summaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
authorNikos Mavrogiannopoulos <nmav@gnutls.org>2010-05-23 19:01:00 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2010-06-03 19:54:53 +0200
commitc4460a9921013a9700656d55f3c701e0fed5cd2d (patch)
tree483b2af65bc81c4d3e257c097536675fb4d14b65 /doc
parentd4a4643dbe1bd739e55706fa4affaf10aae1dfa9 (diff)
downloadgnutls-c4460a9921013a9700656d55f3c701e0fed5cd2d.tar.gz
Documentation updates. Separated big gnutls.texi to chapter to allow easier
maintainance.
Diffstat (limited to 'doc')
-rw-r--r--doc/cha-auth.texi462
-rw-r--r--doc/cha-bib.texi143
-rw-r--r--doc/cha-cert-auth.texi626
-rw-r--r--doc/cha-ciphersuites.texi44
-rw-r--r--doc/cha-copying.texi29
-rw-r--r--doc/cha-functions.texi120
-rw-r--r--doc/cha-internals.texi336
-rw-r--r--doc/cha-intro-tls.texi783
-rw-r--r--doc/cha-library.texi188
-rw-r--r--doc/cha-preface.texi257
-rw-r--r--doc/cha-programs.texi853
-rw-r--r--doc/cha-tls-app.texi130
-rw-r--r--doc/gnutls.texi4281
13 files changed, 3983 insertions, 4269 deletions
diff --git a/doc/cha-auth.texi b/doc/cha-auth.texi
new file mode 100644
index 0000000000..39da7a5c9a
--- /dev/null
+++ b/doc/cha-auth.texi
@@ -0,0 +1,462 @@
+@node Authentication methods
+@chapter Authentication Methods
+
+The @acronym{TLS} protocol provides confidentiality and encryption,
+but also offers authentication, which is a prerequisite for a secure
+connection. The available authentication methods in @acronym{GnuTLS}
+are:
+
+@itemize
+
+@item Certificate authentication
+
+@item Anonymous authentication
+
+@item @acronym{SRP} authentication
+
+@item @acronym{PSK} authentication
+
+@end itemize
+
+@menu
+* Certificate authentication::
+* Anonymous authentication::
+* Authentication using SRP::
+* Authentication using PSK::
+* Authentication and credentials::
+* Parameters stored in credentials::
+@end menu
+
+@node Certificate authentication
+@section Certificate Authentication
+
+@subsection Authentication Using @acronym{X.509} Certificates
+@cindex @acronym{X.509} certificates
+
+@acronym{X.509} certificates contain the public parameters, of a
+public key algorithm, and an authority's signature, which proves the
+authenticity of the parameters. @xref{The X.509 trust model}, for
+more information on @acronym{X.509} protocols.
+
+@subsection Authentication Using @acronym{OpenPGP} Keys
+@cindex @acronym{OpenPGP} Keys
+
+@acronym{OpenPGP} keys also contain public parameters of a public key
+algorithm, and signatures from several other parties. Depending on
+whether a signer is trusted the key is considered trusted or not.
+@acronym{GnuTLS}'s @acronym{OpenPGP} authentication implementation is
+based on the @xcite{TLSPGP} proposal.
+
+@xref{The OpenPGP trust model}, for more information about the
+@acronym{OpenPGP} trust model. For a more detailed introduction to
+@acronym{OpenPGP} and @acronym{GnuPG} see @xcite{GPGH}.
+
+@subsection Using Certificate Authentication
+
+In @acronym{GnuTLS} both the @acronym{OpenPGP} and @acronym{X.509}
+certificates are part of the certificate authentication and thus are
+handled using a common API.
+
+When using certificates the server is required to have at least one
+certificate and private key pair. A client may or may not have such a
+pair. The certificate and key pair should be loaded, before any
+@acronym{TLS} session is initialized, in a certificate credentials
+structure. This should be done by using
+@ref{gnutls_certificate_set_x509_key_file} or
+@ref{gnutls_certificate_set_openpgp_key_file} depending on the
+certificate type. In the @acronym{X.509} case, the functions will
+also accept and use a certificate list that leads to a trusted
+authority. The certificate list must be ordered in such way that every
+certificate certifies the one before it. The trusted authority's
+certificate need not to be included, since the peer should possess it
+already.
+
+As an alternative, a callback may be used so the server or the client
+specify the certificate and the key at the handshake time. That
+callback can be set using the functions:
+
+@itemize
+
+@item @ref{gnutls_certificate_server_set_retrieve_function}
+
+@item @ref{gnutls_certificate_client_set_retrieve_function}
+
+@end itemize
+
+Clients and servers that will select certificates using callback
+functions should select a certificate according the peer's signature
+algorithm preferences. To get those preferences use
+@ref{gnutls_sign_algorithm_get_requested}.
+
+Certificate verification is possible by loading the trusted
+authorities into the credentials structure by using
+@ref{gnutls_certificate_set_x509_trust_file} or
+@ref{gnutls_certificate_set_openpgp_keyring_file} for openpgp
+keys. Note however that the peer's certificate is not automatically
+verified, you should call @ref{gnutls_certificate_verify_peers2},
+after a successful handshake, to verify the signatures of the
+certificate. An alternative way, which reports a more detailed
+verification output, is to use @ref{gnutls_certificate_get_peers} to
+obtain the raw certificate of the peer and verify it using the
+functions discussed in @ref{The X.509 trust model}.
+
+In a handshake, the negotiated cipher suite depends on the
+certificate's parameters, so not all key exchange methods will be
+available with some certificates. @acronym{GnuTLS} will disable
+ciphersuites that are not compatible with the key, or the enabled
+authentication methods. For example keys marked as sign-only, will
+not be able to access the plain RSA ciphersuites, but only the
+@code{DHE_RSA} ones. It is recommended not to use RSA keys for both
+signing and encryption. If possible use the same key for the
+@code{DHE_RSA} and @code{RSA_EXPORT} ciphersuites, which use signing,
+and a different key for the plain RSA ciphersuites, which use
+encryption. All the key exchange methods shown below are available in
+certificate authentication.
