authorNikos Mavrogiannopoulos <nmav@gnutls.org>2004-02-22 08:39:47 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2004-02-22 08:39:47 +0000
commit15a687368c93eb2c03742d927ca2f94cf8323a3a (patch)
treeaadf6dd702aa7d967e5080bce552d91669504199
parent7e1db8cd510643872d9e0cb8e1627aec35f08fe1 (diff)
downloadgnutls-15a687368c93eb2c03742d927ca2f94cf8323a3a.tar.gz
Corrected the return values of gnutls_x509_crt_check_hostname().
-rw-r--r--NEWS1
-rw-r--r--doc/tex/alert.tex6
-rw-r--r--doc/tex/ciphers.tex2
-rw-r--r--doc/tex/howto.tex5
-rw-r--r--doc/tex/srp.tex2
-rw-r--r--lib/gnutls_errors.c1
-rw-r--r--lib/gnutls_errors_int.h1
-rw-r--r--lib/x509/Makefile.am2
-rw-r--r--lib/x509/rfc2818_hostname.c6
-rw-r--r--opencdk.m41
10 files changed, 12 insertions, 15 deletions
diff --git a/NEWS b/NEWS
index 3a012da943..75cfb0b021 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,7 @@
Version 1.1.6
- Several bug fixes, by Arne Thomassen.
- Fixed a bug where 'server name' extension was always sent.
+- Corrected the return values of gnutls_x509_crt_check_hostname().
Version 1.1.5 (06/01/2004)
- Added the gnutls_sign_algorithm type.
diff --git a/doc/tex/alert.tex b/doc/tex/alert.tex
index 3c1f13df27..58ae1727c1 100644
--- a/doc/tex/alert.tex
+++ b/doc/tex/alert.tex
@@ -14,8 +14,8 @@ and prevent future renegotiations using the current session ID.
\par The alert messages are protected by the record protocol, thus
the information that is included does not leak. You must take
-extreme care for the alert information not to leak to a possible attacker
-(via public log files etc).
+extreme care for the alert information not to leak to a possible attacker,
+via public log files etc.
\par
\begin{itemize}
@@ -26,5 +26,5 @@ to map a gnutls error number to an alert signal.
\item \printfunc{gnutls_alert_get}{gnutls\_alert\_get}:
returns the last received alert.
\item \printfunc{gnutls_alert_get_name}{gnutls\_alert\_get\_name}:
-returns the name (in a character array) of the given alert.
+returns the name, in a character array, of the given alert.
\end{itemize}
diff --git a/doc/tex/ciphers.tex b/doc/tex/ciphers.tex
index a1d9c30950..bf297e32ac 100644
--- a/doc/tex/ciphers.tex
+++ b/doc/tex/ciphers.tex
@@ -6,7 +6,7 @@ Encryption Standard is actually the RIJNDAEL algorithm. This is the
algorithm that replaced DES.}}, or
stream algorithms like {\bf ARCFOUR\_128\footnote{ARCFOUR\_128 is a compatible
algorithm with RSA's RC4 algorithm, which is considered to be a trade secret.}} See \hyperref{fig:ciphers}{figure }{}{fig:ciphers} for a complete list.
-Ciphers are encryption algorithms that use a single (secret) key
+Ciphers are encryption algorithms that use a single, secret, key
to encrypt and decrypt data. Block algorithms in TLS also provide protection
against statistical analysis of the data. \gnutls{} makes use of this property
thus, if you're using the \tlsI{} protocol, a random number of blocks will be
diff --git a/doc/tex/howto.tex b/doc/tex/howto.tex
index 19997ace22..365d64cdf1 100644
--- a/doc/tex/howto.tex
+++ b/doc/tex/howto.tex
@@ -26,8 +26,7 @@ That way the \tls{} protocol does not know anything
about the client, and popular methods like the host advertising in
HTTP do not work. There is no way for the client to say ``I connected
to YYY server'' before the Handshake starts, so the server cannot
-possibly know which certificate to use\footnote{There is some effort to solve
-this problem within \tls{}}.
+possibly know which certificate to use.
\par
Other than that it requires two separate ports to run a single service, which is
@@ -117,7 +116,7 @@ CLIENT: BYE
\par
This method, if implemented properly, is far better than the
traditional method, and the security properties remain the same, since only
-denial of service is possible. The benefit is the server may request
+denial of service is possible. The benefit is that the server may request
additional data before the \tls{} Handshake protocol
starts, in order to send the correct certificate, use the correct
password file\footnote{in SRP authentication}, or anything else!
diff --git a/doc/tex/srp.tex b/doc/tex/srp.tex
index f1e15a85ee..e7cbb59b09 100644
--- a/doc/tex/srp.tex
+++ b/doc/tex/srp.tex
@@ -1,7 +1,7 @@
\section{Authentication using SRP\index{SRP authentication}}
Authentication using the SRP\footnote{SRP stands for Secure Remote Password and
-is described in \cite{RFC2945}. The SRP key exchange is not a part of the \tlsI{} protocol}
+is described in \cite{RFC2945}. The SRP key exchange is an extension to the \tlsI{} protocol}
protocol is actually password authentication. The two peers can be identified using a
single password, or there can be combinations where the client is
authenticated using SRP and the server using a certificate.
diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c
index 390e713104..c68239e28c 100644
--- a/lib/gnutls_errors.c
+++ b/lib/gnutls_errors.c
@@ -55,7 +55,6 @@ static gnutls_error_entry error_algorithms[] = {
ERROR_ENTRY("The Diffie Hellman prime sent by the server is not acceptable (not long enough).", GNUTLS_E_DH_PRIME_UNACCEPTABLE, 1 ),
ERROR_ENTRY("A TLS packet with unexpected length was received.", GNUTLS_E_UNEXPECTED_PACKET_LENGTH, 1 ),
ERROR_ENTRY("The specified session has been invalidated for some reason.", GNUTLS_E_INVALID_SESSION, 1 ),
- ERROR_ENTRY("The specified name does not match the name in the certificate.", GNUTLS_E_NAME_DOES_NOT_MATCH, 1 ),
ERROR_ENTRY("GnuTLS internal error.", GNUTLS_E_INTERNAL_ERROR, 1 ),
ERROR_ENTRY("An illegal TLS extension was received.", GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION, 1 ),
diff --git a/lib/gnutls_errors_int.h b/lib/gnutls_errors_int.h
index e5d181e01f..3f64c626d7 100644
--- a/lib/gnutls_errors_int.h
+++ b/lib/gnutls_errors_int.h
@@ -122,7 +122,6 @@
#define GNUTLS_E_OPENPGP_KEYRING_ERROR -204
#define GNUTLS_E_X509_UNSUPPORTED_OID -205
-#define GNUTLS_E_NAME_DOES_NOT_MATCH -206
#define GNUTLS_E_UNIMPLEMENTED_FEATURE -1250
diff --git a/lib/x509/Makefile.am b/lib/x509/Makefile.am
index c01fff705d..45e8656c01 100644
--- a/lib/x509/Makefile.am
+++ b/lib/x509/Makefile.am
@@ -1,4 +1,4 @@
-INCLUDES = -I../ -I../../includes/ -I../../lib -I../../lib/minitasn1 $(LIBOPENCDK_CFLAGS) $(LIBGCRYPT_CFLAGS)
+INCLUDES = -I../ -I../../includes/ -I../../lib/minitasn1 $(LIBOPENCDK_CFLAGS) $(LIBGCRYPT_CFLAGS)
EXTRA_DIST = dn.h common.h x509.h extensions.h pkcs7.h \
x509-api.tex compat.h verify.h mpi.h crq.h sign.h pkcs5.h \
privkey.h pkcs12.h rc2.h rfc2818.h dsa.h
diff --git a/lib/x509/rfc2818_hostname.c b/lib/x509/rfc2818_hostname.c
index d07b113e9c..b6229719c2 100644
--- a/lib/x509/rfc2818_hostname.c
+++ b/lib/x509/rfc2818_hostname.c
@@ -113,7 +113,7 @@ int gnutls_x509_crt_check_hostname(gnutls_x509_crt cert,
if (ret == GNUTLS_SAN_DNSNAME) {
found_dnsname = 1;
if (_gnutls_hostname_compare(dnsname, hostname)) {
- return GNUTLS_E_NAME_DOES_NOT_MATCH;
+ return 1;
}
}
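Review bot: The new `return 1;` on a dNSName match changes the function's result convention from a negative error code to a positive flag, but nothing in this hunk records what the non-error values mean, and the removal of GNUTLS_E_NAME_DOES_NOT_MATCH elsewhere in this commit means callers can no longer distinguish outcomes by sign. A one-line comment above the `if` would make the intent explicit for the next reader: `/* 1 == hostname matched a dNSName SAN; 0 (below) == no match */`, and the public header comment for gnutls_x509_crt_check_hostname should say the same if it does not already (it is not visible here). The value taken from `_gnutls_hostname_compare` is treated as "non-zero means match"; that is presumably the helper's contract, but it is not shown in this hunk. The enclosing function begins before this hunk and continues past it.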
@@ -127,11 +127,11 @@ int gnutls_x509_crt_check_hostname(gnutls_x509_crt cert,
0, dnsname, &dnsnamesize) < 0) {
/* got an error, can't find a name
*/
- return GNUTLS_E_NAME_DOES_NOT_MATCH;
+ return 1;
}
if (_gnutls_hostname_compare(dnsname, hostname)) {
- return GNUTLS_E_NAME_DOES_NOT_MATCH;
+ return 1;
}
}
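Review bot: The error branch at the `gnutls_x509_crt_get_dn_by_oid(...) < 0` check now returns `1`, which under the corrected convention used two lines later signals a successful match, so a certificate whose subject has no CN (and no dNSName SAN, since that loop must already have been exhausted to reach here) would be reported as matching any hostname. The comment on that branch, "got an error, can't find a name", makes clear that the intended result is "no match", so the line should read `return 0;` rather than `return 1;`. Only the positive `_gnutls_hostname_compare` result below it should yield `1`. The enclosing function starts before this hunk and its final return lies past the end of it, so the default "no match" path is not visible here; it should also return `0` for the same reason.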
diff --git a/opencdk.m4 b/opencdk.m4
index 89687c9102..ca51e8075a 100644
--- a/opencdk.m4
+++ b/opencdk.m4
@@ -89,7 +89,6 @@ main ()
printf("*** You need a version of LIBOPENCDK newer than %s. The latest version of\n",
"$min_libopencdk_version" );
printf("*** LIBOPENCDK is always available from ftp://ftp.gnutls.org/pub/gnutls/opencdk/.\n");
- printf("*** (It is distributed along with GnuPG).\n");
printf("*** \n");
printf("*** If you have already installed a sufficiently new version, this error\n");
printf("*** probably means that the wrong copy of the opencdk-config shell script is\n");