gnutls-commit
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[SCM] GNU gnutls branch, master, updated. gnutls_2_99_3-12-gdff2364


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_2_99_3-12-gdff2364
Date: Tue, 21 Jun 2011 06:58:40 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=dff23649552500f42e4c9cfb3ce491f26dce33e6

The branch, master has been updated
       via  dff23649552500f42e4c9cfb3ce491f26dce33e6 (commit)
       via  272a6df983073ebd6329b4aaa831b617f8a66514 (commit)
       via  e7a9875b7232b81af32c16258f89c663f455a3e7 (commit)
       via  dbed6d02bd3f271d59628279a4ac5cf23bca1ca7 (commit)
       via  a31c9a76e769a8b365ed1998eb8247ffee006fd7 (commit)
      from  b679178e1c1b08286068462c9bbbbb4f303351e5 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit dff23649552500f42e4c9cfb3ce491f26dce33e6
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Tue Jun 21 01:42:39 2011 +0200

    documentation updates.

commit 272a6df983073ebd6329b4aaa831b617f8a66514
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Tue Jun 21 01:02:20 2011 +0200

    gnutls_srp_verifier() returns data allocated with gnutls_malloc()
    for consistency.

commit e7a9875b7232b81af32c16258f89c663f455a3e7
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Tue Jun 21 01:01:15 2011 +0200

    reduced error message.

commit dbed6d02bd3f271d59628279a4ac5cf23bca1ca7
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Jun 20 21:01:46 2011 +0200

    simplified text.

commit a31c9a76e769a8b365ed1998eb8247ffee006fd7
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Jun 20 20:47:29 2011 +0200

    FDL is now included using a tiny font.

-----------------------------------------------------------------------

Summary of changes:
 NEWS                     |    9 +++
 doc/cha-auth.texi        |   74 ++++++++++------------
 doc/cha-cert-auth.texi   |  120 +++++++++++++++++++++--------------
 doc/cha-gtls-app.texi    |    5 +-
 doc/cha-intro-tls.texi   |  155 ++++++++++++++++++++++++++-------------------
 doc/cha-library.texi     |   10 ++--
 doc/cha-programs.texi    |    8 +-
 doc/latex/fdl.tex        |   72 +++++++++++++--------
 doc/latex/gnutls.tex     |    2 +-
 doc/scripts/mytexi2latex |   25 +++++---
 lib/gnutls_errors.c      |    3 +-
 lib/gnutls_srp.c         |   10 ++--
 lib/gnutls_srp.h         |    2 -
 13 files changed, 286 insertions(+), 209 deletions(-)

diff --git a/NEWS b/NEWS
index c37c36a..c58b213 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,15 @@ Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005,
               2006, 2007, 2008, 2009, 2010 Free Software Foundation, Inc.
 See the end for copying conditions.
 
+* Version (unreleased)
+
+** libgnutls: gnutls_srp_verifier() returns data allocated with gnutls_malloc()
+for consistency.
+
+** API and ABI modifications:
+No changes since last version.
+
+
 * Version 2.99.3 (released 2011-06-18)
 
 ** libgnutls: Added new PKCS #11 flags to force an object being private or
diff --git a/doc/cha-auth.texi b/doc/cha-auth.texi
index edfb36d..9f85e2f 100644
--- a/doc/cha-auth.texi
+++ b/doc/cha-auth.texi
@@ -114,28 +114,29 @@ certificate authentication.
 
 Note that the DHE key exchange methods are generally
 address@hidden really depends on the group used.  Primes with
-lesser bits are always faster, but also easier to break.  Values less
-than 1024 should not be used today} than plain RSA and require Diffie
+lesser bits are always faster, but also easier to break.  See @ref{Selecting 
cryptographic key sizes}
+for the acceptable security levels.} than plain RSA and require Diffie
 Hellman parameters to be generated and associated with a credentials
 structure, by the server. For more information check the @ref{Parameter 
generation}
-section.
+section. The key exchange algorithms for @acronym{OpenPGP} and @acronym{X.509}
+certificates are shown in @ref{tab:key-exchange}.
 
-Key exchange algorithms for @acronym{OpenPGP} and @acronym{X.509}
-certificates:
address@hidden Table,tab:key-exchange
address@hidden @columnfractions .3 .7
 
address@hidden @code
address@hidden Key exchange @tab Description
 
address@hidden RSA:
address@hidden RSA @tab
 The RSA algorithm is used to encrypt a key and send it to the peer.
 The certificate must allow the key to be used for encryption.
 
address@hidden RSA_EXPORT:
address@hidden RSA_EXPORT @tab
 The RSA algorithm is used to encrypt a key and send it to the peer.
 In the EXPORT algorithm, the server signs temporary RSA parameters of
 512 bits --- which are considered weak --- and sends them to the
 client.
 
address@hidden DHE_RSA:
address@hidden DHE_RSA @tab
 The RSA algorithm is used to sign ephemeral Diffie-Hellman parameters
 which are sent to the peer. The key in the certificate must allow the
 key to be used for signing. Note that key exchange algorithms which
@@ -143,26 +144,28 @@ use ephemeral Diffie-Hellman parameters, offer perfect 
forward
 secrecy. That means that even if the private key used for signing is
 compromised, it cannot be used to reveal past session data.
 
address@hidden ECDHE_RSA:
address@hidden ECDHE_RSA @tab
 The RSA algorithm is used to sign ephemeral elliptic curve Diffie-Hellman 
 parameters which are sent to the peer. The key in the certificate must allow 
 the key to be used for signing. It also offers perfect forward
 secrecy. That means that even if the private key used for signing is
 compromised, it cannot be used to reveal past session data.
 
address@hidden DHE_DSS:
address@hidden DHE_DSS @tab
 The DSA algorithm is used to sign ephemeral Diffie-Hellman parameters
 which are sent to the peer. The certificate must contain DSA
 parameters to use this key exchange algorithm. DSA is the algorithm
 of the Digital Signature Standard (DSS).
 
address@hidden ECDHE_ECDSA:
address@hidden ECDHE_ECDSA @tab
 The Elliptic curve DSA algorithm is used to sign ephemeral elliptic
 curve Diffie-Hellman parameters which are sent to the peer. The 
 certificate must contain ECDSA parameters to use this key exchange 
 algorithm. 
 
address@hidden table
address@hidden multitable
address@hidden key exchange algorithms.}
address@hidden float
 
 @node Anonymous authentication
 @section Anonymous Authentication
@@ -241,28 +244,20 @@ authenticated using a certificate with RSA parameters.
 @end table
 
 If clients supporting @acronym{SRP} know the username and password
-before the connection, should initialize the client credentials and
-call the function @funcref{gnutls_srp_set_client_credentials}.
-Alternatively they could specify a callback function by using the
-function @funcref{gnutls_srp_set_client_credentials_function}.  This has
-the advantage that allows probing the server for @acronym{SRP}
-support.  In that case the callback function will be called twice per
-handshake.  The first time is before the ciphersuite is negotiated,
-and if the callback returns a negative error code, the callback will
-be called again if @acronym{SRP} has been negotiated.  This uses a
-special @address@hidden handshake idiom in order to avoid,
-in interactive applications, to ask the user for @acronym{SRP}
-password and username if the server does not negotiate an
address@hidden ciphersuite.
+before the connection, should initialize client credentials and
+call @funcref{gnutls_srp_set_client_credentials}.
+Alternatively @funcref{gnutls_srp_set_client_credentials_function}
+may be used to specify a callback function.
+The callback will be called once during the @acronym{TLS} handshake.
 