+
+Note that the DHE key exchange methods are generally
+slower@footnote{It really depends on the group used. Primes with
+lesser bits are always faster, but also easier to break. Values less
+than 768 should not be used today} than plain RSA and require Diffie
+Hellman parameters to be generated and associated with a credentials
+structure, by the server. The @code{RSA-EXPORT} method also requires
+512 bit RSA parameters, that should also be generated and associated
+with the credentials structure. See the functions:
+
+@itemize
+
+@item @ref{gnutls_dh_params_generate2}
+
+@item @ref{gnutls_certificate_set_dh_params}
+
+@item @ref{gnutls_rsa_params_generate2}
+
+@item @ref{gnutls_certificate_set_rsa_export_params}
+
+@end itemize
+
+Sometimes in order to avoid bottlenecks in programs it is usefull to
+store and read parameters from formats that can be generated by
+external programs such as @code{certtool}. This is possible with
+@acronym{GnuTLS} by using the following functions:
+
+@itemize
+
+@item @ref{gnutls_dh_params_import_pkcs3}
+
+@item @ref{gnutls_rsa_params_import_pkcs1}
+
+@item @ref{gnutls_dh_params_export_pkcs3}
+
+@item @ref{gnutls_rsa_params_export_pkcs1}
+
+@end itemize
+
+Key exchange algorithms for @acronym{OpenPGP} and @acronym{X.509}
+certificates:
+
+@table @code
+
+@item RSA:
+The RSA algorithm is used to encrypt a key and send it to the peer.
+The certificate must allow the key to be used for encryption.
+
+@item RSA_EXPORT:
+The RSA algorithm is used to encrypt a key and send it to the peer.
+In the EXPORT algorithm, the server signs temporary RSA parameters of
+512 bits --- which are considered weak --- and sends them to the
+client.
+
+@item DHE_RSA:
+The RSA algorithm is used to sign Ephemeral Diffie-Hellman parameters
+which are sent to the peer. The key in the certificate must allow the
+key to be used for signing. Note that key exchange algorithms which
+use Ephemeral Diffie-Hellman parameters, offer perfect forward
+secrecy. That means that even if the private key used for signing is
+compromised, it cannot be used to reveal past session data.
+
+@item DHE_DSS:
+The DSS algorithm is used to sign Ephemeral Diffie-Hellman parameters
+which are sent to the peer. The certificate must contain DSA
+parameters to use this key exchange algorithm. DSS stands for Digital
+Signature Standard.
+
+@end table
+
+@node Anonymous authentication
+@section Anonymous Authentication
+@cindex Anonymous authentication
+
+The anonymous key exchange performs encryption but there is no
+indication of the identity of the peer. This kind of authentication
+is vulnerable to a man in the middle attack, but this protocol can be
+used even if there is no prior communication and trusted parties with
+the peer, or when full anonymity is required. Unless really required,
+do not use anonymous authentication. Available key exchange methods
+are shown below.
+
+Note that the key exchange methods for anonymous authentication
+require Diffie-Hellman parameters to be generated by the server and
+associated with an anonymous credentials structure.
+
+Supported anonymous key exchange algorithms:
+
+@table @code
+
+@item ANON_DH:
+This algorithm exchanges Diffie-Hellman parameters.
+
+@end table
+
+@node Authentication using SRP
+@section Authentication using @acronym{SRP}
+@cindex @acronym{SRP} authentication
+
+Authentication via the Secure Remote Password protocol,
+@acronym{SRP}@footnote{@acronym{SRP} is described in @xcite{RFC2945}},
+is supported. The @acronym{SRP} key exchange is an extension to the
+@acronym{TLS} protocol, and it is a password based authentication
+(unlike @acronym{X.509} or @acronym{OpenPGP} that use certificates).
+The two peers can be identified using a single password, or there can
+be combinations where the client is authenticated using @acronym{SRP}
+and the server using a certificate.
+
+The advantage of @acronym{SRP} authentication, over other proposed
+secure password authentication schemes, is that @acronym{SRP} does not
+require the server to hold the user's password. This kind of
+protection is similar to the one used traditionally in the @emph{UNIX}
+@file{/etc/passwd} file, where the contents of this file did not cause
+harm to the system security if they were revealed. The @acronym{SRP}
+needs instead of the plain password something called a verifier, which
+is calculated using the user's password, and if stolen cannot be used
+to impersonate the user. Check @xcite{TOMSRP} for a detailed
+description of the @acronym{SRP} protocol and the Stanford
+@acronym{SRP} libraries, which includes a PAM module that synchronizes
+the system's users passwords with the @acronym{SRP} password
+files. That way @acronym{SRP} authentication could be used for all the
+system's users.
+
+The implementation in @acronym{GnuTLS} is based on paper
+@xcite{TLSSRP}. The supported @acronym{SRP} key exchange methods are:
+
+@table @code
+
+@item SRP:
+Authentication using the @acronym{SRP} protocol.
+
+@item SRP_DSS:
+Client authentication using the @acronym{SRP} protocol. Server is
+authenticated using a certificate with DSA parameters.
+
+@item SRP_RSA:
+Client authentication using the @acronym{SRP} protocol. Server is
+authenticated using a certificate with RSA parameters.
+
+@end table
+
+If clients supporting @acronym{SRP} know the username and password
+before the connection, should initialize the client credentials and
+call the function @ref{gnutls_srp_set_client_credentials}.
+Alternatively they could specify a callback function by using the
+function @ref{gnutls_srp_set_client_credentials_function}. This has
+the advantage that allows probing the server for @acronym{SRP}
+support. In that case the callback function will be called twice per
+handshake. The first time is before the ciphersuite is negotiated,
+and if the callback returns a negative error code, the callback will
+be called again if @acronym{SRP} has been negotiated. This uses a
+special @acronym{TLS}-@acronym{SRP} handshake idiom in order to avoid,
+in interactive applications, to ask the user for @acronym{SRP}
+password and username if the server does not negotiate an
+@acronym{SRP} ciphersuite.
