[SCM] GNU gnutls branch, master, updated. gnutls_3_0_11-21-g2cac1ae

[Nikos Mavrogiannopoulos]

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=2cac1ae6f667a9bbba8fd090a7d560cb6a64db80

The branch, master has been updated
       via  2cac1ae6f667a9bbba8fd090a7d560cb6a64db80 (commit)
       via  2aa6a1eb270188f99caaaa25f44af042f8e9a4f7 (commit)
       via  f773453757b61bae4a1a76ff413e1525d0aff630 (commit)
      from  204f8b3dbf658bdbc418227d14e400725d2646e5 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 2cac1ae6f667a9bbba8fd090a7d560cb6a64db80
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Jan 9 21:38:33 2012 +0100

    Defined more precisely the SECURE levels.

commit 2aa6a1eb270188f99caaaa25f44af042f8e9a4f7
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Jan 9 21:21:28 2012 +0100

    updated for pkg-config autoconf macro and added gnutls_pubkey_encrypt_data.

commit f773453757b61bae4a1a76ff413e1525d0aff630
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Jan 9 21:03:47 2012 +0100

    updated descriptions

-----------------------------------------------------------------------

Summary of changes:
 doc/cha-cert-auth2.texi |    3 +++
 doc/cha-gtls-app.texi   |   32 ++++++++++++++++++++++++++------
 lib/gnutls_priority.c   |    5 ++++-
 lib/x509/x509.c         |   31 ++++++++++++++++++++++---------
 4 files changed, 55 insertions(+), 16 deletions(-)

diff --git a/doc/cha-cert-auth2.texi b/doc/cha-cert-auth2.texi
index 3036bc7..a2f4f35 100644
--- a/doc/cha-cert-auth2.texi
+++ b/doc/cha-cert-auth2.texi
@@ -858,8 +858,11 @@ signature verification operations with the underlying keys.
 
 @showfuncdesc{gnutls_pubkey_verify_data2}
 @showfuncdesc{gnutls_pubkey_verify_hash}
address@hidden
+
 @showfuncdesc{gnutls_privkey_sign_data}
 @showfuncdesc{gnutls_privkey_sign_hash}
address@hidden
 
 Signing existing structures, such as certificates, CRLs,
 or certificate requests, as well as associating public
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 3a9d4f7..6b40811 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -267,6 +267,16 @@ specifying both options to @command{pkg-config}:
 gcc -o foo foo.c `pkg-config gnutls --cflags --libs`
 @end example
 
+When a program uses the GNU autoconf system, then the following
+line or similar can be used to detect the presence of GnuTLS.
+
address@hidden
+PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= 3.0.0])
+
+AC_SUBST([LIBGNUTLS_CFLAGS])
+AC_SUBST([LIBGNUTLS_LIBS])
address@hidden example
+
 @node Session initialization
 @section Session initialization
 
@@ -689,12 +699,14 @@ included as a fallback only.  The ciphers are sorted by 
security
 margin.
 
 @item SECURE128 @tab
-Means all "secure" ciphersuites of security level 128-bit
-or more.
+Means all "secure" ciphersuites that offer a 
+security level 128-bit or more and a message authenticity
+security level of 80 bits or more.
 
 @item SECURE192 @tab
-Means all "secure" ciphersuites of security level 192-bit
-or more.
+Means all "secure" ciphersuites that offer a 
+security level 192-bit or more and a message authenticity
+security level of 128 bits or more.
 
 @item SECURE256 @tab
 Currently alias for SECURE192.
@@ -726,8 +738,16 @@ compression NULL; for certificate types X.509.
 In key exchange algorithms when in NORMAL or SECURE levels the
 perfect forward secrecy algorithms take precedence of the other
 protocols.  In all cases all the supported key exchange algorithms
- are enabled (except for the RSA-EXPORT which is only enabled in
-EXPORT level).
+are address@hidden for the RSA-EXPORT which is only enabled in
+EXPORT level.}.
+
+Note that the SECURE levels distinguish between overall security level and
+message authenticity security level. That is because the message
+authenticity security level requires the adversary to break
+the algorithms at real-time during the protocol run, whilst 
+the overall security level refers to off-line adversaries 
+(e.g. adversaries breaking the ciphertext years after it was captured).
+
 The NONE keyword, if used, must followed by the algorithms to be enabled,
 and is used to provide the exact list of requested address@hidden avoid 
collisions in order to specify a compression algorithm in
 this string you have to prefix it with "COMP-", protocol versions
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index 0a79b67..79573ed 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -370,7 +370,9 @@ static const int cipher_priority_secure128[] = {
   GNUTLS_CIPHER_AES_128_CBC,
   GNUTLS_CIPHER_CAMELLIA_128_CBC,
   GNUTLS_CIPHER_AES_128_GCM,
-  GNUTLS_CIPHER_3DES_CBC,
+  GNUTLS_CIPHER_AES_256_CBC,
+  GNUTLS_CIPHER_CAMELLIA_256_CBC,
+  GNUTLS_CIPHER_AES_256_GCM,
   0
 };
 