 In server side the default behaviour of @acronym{GnuTLS} is to read
 the usernames and @acronym{SRP} verifiers from password files. These
 password files are the ones used by the @emph{Stanford srp libraries}
-and can be specified using the
address@hidden  If a different
-password file format is to be used, then the function
address@hidden, should be called,
-in order to set an appropriate callback.
+and @funcref{gnutls_srp_set_server_credentials_file} can be used to
+specify them. If a different
+password file format is to be used, then 
address@hidden should be called,
+to set an appropriate callback.
 
 Some helper functions such as
 
@@ -306,10 +301,10 @@ exchange.  This method offers perfect forward secrecy.
 @end table
 
 Clients supporting @acronym{PSK} should supply the username and key
-before the connection to the client credentials by calling the
-function @funcref{gnutls_psk_set_client_credentials}.  Alternatively they
-could specify a callback function by using the function
address@hidden  This has the
+before the TLS session is established by calling 
address@hidden  Alternatively 
address@hidden can be used to
+specify a callback function. This has the
 advantage that the callback will be called only if @acronym{PSK} has
 been negotiated.
 
@@ -318,12 +313,13 @@ the usernames and @acronym{PSK} keys from a password 
file. The
 password file should contain usernames and keys in hexadecimal
 format. The name of the password file can be stored to the credentials
 structure by calling @funcref{gnutls_psk_set_server_credentials_file}.  If
-a different password file format is to be used, then the function
address@hidden, should be used
-instead.
+a different password file format is to be used, then
+a callback should be set instead by 
@funcref{gnutls_psk_set_server_credentials_function}.
 
 The server can help the client chose a suitable username and password,
-by sending a hint.  In the server, specify the hint by calling
+by sending a hint. Note that there is no common profile for the PSK hint and 
applications
+are discouraged to use it.
+A server, may specify the hint by calling
 @funcref{gnutls_psk_set_server_credentials_hint}.  The client can retrieve
 the hint, for example in the callback function, using
 @funcref{gnutls_psk_client_get_hint}.
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi
index c4675ae..26ca9fd 100644
--- a/doc/cha-cert-auth.texi
+++ b/doc/cha-cert-auth.texi
@@ -42,29 +42,34 @@ Detailed examples involving X.509 certificates are listed 
below.
 
 An @acronym{X.509} certificate usually contains information about the
 certificate holder, the signer, a unique serial number, expiration
-dates and some other fields @xcite{PKIX} as shown in the table below.
+dates and some other fields @xcite{PKIX} as shown in @ref{tab:x509}.
 
address@hidden @code
address@hidden Table,tab:x509
address@hidden @columnfractions .3 .7
+
address@hidden Field @tab Description
 
address@hidden version:
address@hidden version @tab
 The field that indicates the version of the certificate.
 
address@hidden serialNumber:
address@hidden serialNumber @tab
 This field holds a unique serial number per certificate.
 
address@hidden issuer:
address@hidden issuer @tab
 Holds the issuer's distinguished name.
 
address@hidden validity:
address@hidden validity @tab
 The activation and expiration dates.
 
address@hidden subject:
address@hidden subject @tab
 The subject's distinguished name of the certificate.
 
address@hidden extensions:
address@hidden extensions @tab
 The extensions are fields only present in version 3 certificates.
 
address@hidden table
address@hidden multitable
address@hidden certificate fields.}
address@hidden float
 
 The certificate's @emph{subject or issuer name} is not just a single
 string.  It is a Distinguished name and in the @acronym{ASN.1}
@@ -85,40 +90,45 @@ Certificate @emph{extensions} are there to include 
information about
 the certificate's subject that did not fit in the typical certificate
 fields. Those may be e-mail addresses, flags that indicate whether the
 belongs to a CA etc.  All the supported @acronym{X.509} version 3
-extensions are shown in the table below.
+extensions are shown in @ref{tab:x509-ext}.
 
address@hidden @code
address@hidden Table,tab:x509-ext
address@hidden @columnfractions .3 .2 .5
 
address@hidden subject key id (2.5.29.14):
address@hidden Extension @tab OID @tab Description
+
address@hidden Subject key id @tab 2.5.29.14 @tab
 An identifier of the key of the subject.
 
address@hidden authority key id (2.5.29.35):
address@hidden Authority key id @tab 2.5.29.35 @tab
 An identifier of the authority's key used to sign the certificate.
 
address@hidden subject alternative name (2.5.29.17):
address@hidden Subject alternative name @tab 2.5.29.17 @tab
 Alternative names to subject's distinguished name.
 
address@hidden key usage (2.5.29.15):
address@hidden Key usage @tab 2.5.29.15 @tab
 Constraints the key's usage of the certificate.
 
address@hidden extended key usage (2.5.29.37):
address@hidden Extended key usage @tab 2.5.29.37 @tab
 Constraints the purpose of the certificate.
 
address@hidden basic constraints (2.5.29.19):
address@hidden Basic constraints @tab 2.5.29.19 @tab
 Indicates whether this is a CA certificate or not, and specify the
 maximum path lengths of certificate chains.
 
address@hidden CRL distribution points (2.5.29.31):
address@hidden CRL distribution points @tab 2.5.29.31 @tab
 This extension is set by the CA, in order to inform about the issued
 CRLs.
 
address@hidden Proxy Certification Information (1.3.6.1.5.5.7.1.14):
address@hidden Proxy Certification Information @tab 1.3.6.1.5.5.7.1.14 @tab
 Proxy Certificates includes this extension that contains the OID of
 the proxy policy language used, and can specify limits on the maximum
 lengths of proxy chains.  Proxy Certificates are specified in
 @xcite{RFC3820}.
 
address@hidden table
address@hidden multitable
address@hidden certificate extensions.}
address@hidden float
 
 In @acronym{GnuTLS} the @acronym{X.509} certificate structures are
 handled using the @code{gnutls_x509_crt_t} type and the corresponding
@@ -185,31 +195,37 @@ authority list has been set via the
 thus it is not required to setup a trusted list as above.
 Convenience functions such as @funcref{gnutls_certificate_verify_peers2} 
 are equivalent and will verify the peer's certificate chain
-in a TLS session.
+in a TLS session. The certificate verification functions output
+codes as in @ref{tab:cert-verify}.
 
