*** empty log message ***

5 files changed, 76 insertions, 57 deletions

diff --git a/NEWS b/NEWS
index 4a35b7e2b0..01d81e61ce 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,8 @@
+Version 1.1.8
+- Implemented all the tests for the SRP group parameters in
+  client side. This may lead to incompatibility with very
+  old gnutls servers.
+
 Version 1.1.7 (29/03/2004)
 - Added gnutls_certificate_set_params_function() and 
   gnutls_anon_set_params_function() that set the RSA or DH
diff --git a/doc/tex/library.tex b/doc/tex/library.tex
index 9955ca37b9..6600aff909 100644
--- a/doc/tex/library.tex
+++ b/doc/tex/library.tex
@@ -24,7 +24,6 @@ Important features of the \gnutls{} library include:
 \item Support for {\bf SRP} for \tls{} authentication.
 \item Support for \tls{} {\bf Extension mechanism}.
 \item Support for \tls{} {\bf Compression Methods}.
-\item Thread safety
 \end{itemize}
 
 Additionally \gnutls{} provides a limited emulation API for the widely used
diff --git a/lib/auth_cert.c b/lib/auth_cert.c
index e54051254f..c0de1ed568 100644
--- a/lib/auth_cert.c
+++ b/lib/auth_cert.c
@@ -123,9 +123,55 @@ static int _gnutls_check_pk_algo_in_list(const gnutls_pk_algorithm *pk_algos,
 }
 
 
+/* Returns the issuer's Distinguished name in odn, of the certificate 
+ * specified in cert.
+ */
+static int _gnutls_cert_get_issuer_dn(gnutls_cert * cert, gnutls_datum * odn)
+{
+	ASN1_TYPE dn;
+	int len, result;
+	int start, end;
+
+	if ((result=asn1_create_element
+	    (_gnutls_get_pkix(), "PKIX1.Certificate", &dn)) != ASN1_SUCCESS) {
+		gnutls_assert();
+		return _gnutls_asn2err(result);
+	}
+
+	result = asn1_der_decoding(&dn, cert->raw.data, cert->raw.size, NULL);
+	if (result != ASN1_SUCCESS) {
+		/* couldn't decode DER */
+		gnutls_assert();
+		asn1_delete_structure(&dn);
+		return _gnutls_asn2err(result);
+	}
+
+	result = asn1_der_decoding_startEnd(dn, cert->raw.data, cert->raw.size,
+					"tbsCertificate.issuer", &start,
+					&end);
+
+	if (result != ASN1_SUCCESS) {
+		/* couldn't decode DER */
+		gnutls_assert();
+		asn1_delete_structure(&dn);
+		return _gnutls_asn2err(result);
+	}
+	asn1_delete_structure(&dn);
+
+	len = end - start + 1;
+
+	odn->size = len;
+	odn->data = &cert->raw.data[start];
+
+	return 0;
+}
+
 
 /* Locates the most appropriate x509 certificate using the
  * given DN. If indx == -1 then no certificate was found.
+ *
+ * That is to guess which certificate to use, based on the 
+ * CAs and sign algorithms supported by the peer server.
  */
 static int _find_x509_cert(const gnutls_certificate_credentials cred,
 			   opaque * _data, size_t _data_size,
@@ -151,7 +197,7 @@ static int _find_x509_cert(const gnutls_certificate_credentials cred,
 		for (i = 0; i < cred->ncerts; i++) {
 			for (j = 0; j < cred->cert_list_length[i]; j++) {
 				if ((result =
-				     _gnutls_cert_get_dn(&cred->
+				     _gnutls_cert_get_issuer_dn(&cred->
 							 cert_list[i][j],
 							 &odn)) < 0) {
 					gnutls_assert();
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index b611a9b9a5..3c78a21056 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -637,27 +637,40 @@ int _gnutls_x509_crt_to_gcert(gnutls_cert * gcert, gnutls_x509_crt cert,
 	gcert->cert_type = GNUTLS_CRT_X509;
 
