[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, master, updated. gnutls_3_0_0-109-g7f97d06
|
From: |
Nikos Mavrogiannopoulos |
|
Subject: |
[SCM] GNU gnutls branch, master, updated. gnutls_3_0_0-109-g7f97d06 |
|
Date: |
Wed, 24 Aug 2011 19:32:52 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=7f97d06161f257b0bb8b1106d1b64cbb58d29a3c
The branch, master has been updated
via 7f97d06161f257b0bb8b1106d1b64cbb58d29a3c (commit)
via 7b74c80ed124af1de0d2d52f3c3b80d36b3a97bc (commit)
via c9cbbb5fd29dd1ab338a20487360cb6c36e73a6c (commit)
from 08d1b02784517fbe5353e2732cd1937ae9b35bb7 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
doc/cha-auth.texi | 2 +-
doc/cha-cert-auth.texi | 19 ++++++++-----------
doc/cha-gtls-app.texi | 8 ++++----
doc/cha-intro-tls.texi | 12 ++++--------
doc/examples/ex-cert-select-pkcs11.c | 3 +--
doc/examples/ex-client-srp.c | 1 -
doc/examples/ex-serv-srp.c | 1 -
doc/latex/gnutls.tex | 2 ++
lib/gnutls_buffers.c | 8 +++++---
lib/gnutls_pubkey.c | 24 +++++++++++-------------
lib/gnutls_record.c | 15 +++++++--------
11 files changed, 43 insertions(+), 52 deletions(-)
diff --git a/doc/cha-auth.texi b/doc/cha-auth.texi
index c7d4dfe..78bcfc3 100644
--- a/doc/cha-auth.texi
+++ b/doc/cha-auth.texi
@@ -397,7 +397,7 @@ with the credential types is shown in
@ref{tab:key-exchange-cred}.
@item @code{KX_SRP_RSA}, @code{KX_SRP_DSS}
@tab @code{CRD_SRP}
address@hidden @code{CRD_CERTIFICATE}
address@hidden @code{CRD_CERTIFICATE}, @code{CRD_SRP}
@item @code{KX_SRP}
@tab @code{CRD_SRP}
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi
index 1d5357a..aeef061 100644
--- a/doc/cha-cert-auth.texi
+++ b/doc/cha-cert-auth.texi
@@ -775,19 +775,17 @@ certificate chain, and get a
@code{GNUTLS_CERT_INSECURE_ALGORITHM}
validation error (see @ref{Verifying X.509 certificate paths}), it means
that somewhere in the certificate chain there is a certificate signed
using @code{RSA-MD2} or @code{RSA-MD5}. These two digital signature
-algorithms are considered broken, so GnuTLS fail when attempting to
-verify the certificate. In some situations, it may be useful to be
+algorithms are considered broken, so GnuTLS fails verifying
+the certificate. In some situations, it may be useful to be
able to verify the certificate chain anyway, assuming an attacker did
not utilize the fact that these signatures algorithms are broken.
This section will give help on how to achieve that.
-First, it is important to know that you do not have to enable any of
+It is important to know that you do not have to enable any of
the flags discussed here to be able to use trusted root CA
-certificates signed using @code{RSA-MD2} or @code{RSA-MD5}. The only
-attack today is that it is possible to generate certificates with
-colliding signatures (collision resistance); you cannot generate a
-certificate that has the same signature as an already existing
-signature (2nd preimage resistance).
+certificates self-signed using @code{RSA-MD2} or @code{RSA-MD5}. The
+certificates in the trusted list are considered trusted irrespective
+of the signature.
If you are using @funcref{gnutls_certificate_verify_peers2} to verify the
certificate chain, you can call
@@ -816,9 +814,8 @@ user when verification failure occur for this reason. The
simplest is
to not use the flags by default, and only fall back to using them
after warning the user. If you wish to inspect the certificate chain
yourself, you can use @funcref{gnutls_certificate_get_peers} to extract
-the raw server's certificate chain, then use
address@hidden to parse each of the certificates, and
-then use @funcref{gnutls_x509_crt_get_signature_algorithm} to find out the
+the raw server's certificate chain, @funcref{gnutls_x509_crt_list_import} to
parse each of the certificates, and
+then @funcref{gnutls_x509_crt_get_signature_algorithm} to find out the
signing algorithm used for each certificate. If any of the
intermediary certificates are using @code{GNUTLS_SIGN_RSA_MD2} or
@code{GNUTLS_SIGN_RSA_MD5}, you could present a warning.
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 814d722..3d115bb 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -214,6 +214,7 @@ functions resemble the POSIX @code{recv} and @code{send}
functions.
@showfuncdesc{gnutls_record_send}
+
@showfuncdesc{gnutls_record_recv}
In DTLS it is adviceable to use the extended receive
@@ -225,8 +226,7 @@ messages may arrive out of order.
A helper function is available to check whether data
to be read are pending in a @acronym{GnuTLS} session.
-This is the equivalent in POSIX systems to using @code{select}
-for data waiting to be read by @code{recv}.
+This is the equivalent of @code{select} in @acronym{POSIX} systems.