address@hidden @code
address@hidden Table,tab:cert-verify
address@hidden @columnfractions .55 .45
+
address@hidden Flag @tab Description
 
address@hidden GNUTLS_CERT_INVALID:
address@hidden GNUTLS_CERT_INVALID @tab
 The certificate is not signed by one of the known authorities, or
 the signature is invalid.
 
address@hidden GNUTLS_CERT_REVOKED:
address@hidden GNUTLS_CERT_REVOKED @tab
 The certificate has been revoked by its CA.
 
address@hidden GNUTLS_CERT_SIGNER_NOT_FOUND:
address@hidden GNUTLS_CERT_SIGNER_NOT_FOUND @tab
 The certificate's issuer is not known. This is the case when the
 issuer is not in the trusted certificates list.
 
address@hidden GNUTLS_CERT_SIGNER_NOT_CA:
address@hidden GNUTLS_CERT_SIGNER_NOT_CA @tab
 The certificate's signer was not a CA. This may happen if
 this was a version 1 certificate, which is common with some CAs, or
 a version 3 certificate without the basic constrains extension.
 
address@hidden GNUTLS_CERT_INSECURE_ALGORITHM:
address@hidden GNUTLS_CERT_INSECURE_ALGORITHM @tab
 The certificate was signed using an insecure algorithm such as MD2 or
 MD5.  These algorithms have been broken and should not be trusted.
 
address@hidden table
address@hidden multitable
address@hidden verification output flags.}
address@hidden float
 
 There is also to possibility to pass some input to the verification
 functions in the form of flags. For 
@funcref{gnutls_x509_trust_list_verify_crt} the
@@ -217,48 +233,53 @@ flags are passed straightforward, but
 @funcref{gnutls_certificate_verify_peers2} depends on the flags set by
 calling @funcref{gnutls_certificate_set_verify_flags}.  All the available
 flags are part of the enumeration
address@hidden and are explained in the table
-below.
address@hidden and are explained in @ref{tab:cert-flags}.
 
address@hidden @code
address@hidden GNUTLS_VERIFY_DISABLE_CA_SIGN:
address@hidden Table,tab:cert-flags
address@hidden @columnfractions .5 .5
+
address@hidden Flag @tab Description
address@hidden GNUTLS_VERIFY_\-DISABLE_CA_SIGN @tab
 If set a signer does not have to be a certificate authority. This
 flag should normaly be disabled, unless you know what this means.
 
address@hidden GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT:
address@hidden GNUTLS_VERIFY_\-ALLOW_X509_V1_CA_CRT @tab
 Allow only trusted CA certificates that have version 1.  This is
-safer than GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT, and should be
+safer than GNUTLS_VERIFY_\-ALLOW_ANY_X509_V1_CA_CRT, and should be
 used instead. That way only signers in your trusted list will be
 allowed to have certificates of version 1. This is the default.
 
address@hidden GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT:
address@hidden GNUTLS_VERIFY_\-DO_NOT_ALLOW_X509_V1_CA_CRT @tab
 Do not allow trusted version 1 CA certificates.  This option is to be used
 in order consider all V1 certificates as deprecated.
 
address@hidden GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT:
address@hidden GNUTLS_VERIFY_\-ALLOW_ANY_X509_V1_CA_CRT @tab
 Allow CA certificates that have version 1 (both root and
 intermediate). This is dangerous since those haven't the
 basicConstraints extension. Must be used in combination with
-GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT.
+GNUTLS_VERIFY_\-ALLOW_X509_V1_CA_CRT.
 
address@hidden GNUTLS_VERIFY_DO_NOT_ALLOW_SAME:
address@hidden GNUTLS_VERIFY_\-DO_NOT_ALLOW_SAME @tab
 If a certificate is not signed by anyone trusted but exists in
 the trusted CA list do not treat it as trusted.
 
address@hidden GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2:
address@hidden GNUTLS_VERIFY_\-ALLOW_SIGN_RSA_MD2 @tab
 Allow certificates to be signed using the old MD2 algorithm.
 
address@hidden GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5:
address@hidden GNUTLS_VERIFY_\-ALLOW_SIGN_RSA_MD5 @tab
 Allow certificates to be signed using the broken MD5 algorithm.
 
address@hidden GNUTLS_VERIFY_DISABLE_TIME_CHECKS:
address@hidden GNUTLS_VERIFY_\-DISABLE_TIME_CHECKS @tab
 Disable checking of activation
 and expiration validity periods of certificate chains. Don't set
 this unless you understand the security implications.
 
address@hidden GNUTLS_VERIFY_DISABLE_CRL_CHECKS:
address@hidden GNUTLS_VERIFY_\-DISABLE_CRL_CHECKS @tab
 Disables checking for validity using certificate revocation lists.
address@hidden table
+
address@hidden multitable
address@hidden verification flags.}
address@hidden float
 
 Although the verification of a certificate path indicates that the
 certificate is signed by trusted authority, does not reveal anything
@@ -431,7 +452,7 @@ the user to insert the token. All the initialization 
functions are below.
 @end itemize
 
 Note that due to limitations of @acronym{PKCS} #11 there are issues when 
multiple libraries 
-are sharing a module. To avoid this problem GnuTLS uses 
address@hidden://p11-glue.freedesktop.org/}
+are sharing a module. To avoid this problem GnuTLS uses 
address@hidden@url{http://p11-glue.freedesktop.org/}}
 that provides a middleware to control access to resources over the
 multiple users.
 
@@ -444,7 +465,7 @@ key on a smart card may be referenced as:
 @example
 pkcs11:token=Nikos;serial=307521161601031;model=PKCS%2315; \
 manufacturer=EnterSafe;object=test1;objecttype=public;\
-id=32:f1:53:f3:e3:79:90:b0:86:24:14:10:77:ca:5d:ec:2d:15:fa:ed
+id=32f153f3e37990b08624141077ca5dec2d15faed
 @end example
 
 while the smart card itself can be referenced as:
@@ -680,9 +701,12 @@ signature (2nd preimage resistance).
 
 If you are using @funcref{gnutls_certificate_verify_peers2} to verify the
 certificate chain, you can call
address@hidden with the
address@hidden or
address@hidden flag, as in:
address@hidden with the flags:
address@hidden
address@hidden @code{GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2}
address@hidden @code{GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5}
address@hidden itemize
+as in the following example:
 
 @smallexample
   gnutls_certificate_set_verify_flags (x509cred,
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 632b70e..c30d2be 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -76,8 +76,9 @@ verbose information on the @acronym{GnuTLS} functions 
internal flow.
 
 When debugging is not required, important issues, such as detected
 attacks on the protocol still need to be logged. This is provided
-by @funcref{gnutls_global_set_audit_log_function}, that uses a logging
-function that accepts the detected error message and the corresponding
+by the logging function set by
address@hidden The set function
+accepts the detected error message and the corresponding
 TLS session. The session information might be used to derive IP addresses
 or other information about the peer involved.
 
diff --git a/doc/cha-intro-tls.texi b/doc/cha-intro-tls.texi
index b45551e..8a2cf55 100644
--- a/doc/cha-intro-tls.texi
+++ b/doc/cha-intro-tls.texi
@@ -85,9 +85,12 @@ you, call @code{gnutls_transport_set_errno} with the 
intended errno
 value instead of setting @code{errno} directly.
 
