* Corrected a bug in 64 bit architectures, which affected the

  serial number calculation in the record layer.
* Added gnutls_certificate_free_keys() which deletes all the
  private keys and certificates from the credentials structure.

14 files changed, 81 insertions, 92 deletions

diff --git a/NEWS b/NEWS
index 4b6319ead0..2ab1acc321 100644
--- a/NEWS
+++ b/NEWS
@@ -1,4 +1,10 @@
-Version 0.9.0
+Version 0.9.1
+- Corrected a bug in 64 bit architectures, which affected the
+  serial number calculation in the record layer.
+- Added gnutls_certificate_free_keys() which deletes all the
+  private keys and certificates from the credentials structure.
+
+Version 0.9.0 (03/03/2003)
 - This version is not binary compatible with the previous ones.
 - The library notifies the application on empty and illegal SRP usernames, 
   so that proper notification (via an alert) is sent to the peer.
diff --git a/configure.in b/configure.in
index c194437e3b..6faa5dd5fa 100644
--- a/configure.in
+++ b/configure.in
@@ -12,7 +12,7 @@ AC_DEFINE_UNQUOTED(T_OS, "$target_os", [OS name])
 dnl Gnutls Version
 GNUTLS_MAJOR_VERSION=0
 GNUTLS_MINOR_VERSION=9
-GNUTLS_MICRO_VERSION=0
+GNUTLS_MICRO_VERSION=1
 GNUTLS_VERSION=$GNUTLS_MAJOR_VERSION.$GNUTLS_MINOR_VERSION.$GNUTLS_MICRO_VERSION
 
 AC_DEFINE_UNQUOTED(GNUTLS_VERSION, "$GNUTLS_VERSION", [version of gnutls])
diff --git a/lib/defines.h b/lib/defines.h
index 17b3add903..8afb31450f 100644
--- a/lib/defines.h
+++ b/lib/defines.h
@@ -96,19 +96,12 @@ typedef signed int sint;
 
 #define SIZEOF_UNSIGNED_LONG_INT SIZEOF_UNSIGNED_LONG
 
-#if SIZEOF_UNSIGNED_LONG == 8
-# define HAVE_UINT64
-/* only used native uint64 in 64 bit machines */
-typedef unsigned long int uint64;
-#else
 /* some systems had problems with long long int, thus,
  * it is not used.
  */
 typedef struct {
 	unsigned char i[8];
 } uint64;
-#endif
-
 
 #if SIZEOF_UNSIGNED_LONG == 4
 typedef unsigned long int uint32;
diff --git a/lib/gnutls.h.in.in b/lib/gnutls.h.in.in
index 43ad152d41..f189001741 100644
--- a/lib/gnutls.h.in.in
+++ b/lib/gnutls.h.in.in
@@ -301,6 +301,8 @@ int gnutls_anon_allocate_client_credentials( gnutls_anon_server_credentials *sc)
 void gnutls_certificate_free_credentials( gnutls_certificate_credentials sc);
 int gnutls_certificate_allocate_credentials( gnutls_certificate_credentials *sc);
 
+void gnutls_certificate_free_keys(gnutls_certificate_credentials sc);
+
 void gnutls_certificate_set_dh_params(gnutls_certificate_credentials res, gnutls_dh_params);
 void gnutls_certificate_set_rsa_params(gnutls_certificate_credentials res, gnutls_rsa_params rsa_params);
 void gnutls_certificate_set_verify_flags(gnutls_certificate_credentials res, unsigned int flags);
diff --git a/lib/gnutls_alert.c b/lib/gnutls_alert.c
index 8a8b7924e4..7740d121e0 100644
--- a/lib/gnutls_alert.c
+++ b/lib/gnutls_alert.c
@@ -94,6 +94,10 @@ const char* ret = NULL;
   * him of something important (eg. his Certificate could not be verified).
   * If the alert level is Fatal then the peer is expected to close the
   * connection, otherwise he may ignore the alert and continue.
+  *
+  * The error code of the underlying record send function will be returned,
+  * so you may also receive GNUTLS_E_INTERRUPTED or GNUTLS_E_AGAIN as well.
+  *
   * Returns 0 on success.
   *
   **/
diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
index c31ac04da5..120bbfff71 100644
--- a/lib/gnutls_cipher.c
+++ b/lib/gnutls_cipher.c
@@ -241,7 +241,6 @@ int _gnutls_compressed2ciphertext(gnutls_session session,
 	uint8 MAC[MAX_HASH_SIZE];
 	uint16 c_length;
 	uint8 pad;
-	uint64 seq_num;
 	int length,ret;
 	GNUTLS_MAC_HANDLE td;
 	uint8 type = _type;
@@ -271,11 +270,9 @@ int _gnutls_compressed2ciphertext(gnutls_session session,
 	}
 
