.
regards,
Nikos
From jonetsu at teksavvy.com Wed Sep 23 17:54:31 2015
From: jonetsu at teksavvy.com (jonetsu)
Date: Wed, 23 Sep 2015 11:54:31 -0400
Subject: [gnutls-help] make check errors in system running FIPS mode
In-Reply-To:
References:
<34bd3c0918fce7bca2adb5fe3bb2b5dd@teksavvy.com>
Message-ID: <4b1d6a3ead2c088bbc1a1f6a350c4ff1@teksavvy.com>
> From: "Nikos Mavrogiannopoulos"
> Date: 09/23/15 07:06
> They are run on the gnutls global initializer. There is no
> documentation for the FIPS140 operations. It affects too few people to
> make sense writing it. Unless there is someone contributing that
> documentation I don't think that this will change soon.
What is meant exactly by 'run on the gnutls global initializer' ?
How can we apply this knowledge to running the tests ?
If we do not want to skip the FIPS tests and have them hopefully succeed, does this mean that we have to go on a test per test basis, see what it does, then see how it can actually be run (does it need to connect to something else, etc...). Isn't there any high level overview like a setup to be done prior to running the tests? Are the tests self-contained or do they need to use external sources? Does gnutls have to be installed (make install) before running them?
Thanks.
From jonetsu at teksavvy.com Fri Sep 25 17:32:23 2015
From: jonetsu at teksavvy.com (jonetsu)
Date: Fri, 25 Sep 2015 11:32:23 -0400
Subject: [gnutls-help] How to run the test suite in FIPS mode ?
Message-ID: <548cc23ef3da3f6ee2a1b439cbd9fff1@teksavvy.com>
Hello,
Following on the recent thread, I would like to know how to run the tests after a successful compile while in FIPS mode. Currently there are over 80 failures when running 'make check' so something is wrong.
Thanks.