 @acronym{GnuTLS} currently only interprets the EINTR and EAGAIN errno
-values and returns the corresponding @acronym{GnuTLS} error codes
address@hidden and @code{GNUTLS_E_AGAIN}.  These values
-are usually returned by interrupted system calls, or when non blocking
+values and returns the corresponding @acronym{GnuTLS} error codes:
address@hidden
address@hidden @code{GNUTLS_E_INTERRUPTED} 
address@hidden @code{GNUTLS_E_AGAIN}
address@hidden itemize
+These values are usually returned by interrupted system calls, or when non 
blocking
 IO is used.  All @acronym{GnuTLS} functions can be resumed (called
 again), if any of these error codes is returned.  The error codes
 above refer to the system call, not the @acronym{GnuTLS} function,
@@ -158,69 +161,75 @@ just after the handshake protocol has finished.
 @cindex Symmetric encryption algorithms
 
 Confidentiality in the record layer is achieved by using symmetric
-block encryption algorithms like @code{3DES}, @address@hidden,
-or Advanced Encryption Standard, is actually the RIJNDAEL algorithm.
-This is the algorithm that replaced DES.}, or stream algorithms like
address@hidden@address@hidden is a compatible
-algorithm with RSA's RC4 algorithm, which is considered to be a trade
-secret.}. Ciphers are encryption algorithms that use a single, secret,
+block encryption algorithms like @code{3DES}, @code{AES}
+or stream algorithms like @code{ARCFOUR_128}.
+ Ciphers are encryption algorithms that use a single, secret,
 key to encrypt and decrypt data. Block algorithms in TLS also provide
 protection against statistical analysis of the data.  Thus, if you're
 using the @acronym{TLS} protocol, a random number of blocks will be
 appended to data, to prevent eavesdroppers from guessing the actual
 data size.
 
-Supported cipher algorithms:
+The supported in @acronym{GnuTLS} ciphers and MAC algorithms are shown in 
@ref{tab:ciphers} and
address@hidden:macs}.
 
address@hidden @code
address@hidden 3DES_CBC:
address@hidden Table,tab:ciphers
address@hidden @columnfractions .30 .70
address@hidden Algorithm @tab Description
address@hidden 3DES_CBC @tab
 This is the DES block cipher algorithm used with triple
 encryption (EDE). Has 64 bits block size and is used in CBC mode.
 
address@hidden ARCFOUR_128:
-A fast stream cipher.
address@hidden ARCFOUR_128 @tab
+ARCFOUR_128 is a compatible algorithm with RSA's RC4 algorithm, which is 
considered to be a trade
+secret. It is a fast cipher but considered weak today.
 
address@hidden ARCFOUR_40:
address@hidden ARCFOUR_40 @tab
 This is the ARCFOUR cipher fed with a 40 bit key,
 which is considered weak.
 
address@hidden AES_CBC:
address@hidden AES_CBC @tab
 AES or RIJNDAEL is the block cipher algorithm that replaces the old
 DES algorithm.  Has 128 bits block size and is used in CBC mode.
 
address@hidden AES_GCM:
address@hidden AES_GCM @tab
 This is the AES algorithm in the authenticated encryption GCM mode.
 This mode combines message authentication and encryption and can
 be extremely fast on CPUs that support hardware acceleration.
 
address@hidden CAMELLIA_CBC:
address@hidden CAMELLIA_CBC @tab
 This is an 128-bit block cipher developed by Mitsubish and NTT. It
 is one of the approved ciphers of the European NESSIE and Japanese
 CRYPTREC projects.
 
address@hidden table
-
address@hidden multitable
address@hidden ciphers.}
address@hidden float
 
-Supported MAC algorithms:
 
address@hidden @code
address@hidden MAC_MD5:
address@hidden Table,tab:macs
address@hidden @columnfractions .30 .70
address@hidden Algorithm @tab Description
address@hidden MAC_MD5 @tab
 This is a cryptographic hash algorithm designed by Ron Rivest. Outputs
 128 bits of data.
 
address@hidden MAC_SHA1:
address@hidden MAC_SHA1 @tab
 A cryptographic hash algorithm designed by NSA. Outputs 160
 bits of data.
 
address@hidden MAC_SHA256:
address@hidden MAC_SHA256 @tab
 A cryptographic hash algorithm designed by NSA. Outputs 256
 bits of data.
 
address@hidden MAC_AEAD:
address@hidden MAC_AEAD @tab
 This indicates that an authenticated encryption algorithm, such as
 GCM, is in use.
 
address@hidden table
address@hidden multitable
address@hidden MAC algorithms.}
address@hidden float
+
 
 @node Compression algorithms used in the record layer
 @subsection Compression Algorithms Used in the Record Layer
@@ -272,8 +281,7 @@ encrypted packet.
 
 Those weaknesses were solved in @acronym{TLS} 1.1 @xcite{RFC4346}
 which is implemented in @acronym{GnuTLS}. For a detailed discussion
-see the archives of the TLS Working Group mailing list and the paper
address@hidden
+see the archives of the TLS Working Group mailing list and @xcite{CBCATT}.
 
 @node On Record Padding
 @subsection On Record Padding
@@ -308,7 +316,7 @@ different incoming IP addresses.
 
 To enable the workaround in the @command{gnutls-cli} client or the
 @command{gnutls-serv} server, for testing of other implementations, use
-the following parameter: @option{--priority "NORMAL:%COMPAT"}.
+the parameter: @option{--priority "NORMAL:%COMPAT"}.
 
 
 @node The TLS Alert Protocol
@@ -393,8 +401,8 @@ To initiate the handshake.
 @subsection TLS Cipher Suites
 
 The Handshake Protocol of @acronym{TLS} negotiates cipher suites of
-the form @code{TLS_DHE_RSA_WITH_3DES_CBC_SHA}.  The usual cipher
-suites contain these parameters:
+a special form illustrated by the @code{TLS_DHE_RSA_WITH_3DES_CBC_SHA} cipher 
suite name.  A typical cipher
+suite contains these parameters:
 
 @itemize
 
@@ -423,45 +431,50 @@ All the supported ciphersuites are shown in 
@ref{ciphersuites}.
 In order to specify cipher suite preferences, the
 previously shown priority functions accept a string
 that specifies the algorithms to be enabled in a TLS handshake.
-That string may contain some high level keyword such as:
+That string may contain some high level keyword such as
+the keywords in @ref{tab:prio-keywords}.
 
address@hidden @asis
address@hidden PERFORMANCE:
address@hidden Table,tab:prio-keywords
address@hidden @columnfractions .30 .70
address@hidden Keyword @tab Description
address@hidden PERFORMANCE @tab
 All the "secure" ciphersuites are enabled,
 limited to 128 bit ciphers and sorted by terms of speed
 performance.
 