@showfuncdesc{gnutls_record_check_pending}
@@ -496,8 +496,8 @@ redefining them.
@subsection Simple datagram @acronym{TLS} client example
This is a client that uses @acronym{UDP} to connect to a
-server. This is the @acronym{DTLS} equivalent to
address@hidden client example with X.509 certificate support} above.
+server. This is the @acronym{DTLS} equivalent to the example
+in @ref{Simple client example with X.509 certificate support}.
@verbatiminclude examples/ex-client-udp.c
diff --git a/doc/cha-intro-tls.texi b/doc/cha-intro-tls.texi
index f71b305..ab117ba 100644
--- a/doc/cha-intro-tls.texi
+++ b/doc/cha-intro-tls.texi
@@ -584,14 +584,10 @@ Changing this default behavior would prevent
interoperability against
the majority of deployed servers out there. We will reconsider this
default behavior in the future when more servers have been upgraded.
Note that it is easy to configure clients to always require the safe
-renegotiation extension from servers (see below on the
address@hidden priority string).
+renegotiation extension from servers.
To modify the default behavior, we have introduced some new priority
-strings. The priority strings can be used by applications
-(@funcref{gnutls_priority_set}) and end users (e.g., @code{--priority}
-parameter to @code{gnutls-cli} and @code{gnutls-serv}).
-
+strings (see @ref{Priority Strings}).
The @code{%UNSAFE_RENEGOTIATION} priority string permits
(re-)handshakes even when the safe renegotiation extension was not
negotiated. The default behavior is @code{%PARTIAL_RENEGOTIATION} that will
@@ -629,7 +625,7 @@ can be used both by clients and servers.
@section Selecting cryptographic key sizes
@cindex Key sizes
-In TLS, since a lot of algorithms are involved, it is not easy to set
+Because many algorithms are involved in TLS, it is not easy to set
a consistent security level. For this reason in @ref{tab:key-sizes} we
present some correspondence between key sizes of symmetric algorithms
and public key algorithms based on @xcite{ECRYPT}.
@@ -685,7 +681,7 @@ parameter with actual bit sizes of parameters for DH, RSA,
SRP and ECC algorithm
A mapping to @code{gnutls_sec_param_t} value is given for each security
parameter, on
the next column, and finally a brief description of the level.
-Note however that the values suggested here are nothing more than an
+Note, however, that the values suggested here are nothing more than an
educated guess that is valid today. There are no guarantees that an
algorithm will remain unbreakable or that these values will remain
constant in time. There could be scientific breakthroughs that cannot
diff --git a/doc/examples/ex-cert-select-pkcs11.c
b/doc/examples/ex-cert-select-pkcs11.c
index 492cd5a..bd7851c 100644
--- a/doc/examples/ex-cert-select-pkcs11.c
+++ b/doc/examples/ex-cert-select-pkcs11.c
@@ -4,8 +4,6 @@
#include <config.h>
#endif
-#include <getpass.h>
-
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -19,6 +17,7 @@
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
+#include <getpass.h> /* for getpass() */
/* A TLS client that loads the certificate and key.
*/
diff --git a/doc/examples/ex-client-srp.c b/doc/examples/ex-client-srp.c
index 905aab1..b8ecc2b 100644
--- a/doc/examples/ex-client-srp.c
+++ b/doc/examples/ex-client-srp.c
@@ -8,7 +8,6 @@
#include <stdlib.h>
#include <string.h>
#include <gnutls/gnutls.h>
-#include <gnutls/extra.h>
/* Those functions are defined in other examples.
*/
diff --git a/doc/examples/ex-serv-srp.c b/doc/examples/ex-serv-srp.c
index 880c429..c5300fb 100644
--- a/doc/examples/ex-serv-srp.c
+++ b/doc/examples/ex-serv-srp.c
@@ -14,7 +14,6 @@
#include <string.h>
#include <unistd.h>
#include <gnutls/gnutls.h>
-#include <gnutls/extra.h>
#define SRP_PASSWD "tpasswd"
#define SRP_PASSWD_CONF "tpasswd.conf"
diff --git a/doc/latex/gnutls.tex b/doc/latex/gnutls.tex
index 7be1cc6..65207ec 100644
--- a/doc/latex/gnutls.tex
+++ b/doc/latex/gnutls.tex
@@ -81,5 +81,7 @@
\bibliography{gnutls}
+\cleardoublepage
+
\end{document}
diff --git a/lib/gnutls_buffers.c b/lib/gnutls_buffers.c
index 38e9828..4f946f4 100644
--- a/lib/gnutls_buffers.c
+++ b/lib/gnutls_buffers.c
@@ -84,10 +84,12 @@ _gnutls_record_buffer_put (gnutls_session_t session,
* gnutls_record_check_pending:
* @session: is a #gnutls_session_t structure.
*
- * This function checks if there are any data to receive in the gnutls
- * buffers.
+ * This function checks if there are unread data
+ * in the gnutls buffers. If the return value is
+ * non-zero the next call to gnutls_record_recv()
+ * is guarranteed not to block.
*
- * Returns: The size of that data or 0.
+ * Returns: Returns the size of the data or zero.