+
+In server side the default behaviour of @acronym{GnuTLS} is to read
+the usernames and @acronym{SRP} verifiers from password files. These
+password files are the ones used by the @emph{Stanford srp libraries}
+and can be specified using the
+@ref{gnutls_srp_set_server_credentials_file}. If a different
+password file format is to be used, then the function
+@ref{gnutls_srp_set_server_credentials_function}, should be called,
+in order to set an appropriate callback.
+
+Some helper functions such as
+
+@itemize
+
+@item @ref{gnutls_srp_verifier}
+
+@item @ref{gnutls_srp_base64_encode}
+
+@item @ref{gnutls_srp_base64_decode}
+
+@end itemize
+
+are included in @acronym{GnuTLS}, and can be used to generate and
+maintain @acronym{SRP} verifiers and password files. A program to
+manipulate the required parameters for @acronym{SRP} authentication is
+also included. @xref{srptool}, for more information.
+
+
+@node Authentication using PSK
+@section Authentication using @acronym{PSK}
+@cindex @acronym{PSK} authentication
+
+Authentication using Pre-shared keys is a method to authenticate using
+usernames and binary keys. This protocol avoids making use of public
+key infrastructure and expensive calculations, thus it is suitable for
+constraint clients.
+
+The implementation in @acronym{GnuTLS} is based on paper
+@xcite{TLSPSK}. The supported @acronym{PSK} key exchange methods are:
+
+@table @code
+
+@item PSK:
+Authentication using the @acronym{PSK} protocol.
+
+@item DHE-PSK:
+Authentication using the @acronym{PSK} protocol and Diffie-Hellman key
+exchange. This method offers perfect forward secrecy.
+
+@end table
+
+Clients supporting @acronym{PSK} should supply the username and key
+before the connection to the client credentials by calling the
+function @ref{gnutls_psk_set_client_credentials}. Alternatively they
+could specify a callback function by using the function
+@ref{gnutls_psk_set_client_credentials_function}. This has the
+advantage that the callback will be called only if @acronym{PSK} has
+been negotiated.
+
+In server side the default behaviour of @acronym{GnuTLS} is to read
+the usernames and @acronym{PSK} keys from a password file. The
+password file should contain usernames and keys in hexadecimal
+format. The name of the password file can be stored to the credentials
+structure by calling @ref{gnutls_psk_set_server_credentials_file}. If
+a different password file format is to be used, then the function
+@ref{gnutls_psk_set_server_credentials_function}, should be used
+instead.
+
+The server can help the client chose a suitable username and password,
+by sending a hint. In the server, specify the hint by calling
+@ref{gnutls_psk_set_server_credentials_hint}. The client can retrieve
+the hint, for example in the callback function, using
+@ref{gnutls_psk_client_get_hint}.
+
+There is no standard mechanism to derive a PSK key from a password
+specified by the TLS PSK document. However, GnuTLS provides
+@ref{gnutls_psk_netconf_derive_key} which follows the algorithm
+specified in @file{draft-ietf-netconf-tls-02.txt}.
+
+Some helper functions such as:
+
+@itemize
+
+@item @ref{gnutls_hex_encode}
+
+@item @ref{gnutls_hex_decode}
+
+@end itemize
+
+are included in @acronym{GnuTLS}, and may be used to generate and
+maintain @acronym{PSK} keys.
+
+
+@node Authentication and credentials
+@section Authentication and Credentials
+
+In @acronym{GnuTLS} every key exchange method is associated with a
+credentials type. So in order to enable to enable a specific method,
+the corresponding credentials type should be initialized and set using
+@ref{gnutls_credentials_set}. A mapping is shown below.
+
+Key exchange algorithms and the corresponding credential types:
+
+@multitable @columnfractions .3 .3 .3
+
+@headitem Key exchange @tab Client credentials @tab Server credentials
+
+@item @code{KX_RSA}
+@item @code{KX_DHE_RSA}
+@item @code{KX_DHE_DSS}
+@item @code{KX_RSA_EXPORT}
+@tab @code{CRD_CERTIFICATE}
+@tab @code{CRD_CERTIFICATE}
+
+@item @code{KX_SRP_RSA}
+@tab @code{CRD_SRP}
+@tab @code{CRD_SRP}
+@item @code{KX_SRP_DSS}
+@tab
+@tab @code{CRD_CERTIFICATE}
+
+@item @code{KX_SRP}
+@tab @code{CRD_SRP}
+@tab @code{CRD_SRP}
+
+@item @code{KX_ANON_DH}
+@tab @code{CRD_ANON}
+@tab @code{CRD_ANON}
+
+@item @code{KX_PSK}
+@tab @code{CRD_PSK}
+@tab @code{CRD_PSK}
+
+@end multitable
+
+@node Parameters stored in credentials
+@section Parameters Stored in Credentials
+
+Several parameters such as the ones used for Diffie-Hellman
+authentication are stored within the credentials structures, so all
+sessions can access them. Those parameters are stored in structures
+such as @code{gnutls_dh_params_t} and @code{gnutls_rsa_params_t}, and
+functions like @ref{gnutls_certificate_set_dh_params} and
+@ref{gnutls_certificate_set_rsa_export_params} can be used to
+associate those parameters with the given credentials structure.
+
+Since those parameters need to be renewed from time to time and a
+global structure such as the credentials, may not be easy to modify
+since it is accessible by all sessions, an alternative interface is
+available using a callback function. This can be set using the
+@ref{gnutls_certificate_set_params_function}. An example is shown
+below.
