
[SCM] GNU gnutls branch, master, updated. gnutls_2_11_3-19-g3b6dec3


From: Simon Josefsson
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_2_11_3-19-g3b6dec3
Date: Fri, 15 Oct 2010 12:51:02 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=3b6dec348851af3a34b9d121c0636f87f946a012

The branch, master has been updated
       via  3b6dec348851af3a34b9d121c0636f87f946a012 (commit)
      from  3f86e31a554d02a2d92b5423942915554af7fc59 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 3b6dec348851af3a34b9d121c0636f87f946a012
Author: Simon Josefsson <address@hidden>
Date:   Fri Oct 15 14:50:58 2010 +0200

    Document channel binding API.

-----------------------------------------------------------------------

Summary of changes:
 NEWS                  |    3 ++-
 doc/cha-bib.texi      |    8 ++++++++
 doc/cha-gtls-app.texi |   43 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 53 insertions(+), 1 deletions(-)

diff --git a/NEWS b/NEWS
index 2134b80..997d201 100644
--- a/NEWS
+++ b/NEWS
@@ -8,7 +8,8 @@ See the end for copying conditions.
 ** libgnutls: Add new API gnutls_session_channel_binding.
 The function is used to get the channel binding data.  Currently only
 the "tls-unique" (RFC 5929) channel binding type is supported, through
-the GNUTLS_CB_TLS_UNIQUE type.
+the GNUTLS_CB_TLS_UNIQUE type.  See new section "Channel Bindings" in
+the manual.
 
 ** doc: Added pkcs11.h header file to GTK-DOC manual.
 
diff --git a/doc/cha-bib.texi b/doc/cha-bib.texi
index 840af87..9664dd9 100644
--- a/doc/cha-bib.texi
+++ b/doc/cha-bib.texi
@@ -149,4 +149,12 @@ European Network of Excellence in Cryptology II, "ECRYPT 
II Yearly
 Report on Algorithms and Keysizes (2009-2010)", Available
 at @url{http://www.ecrypt.eu.org/documents/D.SPA.13.pdf}.
 
address@hidden @anchor{RFC5056}[RFC5056]
+N. Williams, "On the Use of Channel Bindings to Secure Channels",
+November 2007, available from @url{http://www.ietf.org/rfc/rfc5056}.
+
address@hidden @anchor{RFC5929}[RFC5929]
+J. Altman, N. Williams, L. Zhu, "Channel Bindings for TLS", July 2010,
+available from @url{http://www.ietf.org/rfc/rfc5929}.
+
 @end table
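Review bot: the two new bibliography entries say "available from" while the entry directly above them reads "Available at"; pick one wording and capitalization for the whole table. The [RFC5056] and [RFC5929] anchors do match the @xcite{RFC5056} reference used in the new Channel Bindings section, so the cross-references resolve.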
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 6512e3b..2dfa871 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -11,6 +11,7 @@
 * Miscellaneous examples::
 * Compatibility with the OpenSSL library::
 * Keying Material Exporters::
+* Channel Bindings::
 @end menu
 
 @node Preparation
@@ -450,3 +451,45 @@ rc = gnutls_prf (session, strlen (MYLABEL), MYLABEL, 0,
 
 If you don't want to mix in the client/server random, there is a more
 low-level TLS PRF interface called @ref{gnutls_prf_raw}.
+
address@hidden Channel Bindings
address@hidden Channel Bindings
address@hidden Channel Bindings
+
+In user authentication protocols (e.g., EAP or SASL mechanisms) it is
+useful to have a unique string that identifies the secure channel that
+is used, to bind together the user authentication with the secure
+channel.  This can protect against man-in-the-middle attacks in some
+situations.  The unique strings is a ``channel bindings''.  For
+background and more discussion see @xcite{RFC5056}.
+
+You can extract a channel bindings using the
address@hidden function.  Currently only the
address@hidden type is supported, which corresponds to
+the @code{tls-unique} channel bindings for TLS defined in
address@hidden
+
+The following example describes how to print the channel binding data.
+Note that it must be run after a successful TLS handshake.
+
address@hidden
address@hidden
+  gnutls_datum cb;
+  int rc;
+
+  rc = gnutls_session_channel_binding (session,
+                                       GNUTLS_CB_TLS_UNIQUE,
+                                       &cb);
+  if (rc)
+    fprintf (stderr, "Channel binding error: %s\n",
+             gnutls_strerror (rc));
+  else
+    @{
+      size_t i;
+      printf ("- Channel binding 'tls-unique': ");
+      for (i = 0; i < cb.size; i++)
+        printf ("%02x", cb.data[i]);
+      printf ("\n");
+    @}
address@hidden
address@hidden smallexample
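Review bot: the example never releases cb.data, and the new section does not say who owns the buffer that gnutls_session_channel_binding fills in; the text should state whether the caller must free cb.data (with gnutls_free) or whether it points into session memory that stays valid only for the session's lifetime, and the example should then match that (add the free, or a comment that no free is needed). Two grammar fixes in the prose: "The unique strings is a ``channel bindings''" should read "The unique string is a ``channel binding''", and "You can extract a channel bindings" should read "You can extract a channel binding". Minor style point: the public datum type is spelled gnutls_datum_t; `gnutls_datum cb;` relies on the older compatibility name and should be `gnutls_datum_t cb;` to match the rest of the API documentation.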


hooks/post-receive
-- 
GNU gnutls