address@hidden NORMAL:
address@hidden NORMAL @tab
 Means all "secure" ciphersuites. The 256-bit ciphers are
 included as a fallback only.  The ciphers are sorted by security
 margin.
 
address@hidden SECURE128: 
address@hidden SECURE128 @tab
 Means all "secure" ciphersuites of security level 128-bit
 or more.
 
address@hidden SECURE192:
address@hidden SECURE192 @tab
 Means all "secure" ciphersuites of security level 192-bit
 or more.
 
address@hidden SUITEB128: 
address@hidden SUITEB128 @tab
 Means all the NSA Suite B cryptography (RFC5430) ciphersuites
 with an 128 bit security level.
 
address@hidden SUITEB192:
address@hidden SUITEB192 @tab
 Means all the NSA Suite B cryptography (RFC5430) ciphersuites
 with an 192 bit security level.
 
address@hidden EXPORT:
address@hidden EXPORT @tab
 Means all ciphersuites are enabled, including the
 low-security 40 bit ciphers.
 
address@hidden NONE:
address@hidden NONE @tab
 Means nothing is enabled.  This disables even protocols and
 compression methods. It should be followed by the
 algorithms to be enabled.
 
address@hidden table
address@hidden multitable
address@hidden priority string keywords.}
address@hidden float
 
 or it might contain special keywords, that will be explained
 later on.
@@ -482,7 +495,9 @@ this string you have to prefix it with "COMP-", protocol 
versions
 with "VERS-", signature algorithms with "SIGN-" and certificate types with 
"CTYPE-". All other
 algorithms don't need a prefix.}. The order with which every algorithm
 is specified is significant. Similar algorithms specified before others
-will take precedence.
+will take precedence. The individual algorithms are shown in 
@ref{tab:prio-algorithms}
+and special keywords are in @ref{tab:prio-special}.
+
 
 Keywords prepended to individual algorithms:
 @table @asis
@@ -495,57 +510,63 @@ appended with an algorithm will add this algorithm.
 
 @end table
 
-Individual algorithms:
address@hidden @asis
address@hidden Ciphers: 
+
address@hidden Table,tab:prio-algorithms
address@hidden @columnfractions .30 .70
address@hidden Type @tab Keywords
address@hidden Ciphers @tab
 AES-128-CBC, AES-256-CBC, AES-128-GCM, CAMELLIA-128-CBC,
 CAMELLIA-256-CBC, ARCFOUR-128, 3DES-CBC ARCFOUR-40. Catch all
 name is CIPHER-ALL which will add all the algorithms from NORMAL
 priority.
 
address@hidden Key exchange: 
address@hidden Key exchange @tab
 RSA, DHE-RSA, DHE-DSS, SRP, SRP-RSA, SRP-DSS,
 PSK, DHE-PSK, ECDHE-RSA, ANON-ECDH, ANON-DH, RSA-EXPORT. The
 Catch all name is KX-ALL which will add all the algorithms from NORMAL
 priority.
 
address@hidden MAC: 
address@hidden MAC @tab
 MD5, SHA1, SHA256, AEAD (used with
 GCM ciphers only). All algorithms from NORMAL priority can be accessed with 
MAC-ALL.
 
address@hidden Compression algorithms: 
address@hidden Compression algorithms @tab
 COMP-NULL, COMP-DEFLATE. Catch all is COMP-ALL.
 
address@hidden TLS versions: 
address@hidden TLS versions @tab
 VERS-SSL3.0, VERS-TLS1.0, VERS-TLS1.1,
 VERS-TLS1.2. Catch all is VERS-TLS-ALL.
 
address@hidden Signature algorithms: 
address@hidden Signature algorithms @tab
 SIGN-RSA-SHA1, SIGN-RSA-SHA224, 
 SIGN-RSA-SHA256, SIGN-RSA-SHA384, SIGN-RSA-SHA512, SIGN-DSA-SHA1, 
 SIGN-DSA-SHA224, SIGN-DSA-SHA256, SIGN-RSA-MD5. Catch all
 is SIGN-ALL. This is only valid for TLS 1.2 and later.
 
address@hidden Elliptic curves:
address@hidden Elliptic curves @tab
 CURVE-SECP224R1, CURVE-SECP256R1, CURVE-SECP384R1, CURVE-SECP521R1. Catch all 
is CURVE-ALL.
 
address@hidden table
address@hidden multitable
address@hidden supported priority strings.}
address@hidden float
 
 
-Special keywords:
address@hidden @asis
 
address@hidden %COMPAT:
address@hidden Table,tab:prio-special
address@hidden @columnfractions .50 .50
address@hidden Keyword @tab Description
+
address@hidden %COMPAT @tab
 will enable compatibility mode. It might mean that violations
 of the protocols are allowed as long as maximum compatibility with
 problematic clients and servers is achieved.
 
address@hidden %DISABLE_SAFE_RENEGOTIATION:
address@hidden %DISABLE_SAFE_RENEGOTIATION @tab
 will disable safe renegotiation
 completely.  Do not use unless you know what you are doing.
 Testing purposes only.
 
address@hidden %UNSAFE_RENEGOTIATION:
address@hidden %UNSAFE_RENEGOTIATION @tab
 will allow handshakes and rehandshakes
 without the safe renegotiation extension.  Note that for clients
 this mode is insecure (you may be under attack), and for servers it
@@ -553,32 +574,34 @@ will allow insecure clients to connect (which could be 
fooled by an
 attacker).  Do not use unless you know what you are doing and want
 maximum compatibility.
 
address@hidden %PARTIAL_RENEGOTIATION:
address@hidden %PARTIAL_RENEGOTIATION @tab
 will allow initial handshakes to proceed,
 but not rehandshakes.  This leaves the client vulnerable to attack,
 and servers will be compatible with non-upgraded clients for
 initial handshakes.  This is currently the default for clients and
 servers, for compatibility reasons.
 
address@hidden %SAFE_RENEGOTIATION:
address@hidden %SAFE_RENEGOTIATION @tab
 will enforce safe renegotiation.  Clients and
 servers will refuse to talk to an insecure peer.  Currently this
 causes operability problems, but is required for full protection.
 
address@hidden %SSL3_RECORD_VERSION:
address@hidden %SSL3_RECORD_VERSION @tab
 will use SSL3.0 record version in client hello.
 This is the default.
 
address@hidden %LATEST_RECORD_VERSION:
address@hidden %LATEST_RECORD_VERSION @tab
 will use the latest TLS version record version in client hello.
 
address@hidden %VERIFY_ALLOW_SIGN_RSA_MD5:
address@hidden %VERIFY_ALLOW_SIGN_RSA_MD5 @tab
 will allow RSA-MD5 signatures in certificate chains.
 
address@hidden %VERIFY_ALLOW_X509_V1_CA_CRT:
address@hidden %VERIFY_ALLOW_X509_V1_CA_CRT @tab
 will allow V1 CAs in chains.
 
address@hidden table
address@hidden multitable
address@hidden priority string keywords.}
address@hidden float
 
 @node Client Authentication
 @subsection Client Authentication
diff --git a/doc/cha-library.texi b/doc/cha-library.texi
index 84e88e8..7486523 100644
--- a/doc/cha-library.texi
+++ b/doc/cha-library.texi
@@ -115,7 +115,7 @@ negative number indicates failure, or a situation that some 
action has
 to be taken. Thus negative error codes may be fatal or not.
 