+
+@example
+#include <gnutls.h>
+
+gnutls_rsa_params_t rsa_params;
+gnutls_dh_params_t dh_params;
+
+/* This function will be called once a session requests DH
+ * or RSA parameters. The parameters returned (if any) will
+ * be used for the first handshake only.
+ */
+static int get_params( gnutls_session_t session,
+ gnutls_params_type_t type,
+ gnutls_params_st *st)
+@{
+ if (type == GNUTLS_PARAMS_RSA_EXPORT)
+ st->params.rsa_export = rsa_params;
+ else if (type == GNUTLS_PARAMS_DH)
+ st->params.dh = dh_params;
+ else return -1;
+
+ st->type = type;
+ /* do not deinitialize those parameters.
+ */
+ st->deinit = 0;
+
+ return 0;
+@}
+
+int main()
+@{
+ gnutls_certificate_credentials_t cert_cred;
+
+ initialize_params();
+
+ /* ...
+ */
+
+ gnutls_certificate_set_params_function( cert_cred, get_params);
+@}
+@end example
diff --git a/doc/cha-bib.texi b/doc/cha-bib.texi
new file mode 100644
index 0000000000..d52744e867
--- /dev/null
+++ b/doc/cha-bib.texi
@@ -0,0 +1,143 @@
+@node Bibliography
+@unnumbered Bibliography
+
+@table @asis
+
+@item @anchor{CBCATT}[CBCATT]
+Bodo Moeller, "Security of CBC Ciphersuites in SSL/TLS: Problems and
+Countermeasures", 2002, available from
+@url{http://www.openssl.org/~bodo/tls-cbc.txt}.
+
+@item @anchor{GPGH}[GPGH]
+Mike Ashley, "The GNU Privacy Handbook", 2002, available from
+@url{http://www.gnupg.org/gph/en/manual.pdf}.
+
+@item @anchor{GUTPKI}[GUTPKI]
+Peter Gutmann, "Everything you never wanted to know about PKI but were
+forced to find out", Available from
+@url{http://www.cs.auckland.ac.nz/~pgut001/}.
+
+@item @anchor{NISTSP80057}[NISTSP80057]
+NIST Special Publication 800-57, "Recommendation for Key Management -
+Part 1: General (Revised)", March 2007, available from
+@url{http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf}.
+
+@item @anchor{RFC2246}[RFC2246]
+Tim Dierks and Christopher Allen, "The TLS Protocol Version 1.0",
+January 1999, Available from
+@url{http://www.ietf.org/rfc/rfc2246.txt}.
+
+@item @anchor{RFC4346}[RFC4346]
+Tim Dierks and Eric Rescorla, "The TLS Protocol Version 1.1", Match
+2006, Available from @url{http://www.ietf.org/rfc/rfc4346.txt}.
+
+@item @anchor{RFC2440}[RFC2440]
+Jon Callas, Lutz Donnerhacke, Hal Finney and Rodney Thayer, "OpenPGP
+Message Format", November 1998, Available from
+@url{http://www.ietf.org/rfc/rfc2440.txt}.
+
+@item @anchor{RFC4880}[RFC4880]
+Jon Callas, Lutz Donnerhacke, Hal Finney, David Shaw and Rodney
+Thayer, "OpenPGP Message Format", November 2007, Available from
+@url{http://www.ietf.org/rfc/rfc4880.txt}.
+
+@item @anchor{RFC4211}[RFC4211]
+J. Schaad, "Internet X.509 Public Key Infrastructure Certificate
+Request Message Format (CRMF)", September 2005, Available from
+@url{http://www.ietf.org/rfc/rfc4211.txt}.
+
+@item @anchor{RFC2817}[RFC2817]
+Rohit Khare and Scott Lawrence, "Upgrading to TLS Within HTTP/1.1",
+May 2000, Available from @url{http://www.ietf.org/rfc/rfc2817.txt}
+
+@item @anchor{RFC2818}[RFC2818]
+Eric Rescorla, "HTTP Over TLS", May 2000, Available from
+@url{http://www.ietf/rfc/rfc2818.txt}.
+
+@item @anchor{RFC2945}[RFC2945]
+Tom Wu, "The SRP Authentication and Key Exchange System", September
+2000, Available from @url{http://www.ietf.org/rfc/rfc2945.txt}.
+
+@item @anchor{RFC2986}[RFC2986]
+Magnus Nystrom and Burt Kaliski, "PKCS 10 v1.7: Certification Request
+Syntax Specification", November 2000, Available from
+@url{http://www.ietf.org/rfc/rfc2986.txt}.
+
+@item @anchor{PKIX}[PKIX]
+D. Cooper, S. Santesson, S. Farrel, S. Boeyen, R. Housley, W. Polk,
+"Internet X.509 Public Key Infrastructure Certificate and Certificate
+Revocation List (CRL) Profile", May 2008, available from
+@url{http://www.ietf.org/rfc/rfc5280.txt}.
+
+@item @anchor{RFC3749}[RFC3749]
+Scott Hollenbeck, "Transport Layer Security Protocol Compression
+Methods", May 2004, available from
+@url{http://www.ietf.org/rfc/rfc3749.txt}.
+
+@item @anchor{RFC3820}[RFC3820]
+Steven Tuecke, Von Welch, Doug Engert, Laura Pearlman, and Mary
+Thompson, "Internet X.509 Public Key Infrastructure (PKI) Proxy
+Certificate Profile", June 2004, available from
+@url{http://www.ietf.org/rfc/rfc3820}.
+
+@item @anchor{RFC5746}[RFC5746]
+E. Rescorla, M. Ray, S. Dispensa, and N. Oskov, "Transport Layer
+Security (TLS) Renegotiation Indication Extension", February 2010,
+available from @url{http://www.ietf.org/rfc/rfc5746}.
+
+@item @anchor{TLSTKT}[TLSTKT]
+Joseph Salowey, Hao Zhou, Pasi Eronen, Hannes Tschofenig, "Transport
+Layer Security (TLS) Session Resumption without Server-Side State",
+January 2008, available from @url{http://www.ietf.org/rfc/rfc5077}.
