[SCM] GNU gnutls branch, master, updated. gnutls_2_99_3-12-gdff2364
From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_2_99_3-12-gdff2364
Date: Tue, 21 Jun 2011 06:58:40 +0000
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=dff23649552500f42e4c9cfb3ce491f26dce33e6
The branch, master has been updated
via dff23649552500f42e4c9cfb3ce491f26dce33e6 (commit)
via 272a6df983073ebd6329b4aaa831b617f8a66514 (commit)
via e7a9875b7232b81af32c16258f89c663f455a3e7 (commit)
via dbed6d02bd3f271d59628279a4ac5cf23bca1ca7 (commit)
via a31c9a76e769a8b365ed1998eb8247ffee006fd7 (commit)
from b679178e1c1b08286068462c9bbbbb4f303351e5 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit dff23649552500f42e4c9cfb3ce491f26dce33e6
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Tue Jun 21 01:42:39 2011 +0200
documentation updates.
commit 272a6df983073ebd6329b4aaa831b617f8a66514
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Tue Jun 21 01:02:20 2011 +0200
gnutls_srp_verifier() returns data allocated with gnutls_malloc()
for consistency.
commit e7a9875b7232b81af32c16258f89c663f455a3e7
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Tue Jun 21 01:01:15 2011 +0200
reduced error message.
commit dbed6d02bd3f271d59628279a4ac5cf23bca1ca7
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Mon Jun 20 21:01:46 2011 +0200
simplified text.
commit a31c9a76e769a8b365ed1998eb8247ffee006fd7
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Mon Jun 20 20:47:29 2011 +0200
FDL is now included using a tiny font.
-----------------------------------------------------------------------
Summary of changes:
NEWS | 9 +++
doc/cha-auth.texi | 74 ++++++++++------------
doc/cha-cert-auth.texi | 120 +++++++++++++++++++++--------------
doc/cha-gtls-app.texi | 5 +-
doc/cha-intro-tls.texi | 155 ++++++++++++++++++++++++++-------------------
doc/cha-library.texi | 10 ++--
doc/cha-programs.texi | 8 +-
doc/latex/fdl.tex | 72 +++++++++++++--------
doc/latex/gnutls.tex | 2 +-
doc/scripts/mytexi2latex | 25 +++++---
lib/gnutls_errors.c | 3 +-
lib/gnutls_srp.c | 10 ++--
lib/gnutls_srp.h | 2 -
13 files changed, 286 insertions(+), 209 deletions(-)
diff --git a/NEWS b/NEWS
index c37c36a..c58b213 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,15 @@ Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005,
2006, 2007, 2008, 2009, 2010 Free Software Foundation, Inc.
See the end for copying conditions.
+* Version (unreleased)
+
+** libgnutls: gnutls_srp_verifier() returns data allocated with gnutls_malloc()
+for consistency.
+
+** API and ABI modifications:
+No changes since last version.
+
+
* Version 2.99.3 (released 2011-06-18)
** libgnutls: Added new PKCS #11 flags to force an object being private or
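Review bot: The new gnutls_srp_verifier() entry does not tell callers how to release the result. Since the returned data is now allocated with gnutls_malloc(), the entry should say it has to be freed with gnutls_free(); existing code that calls plain free() on it is mismatched as soon as the library's allocator is not the C library's. The "No changes since last version" line under "API and ABI modifications" also sits oddly next to an ownership change in a public function, so consider mentioning it there as well.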
diff --git a/doc/cha-auth.texi b/doc/cha-auth.texi
index edfb36d..9f85e2f 100644
--- a/doc/cha-auth.texi
+++ b/doc/cha-auth.texi
@@ -114,28 +114,29 @@ certificate authentication.
Note that the DHE key exchange methods are generally
address@hidden really depends on the group used. Primes with
-lesser bits are always faster, but also easier to break. Values less
-than 1024 should not be used today} than plain RSA and require Diffie
+lesser bits are always faster, but also easier to break. See @ref{Selecting
cryptographic key sizes}
+for the acceptable security levels.} than plain RSA and require Diffie
Hellman parameters to be generated and associated with a credentials
structure, by the server. For more information check the @ref{Parameter
generation}
-section.
+section. The key exchange algorithms for @acronym{OpenPGP} and @acronym{X.509}
+certificates are shown in @ref{tab:key-exchange}.
-Key exchange algorithms for @acronym{OpenPGP} and @acronym{X.509}
-certificates:
address@hidden Table,tab:key-exchange
address@hidden @columnfractions .3 .7
address@hidden @code
address@hidden Key exchange @tab Description
address@hidden RSA:
address@hidden RSA @tab
The RSA algorithm is used to encrypt a key and send it to the peer.
The certificate must allow the key to be used for encryption.
address@hidden RSA_EXPORT:
address@hidden RSA_EXPORT @tab
The RSA algorithm is used to encrypt a key and send it to the peer.
In the EXPORT algorithm, the server signs temporary RSA parameters of
512 bits --- which are considered weak --- and sends them to the
client.
address@hidden DHE_RSA:
address@hidden DHE_RSA @tab
The RSA algorithm is used to sign ephemeral Diffie-Hellman parameters
which are sent to the peer. The key in the certificate must allow the
key to be used for signing. Note that key exchange algorithms which
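Review bot: In the DHE footnote, replacing "Values less than 1024 should not be used today" with only a cross-reference removes the one concrete minimum a reader sees at this point. Keep a short floor in the footnote next to the @ref{Selecting cryptographic key sizes} pointer so the warning survives when the footnote is read on its own. In the same footnote, "Primes with lesser bits" would read better as "Primes with fewer bits".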
@@ -143,26 +144,28 @@ use ephemeral Diffie-Hellman parameters, offer perfect
forward
secrecy. That means that even if the private key used for signing is
compromised, it cannot be used to reveal past session data.
address@hidden ECDHE_RSA:
address@hidden ECDHE_RSA @tab
The RSA algorithm is used to sign ephemeral elliptic curve Diffie-Hellman
parameters which are sent to the peer. The key in the certificate must allow
the key to be used for signing. It also offers perfect forward
secrecy. That means that even if the private key used for signing is
compromised, it cannot be used to reveal past session data.
address@hidden DHE_DSS:
address@hidden DHE_DSS @tab
The DSA algorithm is used to sign ephemeral Diffie-Hellman parameters
which are sent to the peer. The certificate must contain DSA
parameters to use this key exchange algorithm. DSA is the algorithm
of the Digital Signature Standard (DSS).
address@hidden ECDHE_ECDSA:
address@hidden ECDHE_ECDSA @tab
The Elliptic curve DSA algorithm is used to sign ephemeral elliptic
curve Diffie-Hellman parameters which are sent to the peer. The
certificate must contain ECDSA parameters to use this key exchange
algorithm.
address@hidden table
address@hidden multitable
address@hidden key exchange algorithms.}
address@hidden float
@node Anonymous authentication
@section Anonymous Authentication
@@ -241,28 +244,20 @@ authenticated using a certificate with RSA parameters.
@end table
If clients supporting @acronym{SRP} know the username and password
-before the connection, should initialize the client credentials and
-call the function @funcref{gnutls_srp_set_client_credentials}.
-Alternatively they could specify a callback function by using the
-function @funcref{gnutls_srp_set_client_credentials_function}. This has
-the advantage that allows probing the server for @acronym{SRP}
-support. In that case the callback function will be called twice per
-handshake. The first time is before the ciphersuite is negotiated,
-and if the callback returns a negative error code, the callback will
-be called again if @acronym{SRP} has been negotiated. This uses a
-special @address@hidden handshake idiom in order to avoid,
-in interactive applications, to ask the user for @acronym{SRP}
-password and username if the server does not negotiate an
address@hidden ciphersuite.
+before the connection, should initialize client credentials and
+call @funcref{gnutls_srp_set_client_credentials}.
+Alternatively @funcref{gnutls_srp_set_client_credentials_function}
+may be used to specify a callback function.
+The callback will be called once during the @acronym{TLS} handshake.
In server side the default behaviour of @acronym{GnuTLS} is to read
the usernames and @acronym{SRP} verifiers from password files. These
password files are the ones used by the @emph{Stanford srp libraries}
-and can be specified using the
address@hidden If a different
-password file format is to be used, then the function
address@hidden, should be called,
-in order to set an appropriate callback.
+and @funcref{gnutls_srp_set_server_credentials_file} can be used to
+specify them. If a different
+password file format is to be used, then
address@hidden should be called,
+to set an appropriate callback.
Some helper functions such as
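Review bot: The rewritten SRP paragraph says the callback "will be called once during the TLS handshake" but drops everything the old text said about when it runs and what a negative return code does. If the two-call probing behaviour was removed from the library, that belongs in NEWS, which in this push only mentions gnutls_srp_verifier(); if it was not removed, the new sentence is inaccurate. Either way, state at which point of the handshake the callback is invoked, so interactive applications know whether the user is prompted before SRP has been negotiated. Also, "should initialize client credentials" has no subject after the comma ("they should initialize"), and "In server side" should be "On the server side".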
@@ -306,10 +301,10 @@ exchange. This method offers perfect forward secrecy.
@end table
Clients supporting @acronym{PSK} should supply the username and key
-before the connection to the client credentials by calling the
-function @funcref{gnutls_psk_set_client_credentials}. Alternatively they
-could specify a callback function by using the function
address@hidden This has the
+before the TLS session is established by calling
address@hidden Alternatively
address@hidden can be used to
+specify a callback function. This has the
advantage that the callback will be called only if @acronym{PSK} has
been negotiated.
@@ -318,12 +313,13 @@ the usernames and @acronym{PSK} keys from a password
file. The
password file should contain usernames and keys in hexadecimal
format. The name of the password file can be stored to the credentials
structure by calling @funcref{gnutls_psk_set_server_credentials_file}. If
-a different password file format is to be used, then the function
address@hidden, should be used
-instead.
+a different password file format is to be used, then
+a callback should be set instead by
@funcref{gnutls_psk_set_server_credentials_function}.
The server can help the client chose a suitable username and password,
-by sending a hint. In the server, specify the hint by calling
+by sending a hint. Note that there is no common profile for the PSK hint and
applications
+are discouraged to use it.
+A server, may specify the hint by calling
@funcref{gnutls_psk_set_server_credentials_hint}. The client can retrieve
the hint, for example in the callback function, using
@funcref{gnutls_psk_client_get_hint}.
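Review bot: The added PSK hint sentences need a grammar pass: "applications are discouraged to use it" should be "applications are discouraged from using it", and "A server, may specify the hint" has a stray comma. The paragraph now discourages the hint and then goes straight on to explain how to set and read it, so a word such as "If a hint is needed, a server may ..." would make the two statements fit together. "chose" in the unchanged line above should be "choose".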
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi
index c4675ae..26ca9fd 100644
--- a/doc/cha-cert-auth.texi
+++ b/doc/cha-cert-auth.texi
@@ -42,29 +42,34 @@ Detailed examples involving X.509 certificates are listed
below.
An @acronym{X.509} certificate usually contains information about the
certificate holder, the signer, a unique serial number, expiration
-dates and some other fields @xcite{PKIX} as shown in the table below.
+dates and some other fields @xcite{PKIX} as shown in @ref{tab:x509}.
address@hidden @code
address@hidden Table,tab:x509
address@hidden @columnfractions .3 .7
+
address@hidden Field @tab Description
address@hidden version:
address@hidden version @tab
The field that indicates the version of the certificate.
address@hidden serialNumber:
address@hidden serialNumber @tab
This field holds a unique serial number per certificate.
address@hidden issuer:
address@hidden issuer @tab
Holds the issuer's distinguished name.
address@hidden validity:
address@hidden validity @tab
The activation and expiration dates.
address@hidden subject:
address@hidden subject @tab
The subject's distinguished name of the certificate.
address@hidden extensions:
address@hidden extensions @tab
The extensions are fields only present in version 3 certificates.
address@hidden table
address@hidden multitable
address@hidden certificate fields.}
address@hidden float
The certificate's @emph{subject or issuer name} is not just a single
string. It is a Distinguished name and in the @acronym{ASN.1}
@@ -85,40 +90,45 @@ Certificate @emph{extensions} are there to include
information about
the certificate's subject that did not fit in the typical certificate
fields. Those may be e-mail addresses, flags that indicate whether the
belongs to a CA etc. All the supported @acronym{X.509} version 3
-extensions are shown in the table below.
+extensions are shown in @ref{tab:x509-ext}.
address@hidden @code
address@hidden Table,tab:x509-ext
address@hidden @columnfractions .3 .2 .5
address@hidden subject key id (2.5.29.14):
address@hidden Extension @tab OID @tab Description
+
address@hidden Subject key id @tab 2.5.29.14 @tab
An identifier of the key of the subject.
address@hidden authority key id (2.5.29.35):
address@hidden Authority key id @tab 2.5.29.35 @tab
An identifier of the authority's key used to sign the certificate.
address@hidden subject alternative name (2.5.29.17):
address@hidden Subject alternative name @tab 2.5.29.17 @tab
Alternative names to subject's distinguished name.
address@hidden key usage (2.5.29.15):
address@hidden Key usage @tab 2.5.29.15 @tab
Constraints the key's usage of the certificate.
address@hidden extended key usage (2.5.29.37):
address@hidden Extended key usage @tab 2.5.29.37 @tab
Constraints the purpose of the certificate.
address@hidden basic constraints (2.5.29.19):
address@hidden Basic constraints @tab 2.5.29.19 @tab
Indicates whether this is a CA certificate or not, and specify the
maximum path lengths of certificate chains.
address@hidden CRL distribution points (2.5.29.31):
address@hidden CRL distribution points @tab 2.5.29.31 @tab
This extension is set by the CA, in order to inform about the issued
CRLs.
address@hidden Proxy Certification Information (1.3.6.1.5.5.7.1.14):
address@hidden Proxy Certification Information @tab 1.3.6.1.5.5.7.1.14 @tab
Proxy Certificates includes this extension that contains the OID of
the proxy policy language used, and can specify limits on the maximum
lengths of proxy chains. Proxy Certificates are specified in
@xcite{RFC3820}.
address@hidden table
address@hidden multitable
address@hidden certificate extensions.}
address@hidden float
In @acronym{GnuTLS} the @acronym{X.509} certificate structures are
handled using the @code{gnutls_x509_crt_t} type and the corresponding
@@ -185,31 +195,37 @@ authority list has been set via the
thus it is not required to setup a trusted list as above.
Convenience functions such as @funcref{gnutls_certificate_verify_peers2}
are equivalent and will verify the peer's certificate chain
-in a TLS session.
+in a TLS session. The certificate verification functions output
+codes as in @ref{tab:cert-verify}.
address@hidden @code
address@hidden Table,tab:cert-verify
address@hidden @columnfractions .55 .45
+
address@hidden Flag @tab Description
address@hidden GNUTLS_CERT_INVALID:
address@hidden GNUTLS_CERT_INVALID @tab
The certificate is not signed by one of the known authorities, or
the signature is invalid.
address@hidden GNUTLS_CERT_REVOKED:
address@hidden GNUTLS_CERT_REVOKED @tab
The certificate has been revoked by its CA.
address@hidden GNUTLS_CERT_SIGNER_NOT_FOUND:
address@hidden GNUTLS_CERT_SIGNER_NOT_FOUND @tab
The certificate's issuer is not known. This is the case when the
issuer is not in the trusted certificates list.
address@hidden GNUTLS_CERT_SIGNER_NOT_CA:
address@hidden GNUTLS_CERT_SIGNER_NOT_CA @tab
The certificate's signer was not a CA. This may happen if
this was a version 1 certificate, which is common with some CAs, or
a version 3 certificate without the basic constrains extension.
address@hidden GNUTLS_CERT_INSECURE_ALGORITHM:
address@hidden GNUTLS_CERT_INSECURE_ALGORITHM @tab
The certificate was signed using an insecure algorithm such as MD2 or
MD5. These algorithms have been broken and should not be trusted.
address@hidden table
address@hidden multitable
address@hidden verification output flags.}
address@hidden float
There is also to possibility to pass some input to the verification
functions in the form of flags. For
@funcref{gnutls_x509_trust_list_verify_crt} the
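Review bot: The new lead-in says the verification functions "output codes", while the table header and caption call the same values flags. Use one term, and say that the status is a bitwise OR of these flags, so several can be set at once and a caller has to test the whole value rather than compare it against a single constant. "basic constrains extension" in the GNUTLS_CERT_SIGNER_NOT_CA row should be "basic constraints extension".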
@@ -217,48 +233,53 @@ flags are passed straightforward, but
@funcref{gnutls_certificate_verify_peers2} depends on the flags set by
calling @funcref{gnutls_certificate_set_verify_flags}. All the available
flags are part of the enumeration
address@hidden and are explained in the table
-below.
address@hidden and are explained in @ref{tab:cert-flags}.
address@hidden @code
address@hidden GNUTLS_VERIFY_DISABLE_CA_SIGN:
address@hidden Table,tab:cert-flags
address@hidden @columnfractions .5 .5
+
address@hidden Flag @tab Description
address@hidden GNUTLS_VERIFY_\-DISABLE_CA_SIGN @tab
If set a signer does not have to be a certificate authority. This
flag should normaly be disabled, unless you know what this means.
address@hidden GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT:
address@hidden GNUTLS_VERIFY_\-ALLOW_X509_V1_CA_CRT @tab
Allow only trusted CA certificates that have version 1. This is
-safer than GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT, and should be
+safer than GNUTLS_VERIFY_\-ALLOW_ANY_X509_V1_CA_CRT, and should be
used instead. That way only signers in your trusted list will be
allowed to have certificates of version 1. This is the default.
address@hidden GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT:
address@hidden GNUTLS_VERIFY_\-DO_NOT_ALLOW_X509_V1_CA_CRT @tab
Do not allow trusted version 1 CA certificates. This option is to be used
in order consider all V1 certificates as deprecated.
address@hidden GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT:
address@hidden GNUTLS_VERIFY_\-ALLOW_ANY_X509_V1_CA_CRT @tab
Allow CA certificates that have version 1 (both root and
intermediate). This is dangerous since those haven't the
basicConstraints extension. Must be used in combination with
-GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT.
+GNUTLS_VERIFY_\-ALLOW_X509_V1_CA_CRT.
address@hidden GNUTLS_VERIFY_DO_NOT_ALLOW_SAME:
address@hidden GNUTLS_VERIFY_\-DO_NOT_ALLOW_SAME @tab
If a certificate is not signed by anyone trusted but exists in
the trusted CA list do not treat it as trusted.
address@hidden GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2:
address@hidden GNUTLS_VERIFY_\-ALLOW_SIGN_RSA_MD2 @tab
Allow certificates to be signed using the old MD2 algorithm.
address@hidden GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5:
address@hidden GNUTLS_VERIFY_\-ALLOW_SIGN_RSA_MD5 @tab
Allow certificates to be signed using the broken MD5 algorithm.
address@hidden GNUTLS_VERIFY_DISABLE_TIME_CHECKS:
address@hidden GNUTLS_VERIFY_\-DISABLE_TIME_CHECKS @tab
Disable checking of activation
and expiration validity periods of certificate chains. Don't set
this unless you understand the security implications.
address@hidden GNUTLS_VERIFY_DISABLE_CRL_CHECKS:
address@hidden GNUTLS_VERIFY_\-DISABLE_CRL_CHECKS @tab
Disables checking for validity using certificate revocation lists.
address@hidden table
+
address@hidden multitable
address@hidden verification flags.}
address@hidden float
Although the verification of a certificate path indicates that the
certificate is signed by trusted authority, does not reveal anything
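Review bot: The flag names in this table now contain a literal \- (for example GNUTLS_VERIFY_\-DISABLE_CA_SIGN), including inside the running text of the ALLOW_X509_V1_CA_CRT and ALLOW_ANY_X509_V1_CA_CRT rows. That is TeX syntax; the Texinfo discretionary hyphen is @-, so unless every output format is post-processed, the Info and HTML manuals will show identifiers that cannot be copied into code or searched for. Use @- or let the column fractions handle the wrapping. "normaly" in the DISABLE_CA_SIGN row should be "normally".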
@@ -431,7 +452,7 @@ the user to insert the token. All the initialization
functions are below.
@end itemize
Note that due to limitations of @acronym{PKCS} #11 there are issues when
multiple libraries
-are sharing a module. To avoid this problem GnuTLS uses
address@hidden://p11-glue.freedesktop.org/}
+are sharing a module. To avoid this problem GnuTLS uses
address@hidden@url{http://p11-glue.freedesktop.org/}}
that provides a middleware to control access to resources over the
multiple users.
@@ -444,7 +465,7 @@ key on a smart card may be referenced as:
@example
pkcs11:token=Nikos;serial=307521161601031;model=PKCS%2315; \
manufacturer=EnterSafe;object=test1;objecttype=public;\
-id=32:f1:53:f3:e3:79:90:b0:86:24:14:10:77:ca:5d:ec:2d:15:fa:ed
+id=32f153f3e37990b08624141077ca5dec2d15faed
@end example
while the smart card itself can be referenced as:
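Review bot: The example URL changes the id attribute from colon-separated bytes to one contiguous hex string, but nothing in this hunk says which form the parser accepts. Add a sentence on the expected id syntax, and on whether the old form is still recognised, so URLs copied from earlier versions of the manual do not silently stop matching an object.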
@@ -680,9 +701,12 @@ signature (2nd preimage resistance).
If you are using @funcref{gnutls_certificate_verify_peers2} to verify the
certificate chain, you can call
address@hidden with the
address@hidden or
address@hidden flag, as in:
address@hidden with the flags:
address@hidden
address@hidden @code{GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2}
address@hidden @code{GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5}
address@hidden itemize
+as in the following example:
@smallexample
gnutls_certificate_set_verify_flags (x509cred,
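Review bot: Turning the "... or ... flag" wording into a bulleted list loses the "or", and "with the flags:" followed by "as in the following example" now reads as if both flags have to be passed. Say that either flag may be set, or both combined, and point back to @ref{tab:cert-verify}, where MD2 and MD5 are described as broken, so the reader sees what is being given up by setting them.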
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 632b70e..c30d2be 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -76,8 +76,9 @@ verbose information on the @acronym{GnuTLS} functions
internal flow.
When debugging is not required, important issues, such as detected
attacks on the protocol still need to be logged. This is provided
-by @funcref{gnutls_global_set_audit_log_function}, that uses a logging
-function that accepts the detected error message and the corresponding
+by the logging function set by
address@hidden The set function
+accepts the detected error message and the corresponding
TLS session. The session information might be used to derive IP addresses
or other information about the peer involved.
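Review bot: "The set function accepts the detected error message" is ambiguous, because it can be read as the setter named in the previous sentence rather than the callback it installs. Write "The logging function accepts ..." so it is clear that the callback is what receives the message and the TLS session.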
diff --git a/doc/cha-intro-tls.texi b/doc/cha-intro-tls.texi
index b45551e..8a2cf55 100644
--- a/doc/cha-intro-tls.texi
+++ b/doc/cha-intro-tls.texi
@@ -85,9 +85,12 @@ you, call @code{gnutls_transport_set_errno} with the
intended errno
value instead of setting @code{errno} directly.
@acronym{GnuTLS} currently only interprets the EINTR and EAGAIN errno
-values and returns the corresponding @acronym{GnuTLS} error codes
address@hidden and @code{GNUTLS_E_AGAIN}. These values
-are usually returned by interrupted system calls, or when non blocking
+values and returns the corresponding @acronym{GnuTLS} error codes:
address@hidden
address@hidden @code{GNUTLS_E_INTERRUPTED}
address@hidden @code{GNUTLS_E_AGAIN}
address@hidden itemize
+These values are usually returned by interrupted system calls, or when non
blocking
IO is used. All @acronym{GnuTLS} functions can be resumed (called
again), if any of these error codes is returned. The error codes
above refer to the system call, not the @acronym{GnuTLS} function,
@@ -158,69 +161,75 @@ just after the handshake protocol has finished.
@cindex Symmetric encryption algorithms
Confidentiality in the record layer is achieved by using symmetric
-block encryption algorithms like @code{3DES}, @address@hidden,
-or Advanced Encryption Standard, is actually the RIJNDAEL algorithm.
-This is the algorithm that replaced DES.}, or stream algorithms like
address@hidden@address@hidden is a compatible
-algorithm with RSA's RC4 algorithm, which is considered to be a trade
-secret.}. Ciphers are encryption algorithms that use a single, secret,
+block encryption algorithms like @code{3DES}, @code{AES}
+or stream algorithms like @code{ARCFOUR_128}.
+ Ciphers are encryption algorithms that use a single, secret,
key to encrypt and decrypt data. Block algorithms in TLS also provide
protection against statistical analysis of the data. Thus, if you're
using the @acronym{TLS} protocol, a random number of blocks will be
appended to data, to prevent eavesdroppers from guessing the actual
data size.
-Supported cipher algorithms:
+The supported in @acronym{GnuTLS} ciphers and MAC algorithms are shown in
@ref{tab:ciphers} and
address@hidden:macs}.
address@hidden @code
address@hidden 3DES_CBC:
address@hidden Table,tab:ciphers
address@hidden @columnfractions .30 .70
address@hidden Algorithm @tab Description
address@hidden 3DES_CBC @tab
This is the DES block cipher algorithm used with triple
encryption (EDE). Has 64 bits block size and is used in CBC mode.
address@hidden ARCFOUR_128:
-A fast stream cipher.
address@hidden ARCFOUR_128 @tab
+ARCFOUR_128 is a compatible algorithm with RSA's RC4 algorithm, which is
considered to be a trade
+secret. It is a fast cipher but considered weak today.
address@hidden ARCFOUR_40:
address@hidden ARCFOUR_40 @tab
This is the ARCFOUR cipher fed with a 40 bit key,
which is considered weak.
address@hidden AES_CBC:
address@hidden AES_CBC @tab
AES or RIJNDAEL is the block cipher algorithm that replaces the old
DES algorithm. Has 128 bits block size and is used in CBC mode.
address@hidden AES_GCM:
address@hidden AES_GCM @tab
This is the AES algorithm in the authenticated encryption GCM mode.
This mode combines message authentication and encryption and can
be extremely fast on CPUs that support hardware acceleration.
address@hidden CAMELLIA_CBC:
address@hidden CAMELLIA_CBC @tab
This is an 128-bit block cipher developed by Mitsubish and NTT. It
is one of the approved ciphers of the European NESSIE and Japanese
CRYPTREC projects.
address@hidden table
-
address@hidden multitable
address@hidden ciphers.}
address@hidden float
-Supported MAC algorithms:
address@hidden @code
address@hidden MAC_MD5:
address@hidden Table,tab:macs
address@hidden @columnfractions .30 .70
address@hidden Algorithm @tab Description
address@hidden MAC_MD5 @tab
This is a cryptographic hash algorithm designed by Ron Rivest. Outputs
128 bits of data.
address@hidden MAC_SHA1:
address@hidden MAC_SHA1 @tab
A cryptographic hash algorithm designed by NSA. Outputs 160
bits of data.
address@hidden MAC_SHA256:
address@hidden MAC_SHA256 @tab
A cryptographic hash algorithm designed by NSA. Outputs 256
bits of data.
address@hidden MAC_AEAD:
address@hidden MAC_AEAD @tab
This indicates that an authenticated encryption algorithm, such as
GCM, is in use.
address@hidden table
address@hidden multitable
address@hidden MAC algorithms.}
address@hidden float
+
@node Compression algorithms used in the record layer
@subsection Compression Algorithms Used in the Record Layer
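Review bot: "The supported in @acronym{GnuTLS} ciphers and MAC algorithms are shown in" has its words in the wrong order; "The ciphers and MAC algorithms supported by @acronym{GnuTLS} are shown in" reads correctly. The added line " Ciphers are encryption algorithms that use a single, secret," starts with a stray space. In the CAMELLIA_CBC row, "Mitsubish" should be "Mitsubishi" and "an 128-bit" should be "a 128-bit".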
@@ -272,8 +281,7 @@ encrypted packet.
Those weaknesses were solved in @acronym{TLS} 1.1 @xcite{RFC4346}
which is implemented in @acronym{GnuTLS}. For a detailed discussion
-see the archives of the TLS Working Group mailing list and the paper
address@hidden
+see the archives of the TLS Working Group mailing list and @xcite{CBCATT}.
@node On Record Padding
@subsection On Record Padding
@@ -308,7 +316,7 @@ different incoming IP addresses.
To enable the workaround in the @command{gnutls-cli} client or the
@command{gnutls-serv} server, for testing of other implementations, use
-the following parameter: @option{--priority "NORMAL:%COMPAT"}.
+the parameter: @option{--priority "NORMAL:%COMPAT"}.
@node The TLS Alert Protocol
@@ -393,8 +401,8 @@ To initiate the handshake.
@subsection TLS Cipher Suites
The Handshake Protocol of @acronym{TLS} negotiates cipher suites of
-the form @code{TLS_DHE_RSA_WITH_3DES_CBC_SHA}. The usual cipher
-suites contain these parameters:
+a special form illustrated by the @code{TLS_DHE_RSA_WITH_3DES_CBC_SHA} cipher
suite name. A typical cipher
+suite contains these parameters:
@itemize
@@ -423,45 +431,50 @@ All the supported ciphersuites are shown in
@ref{ciphersuites}.
In order to specify cipher suite preferences, the
previously shown priority functions accept a string
that specifies the algorithms to be enabled in a TLS handshake.
-That string may contain some high level keyword such as:
+That string may contain some high level keyword such as
+the keywords in @ref{tab:prio-keywords}.
address@hidden @asis
address@hidden PERFORMANCE:
address@hidden Table,tab:prio-keywords
address@hidden @columnfractions .30 .70
address@hidden Keyword @tab Description
address@hidden PERFORMANCE @tab
All the "secure" ciphersuites are enabled,
limited to 128 bit ciphers and sorted by terms of speed
performance.
address@hidden NORMAL:
address@hidden NORMAL @tab
Means all "secure" ciphersuites. The 256-bit ciphers are
included as a fallback only. The ciphers are sorted by security
margin.
address@hidden SECURE128:
address@hidden SECURE128 @tab
Means all "secure" ciphersuites of security level 128-bit
or more.
address@hidden SECURE192:
address@hidden SECURE192 @tab
Means all "secure" ciphersuites of security level 192-bit
or more.
address@hidden SUITEB128:
address@hidden SUITEB128 @tab
Means all the NSA Suite B cryptography (RFC5430) ciphersuites
with an 128 bit security level.
address@hidden SUITEB192:
address@hidden SUITEB192 @tab
Means all the NSA Suite B cryptography (RFC5430) ciphersuites
with an 192 bit security level.
address@hidden EXPORT:
address@hidden EXPORT @tab
Means all ciphersuites are enabled, including the
low-security 40 bit ciphers.
address@hidden NONE:
address@hidden NONE @tab
Means nothing is enabled. This disables even protocols and
compression methods. It should be followed by the
algorithms to be enabled.
address@hidden table
address@hidden multitable
address@hidden priority string keywords.}
address@hidden float
or it might contain special keywords, that will be explained
later on.
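Review bot: The lead-in sentence now ends at "the keywords in @ref{tab:prio-keywords}." yet the unchanged line after the float still continues it with "or it might contain special keywords, that will be explained later on." With a float in between, that fragment is orphaned. Fold it into the lead-in, or replace it with a pointer to @ref{tab:prio-special}.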
@@ -482,7 +495,9 @@ this string you have to prefix it with "COMP-", protocol
versions
with "VERS-", signature algorithms with "SIGN-" and certificate types with
"CTYPE-". All other
algorithms don't need a prefix.}. The order with which every algorithm
is specified is significant. Similar algorithms specified before others
-will take precedence.
+will take precedence. The individual algorithms are shown in
@ref{tab:prio-algorithms}
+and special keywords are in @ref{tab:prio-special}.
+
Keywords prepended to individual algorithms:
@table @asis
@@ -495,57 +510,63 @@ appended with an algorithm will add this algorithm.
@end table
-Individual algorithms:
address@hidden @asis
address@hidden Ciphers:
+
address@hidden Table,tab:prio-algorithms
address@hidden @columnfractions .30 .70
address@hidden Type @tab Keywords
address@hidden Ciphers @tab
AES-128-CBC, AES-256-CBC, AES-128-GCM, CAMELLIA-128-CBC,
CAMELLIA-256-CBC, ARCFOUR-128, 3DES-CBC ARCFOUR-40. Catch all
name is CIPHER-ALL which will add all the algorithms from NORMAL
priority.
address@hidden Key exchange:
address@hidden Key exchange @tab
RSA, DHE-RSA, DHE-DSS, SRP, SRP-RSA, SRP-DSS,
PSK, DHE-PSK, ECDHE-RSA, ANON-ECDH, ANON-DH, RSA-EXPORT. The
Catch all name is KX-ALL which will add all the algorithms from NORMAL
priority.
address@hidden MAC:
address@hidden MAC @tab
MD5, SHA1, SHA256, AEAD (used with
GCM ciphers only). All algorithms from NORMAL priority can be accessed with
MAC-ALL.
address@hidden Compression algorithms:
address@hidden Compression algorithms @tab
COMP-NULL, COMP-DEFLATE. Catch all is COMP-ALL.
address@hidden TLS versions:
address@hidden TLS versions @tab
VERS-SSL3.0, VERS-TLS1.0, VERS-TLS1.1,
VERS-TLS1.2. Catch all is VERS-TLS-ALL.
address@hidden Signature algorithms:
address@hidden Signature algorithms @tab
SIGN-RSA-SHA1, SIGN-RSA-SHA224,
SIGN-RSA-SHA256, SIGN-RSA-SHA384, SIGN-RSA-SHA512, SIGN-DSA-SHA1,
SIGN-DSA-SHA224, SIGN-DSA-SHA256, SIGN-RSA-MD5. Catch all
is SIGN-ALL. This is only valid for TLS 1.2 and later.
address@hidden Elliptic curves:
address@hidden Elliptic curves @tab
CURVE-SECP224R1, CURVE-SECP256R1, CURVE-SECP384R1, CURVE-SECP521R1. Catch all
is CURVE-ALL.
address@hidden table
address@hidden multitable
address@hidden supported priority strings.}
address@hidden float
-Special keywords:
address@hidden @asis
address@hidden %COMPAT:
address@hidden Table,tab:prio-special
address@hidden @columnfractions .50 .50
address@hidden Keyword @tab Description
+
address@hidden %COMPAT @tab
will enable compatibility mode. It might mean that violations
of the protocols are allowed as long as maximum compatibility with
problematic clients and servers is achieved.
address@hidden %DISABLE_SAFE_RENEGOTIATION:
address@hidden %DISABLE_SAFE_RENEGOTIATION @tab
will disable safe renegotiation
completely. Do not use unless you know what you are doing.
Testing purposes only.
address@hidden %UNSAFE_RENEGOTIATION:
address@hidden %UNSAFE_RENEGOTIATION @tab
will allow handshakes and rehandshakes
without the safe renegotiation extension. Note that for clients
this mode is insecure (you may be under attack), and for servers it
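Review bot: In the Ciphers row of tab:prio-algorithms, "3DES-CBC ARCFOUR-40" is missing a comma, which matters more now that the row is a reference list people copy keywords from. In tab:prio-special the descriptions still begin with a lowercase "will ...", which reads as a sentence fragment once the keyword sits in its own column; rephrase them as "Enables ...", "Disables ..." and so on.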
@@ -553,32 +574,34 @@ will allow insecure clients to connect (which could be
fooled by an
attacker). Do not use unless you know what you are doing and want
maximum compatibility.
address@hidden %PARTIAL_RENEGOTIATION:
address@hidden %PARTIAL_RENEGOTIATION @tab
will allow initial handshakes to proceed,
but not rehandshakes. This leaves the client vulnerable to attack,
and servers will be compatible with non-upgraded clients for
initial handshakes. This is currently the default for clients and
servers, for compatibility reasons.
address@hidden %SAFE_RENEGOTIATION:
address@hidden %SAFE_RENEGOTIATION @tab
will enforce safe renegotiation. Clients and
servers will refuse to talk to an insecure peer. Currently this
causes operability problems, but is required for full protection.
address@hidden %SSL3_RECORD_VERSION:
address@hidden %SSL3_RECORD_VERSION @tab
will use SSL3.0 record version in client hello.
This is the default.
address@hidden %LATEST_RECORD_VERSION:
address@hidden %LATEST_RECORD_VERSION @tab
will use the latest TLS version record version in client hello.
address@hidden %VERIFY_ALLOW_SIGN_RSA_MD5:
address@hidden %VERIFY_ALLOW_SIGN_RSA_MD5 @tab
will allow RSA-MD5 signatures in certificate chains.
address@hidden %VERIFY_ALLOW_X509_V1_CA_CRT:
address@hidden %VERIFY_ALLOW_X509_V1_CA_CRT @tab
will allow V1 CAs in chains.
address@hidden table
address@hidden multitable
address@hidden priority string keywords.}
address@hidden float
@node Client Authentication
@subsection Client Authentication
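Review bot: The %VERIFY_ALLOW_SIGN_RSA_MD5 and %VERIFY_ALLOW_X509_V1_CA_CRT rows say only what is allowed, while the renegotiation rows above them spell out who is exposed and when the keyword is appropriate. Both keywords relax certificate chain verification, so now that these are table cells read in isolation, each should carry a one-sentence caution in the same style as the "Do not use unless you know what you are doing" wording used for %UNSAFE_RENEGOTIATION.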
diff --git a/doc/cha-library.texi b/doc/cha-library.texi
index 84e88e8..7486523 100644
--- a/doc/cha-library.texi
+++ b/doc/cha-library.texi
@@ -115,7 +115,7 @@ negative number indicates failure, or a situation that some
action has
to be taken. Thus negative error codes may be fatal or not.
Fatal errors terminate the connection immediately and further sends
-and receives will be disallowed. An example of a fatal error code is
+and receives will be disallowed. Such an example is
@code{GNUTLS_E_DECRYPTION_FAILED}. Non-fatal errors may warn about
something, i.e., a warning alert was received, or indicate the some
action has to be taken. This is the case with the error code
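Review bot: The new wording "Such an example is" directly follows a sentence about sends and receives being disallowed, so it is less clear than the removed text that @code{GNUTLS_E_DECRYPTION_FAILED} is an example of a fatal error code. Consider "An example of such an error is". The next sentence in the context ("indicate the some action") has a typo that could be fixed in the same pass.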
@@ -206,10 +206,10 @@ data to the transport layer.
@end itemize
-Other callback functions such as the one set by
address@hidden, may require more
-complicated input, including data to be allocated. These callbacks
-should allocate and free memory using the functions shown below.
+Other callback functions may require more complicated input and data
+to be allocated. Such an example is
address@hidden
+All callbacks should allocate and free memory using the functions shown below.
@itemize
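Review bot: The last added sentence widens the requirement from "These callbacks" (the ones that allocate data) to "All callbacks", which reads as if every callback must allocate and free through the listed functions. If the intent is only that data handed back to the library must come from the library's allocator, say so explicitly, for example "Callbacks that return allocated data should allocate and free it using the functions shown below."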
diff --git a/doc/cha-programs.texi b/doc/cha-programs.texi
index e8f7e62..bbdfade 100644
--- a/doc/cha-programs.texi
+++ b/doc/cha-programs.texi
@@ -417,7 +417,7 @@ like:
@smallexample
$ gnutls-cli -p 5556 test.gnutls.org --pskusername jas \
--pskkey 9e32cf7786321a828ef7668f09fb35db \
- --priority NORMAL:+DHE-PSK:+PSK:-RSA:-DHE-RSA
+ --priority NORMAL:-KX-ALL:+ECDHE-PSK:DHE-PSK:+PSK
@end smallexample
@menu
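Review bot: In the new priority string, "DHE-PSK" has no "+" prefix, whereas the second example changed in this file writes ":+DHE-PSK:". Unless the bare form is intentional, use "NORMAL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK" here too, so both examples in the chapter show the same syntax.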
@@ -450,13 +450,13 @@ Enter password:
@end smallexample
If the server supports several cipher suites, you may need to force it
-to chose PSK by using a cipher priority parameter such as
address@hidden NORMAL:+PSK:-RSA:-DHE-RSA:-DHE-PSK}.
+to chose PSK by using a cipher priority parameter such as in the
+example below:
@smallexample
$ ./gnutls-cli -p 5556 localhost --pskusername psk_identity \
--pskkey 88f3824b3e5659f52d00e959bacab954b6540344 \
- --priority NORMAL:+DHE-PSK:+PSK
+ --priority NORMAL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK
Resolving 'localhost'...
Connecting to '127.0.0.1:5556'...
- PSK authentication.
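Review bot: The rewritten sentence keeps the typo "to chose PSK"; it should read "to choose PSK". Since the line is being touched anyway, fix it here.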
diff --git a/doc/latex/fdl.tex b/doc/latex/fdl.tex
index 40a4a68..21d0f44 100644
--- a/doc/latex/fdl.tex
+++ b/doc/latex/fdl.tex
@@ -4,8 +4,8 @@
\addcontentsline{toc}{chapter}{GNU Free Documentation License}
%\label{label_fdl}
- \begin{center}
-
+\begin{center}
+{\small
Version 1.3, 3 November 2008
@@ -13,18 +13,20 @@
\bigskip
- <http://fsf.org/>
+ http://fsf.org/
\bigskip
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
+}
\end{center}
\begin{center}
-{\bf\large Preamble}
+{\bf\small Preamble}
\end{center}
+{\tiny
The purpose of this License is to make a manual, textbook, or other
functional and useful document ``free'' in the sense of freedom: to
@@ -47,13 +49,15 @@ it can be used for any textual work, regardless of subject
matter or
whether it is published as a printed book. We recommend this License
principally for works whose purpose is instruction or reference.
-
+}
\begin{center}
-{\Large\bf 1. APPLICABILITY AND DEFINITIONS\par}
+{\small\bf 1. APPLICABILITY AND DEFINITIONS\par}
\phantomsection
\addcontentsline{toc}{section}{1. APPLICABILITY AND DEFINITIONS}
\end{center}
+{\tiny
+
This License applies to any manual or other work, in any medium, that
contains a notice placed by the copyright holder saying it can be
distributed under the terms of this License. Such a notice grants a
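Review bot: The closing "}" of the {\tiny group replaces the blank line before \begin{center} (here after "principally for works whose purpose is instruction or reference."), so the group ends before the paragraph does. LaTeX uses the baseline skip in force when a paragraph ends, so the last paragraph of the section is set in \tiny type with the outer size's line spacing. End the paragraph inside the group, either with "\par}" or by keeping the blank line and putting "}" after it. The same pattern repeats in the later hunks of this file.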
@@ -141,14 +145,15 @@ Disclaimers are considered to be included by reference in
this
License, but only as regards disclaiming warranties: any other
implication that these Warranty Disclaimers may have is void and has
no effect on the meaning of this License.
-
+}
\begin{center}
-{\Large\bf 2. VERBATIM COPYING\par}
+{\small\bf 2. VERBATIM COPYING\par}
\phantomsection
\addcontentsline{toc}{section}{2. VERBATIM COPYING}
\end{center}
+{\tiny
You may copy and distribute the Document in any medium, either
commercially or noncommercially, provided that this License, the
copyright notices, and the license notice saying this License applies
@@ -161,14 +166,15 @@ number of copies you must also follow the conditions in
section~3.
You may also lend copies, under the same conditions stated above, and
you may publicly display copies.
-
+}
\begin{center}
-{\Large\bf 3. COPYING IN QUANTITY\par}
+{\small\bf 3. COPYING IN QUANTITY\par}
\phantomsection
\addcontentsline{toc}{section}{3. COPYING IN QUANTITY}
\end{center}
+{\tiny
If you publish printed copies (or copies in media that commonly have
printed covers) of the Document, numbering more than 100, and the
@@ -205,13 +211,15 @@ It is requested, but not required, that you contact the
authors of the
Document well before redistributing any large number of copies, to give
them a chance to provide you with an updated version of the Document.
-
+}
\begin{center}
-{\Large\bf 4. MODIFICATIONS\par}
+{\small\bf 4. MODIFICATIONS\par}
\phantomsection
\addcontentsline{toc}{section}{4. MODIFICATIONS}
\end{center}
+{\tiny
+
You may copy and distribute a Modified Version of the Document under
the conditions of sections 2 and 3 above, provided that you release
the Modified Version under precisely this License, with the Modified
@@ -324,14 +332,15 @@ permission from the previous publisher that added the old
one.
The author(s) and publisher(s) of the Document do not by this License
give permission to use their names for publicity for or to assert or
imply endorsement of any Modified Version.
-
+}
\begin{center}
-{\Large\bf 5. COMBINING DOCUMENTS\par}
+{\small\bf 5. COMBINING DOCUMENTS\par}
\phantomsection
\addcontentsline{toc}{section}{5. COMBINING DOCUMENTS}
\end{center}
+{\tiny
You may combine the Document with other documents released under this
License, under the terms defined in section~4 above for modified
@@ -354,13 +363,15 @@ in the various original documents, forming one section
Entitled
``History''; likewise combine any sections Entitled ``Acknowledgements'',
and any sections Entitled ``Dedications''. You must delete all sections
Entitled ``Endorsements''.
+}
\begin{center}
-{\Large\bf 6. COLLECTIONS OF DOCUMENTS\par}
+{\small\bf 6. COLLECTIONS OF DOCUMENTS\par}
\phantomsection
\addcontentsline{toc}{section}{6. COLLECTIONS OF DOCUMENTS}
\end{center}
+{\tiny
You may make a collection consisting of the Document and other documents
released under this License, and replace the individual copies of this
License in the various documents with a single copy that is included in
@@ -371,14 +382,15 @@ You may extract a single document from such a collection,
and distribute
it individually under this License, provided you insert a copy of this
License into the extracted document, and follow this License in all
other respects regarding verbatim copying of that document.
-
+}
\begin{center}
-{\Large\bf 7. AGGREGATION WITH INDEPENDENT WORKS\par}
+{\small\bf 7. AGGREGATION WITH INDEPENDENT WORKS\par}
\phantomsection
\addcontentsline{toc}{section}{7. AGGREGATION WITH INDEPENDENT WORKS}
\end{center}
+{\tiny
A compilation of the Document or its derivatives with other separate
and independent documents or works, in or on a volume of a storage or
@@ -396,14 +408,15 @@ covers that bracket the Document within the aggregate, or
the
electronic equivalent of covers if the Document is in electronic form.
Otherwise they must appear on printed covers that bracket the whole
aggregate.
-
+}
\begin{center}
-{\Large\bf 8. TRANSLATION\par}
+{\small\bf 8. TRANSLATION\par}
\phantomsection
\addcontentsline{toc}{section}{8. TRANSLATION}
\end{center}
+{\tiny
Translation is considered a kind of modification, so you may
distribute translations of the Document under the terms of section~4.
@@ -422,15 +435,16 @@ If a section in the Document is Entitled
``Acknowledgements'',
``Dedications'', or ``History'', the requirement (section~4) to Preserve
its Title (section~1) will typically require changing the actual
title.
-
+}
\begin{center}
-{\Large\bf 9. TERMINATION\par}
+{\small\bf 9. TERMINATION\par}
\phantomsection
\addcontentsline{toc}{section}{9. TERMINATION}
\end{center}
+{\tiny
You may not copy, modify, sublicense, or distribute the Document
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense, or distribute it is void, and
@@ -455,15 +469,16 @@ licenses of parties who have received copies or rights
from you under
this License. If your rights have been terminated and not permanently
reinstated, receipt of a copy of some or all of the same material does
not give you any rights to use it.
-
+}
\begin{center}
-{\Large\bf 10. FUTURE REVISIONS OF THIS LICENSE\par}
+{\small\bf 10. FUTURE REVISIONS OF THIS LICENSE\par}
\phantomsection
\addcontentsline{toc}{section}{10. FUTURE REVISIONS OF THIS LICENSE}
\end{center}
+{\tiny
The Free Software Foundation may publish new, revised versions
of the GNU Free Documentation License from time to time. Such new
versions will be similar in spirit to the present version, but may
@@ -482,14 +497,15 @@ specifies that a proxy can decide which future versions
of this
License can be used, that proxy's public statement of acceptance of a
version permanently authorizes you to choose that version for the
Document.
-
+}
\begin{center}
-{\Large\bf 11. RELICENSING\par}
+{\small\bf 11. RELICENSING\par}
\phantomsection
\addcontentsline{toc}{section}{11. RELICENSING}
\end{center}
+{\tiny
``Massive Multiauthor Collaboration Site'' (or ``MMC Site'') means any
World Wide Web server that publishes copyrightable works and also
@@ -517,14 +533,15 @@ and (2) were thus incorporated prior to November 1, 2008.
The operator of an MMC Site may republish an MMC contained in the site
under CC-BY-SA on the same site at any time before August 1, 2009,
provided the MMC is eligible for relicensing.
-
+}
\begin{center}
-{\Large\bf ADDENDUM: How to use this License for your documents\par}
+{\small\bf ADDENDUM: How to use this License for your documents\par}
\phantomsection
\addcontentsline{toc}{section}{ADDENDUM: How to use this License for your
documents}
\end{center}
+{\tiny
To use this License in a document you have written, include a copy of
the License in the document and put the following copyright and
license notices just after the title page:
@@ -560,4 +577,5 @@ recommend releasing these examples in parallel under your
choice of
free software license, such as the GNU General Public License,
to permit their use in free software.
+}
%---------------------------------------------------------------------
diff --git a/doc/latex/gnutls.tex b/doc/latex/gnutls.tex
index 870b82e..973eb54 100644
--- a/doc/latex/gnutls.tex
+++ b/doc/latex/gnutls.tex
@@ -67,7 +67,7 @@
%\input{cha-functions}
-%\input{fdl}
+\input{fdl}
\backmatter
diff --git a/doc/scripts/mytexi2latex b/doc/scripts/mytexi2latex
index aa54766..fe7ea2d 100755
--- a/doc/scripts/mytexi2latex
+++ b/doc/scripts/mytexi2latex
@@ -88,9 +88,14 @@ while ($line = <FILE>) {
$mode = pop(@stack);
} else {
$line =~ s/address@hidden/\\caption\{/g;
- $line =~ s/address@hidden address@hidden ([\.\d]+)
([\.\d]+)
([\.\d]+)$/\n\\begin{tabular}{|p{3.3cm}|p{3.3cm}|p{4.3cm}|}\n\\hline\n/g;
- $line =~ s/address@hidden address@hidden ([\.\d]+)
([\.\d]+) ([\.\d]+) ([\.\d]+)
([\.\d]+)$/\n\\begin{tabular}{|p{2cm}|p{2cm}|p{2cm}|p{2cm}|p{3cm}|}\n\\hline\n/g;
- push(@stack, FLOAT_TABLE);
+
+ if ($line =~ m/address@hidden/) {
+ push(@stack, FLOAT_TABLE);
+ $line =~ s/address@hidden address@hidden
([\.\d]+)
([\.\d]+)$/\n\\begin{tabular}{|p{$1\\linewidth}|p{$2\\linewidth}|}\n\\hline\n/g;
+ $line =~ s/address@hidden address@hidden
([\.\d]+) ([\.\d]+)
([\.\d]+)$/\n\\begin{tabular}{|p{$1\\linewidth}|p{$2\\linewidth}|p{$3\\linewidth}|}\n\\hline\n/g;
+ $line =~ s/address@hidden address@hidden
([\.\d]+) ([\.\d]+) ([\.\d]+) ([\.\d]+)
([\.\d]+)$/\n\\begin{tabular}{|p{$1\\linewidth}|p{$2\\linewidth}|p{$3\\linewidth}|p{$4\\linewidth}|p{$5\\linewidth}|}\n\\hline\n/g;
+ }
+
goto multitable;
}
$prev_mode = $mode;
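Review bot: The p{$1\\linewidth} column widths are taken unchanged from the @columnfractions values, so a table declared with ".50 .50" (as the priority string tables in this push are) yields two p columns that already add up to \linewidth before the column padding and the "|" rules are counted. That will overflow the text width. Either scale the captured fractions down before emitting them or subtract the padding in the generated column spec.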
@@ -166,8 +171,8 @@ multitable:
} else {
$prev_mode = $mode;
- $line =~ s/address@hidden/% /g;
- $line =~ s/address@hidden iftex/% /g;
+ $line =~ s/address@hidden/%c /g;
+ $line =~ s/address@hidden iftex/%c /g;
$line =~ s/address@hidden (.+)/\\label{$1}/g;
$line =~ s/address@hidden($spacematch+)\}/\\label{$1}/g;
if ($line =~ s/address@hidden (.+)/\\subsection{$1}/g) {
@@ -235,11 +240,15 @@ multitable:
push(@stack, NORMAL);
$mode = TABLE_ITEMIZE;
}
- if ($line =~ s/address@hidden address@hidden ([\.\d]+)
([\.\d]+)
([\.\d]+)$/\n\\begin{tabular}{|p{3.3cm}|p{3.3cm}|p{4.3cm}|}\n\\hline\n/g) {
+ if ($line =~ s/address@hidden address@hidden ([\.\d]+)
([\.\d]+)$/\n\\begin{tabular}{|p{$1\\linewidth}|p{$2\\linewidth}|}\n\\hline\n/g)
{
+ push(@stack, NORMAL);
+ $mode = MULTITABLE;
+ }
+ if ($line =~ s/address@hidden address@hidden ([\.\d]+)
([\.\d]+)
([\.\d]+)$/\n\\begin{tabular}{|p{$1\\linewidth}|p{$2\\linewidth}|p{$3\\linewidth}|}\n\\hline\n/g)
{
push(@stack, NORMAL);
$mode = MULTITABLE;
}
- if ($line =~ s/address@hidden address@hidden ([\.\d]+)
([\.\d]+) ([\.\d]+) ([\.\d]+)
([\.\d]+)$/\n\\begin{tabular}{|p{2cm}|p{2cm}|p{2cm}|p{2cm}|p{3cm}|}\n\\hline\n/g)
{
+ if ($line =~ s/address@hidden address@hidden ([\.\d]+)
([\.\d]+) ([\.\d]+) ([\.\d]+)
([\.\d]+)$/\n\\begin{tabular}{|p{$1\\linewidth}|p{$2\\linewidth}|p{$3\\linewidth}|p{$4\\linewidth}|p{$5\\linewidth}|}\n\\hline\n/g)
{
push(@stack, NORMAL);
$mode = MULTITABLE;
}
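Review bot: The substitutions cover two, three and five column fractions but not four, so a four-column @multitable falls through without a \begin{tabular} being emitted or the mode being switched. The three copies also differ only in the number of captures. One match on the whole list of fractions, split and joined into the column spec, would handle any column count and remove the duplication here and in the float branch above.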
@@ -264,7 +273,7 @@ multitable:
if ($verbatim == 0) {
$line =~ s/\_/\\_/g;
$line =~ s/\~/\\~/g;
- $line =~ s/\%/\\%/g;
+ $line =~ s/\%(?!c)/\\%/g;
$line =~ s/\#/\\\#/g;
$line =~ s/address@hidden (.*)/\\examplefile{\.\.\/$1}/g;
$line =~
s/address@hidden($match+)\,($match+)\}/\\includegraphics\[width\=$2\]\{\.\.\/$1\.pdf\}/g;
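Review bot: The lookahead in s/\%(?!c)/\\%/g leaves every "%" followed by a lowercase "c" unescaped, not only the "%c " marker produced by the comment substitution in the earlier hunk. Any literal "%c" in the manual text (a printf format, for instance) would reach LaTeX as a comment start and silently drop the rest of the line. Match the full marker instead, for example (?!c ) at the start of a line, or use a sentinel that cannot occur in the input.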
diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c
index 21d8297..b8d0e0b 100644
--- a/lib/gnutls_errors.c
+++ b/lib/gnutls_errors.c
@@ -275,8 +275,7 @@ static const gnutls_error_entry error_algorithms[] = {
ERROR_ENTRY (N_("The specified algorithm or protocol is unknown."),
GNUTLS_E_UNKNOWN_ALGORITHM, 1),
- ERROR_ENTRY (N_("The handshake data size is too large (DoS?), "
- "check gnutls_handshake_set_max_packet_length()."),
+ ERROR_ENTRY (N_("The handshake data size is too large."),
GNUTLS_E_HANDSHAKE_TOO_LARGE, 1),
ERROR_ENTRY (N_("Error opening /dev/crypto"),
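Review bot: Dropping the "(DoS?)" guess is reasonable, but the shortened string for GNUTLS_E_HANDSHAKE_TOO_LARGE also removes the only pointer to gnutls_handshake_set_max_packet_length(). Make sure the documentation for that function or for this error code mentions the other, so an application that hits the limit can still find the setting that controls it.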
diff --git a/lib/gnutls_srp.c b/lib/gnutls_srp.c
index be35949..e4cab2e 100644
--- a/lib/gnutls_srp.c
+++ b/lib/gnutls_srp.c
@@ -42,9 +42,9 @@
/* Here functions for SRP (like g^x mod n) are defined
*/
-int
+static int
_gnutls_srp_gx (opaque * text, size_t textsize, opaque ** result,
- bigint_t g, bigint_t prime, gnutls_alloc_function galloc_func)
+ bigint_t g, bigint_t prime)
{
bigint_t x, e;
size_t result_size;
@@ -71,7 +71,7 @@ _gnutls_srp_gx (opaque * text, size_t textsize, opaque **
result,
ret = _gnutls_mpi_print (e, NULL, &result_size);
if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
{
- *result = galloc_func (result_size);
+ *result = gnutls_malloc (result_size);
if ((*result) == NULL)
return GNUTLS_E_MEMORY_ERROR;
@@ -680,7 +680,7 @@ gnutls_srp_server_get_username (gnutls_session_t session)
* libgcrypt functions gcry_prime_generate() and
* gcry_prime_group_generator().
*
- * The verifier will be allocated with @malloc and will be stored in
+ * The verifier will be allocated with @gnutls_malloc() and will be stored in
* @res using binary format.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, or an
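Review bot: The updated comment names the allocator but still does not tell callers how to release the verifier. Callers written against the old "@malloc" wording will be calling free() on res->data, which is a mismatched free wherever gnutls_malloc() is not the C library malloc(). State that the data must be released with gnutls_free() and record the change in NEWS as a behaviour change. Separately, "@" in these doc comments marks a parameter, so the function reference should be written gnutls_malloc() without it.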
@@ -719,7 +719,7 @@ gnutls_srp_verifier (const char *username, const char
*password,
return GNUTLS_E_MPI_SCAN_FAILED;
}
- ret = _gnutls_srp_gx (digest, 20, &res->data, _g, _n, malloc);
+ ret = _gnutls_srp_gx (digest, 20, &res->data, _g, _n);
if (ret < 0)
{
gnutls_assert ();
diff --git a/lib/gnutls_srp.h b/lib/gnutls_srp.h
index 76a257d..1f9fce7 100644
--- a/lib/gnutls_srp.h
+++ b/lib/gnutls_srp.h
@@ -25,8 +25,6 @@
#ifdef ENABLE_SRP
-int _gnutls_srp_gx (opaque * text, size_t textsize, opaque ** result,
- bigint_t g, bigint_t prime, gnutls_alloc_function);
bigint_t _gnutls_calc_srp_B (bigint_t * ret_b, bigint_t g, bigint_t n,
bigint_t v);
bigint_t _gnutls_calc_srp_u (bigint_t A, bigint_t B, bigint_t N);
hooks/post-receive
--
GNU gnutls