gnutls-commit

[SCM] GNU gnutls branch, master, updated. gnutls_3_0_15-17-gdf2b654


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_3_0_15-17-gdf2b654
Date: Tue, 06 Mar 2012 17:07:32 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=df2b6546b2a5ab7280470a0a8148e014cc6abfc6

The branch, master has been updated
       via  df2b6546b2a5ab7280470a0a8148e014cc6abfc6 (commit)
       via  84cb745c39ed8bec9fd22920a36b31f0acf3fe93 (commit)
       via  15c2eb673385bfc9eb79d6479b414bfd5524a13a (commit)
       via  addee7cdf78578a0717725157a62dec948bf76a9 (commit)
       via  b779464e99e7af4993617d9100877aad8c79dd41 (commit)
       via  ab2f709f9f49a0bc2abec4a980e4ef013ea292a3 (commit)
       via  6afa51a52324f8d9bcb7271008a8b3b1d7adf7e3 (commit)
       via  37791cbe4ed9bafbe6190d3b3429a664a90f8e82 (commit)
       via  b4ba291dbad85afb27d804d9163c801bd6fd4fc4 (commit)
       via  c8048f6a8ce756bdae450c266077510f19120096 (commit)
      from  84fdabbb9661960caf3ddfd99678d2febd50d124 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit df2b6546b2a5ab7280470a0a8148e014cc6abfc6
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Tue Mar 6 18:13:19 2012 +0100

    Added a real key purpose OID as example

commit 84cb745c39ed8bec9fd22920a36b31f0acf3fe93
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Tue Mar 6 11:43:09 2012 +0100

    updated p11tool documentation.

commit 15c2eb673385bfc9eb79d6479b414bfd5524a13a
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Tue Mar 6 10:05:29 2012 +0100

    Only set the private status if it has been explicitly specified. That is 
because some tokens don't want it set.

commit addee7cdf78578a0717725157a62dec948bf76a9
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Tue Mar 6 09:39:06 2012 +0100

    The default cipher when encrypting with PKCS12 is AES.

commit b779464e99e7af4993617d9100877aad8c79dd41
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Tue Mar 6 09:38:47 2012 +0100

    to-p12 requires the load-certificate and load-privkey.

commit ab2f709f9f49a0bc2abec4a980e4ef013ea292a3
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Mar 5 23:10:45 2012 +0100

    updated front-page to include all contributors.

commit 6afa51a52324f8d9bcb7271008a8b3b1d7adf7e3
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Mar 5 22:51:04 2012 +0100

    Some updates on supplemental data handling.

commit 37791cbe4ed9bafbe6190d3b3429a664a90f8e82
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Mar 5 22:20:17 2012 +0100

    safe renegotiation tests only run under valgrind in the devel environment.

commit b4ba291dbad85afb27d804d9163c801bd6fd4fc4
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Mar 3 14:09:47 2012 +0100

    updated

commit c8048f6a8ce756bdae450c266077510f19120096
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Mar 3 14:08:04 2012 +0100

    changes in asynchronous documentation

-----------------------------------------------------------------------

Summary of changes:
 NEWS                                 |    3 +++
 doc/cha-bib.texi                     |    5 +++++
 doc/cha-gtls-app.texi                |   25 +++++++++++++++----------
 doc/cha-internals.texi               |   23 ++++++++++++++---------
 doc/latex/cover.tex                  |    8 ++++++++
 doc/latex/gnutls.bib                 |    9 +++++++++
 doc/latex/gnutls.tex                 |    2 +-
 doc/scripts/mytexi2latex             |    1 +
 lib/includes/gnutls/x509.h           |    1 +
 src/certtool-args.def                |   14 ++++++++++----
 src/certtool.c                       |    6 +++++-
 src/p11tool-args.def                 |    4 +++-
 src/p11tool.c                        |   13 ++++++++++---
 tests/safe-renegotiation/Makefile.am |    3 +++
 14 files changed, 88 insertions(+), 29 deletions(-)

diff --git a/NEWS b/NEWS
index 1280e3c..1c89635 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,9 @@ See the end for copying conditions.
 
 ** Corrected SRP-RSA ciphersuites when used under TLS 1.2.
 
+** Small fixes in p11tool handling of the --private command 
+line option.
+
 ** API and ABI modifications:
 No changes since last version.
 
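Review bot: the new NEWS entry covers only the p11tool --private fix, yet this push also changes user-visible behaviour elsewhere: certtool's --to-p12 now refuses to run without --load-certificate and --load-privkey (flags-must), AES-128 becomes the PKCS #12 cipher when none is named, and lib/includes/gnutls/x509.h gains a public GNUTLS_KP_MS_SMART_CARD_LOGON macro, while the context line here still reads `** API and ABI modifications:` / `No changes since last version.` Add the new macro under that heading and one line each for the certtool changes; packagers read NEWS precisely to catch these.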
diff --git a/doc/cha-bib.texi b/doc/cha-bib.texi
index 965eeaf..7f975e5 100644
--- a/doc/cha-bib.texi
+++ b/doc/cha-bib.texi
@@ -31,6 +31,11 @@ Tim Dierks and Christopher Allen, "The TLS Protocol Version 
1.0",
 January 1999, Available from
 @url{http://www.ietf.org/rfc/rfc2246.txt}.
 
address@hidden @anchor{RFC4680}[RFC4680]
+S. Santesson, "TLS Handshake Message for Supplemental Data",
+September 2006, Available from
address@hidden://www.ietf.org/rfc/rfc4680.txt}.
+
 @item @anchor{RFC4514}[RFC4514]
 Kurt D.  Zeilenga, "Lightweight Directory Access Protocol (LDAP): String 
Representation of Distinguished Names",
 June 2006, Available from
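Review bot: the new @item is inserted between RFC2246 and RFC4514, so the entries no longer run in ascending RFC order; move it after RFC4514 (the matching entry added to doc/latex/gnutls.bib has the same placement). The citation itself is right: RFC 4680 is S. Santesson, "TLS Handshake Message for Supplemental Data", September 2006.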
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index c02f095..9846896 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -596,13 +596,18 @@ remaining until the next retransmission, or better the 
time until
 @node Asynchronous operation
 @subsection Asynchronous operation
 @acronym{GnuTLS} can be used with asynchronous socket or event-driven 
programming.
-During a TLS protocol session @acronym{GnuTLS} does not block for anything 
except
-calculations. The only blocking operations are due to the transport layer 
(sockets) functions.
-Those, however, in an asynchronous scenario are typically set to
-non-blocking mode, which forces them to return @code{EAGAIN} error code 
instead of blocking. 
-In that case @acronym{GnuTLS} functions
-will return the @code{GNUTLS_E_AGAIN} error code and can be resumed the
-same way as a system call would. The only exception is 
@funcref{gnutls_record_send},
+The approach is similar to using Berkeley sockets under such an environment.
+The blocking, due to network interaction, calls such as
address@hidden, @funcref{gnutls_record_recv},
+can be set to non-blocking by setting the underlying sockets to non-blocking.
+If other push and pull functions are setup, then they should behave the same
+way as @funcintref{recv} and @funcintref{send} when used in a non-blocking
+way, i.e., set errno to @code{EAGAIN}. Since, during a TLS protocol session 
address@hidden does not block except for network interaction, the non blocking
address@hidden errno will be propagated and @acronym{GnuTLS} functions 
+will return the @code{GNUTLS_E_AGAIN} error code. Such calls can be resumed 
the 
+same way as a system call would. 
+The only exception is @funcref{gnutls_record_send},
 which if interrupted subsequent calls need not to include the data to be
 sent (can be called with NULL argument).
 
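Review bot: the rewritten paragraph leaves out the one thing an event loop needs to know: when a call returns GNUTLS_E_AGAIN the application must find out whether to wait for the socket to become readable or writable, and a handshake in progress can be waiting on a write even though the caller asked to read; add a sentence after `will return the @code{GNUTLS_E_AGAIN} error code` pointing at gnutls_record_get_direction() for that. Two wording fixes in the added lines: `The blocking, due to network interaction, calls such as` reads better as `The calls that block on network interaction, such as`, and `are setup` should be the verb `are set up`. It would also help to state that a push or pull function returning -1 with errno set to EINTR surfaces as GNUTLS_E_INTERRUPTED, which is resumed the same way as GNUTLS_E_AGAIN.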
@@ -612,13 +617,13 @@ and notifies on them being ready for reading or writing 
data. Note however
 that this system call cannot notify on data present in @acronym{GnuTLS}
 read buffers, it is only applicable to the kernel sockets API. Thus if
 you are using it for reading from a @acronym{GnuTLS} session, make sure
-the session is read completely. That can be achieved by checking there 
+that any cached data are read completely. That can be achieved by checking 
there 
 are no data waiting to be read (using @funcref{gnutls_record_check_pending}), 
 either before the @funcintref{select} system call, or after a call to
 @funcref{gnutls_record_recv}. @acronym{GnuTLS} does not keep a write buffer,
-thus when writing @funcintref{select} need only to be consulted.
+thus when writing no additional actions are required.
 
-In the DTLS, however, @acronym{GnuTLS} might block due to timers
+In the DTLS, however, @acronym{GnuTLS} may block due to retransmission timers
 required by the protocol. To prevent those timers from blocking a DTLS 
handshake,
 the @funcref{gnutls_init} should be called with the
 @code{GNUTLS_NONBLOCK} flag (see @ref{Session initialization}).
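Review bot: `thus when writing no additional actions are required` overstates the write side: on a non-blocking socket gnutls_record_send can still return GNUTLS_E_AGAIN, in which case the caller has to wait for writability and call it again (with a NULL buffer, as the previous paragraph says); say that no GnuTLS-side buffer needs draining rather than that nothing is required. `In the DTLS, however` should be `In DTLS, however`. Since the context line at the top of the first hunk already speaks of the time remaining until the next retransmission, this paragraph should close the loop: with GNUTLS_NONBLOCK the handshake returns GNUTLS_E_AGAIN instead of sleeping on the timer, and the application must use that timeout value to schedule the next gnutls_handshake() call.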
diff --git a/doc/cha-internals.texi b/doc/cha-internals.texi
index 2bdb629..69ac8fa 100644
--- a/doc/cha-internals.texi
+++ b/doc/cha-internals.texi
@@ -203,7 +203,7 @@ will be called to deinitialize the extension's private 
parameters, if any.
 Note that the conditional @code{ENABLE_FOOBAR} definition should only be 
 used if step 1 with the @code{configure} options has taken place.
 
address@hidden Add new files  that implement the extension.
address@hidden Add new files that implement the extension.
 
 The functions you are responsible to add are those mentioned in the
 previous step.  They should be added in a file such as @code{ext/@-foobar.c} 
@@ -324,8 +324,8 @@ API was introduced in.
 @subheading Adding a new Supplemental Data Handshake Message
 
 TLS handshake extensions allow to send so called supplemental data
-handshake messages. This short section explains how to implement a
-supplemental data handshake message for a given TLS extension.
+handshake messages @xcite{RFC4680}. This short section explains how to 
+implement a supplemental data handshake message for a given TLS extension.
 
 First of all, modify your extension @code{foobar} in the way, the that
 flags
@@ -360,25 +360,30 @@ and @funcintref{_foobar_supp_send_params} to 
@code{_foobar.h} and
 
 @example
 int 
-_foobar_supp_recv_params(gnutls_session_t session,const opaque *data,size_t 
_data_size)
+_foobar_supp_recv_params(gnutls_session_t session, const opaque *data, size_t 
_data_size)
 @{
-   uint8_t len = (int) _data_size;
+   uint8_t len = _data_size;
    unsigned char *msg;
 
-   msg = (unsigned char *)malloc(len*sizeof(unsigned char));
-   memcpy(msg,data,len);
+   msg = gnutls_malloc(len);
+   if (msg == NULL) return GNUTLS_E_MEMORY_ERROR;
+
+   memcpy(msg, data, len);
    msg[len]='\0';
 
+   /* do something with msg */
+   gnutls_free(msg);
+
    return len;
 @}
 
 int 
-_foobar_supp_send_params(gnutls_session_t session,gnutls_buffer_st *buf)
+_foobar_supp_send_params(gnutls_session_t session, gnutls_buffer_st *buf)
 @{
    unsigned char *msg = "hello world";
    int len = strlen(msg);
 
-   _gnutls_buffer_append_data_prefix(buf,8,msg,(uint8_t) len);
+   _gnutls_buffer_append_data_prefix(buf, 8, msg, len);
 
    return len;
 @}
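Review bot: the receive example keeps an off-by-one heap write: `msg = gnutls_malloc(len);` allocates len bytes and `msg[len]='\0';` then stores one byte past the end; allocate len + 1. `uint8_t len = _data_size;` silently truncates a size_t, so a 300-byte message is copied as 44 bytes and the returned length is wrong; check `_data_size > 255` (or keep len as size_t) and return an error before allocating. In the send example `unsigned char *msg = "hello world";` discards the const of a string literal, and the return value of `_gnutls_buffer_append_data_prefix` is ignored although it can fail on allocation; check it and propagate the error instead of returning len unconditionally. This is the template readers copy into their own extensions, so these defects propagate.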
diff --git a/doc/latex/cover.tex b/doc/latex/cover.tex
index 78ba0f5..7cc8880 100644
--- a/doc/latex/cover.tex
+++ b/doc/latex/cover.tex
@@ -1,4 +1,12 @@
 \thispagestyle{empty}
+
+\begin{quotation}
+This document includes text contributed by
+Nikos Mavrogiannopoulos, Simon Josefsson, Daiki Ueno, 
+Carolin Latze and Andrew McDonald. Several corrections are due
+to Patrick Pelletier and Andreas Metzler.
+\end{quotation}
+
 \vspace*{\stretch{2}}
 
 
diff --git a/doc/latex/gnutls.bib b/doc/latex/gnutls.bib
index 68c7e1f..685075e 100644
--- a/doc/latex/gnutls.bib
+++ b/doc/latex/gnutls.bib
@@ -16,6 +16,15 @@
        url = "http://www.ietf.org/rfc/rfc2246";
 }
 
address@hidden RFC4680,
+       author = "S. Santesson",
+       title = "{TLS Handshake Message for Supplemental Data}",
+       month = "September",
+       year = "2006",
+       note = "Available from \url{http://www.ietf.org/rfc/rfc4680}";,
+       url = "http://www.ietf.org/rfc/rfc4680";
+}
+
 @Misc{ RFC4514,
        author = "Kurt D.  Zeilenga",
        title = "{Lightweight Directory Access Protocol (LDAP): String 
Representation of Distinguished Names}",
diff --git a/doc/latex/gnutls.tex b/doc/latex/gnutls.tex
index a041ac4..36e59a1 100644
--- a/doc/latex/gnutls.tex
+++ b/doc/latex/gnutls.tex
@@ -43,7 +43,7 @@
 
 \input{cover}
 
-\setcounter{tocdepth}{1}
+\setcounter{tocdepth}{2}
 \tableofcontents
 \listoftables
 \listoffigures
diff --git a/doc/scripts/mytexi2latex b/doc/scripts/mytexi2latex
index 688c041..80ca3ce 100755
--- a/doc/scripts/mytexi2latex
+++ b/doc/scripts/mytexi2latex
@@ -379,6 +379,7 @@ multitable:
                $line =~ 
s/address@hidden([A-Z])\{($codematch+)\}/$pshowfunc->($1,$2)/ge;
                $line =~ 
s/address@hidden($codematch+)\}/$pshowfuncdesc->($1)/ge;
                $line =~ 
s/address@hidden($codematch+),($extcodematch+)\}/$pshowenumdesc->($1,$2)/ge;
+               $line 
=~s/address@hidden($spacematch+),($spacematch+)\}/\\myref\{$1\}/g;
                $line =~ s/address@hidden/\\myref\{/g;
                $line =~ s/address@hidden 
(.*)/\\begin{center}\n$1\n\\end{center}/g;
                if ($line =~ m/address@hidden/) {
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index b54832a..a0b11f1 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -72,6 +72,7 @@ extern "C"
 #define GNUTLS_KP_TLS_WWW_SERVER               "1.3.6.1.5.5.7.3.1"
 #define GNUTLS_KP_TLS_WWW_CLIENT                "1.3.6.1.5.5.7.3.2"
 #define GNUTLS_KP_CODE_SIGNING                 "1.3.6.1.5.5.7.3.3"
+#define GNUTLS_KP_MS_SMART_CARD_LOGON          "1.3.6.1.4.1.311.20.2.2"
 #define GNUTLS_KP_EMAIL_PROTECTION             "1.3.6.1.5.5.7.3.4"
 #define GNUTLS_KP_TIME_STAMPING                        "1.3.6.1.5.5.7.3.8"
 #define GNUTLS_KP_OCSP_SIGNING                 "1.3.6.1.5.5.7.3.9"
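Review bot: the new `GNUTLS_KP_MS_SMART_CARD_LOGON` define lands in the middle of the PKIX key purpose block (1.3.6.1.5.5.7.3.x), separating CODE_SIGNING from EMAIL_PROTECTION; place it after OCSP_SIGNING with a one-line comment that 1.3.6.1.4.1.311 is the Microsoft arc. The value matches Microsoft's Smart Card Logon EKU. As a macro in a public header it is an API addition and belongs in the NEWS "API and ABI modifications" section, which this push leaves at "No changes since last version."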
diff --git a/src/certtool-args.def b/src/certtool-args.def
index ca9d944..6dcb11d 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -240,7 +240,9 @@ flag = {
 flag = {
     name      = to-p12;
     descrip   = "Generate a PKCS #12 structure";
-    doc = "";
+    doc = "It requires a certificate, a private key and possibly a CA 
certificate to be specified.";
+    flags-must = load-certificate;
+    flags-must = load-privkey;
 };
 
 flag = {
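Review bot: `flags-must = load-certificate` and `flags-must = load-privkey` make autogen reject --to-p12 without those options, which matches the new doc string, but `possibly a CA certificate to be specified` leaves the reader guessing which option supplies it; name that option in the doc string so the help output is self-contained.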
@@ -552,9 +554,6 @@ email = "none@@none.org"
 # Challenge password used in certificate requests
 challenge_passwd = 123456
 
-# key_purpose_oid = 1.2.3.4.5.6.7
-# key_purpose_oid = 1.2.3.4.5.6.7.9
-
 # An URL that has CRLs (certificate revocation lists)
 # available. Needed in CA certificates.
 #crl_dist_points = "http://www.getcrl.crl/getcrl/";
@@ -562,6 +561,11 @@ challenge_passwd = 123456
 # Whether this is a CA certificate or not
 #ca
 
+# for microsoft smart card logon
+# key_purpose_oid = 1.3.6.1.4.1.311.20.2.2
+
+### Other predefined key purpose OIDs
+
 # Whether this certificate will be used for a TLS client
 #tls_www_client
 
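Review bot: the two placeholder lines removed in the previous hunk showed that key_purpose_oid may be given more than once; the single replacement example no longer conveys that, so add a comment saying the option can be repeated. Capitalize `Microsoft`. The `### Other predefined key purpose OIDs` marker opens a block that only closes at the `### end of key purpose OIDs` marker in the following hunk, while the smart card example sits outside it; either move the example inside the block or drop the markers.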
@@ -595,6 +599,8 @@ signing_key
 # Whether this key will be used for IPsec IKE operations.
 #ipsec_ike_key
 
+### end of key purpose OIDs
+
 # When generating a certificate from a certificate
 # request, then honor the extensions stored in the request
 # and store them in the real certificate.
diff --git a/src/certtool.c b/src/certtool.c
index 0bf1609..036aef5 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -223,7 +223,11 @@ generate_private_key_int (common_info_st * cinfo)
 static int
 cipher_to_flags (const char *cipher)
 {
-  if (strcasecmp (cipher, "3des") == 0)
+  if (cipher == NULL)
+    {
+      return GNUTLS_PKCS_USE_PBES2_AES_128;
+    }
+  else if (strcasecmp (cipher, "3des") == 0)
     {
       return GNUTLS_PKCS_USE_PBES2_3DES;
     }
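Review bot: before this hunk `strcasecmp (cipher, "3des")` was reached with a NULL `cipher` whenever no cipher option was given, a NULL dereference, so the new branch fixes a crash as well as defining the default; the commit message only mentions the default. Document the AES-128 default in the help text of the option that feeds `cipher` and in NEWS, otherwise a user cannot tell what protects a PKCS #12 file written without an explicit cipher. PBES2 with AES-128 over 3DES is the right default.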
diff --git a/src/p11tool-args.def b/src/p11tool-args.def
index b45d044..cc850d5 100644
--- a/src/p11tool-args.def
+++ b/src/p11tool-args.def
@@ -242,8 +242,10 @@ To store a private key and a certificate in a token run:
 $ p11tool --login --write "pkcs11:URL" --load-privkey key.pem \
           --label "Mykey"
 $ p11tool --login --write "pkcs11:URL" --load-certificate cert.pem \
-          --label "MyCert"
+          --label "Mykey"
 @end example
+Note that some tokens require the same label to be used for the certificate
+and its corresponding private key.
 _EOT_;
 };
 
diff --git a/src/p11tool.c b/src/p11tool.c
index a4e4913..1ee3edf 100644
--- a/src/p11tool.c
+++ b/src/p11tool.c
@@ -176,7 +176,7 @@ cmd_parser (int argc, char **argv)
 
   if (debug > 0)
     {
-      fprintf(stderr, "Private: %s\n", ENABLED_OPT(PRIVATE)?"yes":"no");
+      if (HAVE_OPT(PRIVATE)) fprintf(stderr, "Private: %s\n", 
ENABLED_OPT(PRIVATE)?"yes":"no");
       fprintf(stderr, "Trusted: %s\n", ENABLED_OPT(TRUSTED)?"yes":"no");
       fprintf(stderr, "Login: %s\n", ENABLED_OPT(LOGIN)?"yes":"no");
       fprintf(stderr, "Detailed URLs: %s\n", 
ENABLED_OPT(DETAILED_URL)?"yes":"no");
@@ -225,8 +225,15 @@ cmd_parser (int argc, char **argv)
       pkcs11_export (outfile, url, login, &cinfo);
     }
   else if (HAVE_OPT(WRITE))
-    pkcs11_write (outfile, url, label,
-                    ENABLED_OPT(TRUSTED), ENABLED_OPT(PRIVATE), login, &cinfo);
+    {
+      int priv;
+
+      if (HAVE_OPT(PRIVATE))
+        priv = ENABLED_OPT(PRIVATE);
+      else priv = -1;
+      pkcs11_write (outfile, url, label,
+                    ENABLED_OPT(TRUSTED), priv, login, &cinfo);
+    }
   else if (HAVE_OPT(INITIALIZE))
     pkcs11_init (outfile, url, label, &cinfo);
   else if (HAVE_OPT(DELETE))
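Review bot: `priv = -1` is a sentinel whose meaning (leave the private attribute unset and let the token decide) exists only at this call site; the prototype of pkcs11_write is not in the diff, so confirm its parameter is a signed int and document the -1 case in a comment at the declaration, or a future caller will pass a plain boolean and silently lose the third state. Behaviour also changes for users who omit --private: previously ENABLED_OPT(PRIVATE) supplied the option's default, now the token does, so the --private help text in p11tool-args.def should say what omission means, in particular whether a key written with --load-privkey but without --private can end up as an object the token does not treat as private.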
diff --git a/tests/safe-renegotiation/Makefile.am 
b/tests/safe-renegotiation/Makefile.am
index 4d084cb..b19aed5 100644
--- a/tests/safe-renegotiation/Makefile.am
+++ b/tests/safe-renegotiation/Makefile.am
@@ -30,6 +30,9 @@ ctests = srn0 srn1 srn2 srn3 srn4 srn5
 
 check_PROGRAMS = $(ctests)
 TESTS = $(ctests)
+
+if WANT_TEST_SUITE
 TESTS_ENVIRONMENT = $(VALGRIND)
+endif
 
 EXTRA_DIST = README suppressions.valgrind
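Review bot: `if WANT_TEST_SUITE` needs an AM_CONDITIONAL of that name in configure.ac, which this push does not touch; confirm it already exists, otherwise automake fails at bootstrap. When the conditional is false TESTS_ENVIRONMENT stays undefined and the srn tests run without valgrind, which is what the commit message intends, but a one-line comment above the `if` saying so would spare the next reader a trip to the log.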


hooks/post-receive
-- 
GNU gnutls