+
+@item @anchor{PKCS12}[PKCS12]
+RSA Laboratories, "PKCS 12 v1.0: Personal Information Exchange
+Syntax", June 1999, Available from @url{http://www.rsa.com}.
+
+@item @anchor{RESCORLA}[RESCORLA]
+Eric Rescorla, "SSL and TLS: Designing and Building Secure Systems",
+2001
+
+@item @anchor{SELKEY}[SELKEY]
+Arjen Lenstra and Eric Verheul, "Selecting Cryptographic Key Sizes",
+2003, available from @url{http://www.win.tue.nl/~klenstra/key.pdf}.
+
+@item @anchor{SSL3}[SSL3]
+Alan Freier, Philip Karlton and Paul Kocher, "The SSL Protocol Version
+3.0", November 1996, Available from
+@url{http://wp.netscape.com/eng/ssl3/draft302.txt}.
+
+@item @anchor{STEVENS}[STEVENS]
+Richard Stevens, "UNIX Network Programming, Volume 1", Prentice Hall
+PTR, January 1998
+
+@item @anchor{TLSEXT}[TLSEXT]
+Simon Blake-Wilson, Magnus Nystrom, David Hopwood, Jan Mikkelsen and
+Tim Wright, "Transport Layer Security (TLS) Extensions", June 2003,
+Available from @url{http://www.ietf.org/rfc/rfc3546.txt}.
+
+@item @anchor{TLSPGP}[TLSPGP]
+Nikos Mavrogiannopoulos, "Using OpenPGP keys for TLS authentication",
+April 2004, November 2007. Available from
+@url{http://www.ietf.org/rfc/rfc5081.txt}.
+
+@item @anchor{TLSSRP}[TLSSRP]
+David Taylor, Trevor Perrin, Tom Wu and Nikos Mavrogiannopoulos,
+"Using SRP for TLS Authentication", November 2007. Available from
+@url{http://www.ietf.org/rfc/rfc5054.txt}.
+
+@item @anchor{TLSPSK}[TLSPSK]
+Pasi Eronen and Hannes Tschofenig, "Pre-shared key Ciphersuites for
+TLS", December 2005, Available from
+@url{http://www.ietf.org/rfc/rfc4279.txt}.
+
+@item @anchor{TOMSRP}[TOMSRP]
+Tom Wu, "The Stanford SRP Authentication Project", Available at
+@url{http://srp.stanford.edu/}.
+
+@item @anchor{WEGER}[WEGER]
+Arjen Lenstra and Xiaoyun Wang and Benne de Weger, "Colliding X.509
+Certificates", Cryptology ePrint Archive, Report 2005/067, Available
+at @url{http://eprint.iacr.org/}.
+
+@end table
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi
new file mode 100644
index 0000000000..7b76857eff
--- /dev/null
+++ b/doc/cha-cert-auth.texi
@@ -0,0 +1,626 @@
+@node More on certificate authentication
+@chapter More on Certificate Authentication
+@anchor{Certificate Authentication}
+@cindex Certificate authentication
+
+@menu
+* The X.509 trust model::
+* The OpenPGP trust model::
+* Digital signatures::
+* PKCS #11 tokens::
+@end menu
+
+@node The X.509 trust model
+@section The @acronym{X.509} Trust Model
+@cindex @acronym{X.509} certificates
+
+The @acronym{X.509} protocols rely on a hierarchical trust model. In
+this trust model Certification Authorities (CAs) are used to certify
+entities. Usually more than one certification authorities exist, and
+certification authorities may certify other authorities to issue
+certificates as well, following a hierarchical model.
+
+@image{gnutls-x509,7cm,9.5cm}
+
+One needs to trust one or more CAs for his secure communications. In
+that case only the certificates issued by the trusted authorities are
+acceptable. See the figure above for a typical example. The API for
+handling @acronym{X.509} certificates is described at section
+@ref{sec:x509api}. Some examples are listed below.
+
+@menu
+* X.509 certificates::
+* Verifying X.509 certificate paths::
+* PKCS #10 certificate requests::
+* PKCS #12 structures::
+@end menu
+
+@node X.509 certificates
+@subsection @acronym{X.509} Certificates
+
+An @acronym{X.509} certificate usually contains information about the
+certificate holder, the signer, a unique serial number, expiration
+dates and some other fields @xcite{PKIX} as shown in the table below.
+
+@table @code
+
+@item version:
+The field that indicates the version of the certificate.
+
+@item serialNumber:
+This field holds a unique serial number per certificate.
+
+@item issuer:
+Holds the issuer's distinguished name.
+
+@item validity:
+The activation and expiration dates.
+
+@item subject:
+The subject's distinguished name of the certificate.
+
+@item extensions:
+The extensions are fields only present in version 3 certificates.
+
+@end table
+
+The certificate's @emph{subject or issuer name} is not just a single
+string. It is a Distinguished name and in the @acronym{ASN.1}
+notation is a sequence of several object IDs with their corresponding
+values. Some of available OIDs to be used in an @acronym{X.509}
+distinguished name are defined in @file{gnutls/x509.h}.
+
+The @emph{Version} field in a certificate has values either 1 or 3 for
+version 3 certificates. Version 1 certificates do not support the
+extensions field so it is not possible to distinguish a CA from a
+person, thus their usage should be avoided.
+
+The @emph{validity} dates are there to indicate the date that the
+specific certificate was activated and the date the certificate's key
+would be considered invalid.
+
+Certificate @emph{extensions} are there to include information about
+the certificate's subject that did not fit in the typical certificate
+fields. Those may be e-mail addresses, flags that indicate whether the
+belongs to a CA etc. All the supported @acronym{X.509} version 3
+extensions are shown in the table below.
+
+@table @code
+
+@item subject key id (2.5.29.14):
+An identifier of the key of the subject.