**/
size_t
gnutls_record_check_pending (gnutls_session_t session)
diff --git a/lib/gnutls_pubkey.c b/lib/gnutls_pubkey.c
index d672309..baea500 100644
--- a/lib/gnutls_pubkey.c
+++ b/lib/gnutls_pubkey.c
@@ -406,7 +406,7 @@ gnutls_pubkey_import_openpgp (gnutls_pubkey_t key,
* certificate corresponds to the given public key.
*
* If the buffer provided is not long enough to hold the output, then
- * *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
+ * *output_data_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will
* be returned. The output will normally be a SHA-1 hash output,
* which is 20 bytes.
*
@@ -461,7 +461,7 @@ gnutls_pubkey_get_openpgp_key_id (gnutls_pubkey_t key,
unsigned int flags,
* This function will export the certificate to DER or PEM format.
*
* If the buffer provided is not long enough to hold the output, then
- * *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
+ * *output_data_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will
* be returned.
*
* If the structure is PEM encoded, it will have a header
@@ -535,7 +535,7 @@ cleanup:
* certificate corresponds to the given public key.
*
* If the buffer provided is not long enough to hold the output, then
- * *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
+ * *output_data_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will
* be returned. The output will normally be a SHA-1 hash output,
* which is 20 bytes.
*
@@ -1145,9 +1145,8 @@ gnutls_pubkey_import_dsa_raw (gnutls_pubkey_t key,
* This function will verify the given signed data, using the
* parameters from the certificate.
*
- * Returns: In case of a verification failure
- * %GNUTLS_E_PK_SIG_VERIFY_FAILED is returned, and a positive code
- * on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error value (%GNUTLS_E_PK_SIG_VERIFY_FAILED in verification
failure).
*
* Since: 2.12.0
**/
@@ -1185,9 +1184,8 @@ gnutls_pubkey_verify_data (gnutls_pubkey_t pubkey,
unsigned int flags,
* This function will verify the given signed data, using the
* parameters from the certificate.
*
- * Returns: In case of a verification failure
- * %GNUTLS_E_PK_SIG_VERIFY_FAILED is returned, and a positive code
- * on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error value (%GNUTLS_E_PK_SIG_VERIFY_FAILED in verification
failure).
*
* Since: 3.0.0
**/
@@ -1227,8 +1225,8 @@ gnutls_pubkey_verify_data2 (gnutls_pubkey_t pubkey,
* This function will verify the given signed digest, using the
* parameters from the certificate.
*
- * Returns: In case of a verification failure %GNUTLS_E_PK_SIG_VERIFY_FAILED
- * is returned, and a positive code on success.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error value (%GNUTLS_E_PK_SIG_VERIFY_FAILED in verification
failure).
*
* Since: 2.12.0
**/
@@ -1261,8 +1259,8 @@ gnutls_pubkey_verify_hash (gnutls_pubkey_t key, unsigned
int flags,
* This function will read the certifcate and the signed data to
* determine the hash algorithm used to generate the signature.
*
- * Returns: the 0 if the hash algorithm is found. A negative error code is
- * returned on error.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error value.
*
* Since: 2.12.0
**/
diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c
index 72e3f76..1cd87a4 100644
--- a/lib/gnutls_record.c
+++ b/lib/gnutls_record.c
@@ -180,23 +180,22 @@ gnutls_transport_get_ptr2 (gnutls_session_t session,
* have been initiated using gnutls_handshake(). @how should be one
* of %GNUTLS_SHUT_RDWR, %GNUTLS_SHUT_WR.
*
- * In case of %GNUTLS_SHUT_RDWR then the TLS connection gets
+ * In case of %GNUTLS_SHUT_RDWR the TLS session gets
* terminated and further receives and sends will be disallowed. If
- * the return value is zero you may continue using the connection.
- * %GNUTLS_SHUT_RDWR actually sends an alert containing a close
+ * the return value is zero you may continue using the underlying
+ * transport layer. %GNUTLS_SHUT_RDWR sends an alert containing a close
* request and waits for the peer to reply with the same message.
*
- * In case of %GNUTLS_SHUT_WR then the TLS connection gets terminated
+ * In case of %GNUTLS_SHUT_WR the TLS session gets terminated
* and further sends will be disallowed. In order to reuse the
* connection you should wait for an EOF from the peer.
* %GNUTLS_SHUT_WR sends an alert containing a close request.
*
* Note that not all implementations will properly terminate a TLS
* connection. Some of them, usually for performance reasons, will
- * terminate only the underlying transport layer, thus causing a
- * transmission error to the peer. This error cannot be
- * distinguished from a malicious party prematurely terminating the
- * session, thus this behavior is not recommended.
+ * terminate only the underlying transport layer, and thus not
+ * distinguishing between a malicious party prematurely terminating
+ * the connection and normal termination.
*
* This function may also return %GNUTLS_E_AGAIN or
* %GNUTLS_E_INTERRUPTED; cf. gnutls_record_get_direction().
hooks/post-receive
--
GNU gnutls
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, master, updated. gnutls_3_0_0-109-g7f97d06,
Nikos Mavrogiannopoulos <=