 	if ( !(flags & CERT_NO_COPY)) {
+		#define SMALL_DER 512
 		opaque* der;
-		size_t der_size = 0;
-		
-		ret = gnutls_x509_crt_export( cert, GNUTLS_X509_FMT_DER, NULL, &der_size);
-		if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) {
-			gnutls_assert();
-			return ret;
-		}
-		
-		der = gnutls_malloc( der_size);
+		size_t der_size = SMALL_DER;
+
+		/* initially allocate a bogus size, just in case the certificate
+		 * fits in it. That way we minimize the DER encodings performed.
+		 */
+		der = gnutls_malloc( SMALL_DER);
 		if (der == NULL) {
 			gnutls_assert();
 			return GNUTLS_E_MEMORY_ERROR;
 		}
-
+		
 		ret = gnutls_x509_crt_export( cert, GNUTLS_X509_FMT_DER, der, &der_size);
-		if (ret < 0) {
+		if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER) {
 			gnutls_assert();
 			gnutls_free(der);
 			return ret;
 		}
+		
+		if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
+			der = gnutls_realloc( der, der_size);
+			if (der == NULL) {
+				gnutls_assert();
+				return GNUTLS_E_MEMORY_ERROR;
+			}
+
+			ret = gnutls_x509_crt_export( cert, GNUTLS_X509_FMT_DER, der, &der_size);
+			if (ret < 0) {
+				gnutls_assert();
+				gnutls_free(der);
+				return ret;
+			}
+		}
 
 		gcert->raw.data = der;
 		gcert->raw.size = der_size;
@@ -698,45 +711,3 @@ void _gnutls_gcert_deinit(gnutls_cert *cert)
 	_gnutls_free_datum(&cert->raw);
 }
 
-/* Returns the issuer's Distinguished name in odn, of the certificate 
- * specified in cert.
- */
-int _gnutls_cert_get_dn(gnutls_cert * cert, gnutls_datum * odn )
-{
-	ASN1_TYPE dn;
-	int len, result;
-	int start, end;
-
-	if ((result=asn1_create_element
-	    (_gnutls_get_pkix(), "PKIX1.Certificate", &dn)) != ASN1_SUCCESS) {
-		gnutls_assert();
-		return _gnutls_asn2err(result);
-	}
-
-	result = asn1_der_decoding(&dn, cert->raw.data, cert->raw.size, NULL);
-	if (result != ASN1_SUCCESS) {
-		/* couldn't decode DER */
-		gnutls_assert();
-		asn1_delete_structure(&dn);
-		return _gnutls_asn2err(result);
-	}
-
-	result = asn1_der_decoding_startEnd(dn, cert->raw.data, cert->raw.size,
-					"tbsCertificate.issuer", &start,
-					&end);
-
-	if (result != ASN1_SUCCESS) {
-		/* couldn't decode DER */
-		gnutls_assert();
-		asn1_delete_structure(&dn);
-		return _gnutls_asn2err(result);
-	}
-	asn1_delete_structure(&dn);
-
-	len = end - start + 1;
-
-	odn->size = len;
-	odn->data = &cert->raw.data[start];
-
-	return 0;
-}
diff --git a/lib/gnutls_cert.h b/lib/gnutls_cert.h
index c1384f17b3..803eca5033 100644
--- a/lib/gnutls_cert.h
+++ b/lib/gnutls_cert.h
@@ -86,8 +86,6 @@ int _gnutls_x509_raw_cert_to_gcert(gnutls_cert * gcert, const gnutls_datum *derC
 int _gnutls_x509_crt_to_gcert(gnutls_cert * gcert, gnutls_x509_crt cert,
 	unsigned int flags);
 
-int _gnutls_cert_get_dn(gnutls_cert * cert, gnutls_datum * odn);
-
 void _gnutls_gkey_deinit(gnutls_privkey *key);
 void _gnutls_gcert_deinit(gnutls_cert *cert);