+
+@item authority key id (2.5.29.35):
+An identifier of the authority's key used to sign the certificate.
+
+@item subject alternative name (2.5.29.17):
+Alternative names to subject's distinguished name.
+
+@item key usage (2.5.29.15):
+Constraints the key's usage of the certificate.
+
+@item extended key usage (2.5.29.37):
+Constraints the purpose of the certificate.
+
+@item basic constraints (2.5.29.19):
+Indicates whether this is a CA certificate or not, and specify the
+maximum path lengths of certificate chains.
+
+@item CRL distribution points (2.5.29.31):
+This extension is set by the CA, in order to inform about the issued
+CRLs.
+
+@item Proxy Certification Information (1.3.6.1.5.5.7.1.14):
+Proxy Certificates includes this extension that contains the OID of
+the proxy policy language used, and can specify limits on the maximum
+lengths of proxy chains. Proxy Certificates are specified in
+@xcite{RFC3820}.
+
+@end table
+
+In @acronym{GnuTLS} the @acronym{X.509} certificate structures are
+handled using the @code{gnutls_x509_crt_t} type and the corresponding
+private keys with the @code{gnutls_x509_privkey_t} type. All the
+available functions for @acronym{X.509} certificate handling have
+their prototypes in @file{gnutls/x509.h}. An example program to
+demonstrate the @acronym{X.509} parsing capabilities can be found at
+section @ref{ex:x509-info}.
+
+@node Verifying X.509 certificate paths
+@subsection Verifying @acronym{X.509} Certificate Paths
+@cindex Verifying certificate paths
+
+Verifying certificate paths is important in @acronym{X.509}
+authentication. For this purpose the function
+@ref{gnutls_x509_crt_verify} is provided. The output of this function
+is the bitwise OR of the elements of the
+@code{gnutls_certificate_status_t} enumeration. A detailed
+description of these elements can be found in figure below. The
+function @ref{gnutls_certificate_verify_peers2} is equivalent to the
+previous one, and will verify the peer's certificate in a TLS session.
+
+@table @code
+
+@item GNUTLS_CERT_INVALID:
+The certificate is not signed by one of the known authorities, or
+the signature is invalid.
+
+@item GNUTLS_CERT_REVOKED:
+The certificate has been revoked by its CA.
+
+@item GNUTLS_CERT_SIGNER_NOT_FOUND:
+The certificate's issuer is not known. This is the case when the
+issuer is not in the trusted certificates list.
+
+@item GNUTLS_CERT_SIGNER_NOT_CA:
+The certificate's signer was not a CA. This may happen if
+this was a version 1 certificate, which is common with some CAs, or
+a version 3 certificate without the basic constrains extension.
+
+@anchor{GNUTLS_CERT_INSECURE_ALGORITHM}
+@item GNUTLS_CERT_INSECURE_ALGORITHM:
+The certificate was signed using an insecure algorithm such as MD2 or
+MD5. These algorithms have been broken and should not be trusted.
+
+@end table
+
+There is also to possibility to pass some input to the verification
+functions in the form of flags. For @ref{gnutls_x509_crt_verify} the
+flags are passed straightforward, but
+@ref{gnutls_certificate_verify_peers2} depends on the flags set by
+calling @ref{gnutls_certificate_set_verify_flags}. All the available
+flags are part of the enumeration
+@ref{gnutls_certificate_verify_flags} and are explained in the table
+below.
+
+@anchor{gnutls_certificate_verify_flags}
+@tindex gnutls_certificate_verify_flags
+@table @code
+@item GNUTLS_VERIFY_DISABLE_CA_SIGN:
+If set a signer does not have to be a certificate authority. This
+flag should normaly be disabled, unless you know what this means.
+
+@item GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT:
+Allow only trusted CA certificates that have version 1. This is
+safer than GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT, and should be
+used instead. That way only signers in your trusted list will be
+allowed to have certificates of version 1.
+
+@item GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT:
+Allow CA certificates that have version 1 (both root and
+intermediate). This is dangerous since those haven't the
+basicConstraints extension. Must be used in combination with
+GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT.
+
+@item GNUTLS_VERIFY_DO_NOT_ALLOW_SAME:
+If a certificate is not signed by anyone trusted but exists in
+the trusted CA list do not treat it as trusted.
+
+@item GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2:
+Allow certificates to be signed using the old MD2 algorithm.
+
+@item GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5:
+Allow certificates to be signed using the broken MD5 algorithm.
+@end table
+
+Although the verification of a certificate path indicates that the
+certificate is signed by trusted authority, does not reveal anything
+about the peer's identity. It is required to verify if the
+certificate's owner is the one you expect. For more information
+consult @xcite{RFC2818} and section @ref{ex:verify} for an example.
+
+@node PKCS #10 certificate requests
+@subsection @acronym{PKCS} #10 Certificate Requests
+@cindex Certificate requests
+@cindex @acronym{PKCS} #10
+
+A certificate request is a structure, which contain information about
+an applicant of a certificate service. It usually contains a private
+key, a distinguished name and secondary data such as a challenge
+password. @acronym{GnuTLS} supports the requests defined in
+@acronym{PKCS} #10 @xcite{RFC2986}. Other certificate request's format
+such as PKIX's @xcite{RFC4211} are not currently supported.
+
+In @acronym{GnuTLS} the @acronym{PKCS} #10 structures are handled
+using the @code{gnutls_x509_crq_t} type. An example of a certificate
+request generation can be found at section @ref{ex:crq}.
+
+@node PKCS #12 structures
+@subsection @acronym{PKCS} #12 Structures
+@cindex @acronym{PKCS} #12
+
+A @acronym{PKCS} #12 structure @xcite{PKCS12} usually contains a user's
+private keys and certificates. It is commonly used in browsers to
+export and import the user's identities.