 Fatal errors terminate the connection immediately and further sends
-and receives will be disallowed. An example of a fatal error code is
+and receives will be disallowed.  Such an example is
 @code{GNUTLS_E_DECRYPTION_FAILED}. Non-fatal errors may warn about
 something, i.e., a warning alert was received, or indicate the some
 action has to be taken. This is the case with the error code
@@ -206,10 +206,10 @@ data to the transport layer.
 
 @end itemize
 
-Other callback functions such as the one set by
address@hidden, may require more
-complicated input, including data to be allocated.  These callbacks
-should allocate and free memory using the functions shown below.
+Other callback functions may require more complicated input and data
+to be allocated. Such an example is 
address@hidden
+All callbacks should allocate and free memory using the functions shown below.
 
 @itemize
 
diff --git a/doc/cha-programs.texi b/doc/cha-programs.texi
index e8f7e62..bbdfade 100644
--- a/doc/cha-programs.texi
+++ b/doc/cha-programs.texi
@@ -417,7 +417,7 @@ like:
 @smallexample
 $ gnutls-cli -p 5556 test.gnutls.org --pskusername jas \
   --pskkey 9e32cf7786321a828ef7668f09fb35db \
-  --priority NORMAL:+DHE-PSK:+PSK:-RSA:-DHE-RSA
+  --priority NORMAL:-KX-ALL:+ECDHE-PSK:DHE-PSK:+PSK
 @end smallexample
 
 @menu
@@ -450,13 +450,13 @@ Enter password:
 @end smallexample
 
 If the server supports several cipher suites, you may need to force it
-to chose PSK by using a cipher priority parameter such as
address@hidden NORMAL:+PSK:-RSA:-DHE-RSA:-DHE-PSK}.
+to chose PSK by using a cipher priority parameter such as in the
+example below:
 
 @smallexample
 $ ./gnutls-cli -p 5556 localhost --pskusername psk_identity \
   --pskkey 88f3824b3e5659f52d00e959bacab954b6540344 \
-  --priority NORMAL:+DHE-PSK:+PSK
+  --priority NORMAL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK
 Resolving 'localhost'...
 Connecting to '127.0.0.1:5556'...
 - PSK authentication.
diff --git a/doc/latex/fdl.tex b/doc/latex/fdl.tex
index 40a4a68..21d0f44 100644
--- a/doc/latex/fdl.tex
+++ b/doc/latex/fdl.tex
@@ -4,8 +4,8 @@
 \addcontentsline{toc}{chapter}{GNU Free Documentation License}
 %\label{label_fdl}
 
- \begin{center}
-
+\begin{center}
+{\small
        Version 1.3, 3 November 2008
 
 
@@ -13,18 +13,20 @@
  
  \bigskip
  
-     <http://fsf.org/>
+     http://fsf.org/
   
  \bigskip
  
  Everyone is permitted to copy and distribute verbatim copies
  of this license document, but changing it is not allowed.
+}
 \end{center}
 
 
 \begin{center}
-{\bf\large Preamble}
+{\bf\small Preamble}
 \end{center}
+{\tiny 
 
 The purpose of this License is to make a manual, textbook, or other
 functional and useful document ``free'' in the sense of freedom: to
@@ -47,13 +49,15 @@ it can be used for any textual work, regardless of subject 
matter or
 whether it is published as a printed book.  We recommend this License
 principally for works whose purpose is instruction or reference.
 
-
+}
 \begin{center}
-{\Large\bf 1. APPLICABILITY AND DEFINITIONS\par}
+{\small\bf 1. APPLICABILITY AND DEFINITIONS\par}
 \phantomsection
 \addcontentsline{toc}{section}{1. APPLICABILITY AND DEFINITIONS}
 \end{center}
 
+{\tiny 
+
 This License applies to any manual or other work, in any medium, that
 contains a notice placed by the copyright holder saying it can be
 distributed under the terms of this License.  Such a notice grants a
@@ -141,14 +145,15 @@ Disclaimers are considered to be included by reference in 
this
 License, but only as regards disclaiming warranties: any other
 implication that these Warranty Disclaimers may have is void and has
 no effect on the meaning of this License.
-
+}
 
 \begin{center}
-{\Large\bf 2. VERBATIM COPYING\par}
+{\small\bf 2. VERBATIM COPYING\par}
 \phantomsection
 \addcontentsline{toc}{section}{2. VERBATIM COPYING}
 \end{center}
 
+{\tiny
 You may copy and distribute the Document in any medium, either
 commercially or noncommercially, provided that this License, the
 copyright notices, and the license notice saying this License applies
@@ -161,14 +166,15 @@ number of copies you must also follow the conditions in 
section~3.
 
 You may also lend copies, under the same conditions stated above, and
 you may publicly display copies.
-
+}
 
 \begin{center}
-{\Large\bf 3. COPYING IN QUANTITY\par}
+{\small\bf 3. COPYING IN QUANTITY\par}
 \phantomsection
 \addcontentsline{toc}{section}{3. COPYING IN QUANTITY}
 \end{center}
 
+{\tiny
 
 If you publish printed copies (or copies in media that commonly have
 printed covers) of the Document, numbering more than 100, and the
@@ -205,13 +211,15 @@ It is requested, but not required, that you contact the 
authors of the
 Document well before redistributing any large number of copies, to give
 them a chance to provide you with an updated version of the Document.
 
-
+}
 \begin{center}
-{\Large\bf 4. MODIFICATIONS\par}
+{\small\bf 4. MODIFICATIONS\par}
 \phantomsection
 \addcontentsline{toc}{section}{4. MODIFICATIONS}
 \end{center}
 
+{\tiny
+
 You may copy and distribute a Modified Version of the Document under
 the conditions of sections 2 and 3 above, provided that you release
 the Modified Version under precisely this License, with the Modified
@@ -324,14 +332,15 @@ permission from the previous publisher that added the old 
one.
 The author(s) and publisher(s) of the Document do not by this License
 give permission to use their names for publicity for or to assert or
 imply endorsement of any Modified Version.
-
+}
 
 \begin{center}
-{\Large\bf 5. COMBINING DOCUMENTS\par}
+{\small\bf 5. COMBINING DOCUMENTS\par}
 \phantomsection
 \addcontentsline{toc}{section}{5. COMBINING DOCUMENTS}
 \end{center}
 