@@ -474,6 +476,7 @@ static const int mac_priority_suiteb192[] = {
 };
 
 static const int mac_priority_secure128[] = {
+  GNUTLS_MAC_SHA1,
   GNUTLS_MAC_SHA256,
   GNUTLS_MAC_SHA384,
   GNUTLS_MAC_AEAD,
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index 37f5a8c..9ed1764 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free
- * Software Foundation, Inc.
+ * Copyright (C) 2003-2012 Free Software Foundation, Inc.
  * Author: Nikos Mavrogiannopoulos, Simon Josefsson, Howard Chu
  *
  * This file is part of GnuTLS.
@@ -334,7 +333,9 @@ gnutls_x509_crt_get_issuer_dn_by_oid (gnutls_x509_crt_t 
cert,
  * This function will extract the OIDs of the name of the Certificate
  * issuer specified by the given index.
  *
- * If @oid is null then only the size will be filled. 
+ * If @oid is null then only the size will be filled. The @oid
+ * returned will be null terminated, although @oid_size will not
+ * account for the trailing null.
  *
  * Returns: GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not
  *   long enough, and in that case the @oid_size will be updated
@@ -441,7 +442,9 @@ gnutls_x509_crt_get_dn_by_oid (gnutls_x509_crt_t cert, 
const char *oid,
  * This function will extract the OIDs of the name of the Certificate
  * subject specified by the given index.
  *
- * If @oid is null then only the size will be filled. 
+ * If @oid is null then only the size will be filled. The @oid
+ * returned will be null terminated, although @oid_size will not
+ * account for the trailing null.
  *
  * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
  *   not long enough, and in that case the @oid_size will be updated
@@ -1328,7 +1331,9 @@ gnutls_x509_crt_get_issuer_alt_name2 (gnutls_x509_crt_t 
cert,
  * gnutls_x509_crt_get_subject_alt_name() returned
  * %GNUTLS_SAN_OTHERNAME.
  *
- * If @oid is null then only the size will be filled. 
+ * If @oid is null then only the size will be filled. The @oid
+ * returned will be null terminated, although @oid_size will not
+ * account for the trailing null.
  *
  * Returns: the alternative subject name type on success, one of the
  * enumerated gnutls_x509_subject_alt_name_t.  For supported OIDs, it
@@ -1360,7 +1365,9 @@ gnutls_x509_crt_get_subject_alt_othername_oid 
(gnutls_x509_crt_t cert,
  * Alternative Name, contained in the given certificate, and return
  * the type as an enumerated element.
  *
- * If @oid is null then only the size will be filled. 
+ * If @oid is null then only the size will be filled. The @oid
+ * returned will be null terminated, although @oid_size will not
+ * account for the trailing null.
  *
  * This function is only useful if
  * gnutls_x509_crt_get_issuer_alt_name() returned
@@ -1678,6 +1685,9 @@ gnutls_x509_crt_get_extension_by_oid (gnutls_x509_crt_t 
cert,
  * This function will return the requested extension OID in the certificate.
  * The extension OID will be stored as a string in the provided buffer.
  *
+ * The @oid returned will be null terminated, although @oid_size will not
+ * account for the trailing null.
+ *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
  *   otherwise a negative error code is returned.  If you have reached the
  *   last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
@@ -1720,8 +1730,9 @@ gnutls_x509_crt_get_extension_oid (gnutls_x509_crt_t 
cert, int indx,
  * gnutls_x509_crt_get_extension_data() to extract the data.
  *
  * If the buffer provided is not long enough to hold the output, then
- * address@hidden is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will be
- * returned.
+ * @oid_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will be
+ * returned. The @oid returned will be null terminated, although 
+ * @oid_size will not account for the trailing null.
  *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
  *   otherwise a negative error code is returned.  If you have reached the
@@ -2707,7 +2718,9 @@ gnutls_x509_crt_get_crl_dist_points (gnutls_x509_crt_t 
cert,
  * Usage extension (2.5.29.37) See the GNUTLS_KP_* definitions for
  * human readable names.
  *
- * If @oid is null then only the size will be filled. 
+ * If @oid is null then only the size will be filled. The @oid
+ * returned will be null terminated, although @oid_size will not
+ * account for the trailing null.
  *
  * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
  *   not long enough, and in that case the *oid_size will be updated


hooks/post-receive
-- 
GNU gnutls