+
+In @acronym{GnuTLS} the @acronym{PKCS} #12 structures are handled
+using the @code{gnutls_pkcs12_t} type. This is an abstract type that
+may hold several @code{gnutls_pkcs12_bag_t} types. The Bag types are
+the holders of the actual data, which may be certificates, private
+keys or encrypted data. An Bag of type encrypted should be decrypted
+in order for its data to be accessed.
+
+An example of a @acronym{PKCS} #12 structure generation can be found
+at section @ref{ex:pkcs12}.
+
+@node The OpenPGP trust model
+@section The @acronym{OpenPGP} Trust Model
+@cindex @acronym{OpenPGP} Keys
+
+The @acronym{OpenPGP} key authentication relies on a distributed trust
+model, called the ``web of trust''. The ``web of trust'' uses a
+decentralized system of trusted introducers, which are the same as a
+CA. @acronym{OpenPGP} allows anyone to sign anyone's else public
+key. When Alice signs Bob's key, she is introducing Bob's key to
+anyone who trusts Alice. If someone trusts Alice to introduce keys,
+then Alice is a trusted introducer in the mind of that observer.
+
+@image{gnutls-pgp,11cm,9cm}
+
+For example: If David trusts Alice to be an introducer, and Alice
+signed Bob's key, Dave also trusts Bob's key to be the real one.
+
+There are some key points that are important in that model. In the
+example Alice has to sign Bob's key, only if she is sure that the key
+belongs to Bob. Otherwise she may also make Dave falsely believe that
+this is Bob's key. Dave has also the responsibility to know who to
+trust. This model is similar to real life relations.
+
+Just see how Charlie behaves in the previous example. Although he has
+signed Bob's key - because he knows, somehow, that it belongs to Bob -
+he does not trust Bob to be an introducer. Charlie decided to trust
+only Kevin, for some reason. A reason could be that Bob is lazy
+enough, and signs other people's keys without being sure that they
+belong to the actual owner.
+
+@subsection @acronym{OpenPGP} Keys
+
+In @acronym{GnuTLS} the @acronym{OpenPGP} key structures
+@xcite{RFC2440} are handled using the @code{gnutls_openpgp_crt_t} type
+and the corresponding private keys with the
+@code{gnutls_openpgp_privkey_t} type. All the prototypes for the key
+handling functions can be found at @file{gnutls/openpgp.h}.
+
+@subsection Verifying an @acronym{OpenPGP} Key
+
+The verification functions of @acronym{OpenPGP} keys, included in
+@acronym{GnuTLS}, are simple ones, and do not use the features of the
+``web of trust''. For that reason, if the verification needs are
+complex, the assistance of external tools like @acronym{GnuPG} and
+GPGME (@url{http://www.gnupg.org/related_software/gpgme/}) is
+recommended.
+
+There is one verification function in @acronym{GnuTLS}, the
+@ref{gnutls_openpgp_crt_verify_ring}. This checks an
+@acronym{OpenPGP} key against a given set of public keys (keyring) and
+returns the key status. The key verification status is the same as in
+@acronym{X.509} certificates, although the meaning and interpretation
+are different. For example an @acronym{OpenPGP} key may be valid, if
+the self signature is ok, even if no signers were found. The meaning
+of verification status is shown in the figure below.
+
+@table @code
+
+@item CERT_INVALID:
+A signature on the key is invalid. That means that the key was
+modified by somebody, or corrupted during transport.
+
+@item CERT_REVOKED:
+The key has been revoked by its owner.
+
+@item CERT_SIGNER_NOT_FOUND:
+The key was not signed by a known signer.
+
+@item GNUTLS_CERT_INSECURE_ALGORITHM:
+The certificate was signed using an insecure algorithm such as MD2 or
+MD5. These algorithms have been broken and should not be trusted.
+
+@end table
+
+@node Digital signatures
+@section Digital Signatures
+@cindex Digital signatures
+
+In this section we will provide some information about digital
+signatures, how they work, and give the rationale for disabling some
+of the algorithms used.
+
+Digital signatures work by using somebody's secret key to sign some
+arbitrary data. Then anybody else could use the public key of that
+person to verify the signature. Since the data may be arbitrary it is
+not suitable input to a cryptographic digital signature algorithm. For
+this reason and also for performance cryptographic hash algorithms are
+used to preprocess the input to the signature algorithm. This works as
+long as it is difficult enough to generate two different messages with
+the same hash algorithm output. In that case the same signature could
+be used as a proof for both messages. Nobody wants to sign an innocent
+message of donating 1 @euro{} to Greenpeace and find out that he
+donated 1.000.000 @euro{} to Bad Inc.
+
+For a hash algorithm to be called cryptographic the following three
+requirements must hold:
+
+@enumerate
+@item Preimage resistance.
+That means the algorithm must be one way and given the output of the
+hash function @math{H(x)}, it is impossible to calculate @math{x}.
+
+@item 2nd preimage resistance.
+That means that given a pair @math{x,y} with @math{y=H(x)} it is
+impossible to calculate an @math{x'} such that @math{y=H(x')}.
+
+@item Collision resistance.
+That means that it is impossible to calculate random @math{x} and
+@math{x'} such @math{H(x')=H(x)}.
+@end enumerate
+
+The last two requirements in the list are the most important in
+digital signatures. These protect against somebody who would like to
+generate two messages with the same hash output. When an algorithm is
+considered broken usually it means that the Collision resistance of
+the algorithm is less than brute force. Using the birthday paradox the
+brute force attack takes
+@iftex
+@math{2^{(\rm{hash\ size}) / 2}}
+@end iftex
+@ifnottex
+@math{2^{((hash size) / 2)}}
+@end ifnottex
+operations. Today colliding certificates using the MD5 hash algorithm
+have been generated as shown in @xcite{WEGER}.
