[SCM] GNU gnutls branch, ocsp, updated. gnutls_3_0_11-123-g7a6bcf8
From: |
Simon Josefsson |
Subject: |
[SCM] GNU gnutls branch, ocsp, updated. gnutls_3_0_11-123-g7a6bcf8 |
Date: |
Fri, 20 Jan 2012 12:22:10 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=7a6bcf809f5303482711d84fe50fa47a2383e2ac
The branch, ocsp has been updated
via 7a6bcf809f5303482711d84fe50fa47a2383e2ac (commit)
via d384881e20be7c36e7c1399c0a647de709283cb7 (commit)
via 21523a6035c36f8516c2577d3f7d6034883c5ce5 (commit)
via 63cd0dc560bc45607b711da503119805352a0857 (commit)
via df895da2766c27b7e4858ed98efbc08555902c44 (commit)
via 1597d60f0bc63f9c5d820a931390df5ec5994d92 (commit)
via 4dcb8057054b748d3affff99323bb9d42a88c64e (commit)
via b2172d5aff8c7f18352fd6a3d2c17755b8f1eaf2 (commit)
via 2ed79fc10959551ec998052e9fc293a1e97279aa (commit)
via 5780af89e13da06a44b61f6215c03283cf660474 (commit)
via 55cafc084c03c70830e4da83a5167e6f15bbe0dd (commit)
via 37e86de195d6c24bb349e0213dd528c5ceb89688 (commit)
via c3bc5634e570a58ad7e3cb6fdadcd3a67bf090ea (commit)
via f02628b3c9577e9a5a1fcaa87bdd2759fbd7011c (commit)
from 3dacaab91d3540d2c919e43cb5610444dee35f1f (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 7a6bcf809f5303482711d84fe50fa47a2383e2ac
Merge: 3dacaab d384881
Author: Simon Josefsson <address@hidden>
Date: Fri Jan 20 13:21:35 2012 +0100
Merge branches 'master' and 'ocsp' into ocsp
-----------------------------------------------------------------------
Summary of changes:
NEWS | 3 +
doc/Makefile.am | 78 ++++++++++++++++++++++++++++++++-----
doc/cha-gtls-app.texi | 20 +++++-----
doc/cha-internals.texi | 13 +++++-
doc/examples/ex-client-x509.c | 7 +++
doc/examples/ex-pkcs11-list.c | 2 +
doc/examples/print-ciphersuites.c | 2 +
doc/printlist.c | 39 +++++++++---------
doc/texinfo.css | 2 +-
guile/pre-inst-guile.in | 3 +-
guile/tests/Makefile.am | 1 +
lib/gnutls_errors.c | 2 +
lib/gnutls_handshake.c | 5 ++
lib/gnutls_priority.c | 7 +++
lib/includes/gnutls/gnutls.h.in | 1 +
src/cli.c | 7 ++-
16 files changed, 146 insertions(+), 46 deletions(-)
diff --git a/NEWS b/NEWS
index 1cfadfa..8e417b0 100644
--- a/NEWS
+++ b/NEWS
@@ -57,6 +57,9 @@ gnutls_ocsp_req_randomize_nonce: Added.
** certtool: --outder option now works for private
and public keys as well.
+** libgnutls: Added error code GNUTLS_E_NO_PRIORITIES_WERE_SET
+to warn when no or insufficient priorities were set.
+
** libgnutls: Corrected an alignment issue in ECDH
key generation which prevented some keys from being
correctly aligned in rare circumstances.
diff --git a/doc/Makefile.am b/doc/Makefile.am
index fa6d9d8..0d05b88 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -210,10 +210,10 @@ ocsp-api.texi: $(top_srcdir)/lib/includes/gnutls/ocsp.h
# Generated texinfos.
# for some reason it does not work when cross compiling
if !WINDOWS
-gnutls_TEXINFOS += error_codes.texi algorithms.texi alerts.texi enums.texi
+gnutls_TEXINFOS += error_codes.texi algorithms.texi alerts.texi enums.texi
endif
-MAINTAINERCLEANFILES += error_codes.texi algorithms.texi enums.texi
+DISTCLEANFILES = error_codes.texi algorithms.texi alerts.texi enums.texi
AM_CPPFLAGS = \
-I$(top_builddir)/lib/includes -I$(top_srcdir)/lib/includes \
@@ -231,15 +231,17 @@ alert_printlist_SOURCES = alert-printlist.c
alert_printlist_LDADD = ../lib/libgnutls.la ../gl/libgnu.la
error_codes.texi: $(top_srcdir)/lib/gnutls_errors.c $(srcdir)/errcodes.c
- make $(builddir)/errcodes
+ $(MAKE) $(builddir)/errcodes
$(builddir)/errcodes > address@hidden
mv -f address@hidden $@
-algorithms.texi: printlist
+algorithms.texi: $(top_srcdir)/lib/algorithms/ciphers.c $(srcdir)/printlist.c
+ $(MAKE) $(builddir)/printlist
$(builddir)/printlist > address@hidden
mv -f address@hidden $@
-alerts.texi: alert-printlist
+alerts.texi: $(top_srcdir)/lib/gnutls_alert.c $(srcdir)/alert-printlist.c
+ $(MAKE) $(builddir)/alert-printlist
$(builddir)/alert-printlist > address@hidden
mv -f address@hidden $@
@@ -250,9 +252,69 @@ enums.texi: $(srcdir)/../lib/includes/gnutls/*.h
$(builddir)/../lib/includes/gnu
$(srcdir)/scripts/gdoc -texinfo $$i >> address@hidden && \
echo "ok"; \
done
- $(srcdir)/scripts/split-texi.pl enums enum < address@hidden
mv -f address@hidden $@
+ENUMS =
+ENUMS += enums/gnutls_alert_description_t
+ENUMS += enums/gnutls_alert_level_t
+ENUMS += enums/gnutls_certificate_import_flags
+ENUMS += enums/gnutls_certificate_print_formats_t
+ENUMS += enums/gnutls_certificate_request_t
+ENUMS += enums/gnutls_certificate_status_t
+ENUMS += enums/gnutls_certificate_type_t
+ENUMS += enums/gnutls_certificate_verify_flags
+ENUMS += enums/gnutls_channel_binding_t
+ENUMS += enums/gnutls_cipher_algorithm_t
+ENUMS += enums/gnutls_close_request_t
+ENUMS += enums/gnutls_compression_method_t
+ENUMS += enums/gnutls_credentials_type_t
+ENUMS += enums/gnutls_digest_algorithm_t
+ENUMS += enums/gnutls_ecc_curve_t
+ENUMS += enums/gnutls_handshake_description_t
+ENUMS += enums/gnutls_kx_algorithm_t
+ENUMS += enums/gnutls_mac_algorithm_t
+ENUMS += enums/gnutls_openpgp_crt_fmt_t
+ENUMS += enums/gnutls_openpgp_crt_status_t
+ENUMS += enums/gnutls_params_type_t
+ENUMS += enums/gnutls_pk_algorithm_t
+ENUMS += enums/gnutls_pkcs11_obj_attr_t
+ENUMS += enums/gnutls_pkcs11_obj_info_t
+ENUMS += enums/gnutls_pkcs11_obj_type_t
+ENUMS += enums/gnutls_pkcs11_token_info_t
+ENUMS += enums/gnutls_pkcs12_bag_type_t
+ENUMS += enums/gnutls_pkcs_encrypt_flags_t
+ENUMS += enums/gnutls_privkey_type_t
+ENUMS += enums/gnutls_protocol_t
+ENUMS += enums/gnutls_psk_key_flags
+ENUMS += enums/gnutls_rnd_level_t
+ENUMS += enums/gnutls_sec_param_t
+ENUMS += enums/gnutls_server_name_type_t
+ENUMS += enums/gnutls_sign_algorithm_t
+ENUMS += enums/gnutls_supplemental_data_format_type_t
+ENUMS += enums/gnutls_x509_crt_fmt_t
+ENUMS += enums/gnutls_x509_subject_alt_name_t
+
+gnutls_TEXINFOS += $(ENUMS)
+DISTCLEANFILES += $(ENUMS)
+
+$(ENUMS): enums.texi
+ $(MAKE) compare-makefile
+ -mkdir enums
+ $(srcdir)/scripts/split-texi.pl enums enum < enums.texi
+
+compare-makefile:
+ ENUMS=`grep 'address@hidden ' enums.texi | sed 's/@c //g' | sort`; \
+ STR=""; \
+ for i in $$ENUMS; do \
+ STR="$$STR\nENUMS += enums/$$i"; \
+ done; \
+ grep -v -e '^ENUMS += ' $(srcdir)/Makefile.am | \
+ perl -p -e "s,^ENUMS =,ENUMS =$$STR," > tmp-$@; \
+ diff -u $(srcdir)/Makefile.am tmp-$@
+ rm -f tmp-$@
+
+.PHONY: compare-makefile
+
# Guile texinfos.
guile_texi = core.c.texi
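Review bot: The `$(ENUMS): enums.texi` rule gives every enums/* file the same recipe, so under `make -jN` each out-of-date target may run `split-texi.pl` (and `compare-makefile`) concurrently, all writing into the same `enums` directory; routing the targets through one stamp file makes the split run exactly once. `-mkdir enums` also silences every mkdir failure rather than just "already exists", so `$(MKDIR_P) enums` is the safer spelling, and `compare-makefile` leaves `tmp-compare-makefile` behind whenever `diff` fails because the `rm -f` only runs after a successful diff. The stamp file should be added to DISTCLEANFILES alongside `$(ENUMS)`. The generated ENUMS list itself is not at issue.
```makefile
enums.stamp: enums.texi
	$(MAKE) compare-makefile
	$(MKDIR_P) enums
	$(srcdir)/scripts/split-texi.pl enums enum < enums.texi
	touch $@

$(ENUMS): enums.stamp

# … unchanged: compare-makefile rule …
```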
@@ -286,7 +348,3 @@ core.c.texi:
echo "(Guile not available, documentation not generated.)" > $@
endif !HAVE_GUILE
-
-clean-am:
- rm -rf enums gnutls.info gnutls.html gnutls.pdf enums.texi
-
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 1a9f08a..733dda1 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -141,11 +141,11 @@ non-native thread usage is shown below.
@example
#include <gnutls.h>
-/* Other thread packages
- */
-
int main()
@{
+ /* When the system mutexes are not to be used
+ * gnutls_global_set_mutex() must be called explicitly
+ */
gnutls_global_set_mutex (mutex_init, mutex_deinit,
mutex_lock, mutex_unlock);
gnutls_global_init();
@@ -744,22 +744,22 @@ keyword, additional algorithm keywords and special
keywords.
@multitable @columnfractions .20 .70
@headitem Keyword @tab Description
@item PERFORMANCE @tab
-All the "secure" ciphersuites are enabled,
+All the known to be secure ciphersuites are enabled,
limited to 128 bit ciphers and sorted by terms of speed
-performance.
+performance. The message authenticity security level is of 64 bits or more.
@item NORMAL @tab
-Means all "secure" ciphersuites. The 256-bit ciphers are
-included as a fallback only. The ciphers are sorted by security
-margin.
+Means all the known to be secure ciphersuites. The ciphers are sorted by
security
+margin, although the 256-bit ciphers are included as a fallback only.
+The message authenticity security level is of 64 bits or more.
@item SECURE128 @tab
-Means all "secure" ciphersuites that offer a
+Means all known to be secure ciphersuites that offer a
security level 128-bit or more and a message authenticity
security level of 80 bits or more.
@item SECURE192 @tab
-Means all "secure" ciphersuites that offer a
+Means all the known to be secure ciphersuites that offer a
security level 192-bit or more and a message authenticity
security level of 128 bits or more.
diff --git a/doc/cha-internals.texi b/doc/cha-internals.texi
index 649144e..8eebd97 100644
--- a/doc/cha-internals.texi
+++ b/doc/cha-internals.texi
@@ -339,12 +339,19 @@ cryptographic operations as in @ref{fig:crypto-layers}.
The TLS layer uses a cryptographic provider layer, that will in turn either
use the default crypto provider -- a software crypto library, or use an
external
-crypto provider, if available.
+crypto provider, if available in the local system. The reason of handling
+the external cryptographic provider in GnuTLS and not delegating it to
+the cryptographic libraries, is that none of the supported cryptographic
+libraries support @code{/dev/crypto} or CPU-optimized cryptography in
+an efficient way.
@subheading Cryptographic library layer
The Cryptographic library layer, currently supports only
-libnettle. Other cryptographic libraries might be supported
-in the future.
+libnettle. Older versions of GnuTLS used to support libgcrypt,
+but it was switched with nettle mainly for performance address@hidden
address@hidden://lists.gnu.org/archive/html/gnutls-devel/2011-02/msg00079.html}.}
+and secondary because it is a simpler library to use.
+In the future other cryptographic libraries might be supported as well.
@subheading External cryptography provider
Systems that include a cryptographic co-processor, typically come with
diff --git a/doc/examples/ex-client-x509.c b/doc/examples/ex-client-x509.c
index c82df65..0ea151d 100644
--- a/doc/examples/ex-client-x509.c
+++ b/doc/examples/ex-client-x509.c
@@ -40,6 +40,13 @@ int main (void)
*/
gnutls_certificate_set_x509_trust_file (xcred, CAFILE, GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_verify_function (xcred, _verify_certificate_callback);
+
+ /* If client holds a certificate it can be set using the following:
+ *
+ gnutls_certificate_set_x509_key_file (xcred,
+ "cert.pem", "key.pem",
+ GNUTLS_X509_FMT_PEM);
+ */
/* Initialize TLS session
*/
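Review bot: The call shown in the new comment discards the return value of `gnutls_certificate_set_x509_key_file`, and since this example is what application authors copy, a missing or unreadable key file would leave the client with no certificate and the handshake failing later with no hint why. The comment should model the check, e.g. `ret = gnutls_certificate_set_x509_key_file (xcred, "cert.pem", "key.pem", GNUTLS_X509_FMT_PEM);` followed by `if (ret < 0) { fprintf (stderr, "loading certificate/key failed: %s\n", gnutls_strerror (ret)); exit (1); }` (with an `int ret` declared in main). The adjacent `gnutls_certificate_set_x509_trust_file` call on the context line has the same unchecked-return pattern, though that line is not part of this change. main() continues outside the hunk.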
diff --git a/doc/examples/ex-pkcs11-list.c b/doc/examples/ex-pkcs11-list.c
index 650ccf8..35ef196 100644
--- a/doc/examples/ex-pkcs11-list.c
+++ b/doc/examples/ex-pkcs11-list.c
@@ -1,3 +1,5 @@
+/* This example code is placed in the public domain. */
+
#include <config.h>
#include <gnutls/gnutls.h>
#include <gnutls/pkcs11.h>
diff --git a/doc/examples/print-ciphersuites.c
b/doc/examples/print-ciphersuites.c
index 8bfdb2a..7b91c3b 100644
--- a/doc/examples/print-ciphersuites.c
+++ b/doc/examples/print-ciphersuites.c
@@ -1,3 +1,5 @@
+/* This example code is placed in the public domain. */
+
#include <config.h>
#include <stdio.h>
#include <stdlib.h>
diff --git a/doc/printlist.c b/doc/printlist.c
index 3335c97..d52b5c8 100644
--- a/doc/printlist.c
+++ b/doc/printlist.c
@@ -51,9 +51,9 @@ static void main_texinfo (void)
gnutls_mac_algorithm_t mac;
gnutls_protocol_t version;
- printf ("Available cipher suites:\n");
-
+ printf ("@heading Ciphersuites\n");
printf ("@multitable @columnfractions .60 .20 .20\n");
+ printf("@headitem Ciphersuite name @tab TLS ID @tab Since\n");
for (i = 0; (name = gnutls_cipher_suite_info
(i, id, &kx, &cipher, &mac, &version)); i++)
{
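Review bot: The new `printf("@headitem` line omits the space before the opening parenthesis that every other call in this function uses (`printf ("@multitable`), so the hunk is internally inconsistent with the GNU style of the file; write it as `printf ("@headitem Ciphersuite name @tab TLS ID @tab Since\n");`. The three column names do match the LaTeX table header changed later in this file, which is presumably the point of the addition. main_texinfo continues outside the hunk.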
@@ -69,95 +69,96 @@ static void main_texinfo (void)
{
const gnutls_certificate_type_t *p = gnutls_certificate_type_list ();
- printf ("\n\nAvailable certificate types:address@hidden");
+ printf ("address@hidden Certificate types\n");
+ printf ("@table @code\n");
for (; *p; p++)
{
printf ("@item %s\n", gnutls_certificate_type_get_name (*p));
}
- printf ("@end itemize\n");
+ printf ("@end table\n");
}
{
const gnutls_protocol_t *p = gnutls_protocol_list ();
- printf ("\nAvailable protocols:address@hidden");
+ printf ("address@hidden address@hidden @code\n");
for (; *p; p++)
{
printf ("@item %s\n", gnutls_protocol_get_name (*p));
}
- printf ("@end itemize\n");
+ printf ("@end table\n");
}
{
const gnutls_cipher_algorithm_t *p = gnutls_cipher_list ();
- printf ("\nAvailable ciphers:address@hidden");
+ printf ("address@hidden address@hidden @code\n");
for (; *p; p++)
{
printf ("@item %s\n", gnutls_cipher_get_name (*p));
}
- printf ("@end itemize\n");
+ printf ("@end table\n");
}
{
const gnutls_mac_algorithm_t *p = gnutls_mac_list ();
- printf ("\nAvailable MAC algorithms:address@hidden");
+ printf ("address@hidden MAC address@hidden @code\n");
for (; *p; p++)
{
printf ("@item %s\n", gnutls_mac_get_name (*p));
}
- printf ("@end itemize\n");
+ printf ("@end table\n");
}
{
const gnutls_kx_algorithm_t *p = gnutls_kx_list ();
- printf ("\nAvailable key exchange methods:address@hidden");
+ printf ("address@hidden Key exchange address@hidden @code\n");
for (; *p; p++)
{
printf ("@item %s\n", gnutls_kx_get_name (*p));
}
- printf ("@end itemize\n");
+ printf ("@end table\n");
}
{
const gnutls_pk_algorithm_t *p = gnutls_pk_list ();
- printf ("\nAvailable public key algorithms:address@hidden");
+ printf ("address@hidden Public key address@hidden @code\n");
for (; *p; p++)
{
printf ("@item %s\n", gnutls_pk_get_name (*p));
}
- printf ("@end itemize\n");
+ printf ("@end table\n");
}
{
const gnutls_sign_algorithm_t *p = gnutls_sign_list ();
- printf ("\nAvailable public key signature algorithms:address@hidden");
+ printf ("address@hidden Public key signature address@hidden @code\n");
for (; *p; p++)
{
printf ("@item %s\n", gnutls_sign_get_name (*p));
}
- printf ("@end itemize\n");
+ printf ("@end table\n");
}
{
const gnutls_compression_method_t *p = gnutls_compression_list ();
- printf ("\nAvailable compression methods:address@hidden");
+ printf ("address@hidden Compression address@hidden @code\n");
for (; *p; p++)
{
printf ("@item %s\n", gnutls_compression_get_name (*p));
}
- printf ("@end itemize\n");
+ printf ("@end table\n");
}
}
static const char headers[] = "\\tablefirsthead{%\n"
"\\hline\n"
- "Ciphersuite name & TLS ID & since\\\\\n"
+ "Ciphersuite name & TLS ID & Since\\\\\n"
"\\hline}\n"
"\\tablehead{%\n"
"\\hline\n"
diff --git a/doc/texinfo.css b/doc/texinfo.css
index 14eb6f3..ce3d130 100644
--- a/doc/texinfo.css
+++ b/doc/texinfo.css
@@ -88,6 +88,6 @@ dl {
padding-left: 1em;
border: solid #c2e0ff;
background: #f0faff;
- border-width: 1px 1px 1px 5px;
+ border-width: 5px 1px 1px 1px;
margin: 1em auto;
}
diff --git a/guile/pre-inst-guile.in b/guile/pre-inst-guile.in
index b22310d..9dd409d 100644
--- a/guile/pre-inst-guile.in
+++ b/guile/pre-inst-guile.in
@@ -21,9 +21,10 @@
GUILE_LOAD_PATH="@abs_top_srcdir@/guile/modules:$GUILE_LOAD_PATH"
+GUILE_LOAD_PATH="@abs_top_builddir@/guile/modules:$GUILE_LOAD_PATH"
export GUILE_LOAD_PATH
-GNUTLS_GUILE_EXTENSION_DIR="@abs_top_srcdir@/guile/src"
+GNUTLS_GUILE_EXTENSION_DIR="@abs_top_builddir@/guile/src"
export GNUTLS_GUILE_EXTENSION_DIR
exec @abs_top_builddir@/libtool --mode=execute \
diff --git a/guile/tests/Makefile.am b/guile/tests/Makefile.am
index 7107dd9..1ef2381 100644
--- a/guile/tests/Makefile.am
+++ b/guile/tests/Makefile.am
@@ -31,6 +31,7 @@ endif
TESTS_ENVIRONMENT = \
GUILE_AUTO_COMPILE=0 \
+ GUILE_WARN_DEPRECATED=detailed \
$(top_builddir)/guile/pre-inst-guile -L $(srcdir)
diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c
index 72209ab..d228cc3 100644
--- a/lib/gnutls_errors.c
+++ b/lib/gnutls_errors.c
@@ -51,6 +51,8 @@ static const gnutls_error_entry error_algorithms[] = {
ERROR_ENTRY (N_("Success."), GNUTLS_E_SUCCESS, 0),
ERROR_ENTRY (N_("Could not negotiate a supported cipher suite."),
GNUTLS_E_UNKNOWN_CIPHER_SUITE, 1),
+ ERROR_ENTRY (N_("No or insufficient priorities were set."),
+ GNUTLS_E_NO_PRIORITIES_WERE_SET, 1),
ERROR_ENTRY (N_("The cipher type is unsupported."),
GNUTLS_E_UNKNOWN_CIPHER_TYPE, 1),
ERROR_ENTRY (N_("The certificate and the given key do not match."),
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index a304551..b002122 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -2344,6 +2344,11 @@ gnutls_handshake (gnutls_session_t session)
{
int ret;
record_parameters_st *params;
+
+ /* sanity check. Verify that there are priorities setup.
+ */
+ if (session->internals.priorities.protocol.algorithms == 0)
+ return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);
ret = _gnutls_epoch_get (session, session->security_parameters.epoch_next,
¶ms);
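Review bot: The guard added at the top of gnutls_handshake tests only the protocol list, while the check this commit adds to gnutls_priority_set also treats empty cipher, MAC, key-exchange and compression lists as "no priorities"; a session whose caller ignored that earlier error, with say an empty cipher list, passes this guard and fails later in the handshake with a less specific error. The two checks should agree, either by extending this condition to the same five fields or by moving it into a small static helper both callers use, e.g. `if (session->internals.priorities.protocol.algorithms == 0 || session->internals.priorities.cipher.algorithms == 0 || session->internals.priorities.mac.algorithms == 0 || session->internals.priorities.kx.algorithms == 0 || session->internals.priorities.compression.algorithms == 0)`. The body of gnutls_handshake continues past the hunk.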
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index 1c2964e..29fc363 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -576,6 +576,13 @@ gnutls_priority_set (gnutls_session_t session,
gnutls_priority_t priority)
session->internals.priorities.protocol.
priority[0]);
+ if (session->internals.priorities.protocol.algorithms == 0 ||
+ session->internals.priorities.cipher.algorithms == 0 ||
+ session->internals.priorities.mac.algorithms == 0 ||
+ session->internals.priorities.kx.algorithms == 0 ||
+ session->internals.priorities.compression.algorithms == 0)
+ return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);
+
return 0;
}
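Review bot: The new check in gnutls_priority_set runs after the session's priority fields appear to have been populated (the preceding context line already reads `session->internals.priorities.protocol.priority[0]`; the copy itself lies above the hunk, so this is inferred), so a caller that ignores the GNUTLS_E_NO_PRIORITIES_WERE_SET return is left with a session carrying a partially empty priority set instead of its previous one. Validating the `priority` argument before anything is copied into the session keeps the session unchanged on failure, assuming `gnutls_priority_t` points at the same struct type as `session->internals.priorities`: `if (priority->protocol.algorithms == 0 || priority->cipher.algorithms == 0 || priority->mac.algorithms == 0 || priority->kx.algorithms == 0 || priority->compression.algorithms == 0) return gnutls_assert_val (GNUTLS_E_NO_PRIORITIES_WERE_SET);` placed at the top of the function. A NULL `priority` is also worth rejecting with GNUTLS_E_INVALID_REQUEST before dereferencing, if the function does not already do so above the hunk. gnutls_priority_set's start lies outside the hunk.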
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 0f4aa04..2af7ae5 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1811,6 +1811,7 @@ gnutls_ecc_curve_t gnutls_ecc_curve_get(gnutls_session_t
session);
#define GNUTLS_E_PKCS11_REQUESTED_OBJECT_NOT_AVAILBLE -323
#define GNUTLS_E_CERTIFICATE_LIST_UNSORTED -324
#define GNUTLS_E_ILLEGAL_PARAMETER -325
+#define GNUTLS_E_NO_PRIORITIES_WERE_SET -326
#define GNUTLS_E_UNIMPLEMENTED_FEATURE -1250
diff --git a/src/cli.c b/src/cli.c
index bde68eb..722f85f 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -545,6 +545,7 @@ static gnutls_session_t
init_tls_session (const char *hostname)
{
const char *err;
+ int ret;
gnutls_session_t session;
@@ -558,9 +559,11 @@ init_tls_session (const char *hostname)
gnutls_init (&session, GNUTLS_CLIENT);
- if (gnutls_priority_set_direct (session, info.priorities, &err) < 0)
+ if ((ret = gnutls_priority_set_direct (session, info.priorities, &err)) < 0)
{
- fprintf (stderr, "Syntax error at: %s\n", err);
+ if (ret == GNUTLS_E_INVALID_REQUEST) fprintf (stderr, "Syntax error at:
%s\n", err);
+ else
+ fprintf(stderr, "Error in priorities: %s\n", gnutls_strerror(ret));
exit (1);
}
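Review bot: The new error branch at `if (ret == GNUTLS_E_INVALID_REQUEST) fprintf (stderr, "Syntax error at:` puts the statement on the same line as the `if` while the `else` arm is broken onto its own line, and neither arm is braced, which departs from the GNU layout used elsewhere in this file; write `if (ret == GNUTLS_E_INVALID_REQUEST)` / `fprintf (stderr, "Syntax error at: %s\n", err);` / `else` / `fprintf (stderr, "Error in priorities: %s\n", gnutls_strerror (ret));` each on its own line. Whether GNUTLS_E_INVALID_REQUEST is the only code for which `err` is meaningful cannot be seen here; if it is not, `err` may be read unset, so initialising it at its declaration (`const char *err = NULL;`) in the previous hunk is a cheap safeguard. init_tls_session continues outside the hunk.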
hooks/post-receive
--
GNU gnutls