 	c_length = _gnutls_conv_uint16(compressed.size);
-	seq_num =
-	    _gnutls_conv_uint64(&session->connection_state.write_sequence_number);
 
 	if (td != GNUTLS_MAC_FAILED) {	/* actually when the algorithm in not the NULL one */
-		_gnutls_hmac(td, UINT64DATA(seq_num), 8);
+		_gnutls_hmac(td, UINT64DATA(session->connection_state.write_sequence_number), 8);
 		
 		_gnutls_hmac(td, &type, 1);
 		if ( ver != GNUTLS_SSL3) { /* TLS 1.0 only */
@@ -332,7 +329,6 @@ int _gnutls_ciphertext2compressed(gnutls_session session,
 	uint8 MAC[MAX_HASH_SIZE];
 	uint16 c_length;
 	uint8 pad;
-	uint64 seq_num;
 	uint16 length;
 	GNUTLS_MAC_HANDLE td;
 	uint16 blocksize;
@@ -431,13 +427,12 @@ int _gnutls_ciphertext2compressed(gnutls_session session,
 
 
 	c_length = _gnutls_conv_uint16((uint16) length);
-	seq_num = _gnutls_conv_uint64( &session->connection_state.read_sequence_number);
 
 	/* Pass the type, version, length and compressed through
 	 * MAC.
 	 */
 	if (td != GNUTLS_MAC_FAILED) {
-		_gnutls_hmac(td, UINT64DATA(seq_num), 8);
+		_gnutls_hmac(td, UINT64DATA(session->connection_state.read_sequence_number), 8);
 		
 		_gnutls_hmac(td, &type, 1);
 		if ( ver != GNUTLS_SSL3) { /* TLS 1.0 only */
diff --git a/lib/gnutls_constate.c b/lib/gnutls_constate.c
index 4d49af2440..fc75d27832 100644
--- a/lib/gnutls_constate.c
+++ b/lib/gnutls_constate.c
@@ -450,7 +450,7 @@ int _gnutls_read_connection_state_init(gnutls_session session)
 	int mac_size;
 	int rc;
 
-	_gnutls_uint64zero(&session->connection_state.read_sequence_number);
+	_gnutls_uint64zero(session->connection_state.read_sequence_number);
 
 /* Update internals from CipherSuite selected.
  * If we are resuming just copy the connection session
@@ -632,7 +632,7 @@ int _gnutls_write_connection_state_init(gnutls_session session)
 	int mac_size;
 	int rc;
 
-	_gnutls_uint64zero(&session->connection_state.write_sequence_number);
+	_gnutls_uint64zero(session->connection_state.write_sequence_number);
 
 /* Update internals from CipherSuite selected.
  * If we are resuming just copy the connection session
diff --git a/lib/gnutls_dh_primes.c b/lib/gnutls_dh_primes.c
index e1540bc41a..865b93d178 100644
--- a/lib/gnutls_dh_primes.c
+++ b/lib/gnutls_dh_primes.c
@@ -397,7 +397,6 @@ int gnutls_dh_params_export_pkcs3( gnutls_dh_params params,
 	}
 
 	if (format == GNUTLS_X509_FMT_DER) {
-#warning FIX THIS
 		if ((result=asn1_der_coding( c2, "", params_data, params_data_size, NULL)) != ASN1_SUCCESS) {
 			gnutls_assert();
 			asn1_delete_structure(&c2);
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 4fd336172f..f27e36d75f 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -34,9 +34,9 @@
 #define HANDSHAKE_DEBUG // Prints some information on handshake 
 #define X509_DEBUG
 #define RECORD_DEBUG
-#define COMPRESSION_DEBUG*/
+#define COMPRESSION_DEBUG
 #define DEBUG
-
+*/
 