+{\tiny
 
 You may combine the Document with other documents released under this
 License, under the terms defined in section~4 above for modified
@@ -354,13 +363,15 @@ in the various original documents, forming one section 
Entitled
 ``History''; likewise combine any sections Entitled ``Acknowledgements'',
 and any sections Entitled ``Dedications''.  You must delete all sections
 Entitled ``Endorsements''.
+}
 
 \begin{center}
-{\Large\bf 6. COLLECTIONS OF DOCUMENTS\par}
+{\small\bf 6. COLLECTIONS OF DOCUMENTS\par}
 \phantomsection
 \addcontentsline{toc}{section}{6. COLLECTIONS OF DOCUMENTS}
 \end{center}
 
+{\tiny
 You may make a collection consisting of the Document and other documents
 released under this License, and replace the individual copies of this
 License in the various documents with a single copy that is included in
@@ -371,14 +382,15 @@ You may extract a single document from such a collection, 
and distribute
 it individually under this License, provided you insert a copy of this
 License into the extracted document, and follow this License in all
 other respects regarding verbatim copying of that document.
-
+}
 
 \begin{center}
-{\Large\bf 7. AGGREGATION WITH INDEPENDENT WORKS\par}
+{\small\bf 7. AGGREGATION WITH INDEPENDENT WORKS\par}
 \phantomsection
 \addcontentsline{toc}{section}{7. AGGREGATION WITH INDEPENDENT WORKS}
 \end{center}
 
+{\tiny
 
 A compilation of the Document or its derivatives with other separate
 and independent documents or works, in or on a volume of a storage or
@@ -396,14 +408,15 @@ covers that bracket the Document within the aggregate, or 
the
 electronic equivalent of covers if the Document is in electronic form.
 Otherwise they must appear on printed covers that bracket the whole
 aggregate.
-
+}
 
 \begin{center}
-{\Large\bf 8. TRANSLATION\par}
+{\small\bf 8. TRANSLATION\par}
 \phantomsection
 \addcontentsline{toc}{section}{8. TRANSLATION}
 \end{center}
 
+{\tiny
 
 Translation is considered a kind of modification, so you may
 distribute translations of the Document under the terms of section~4.
@@ -422,15 +435,16 @@ If a section in the Document is Entitled 
``Acknowledgements'',
 ``Dedications'', or ``History'', the requirement (section~4) to Preserve
 its Title (section~1) will typically require changing the actual
 title.
-
+}
 
 \begin{center}
-{\Large\bf 9. TERMINATION\par}
+{\small\bf 9. TERMINATION\par}
 \phantomsection
 \addcontentsline{toc}{section}{9. TERMINATION}
 \end{center}
 
 
+{\tiny
 You may not copy, modify, sublicense, or distribute the Document
 except as expressly provided under this License.  Any attempt
 otherwise to copy, modify, sublicense, or distribute it is void, and
@@ -455,15 +469,16 @@ licenses of parties who have received copies or rights 
from you under
 this License.  If your rights have been terminated and not permanently
 reinstated, receipt of a copy of some or all of the same material does
 not give you any rights to use it.
-
+}
 
 \begin{center}
-{\Large\bf 10. FUTURE REVISIONS OF THIS LICENSE\par}
+{\small\bf 10. FUTURE REVISIONS OF THIS LICENSE\par}
 \phantomsection
 \addcontentsline{toc}{section}{10. FUTURE REVISIONS OF THIS LICENSE}
 \end{center}
 
 
+{\tiny
 The Free Software Foundation may publish new, revised versions
 of the GNU Free Documentation License from time to time.  Such new
 versions will be similar in spirit to the present version, but may
@@ -482,14 +497,15 @@ specifies that a proxy can decide which future versions 
of this
 License can be used, that proxy's public statement of acceptance of a
 version permanently authorizes you to choose that version for the
 Document.
-
+}
 
 \begin{center}
-{\Large\bf 11. RELICENSING\par}
+{\small\bf 11. RELICENSING\par}
 \phantomsection
 \addcontentsline{toc}{section}{11. RELICENSING}
 \end{center}
 
+{\tiny
 
 ``Massive Multiauthor Collaboration Site'' (or ``MMC Site'') means any
 World Wide Web server that publishes copyrightable works and also
@@ -517,14 +533,15 @@ and (2) were thus incorporated prior to November 1, 2008.
 The operator of an MMC Site may republish an MMC contained in the site
 under CC-BY-SA on the same site at any time before August 1, 2009,
 provided the MMC is eligible for relicensing.
-
+}
 
 \begin{center}
-{\Large\bf ADDENDUM: How to use this License for your documents\par}
+{\small\bf ADDENDUM: How to use this License for your documents\par}
 \phantomsection
 \addcontentsline{toc}{section}{ADDENDUM: How to use this License for your 
documents}
 \end{center}
 
+{\tiny
 To use this License in a document you have written, include a copy of
 the License in the document and put the following copyright and
 license notices just after the title page:
@@ -560,4 +577,5 @@ recommend releasing these examples in parallel under your 
choice of
 free software license, such as the GNU General Public License,
 to permit their use in free software.
 
+}
 %---------------------------------------------------------------------
diff --git a/doc/latex/gnutls.tex b/doc/latex/gnutls.tex
index 870b82e..973eb54 100644
--- a/doc/latex/gnutls.tex
+++ b/doc/latex/gnutls.tex
@@ -67,7 +67,7 @@
 
 %\input{cha-functions}
 
-%\input{fdl}
+\input{fdl}
 
 \backmatter
 
diff --git a/doc/scripts/mytexi2latex b/doc/scripts/mytexi2latex
index aa54766..fe7ea2d 100755
--- a/doc/scripts/mytexi2latex
+++ b/doc/scripts/mytexi2latex
@@ -88,9 +88,14 @@ while ($line = <FILE>) {
                         $mode = pop(@stack);
                 } else {
                        $line =~ s/address@hidden/\\caption\{/g;
-                       $line =~ s/address@hidden address@hidden ([\.\d]+) 
([\.\d]+) 
([\.\d]+)$/\n\\begin{tabular}{|p{3.3cm}|p{3.3cm}|p{4.3cm}|}\n\\hline\n/g;
-                       $line =~ s/address@hidden address@hidden ([\.\d]+) 
([\.\d]+) ([\.\d]+) ([\.\d]+) 
([\.\d]+)$/\n\\begin{tabular}{|p{2cm}|p{2cm}|p{2cm}|p{2cm}|p{3cm}|}\n\\hline\n/g;
-                       push(@stack, FLOAT_TABLE);
+
+                       if ($line =~ m/address@hidden/) {
+                               push(@stack, FLOAT_TABLE);
+                               $line =~ s/address@hidden address@hidden 
([\.\d]+) 
([\.\d]+)$/\n\\begin{tabular}{|p{$1\\linewidth}|p{$2\\linewidth}|}\n\\hline\n/g;
+                               $line =~ s/address@hidden address@hidden 
([\.\d]+) ([\.\d]+) 
([\.\d]+)$/\n\\begin{tabular}{|p{$1\\linewidth}|p{$2\\linewidth}|p{$3\\linewidth}|}\n\\hline\n/g;
+                               $line =~ s/address@hidden address@hidden 
([\.\d]+) ([\.\d]+) ([\.\d]+) ([\.\d]+) 
([\.\d]+)$/\n\\begin{tabular}{|p{$1\\linewidth}|p{$2\\linewidth}|p{$3\\linewidth}|p{$4\\linewidth}|p{$5\\linewidth}|}\n\\hline\n/g;
+                       }
+                       
                        goto multitable;
                }
                $prev_mode = $mode;
@@ -166,8 +171,8 @@ multitable:
         } else {
                $prev_mode = $mode;
 
