gnutls-commit

[SCM] GNU gnutls branch, master, updated. gnutls-3_0_12-66-g6431d64


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls-3_0_12-66-g6431d64
Date: Tue, 24 Jan 2012 18:07:55 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=6431d64b6115b150353dfbac84e9d7c4a753ab96

The branch, master has been updated
       via  6431d64b6115b150353dfbac84e9d7c4a753ab96 (commit)
       via  7d06de5d362e8139b4bf1be0562d2018a18cfc50 (commit)
       via  194a008547ff01e12bcc6800f2ff338ca4903c09 (commit)
       via  37933d6a256b5a4cd09b42aef09bd5dddca919f4 (commit)
       via  36332e90424423fc6858e616bb144e9dbf3c1ebb (commit)
       via  34e453f4be2a56ae088b9244f736055b6fa2225b (commit)
      from  f7a5b448e2060905f408b1cfd6bd8797605b0293 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 6431d64b6115b150353dfbac84e9d7c4a753ab96
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Tue Jan 24 19:10:49 2012 +0100

    it seems libopts does not want completely empty templates.

commit 7d06de5d362e8139b4bf1be0562d2018a18cfc50
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Tue Jan 24 19:05:58 2012 +0100

    correct typo

commit 194a008547ff01e12bcc6800f2ff338ca4903c09
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Tue Jan 24 19:05:29 2012 +0100

    Do not print the same things twice.

commit 37933d6a256b5a4cd09b42aef09bd5dddca919f4
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Tue Jan 24 18:34:32 2012 +0100

    libcfg is no longer required.

commit 36332e90424423fc6858e616bb144e9dbf3c1ebb
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Tue Jan 24 00:12:33 2012 +0100

    updated interoperability and priority strings sections.

commit 34e453f4be2a56ae088b9244f736055b6fa2225b
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Jan 23 23:13:30 2012 +0100

    Added more text on interoperability

-----------------------------------------------------------------------

Summary of changes:
 configure.ac           |   21 -------------
 doc/cha-gtls-app.texi  |   78 +++++++++++++++++++++++++++++++++--------------
 doc/cha-intro-tls.texi |    3 +-
 src/cli.c              |    3 --
 src/common.c           |    8 -----
 tests/key-id/key-id    |    2 +-
 6 files changed, 58 insertions(+), 57 deletions(-)

diff --git a/configure.ac b/configure.ac
index 0a31ae0..7531ae5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -150,27 +150,6 @@ AM_CONDITIONAL(ENABLE_PKCS11, test "$with_p11_kit" != "no")
 dnl Checks for programs in src/ 
 LIBOPTS_CHECK([src/libopts])
 
-dnl Check for libcfg+
-SAVED_LIBS=$LIBS
-AC_ARG_WITH(included-libcfg,
-       AS_HELP_STRING([--with-included-libcfg],
-               [use the included libcfg+ (certtool only)]),
-       libcfg_enabled=$withval, 
-       libcfg_enabled=no
-dnl We search for libcfg+ which is used by certtool
-dnl
-       AC_CHECK_LIB(cfg+, cfg_get_context,:,
-                     libcfg_enabled=yes
-                     AC_MSG_WARN([[
-*** 
-*** Libcfg+ was not found. Will use the included one.]])))
-
-AM_CONDITIONAL(HAVE_LIBCFG, test "$libcfg_enabled" = "no")
-LIBS=$SAVED_LIBS
-
-AC_MSG_CHECKING([whether to use the included libcfg])
-AC_MSG_RESULT($libcfg_enabled)
-
 AC_CHECK_TYPE(ssize_t,
   [
     DEFINE_SSIZE_T="#include <sys/types.h>"
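Review bot: The deleted AM_CONDITIONAL(HAVE_LIBCFG, ...) near the end of the removed block needs a matching cleanup wherever that conditional is consumed, and the summary of changes lists no Makefile.am among the six files touched. Please confirm nothing still tests HAVE_LIBCFG, since automake rejects a conditional that configure.ac no longer defines. The --with-included-libcfg option also goes away for anyone who passes it at configure time, which deserves a line in the release notes.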
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index c9d8e8e..7f3d338 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -734,9 +734,9 @@ Alerts messages may be sent to the peer using 
@funcref{gnutls_alert_send}.
 In order to specify cipher suite preferences on a TLS session
 there are priority functions that accept a string
 specifying the enabled for the handshake algorithms.
-That string may contain a high level keyword such as
-in @ref{tab:prio-keywords} or combination of a high level
-keyword, additional algorithm keywords and special keywords.
+That string may contain a single initial keyword such as
+in @ref{tab:prio-keywords} and may be followed by
+additional algorithm or special keywords.
 
 @showfuncB{gnutls_priority_set_direct,gnutls_priority_set}
 
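Review bot: In the added line "That string may contain a single initial keyword such as in @ref{tab:prio-keywords}", the wording "such as in" reads as if the table were only a sample; if the table is the full set of initial keywords, say "one of the initial keywords listed in @ref{tab:prio-keywords}". The unchanged sentence just above, "specifying the enabled for the handshake algorithms", has its words out of order and could be fixed in the same pass ("the algorithms enabled for the handshake").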
@@ -784,10 +784,10 @@ compression methods. It should be followed by the
 algorithms to be enabled.
 
 @end multitable
address@hidden priority string keywords.}
address@hidden initial keywords.}
 @end float
 
-Unless the first keyword is "NONE" the defaults (in preference
+Unless the initial keyword is "NONE" the defaults (in preference
 order) are for TLS protocols TLS 1.2, TLS1.1, TLS1.0, SSL3.0; for
 compression NULL; for certificate types X.509.
 In key exchange algorithms when in NORMAL or SECURE levels the
@@ -803,15 +803,19 @@ the algorithms at real-time during the protocol run, 
whilst
 the overall security level refers to off-line adversaries 
 (e.g. adversaries breaking the ciphertext years after it was captured).
 
-The NONE keyword, if used, must followed by the algorithms to be enabled,
-and is used to provide the exact list of requested address@hidden avoid 
collisions in order to specify a compression algorithm in
-this string you have to prefix it with "COMP-", protocol versions
-with "VERS-", signature algorithms with "SIGN-" and certificate types with 
"CTYPE-". All other
-algorithms don't need a prefix.}. The order with which every algorithm
-is specified is significant. Similar algorithms specified before others
-will take precedence. The individual algorithms are shown in 
@ref{tab:prio-algorithms}
-and special keywords are in @ref{tab:prio-special}.
-The prefixes for individual algorithms are:
+The NONE keyword, if used, must followed by keywords specifying 
+the algorithms and protocols to be enabled. The other initial keywords may be 
+followed by such keywords.
+The order with which every algorithm or protocol
+is specified is significant. Algorithms specified before others
+will take precedence. The supported algorithms and protocols
+are shown in @ref{tab:prio-algorithms}. 
+To avoid collisions in order to specify a compression algorithm in
+the priority string you have to prefix it with "COMP-", protocol versions
+with "VERS-", signature algorithms with "SIGN-" and certificate types with 
"CTYPE-". 
+All other algorithms don't need a prefix. Each specified keyword can
+be prefixed with any of the following characters.
+
 @table @asis
 @item '!' or '-' 
 appended with an algorithm will remove this algorithm.
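Review bot: The new sentence "Each specified keyword can be prefixed with any of the following characters" is contradicted by the first table item right below it, which still says the character is "appended with an algorithm"; use "prefixed" in both places. The carried-over "must followed by" is missing "be", and "To avoid collisions in order to specify a compression algorithm" would read better as "To avoid collisions, a compression algorithm must be prefixed with ...".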
@@ -866,6 +870,8 @@ for the acceptable security levels.} than their elliptic 
curves counterpart
 requires parameters to be generated and associated with a credentials
 structure by the server (see @ref{Parameter generation}). 
 
+The available special keywords are shown in @ref{tab:prio-special}. 
+
 @float Table,tab:prio-special
 @multitable @columnfractions .45 .45
 @headitem Keyword @tab Description
@@ -873,7 +879,9 @@ structure by the server (see @ref{Parameter generation}).
 @item %COMPAT @tab
 will enable compatibility mode. It might mean that violations
 of the protocols are allowed as long as maximum compatibility with
-problematic clients and servers is achieved.
+problematic clients and servers is achieved. More specifically this
+string would disable TLS record random padding and tolerate packets
+over the maximum allowed TLS record.
 
 @item %NO_EXTENSIONS @tab
 will prevent the sending of any TLS extensions in client side. Note
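Review bot: "tolerate packets over the maximum allowed TLS record" in the added %COMPAT text is missing the word "size", and the description should say which direction each relaxation applies to: the random padding is something this endpoint stops sending, while oversized records are something it starts accepting from the peer. Since the keyword loosens what is accepted on input, a sentence saying it should be enabled only for peers known to need it would fit here.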
@@ -930,6 +938,21 @@ Finally the ciphersuites enabled by any priority string 
can be
 listed using the @code{gnutls-cli} application (see @ref{The gnutls-cli 
tool}), 
 or by using the priority functions as in @ref{Listing the ciphersuites in a 
priority string}.
 
+Example priority strings are:
address@hidden
+The default priority:
+    "NORMAL"
+
+Specifying RSA with AES-128-CBC:
+    "NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-NULL"
+
+Specifying the defaults except ARCFOUR-128:
+    "NORMAL:-ARCFOUR-128"
+
+Enabling the 128-bit secure ciphers, while disabling SSL 3.0 and enabling 
compression:
+    "SECURE128:-VERS-SSL3.0:+COMP-DEFLATE"
address@hidden example
+
 @node Advanced and other topics
 @section Advanced and other topics
 
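Review bot: The second example, "NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-NULL", carries no CTYPE- keyword, while the text earlier in this file says the defaults (X.509 for certificate types among them) apply 'Unless the initial keyword is "NONE"'. Either add the certificate type to the example or state that it is implied, so readers copying a NONE string know whether it is complete.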
@@ -1130,17 +1153,26 @@ Because there is no way to achieve maximum 
interoperability with broken peers
 without sacrificing security, @acronym{GnuTLS} ignores such peers by default. 
 This might not be acceptable in cases where maximum compatibility
 is required. Thus we allow enabling compatibility with broken peers using
-priority strings (see @ref{Priority Strings}). An example priority string that
-is known to provide wide compatibility even with broken peers
-is shown below:
+priority strings (see @ref{Priority Strings}). A conservative priority
+string that would disable certain @acronym{TLS} protocol
+options that are known to cause compatibility problems, is shown below. 
address@hidden
+NORMAL:%COMPAT
address@hidden verbatim
+
+For broken peers that do not tolerate TLS version numbers over TLS 1.0
+another priority string is:
 @verbatim
 NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT
 @end verbatim
-This priority string will only enable SSL 3.0 and TLS 1.0 as protocols and
-will disable, via the @code{%COMPAT} keyword, several @acronym{TLS} protocol
-options that are known to cause compatibility problems. Note however that
-there are known attacks against those protocol versions and
-this mode trades security for compatibility.
+This priority string will in addition to above, only enable SSL 3.0 and 
+TLS 1.0 as protocols. Note however that
+there are known attacks against those protocol versions, especially over
+the CBC-mode ciphersuites. To mitigate them another priority string
+that only allows the stream cipher ARCFOUR is below.
address@hidden
+NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:-CIPHER-ALL:+ARCFOUR-128:%COMPAT
address@hidden verbatim
 
 @node Compatibility with the OpenSSL library
 @subsection Compatibility with the OpenSSL library
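Review bot: The removed sentence ending "this mode trades security for compatibility" has no replacement in the added text, although the second and third strings still enable SSL 3.0 and TLS 1.0 and all three carry %COMPAT; please keep that caveat. "To mitigate them" also overstates the third string: it avoids the CBC-mode ciphersuites by leaving ARCFOUR-128 as the only cipher, so the text should say that handshakes with peers lacking it will fail and that this is a fallback for broken peers rather than a general recommendation. "in addition to above" needs "the".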
diff --git a/doc/cha-intro-tls.texi b/doc/cha-intro-tls.texi
index f0063bf..6aaa201 100644
--- a/doc/cha-intro-tls.texi
+++ b/doc/cha-intro-tls.texi
@@ -219,7 +219,8 @@ encrypted packet.
 
 Those weaknesses were solved in @acronym{TLS} 1.1 @xcite{RFC4346}
 which is implemented in @acronym{GnuTLS}. For this reason we suggest
-to always negotiate the highest supported TLS version with the peer.
+to always negotiate the highest supported TLS version with the 
address@hidden this is not possible then please consult 
@ref{Interoperability}.}.
 For a detailed discussion of the issues see the archives of the TLS 
 Working Group mailing list and @xcite{CBCATT}.
 
diff --git a/src/cli.c b/src/cli.c
index b533d9a..ac0a02f 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -828,9 +828,6 @@ main (int argc, char **argv)
           session_id = malloc (session_id_size);
           gnutls_session_get_id (hd.session, session_id, &session_id_size);
 
-          /* print some information */
-          print_info (hd.session, hostname, HAVE_OPT(INSECURE));
-
           printf ("- Disconnecting\n");
           socket_bye (&hd);
 
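Review bot: The context lines directly above the removed print_info call use the result of malloc (session_id_size) without a NULL check and ignore the return value of gnutls_session_get_id. Both are worth checking while this block is being edited, so that a failed allocation is caught before the buffer is written to.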
diff --git a/src/common.c b/src/common.c
index 4c1ed32..bd03a54 100644
--- a/src/common.c
+++ b/src/common.c
@@ -505,14 +505,6 @@ print_info (gnutls_session_t session, const char 
*hostname, int insecure)
 
   if (verbose)
     {
-      unsigned char id[32];
-      size_t id_size = sizeof (id);
-      gnutls_session_get_id (session, id, &id_size);
-      printf ("- Session ID: %s\n", raw_to_string (id, id_size));
-    }
-
-  if (verbose)
-    {
       gnutls_datum_t cb;
       int rc;
 
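Review bot: Nothing visible in this diff shows where the Session ID is still printed once the first "if (verbose)" block is deleted here and the print_info call is dropped in src/cli.c; please confirm one print site remains for verbose runs, otherwise "Do not print the same things twice" ends up printing it zero times. If the remaining site reuses this pattern, note that the deleted code passed a fixed 32-byte buffer and ignored the return value of gnutls_session_get_id.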
diff --git a/tests/key-id/key-id b/tests/key-id/key-id
index a6c7dcf..2bee9b8 100755
--- a/tests/key-id/key-id
+++ b/tests/key-id/key-id
@@ -27,7 +27,7 @@ CERTTOOL=${CERTTOOL:-../../src/certtool$EXEEXT}
 
 PARAMS="--generate-certificate --load-privkey $srcdir/key-user.pem 
--load-ca-privkey $srcdir/key-ca.pem --template tmpl"
 
-echo > tmpl
+echo "#empty" > tmpl
 
 #$CERTTOOL $PARAMS --load-ca-certificate $srcdir/ca-gnutls-keyid.pem \
 #    --outfile user-gnutls-keyid.pem 2> /dev/null
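Review bot: The reason for writing "#empty" instead of an empty file lives only in the commit message; add a comment above 'echo "#empty" > tmpl' saying that libopts does not accept a completely empty template, so the line is not simplified back later. The script also writes tmpl into the current directory under a fixed name; if the tests can run in parallel or from a read-only source tree, a temporary file would be safer.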


hooks/post-receive
-- 
GNU gnutls