 /* It might be a good idea to replace int with void*
  * here.
diff --git a/lib/gnutls_num.c b/lib/gnutls_num.c
index f747d4454e..8e078bb098 100644
--- a/lib/gnutls_num.c
+++ b/lib/gnutls_num.c
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2000,2001,2002 Nikos Mavroyanopoulos
+ *  Copyright (C) 2000,2001,2002,2003 Nikos Mavroyanopoulos
  *
- * This file is part of GNUTLS.
+ *  This file is part of GNUTLS.
  *
  *  The GNUTLS library is free software; you can redistribute it and/or
  *  modify it under the terms of the GNU Lesser General Public   
@@ -27,16 +27,8 @@
 #include <gnutls_num.h>
 #include <gnutls_errors.h>
 
-
-#ifndef HAVE_UINT64
-
 /* This function will set the uint64 x to zero 
  */
-int _gnutls_uint64zero( uint64 *x) {
-
-	memset( x->i, 0, 8);
-	return 0;
-}
 
 /* This function will add one to uint64 x.
  * Returns 0 on success, or -1 if the uint64 max limit
@@ -59,8 +51,6 @@ register int i, y=0;
 	return 0;
 }
 
-#endif /* HAVE_UINT64 */
-
 uint32 _gnutls_uint24touint32( uint24 num) {
 uint32 ret=0;
 
@@ -163,34 +153,13 @@ uint16 _gnutls_conv_uint16( uint16 data) {
 #endif
 }
 
-uint64 _gnutls_conv_uint64( const uint64* data) {
-#ifdef HAVE_UINT64
-# ifndef WORDS_BIGENDIAN
-	return byteswap64(*data);
-# else
-	return *data;
-# endif /* WORDS_BIGENDIAN */
-#else
-	uint64 ret;
-
-	memcpy( ret.i, data->i, 8);
-	return ret;
-#endif /* HAVE_UINT64 */
-}
-
 uint32 _gnutls_uint64touint32( const uint64* num) {
 uint32 ret;
 
-#ifdef HAVE_UINT64
-	ret = (uint32) *num;
-
-#else /* no native uint64 */
-
 	memcpy( &ret, &num->i[4], 4);
-# ifndef WORDS_BIGENDIAN
+#ifndef WORDS_BIGENDIAN
 	ret = byteswap32(ret);
-# endif
-#endif /* HAVE_UINT64 */
+#endif
 
  return ret;
 }
diff --git a/lib/gnutls_num.h b/lib/gnutls_num.h
index a8f0ebae48..91a54a4073 100644
--- a/lib/gnutls_num.h
+++ b/lib/gnutls_num.h
@@ -1,21 +1,21 @@
 /*
- *      Copyright (C) 2000 Nikos Mavroyanopoulos
+ *  Copyright (C) 2000,2003 Nikos Mavroyanopoulos
  *
- * This file is part of GNUTLS.
+ *  This file is part of GNUTLS.
  *
- * GNUTLS is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
+ *  GNUTLS is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
  *
- * GNUTLS is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
+ *  GNUTLS is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
  *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
  */
 
 #include <gnutls_int.h>
@@ -37,25 +37,12 @@ uint32 _gnutls_read_uint32( const opaque* data);
 uint16 _gnutls_read_uint16( const opaque* data);
 uint32 _gnutls_conv_uint32( uint32 data);
 uint16 _gnutls_conv_uint16( uint16 data);
-uint64 _gnutls_conv_uint64( const uint64 *data);
 uint32 _gnutls_read_uint24( const opaque* data);
 void _gnutls_write_uint24( uint32 num, opaque* data);
 void _gnutls_write_uint32( uint32 num, opaque* data);
 void _gnutls_write_uint16( uint16 num, opaque* data);
 uint32 _gnutls_uint64touint32( const uint64*);
 