-               $line =~ s/address@hidden/% /g;
-               $line =~ s/address@hidden iftex/% /g;
+               $line =~ s/address@hidden/%c /g;
+               $line =~ s/address@hidden iftex/%c /g;
                 $line =~ s/address@hidden (.+)/\\label{$1}/g;
                $line =~ s/address@hidden($spacematch+)\}/\\label{$1}/g;
                if ($line =~ s/address@hidden (.+)/\\subsection{$1}/g) {
@@ -235,11 +240,15 @@ multitable:
                         push(@stack, NORMAL);
                         $mode = TABLE_ITEMIZE;
                 }
-                if ($line =~ s/address@hidden address@hidden ([\.\d]+) 
([\.\d]+) 
([\.\d]+)$/\n\\begin{tabular}{|p{3.3cm}|p{3.3cm}|p{4.3cm}|}\n\\hline\n/g) {
+                if ($line =~ s/address@hidden address@hidden ([\.\d]+) 
([\.\d]+)$/\n\\begin{tabular}{|p{$1\\linewidth}|p{$2\\linewidth}|}\n\\hline\n/g)
 {
+                        push(@stack, NORMAL);
+                        $mode = MULTITABLE;
+                }
+                if ($line =~ s/address@hidden address@hidden ([\.\d]+) 
([\.\d]+) 
([\.\d]+)$/\n\\begin{tabular}{|p{$1\\linewidth}|p{$2\\linewidth}|p{$3\\linewidth}|}\n\\hline\n/g)
 {
                         push(@stack, NORMAL);
                         $mode = MULTITABLE;
                 }
-                if ($line =~ s/address@hidden address@hidden ([\.\d]+) 
([\.\d]+) ([\.\d]+) ([\.\d]+) 
([\.\d]+)$/\n\\begin{tabular}{|p{2cm}|p{2cm}|p{2cm}|p{2cm}|p{3cm}|}\n\\hline\n/g)
 {
+                if ($line =~ s/address@hidden address@hidden ([\.\d]+) 
([\.\d]+) ([\.\d]+) ([\.\d]+) 
([\.\d]+)$/\n\\begin{tabular}{|p{$1\\linewidth}|p{$2\\linewidth}|p{$3\\linewidth}|p{$4\\linewidth}|p{$5\\linewidth}|}\n\\hline\n/g)
 {
                         push(@stack, NORMAL);
                         $mode = MULTITABLE;
                 }
@@ -264,7 +273,7 @@ multitable:
        if ($verbatim == 0) {
                $line =~ s/\_/\\_/g;
                $line =~ s/\~/\\~/g;
-               $line =~ s/\%/\\%/g;
+               $line =~ s/\%(?!c)/\\%/g;
                $line =~ s/\#/\\\#/g;
                 $line =~ s/address@hidden (.*)/\\examplefile{\.\.\/$1}/g;
                $line =~ 
s/address@hidden($match+)\,($match+)\}/\\includegraphics\[width\=$2\]\{\.\.\/$1\.pdf\}/g;
diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c
index 21d8297..b8d0e0b 100644
--- a/lib/gnutls_errors.c
+++ b/lib/gnutls_errors.c
@@ -275,8 +275,7 @@ static const gnutls_error_entry error_algorithms[] = {
   ERROR_ENTRY (N_("The specified algorithm or protocol is unknown."),
                GNUTLS_E_UNKNOWN_ALGORITHM, 1),
 
-  ERROR_ENTRY (N_("The handshake data size is too large (DoS?), "
-                  "check gnutls_handshake_set_max_packet_length()."),
+  ERROR_ENTRY (N_("The handshake data size is too large."),
                GNUTLS_E_HANDSHAKE_TOO_LARGE, 1),
 
   ERROR_ENTRY (N_("Error opening /dev/crypto"),
diff --git a/lib/gnutls_srp.c b/lib/gnutls_srp.c
index be35949..e4cab2e 100644
--- a/lib/gnutls_srp.c
+++ b/lib/gnutls_srp.c
@@ -42,9 +42,9 @@
 /* Here functions for SRP (like g^x mod n) are defined 
  */
 
-int
+static int
 _gnutls_srp_gx (opaque * text, size_t textsize, opaque ** result,
-                bigint_t g, bigint_t prime, gnutls_alloc_function galloc_func)
+                bigint_t g, bigint_t prime)
 {
   bigint_t x, e;
   size_t result_size;
@@ -71,7 +71,7 @@ _gnutls_srp_gx (opaque * text, size_t textsize, opaque ** 
result,
   ret = _gnutls_mpi_print (e, NULL, &result_size);
   if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
     {
-      *result = galloc_func (result_size);
+      *result = gnutls_malloc (result_size);
       if ((*result) == NULL)
         return GNUTLS_E_MEMORY_ERROR;
 
@@ -680,7 +680,7 @@ gnutls_srp_server_get_username (gnutls_session_t session)
  * libgcrypt functions gcry_prime_generate() and
  * gcry_prime_group_generator().
  *
- * The verifier will be allocated with @malloc and will be stored in
+ * The verifier will be allocated with @gnutls_malloc() and will be stored in
  * @res using binary format.
  *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, or an
@@ -719,7 +719,7 @@ gnutls_srp_verifier (const char *username, const char 
*password,
       return GNUTLS_E_MPI_SCAN_FAILED;
     }
 
-  ret = _gnutls_srp_gx (digest, 20, &res->data, _g, _n, malloc);
+  ret = _gnutls_srp_gx (digest, 20, &res->data, _g, _n);
   if (ret < 0)
     {
       gnutls_assert ();
diff --git a/lib/gnutls_srp.h b/lib/gnutls_srp.h
index 76a257d..1f9fce7 100644
--- a/lib/gnutls_srp.h
+++ b/lib/gnutls_srp.h
@@ -25,8 +25,6 @@
 
 #ifdef ENABLE_SRP
 
-int _gnutls_srp_gx (opaque * text, size_t textsize, opaque ** result,
-                    bigint_t g, bigint_t prime, gnutls_alloc_function);
 bigint_t _gnutls_calc_srp_B (bigint_t * ret_b, bigint_t g, bigint_t n,
                              bigint_t v);
 bigint_t _gnutls_calc_srp_u (bigint_t A, bigint_t B, bigint_t N);


hooks/post-receive
-- 
GNU gnutls



reply via email to

[Prev in Thread] Current Thread [Next in Thread]