-#ifndef HAVE_UINT64
-int _gnutls_uint64zero( uint64 *);
 int _gnutls_uint64pp( uint64 *);
+# define _gnutls_uint64zero(x) x.i[0] = x.i[1] = x.i[2] = x.i[3] = x.i[4] = x.i[5] = x.i[6] = x.i[7] = 0
 # define UINT64DATA(x) x.i
-
-#else
-# define UINT64DATA(x) &x
-# define rotl64(x,n)   (((x) << ((uint16)(n))) | ((x) >> (64 - (uint16)(n))))
-# define rotr64(x,n)   (((x) >> ((uint16)(n))) | ((x) << (64 - (uint16)(n))))
-# define byteswap64(x)  ((rotl64(x, 8) & 0x00ff00ff00ff00ffUL) | (rotr64(x, 8) & 0xff00ff00ff00ff00UL))
-
-# define _gnutls_uint64pp(x) ((++(*x)==0) ? -1 : 0)
-# define _gnutls_uint64zero(x) (*x) = 0
-
-#endif
diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c
index 36b21eb33b..aa5df95c06 100644
--- a/lib/gnutls_ui.c
+++ b/lib/gnutls_ui.c
@@ -212,7 +212,9 @@ const gnutls_datum *gnutls_certificate_get_ours(gnutls_session session)
 	   return NULL; /* no certificate */
 	}
 	
-	return &cred->cert_list[index][0].raw;
+	if (cred->ncerts > index)
+		return &cred->cert_list[index][0].raw;
+	return NULL;
 }
 
 /**
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index 971d16e72e..5e970a7acc 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -714,12 +714,50 @@ static int read_key_file(gnutls_certificate_credentials res, const char *keyfile
 	}
 
 	ret = read_key_mem( res, x, size, type);
+	memset( x, 0, size);
 	gnutls_free(x);
 	
 	return ret;
 }
 
 /**
+  * gnutls_certificate_free_keys - Used to free all the keys from a gnutls_certificate_credentials structure
+  * @sc: is an &gnutls_certificate_credentials structure.
+  *
+  * This function will delete all the keys and the certificates associated
+  * with the given credentials. This function must not be called when a
+  * TLS negotiation that uses the credentials is in progress.
+  *
+  **/
+void gnutls_certificate_free_keys(gnutls_certificate_credentials sc)
+{
+	uint i, j;
+
+	for (i = 0; i < sc->ncerts; i++) {
+		for (j = 0; j < sc->cert_list_length[i]; j++) {
+			_gnutls_free_cert( &sc->cert_list[i][j]);
+		}
+		gnutls_free( sc->cert_list[i]);
+	}
+
+	gnutls_free(sc->cert_list_length);
+	sc->cert_list_length = NULL;
+
+	gnutls_free(sc->cert_list);
+	sc->cert_list = NULL;
+
+	for (i = 0; i < sc->ncerts; i++) {
+		_gnutls_free_private_key(sc->pkey[i]);
+	}
+
+	gnutls_free( sc->pkey);
+	sc->pkey = NULL;
+	
+	sc->ncerts = 0;
+
+}
+
+/**
   * gnutls_certificate_set_x509_key_mem - Used to set keys in a gnutls_certificate_credentials structure
   * @res: is an &gnutls_certificate_credentials structure.
   * @CERT: contains a certificate list (path) for the specified private key
diff --git a/src/serv.c b/src/serv.c
index e6a49d5d43..68b28b4e42 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -620,14 +620,8 @@ int main(int argc, char **argv)
       }
 
    if (generate != 0 || read_dh_params != NULL) {
-      if (gnutls_certificate_set_dh_params(cert_cred, dh_params) < 0) {
-	 fprintf(stderr, "Error while setting DH parameters\n");
-	 exit(1);
-      }
-      if (gnutls_certificate_set_rsa_params(cert_cred, rsa_params) < 0) {
-	 fprintf(stderr, "Error while setting RSA parameters\n");
-	 exit(1);
-      }
+      gnutls_certificate_set_dh_params(cert_cred, dh_params);
+      gnutls_certificate_set_rsa_params(cert_cred, rsa_params);
    }
 
    /* this is a password file (created with the included srpcrypt utility)