+
+There has been cryptographic results for the SHA-1 hash algorithms as
+well, although they are not yet critical. Before 2004, MD5 had a
+presumed collision strength of @math{2^{64}}, but it has been showed
+to have a collision strength well under @math{2^{50}}. As of November
+2005, it is believed that SHA-1's collision strength is around
+@math{2^{63}}. We consider this sufficiently hard so that we still
+support SHA-1. We anticipate that SHA-256/386/512 will be used in
+publicly-distributed certificates in the future. When @math{2^{63}}
+can be considered too weak compared to the computer power available
+sometime in the future, SHA-1 will be disabled as well. The collision
+attacks on SHA-1 may also get better, given the new interest in tools
+for creating them.
+
+@subsection Trading Security for Interoperability
+
+If you connect to a server and use GnuTLS' functions to verify the
+certificate chain, and get a @ref{GNUTLS_CERT_INSECURE_ALGORITHM}
+validation error (@pxref{Verifying X.509 certificate paths}), it means
+that somewhere in the certificate chain there is a certificate signed
+using @code{RSA-MD2} or @code{RSA-MD5}. These two digital signature
+algorithms are considered broken, so GnuTLS fail when attempting to
+verify the certificate. In some situations, it may be useful to be
+able to verify the certificate chain anyway, assuming an attacker did
+not utilize the fact that these signatures algorithms are broken.
+This section will give help on how to achieve that.
+
+First, it is important to know that you do not have to enable any of
+the flags discussed here to be able to use trusted root CA
+certificates signed using @code{RSA-MD2} or @code{RSA-MD5}. The only
+attack today is that it is possible to generate certificates with
+colliding signatures (collision resistance); you cannot generate a
+certificate that has the same signature as an already existing
+signature (2nd preimage resistance).
+
+If you are using @ref{gnutls_certificate_verify_peers2} to verify the
+certificate chain, you can call
+@ref{gnutls_certificate_set_verify_flags} with the
+@code{GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2} or
+@code{GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5} flag, as in:
+
+@example
+ gnutls_certificate_set_verify_flags (x509cred,
+ GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5);
+@end example
+
+This will tell the verifier algorithm to enable @code{RSA-MD5} when
+verifying the certificates.
+
+If you are using @ref{gnutls_x509_crt_verify} or
+@ref{gnutls_x509_crt_list_verify}, you can pass the
+@code{GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5} parameter directly in the
+@code{flags} parameter.
+
+If you are using these flags, it may also be a good idea to warn the
+user when verification failure occur for this reason. The simplest is
+to not use the flags by default, and only fall back to using them
+after warning the user. If you wish to inspect the certificate chain
+yourself, you can use @ref{gnutls_certificate_get_peers} to extract
+the raw server's certificate chain, then use
+@ref{gnutls_x509_crt_import} to parse each of the certificates, and
+then use @ref{gnutls_x509_crt_get_signature_algorithm} to find out the
+signing algorithm used for each certificate. If any of the
+intermediary certificates are using @code{GNUTLS_SIGN_RSA_MD2} or
+@code{GNUTLS_SIGN_RSA_MD5}, you could present a warning.
+
+
+@node PKCS #11 tokens
+@section @acronym{PKCS #11} tokens
+@anchor{sec:pkcs11}
+@cindex @acronym{PKCS #11} tokens
+
+@subsection Introduction
+This section copes with the @acronym{PKCS #11} support in @acronym{GnuTLS}.
+@acronym{PKCS #11} is plugin API allowing applications to access cryptographic
+operations on a token, as well as to objects residing on the token. A token can
+be a real hardware token such as a smart card, or it can be a software component
+such as @acronym{Gnome Keyring}. The objects residing on such token can be
+certificates, public keys, private keys or even plain data or secret keys. Of those
+certificates and public/private key pairs can be used with @acronym{GnuTLS}. It's
+main advantage is that it allows operations on private key objects such as decryption
+and signing without accessing the key itself.
+
+@subsection Initialization
+To allow all the @acronym{GnuTLS} applications to access @acronym{PKCS #11} tokens
+it is adviceable to use @code{/etc/gnutls/pkcs11.conf}. This file has the following
+format:
+
+@verbatim
+load=/usr/lib/opensc-pkcs11.so
+load=/usr/lib/gnome-keyring/gnome-keyring-pkcs11.so
+@end verbatim
+
+If you use this file, then there is no need for other initialization in
+@acronym{GnuTLS}, except for the PIN and token functions, to allow retrieving a PIN
+when accessing a protected object, such as a private key, or allowing probing
+the user to insert the token. All the initialization functions are below.
+
+@itemize
+
+@item @ref{gnutls_pkcs11_init}: Global initialization
+
+@item @ref{gnutls_pkcs11_deinit}: Global deinitialization
+
+@item @ref{gnutls_pkcs11_set_token_function}: Sets the token insertion function
+
+@item @ref{gnutls_pkcs11_set_pin_function}: Sets the PIN request function
+
+@item @ref{gnutls_pkcs11_add_provider}: Adds an additional @acronym{PKCS #11} provider
+
+@end itemize
+
+@subsection Reading Objects
+
+All @acronym{PKCS #11} objects are referenced by @acronym{GnuTLS} functions by
+URLs as described in @code{draft-pechanec-pkcs11uri-01}. For example a public
+key on a smart card may be referenced as:
+
+@example
+pkcs11:token=Nikos;serial=307521161601031;model=PKCS%2315;manufacturer=EnterSafe;\
+object=test1;objecttype=public;\
+id=32:f1:53:f3:e3:79:90:b0:86:24:14:10:77:ca:5d:ec:2d:15:fa:ed
+@end example
+
+while the smart card itself can be referenced as:
+@example
+pkcs11:token=Nikos;serial=307521161601031;model=PKCS%2315;manufacturer=EnterSafe
+@end example
+
+
+Objects can be accessed with the following functions
+@itemize
+
+@item @ref{gnutls_pkcs11_obj_init}: Initializes an object
+
+@item @ref{gnutls_pkcs11_obj_import_url}: To import an object from a url
+
+@item @ref{gnutls_pkcs11_obj_export_url}: To export the URL of the object
+
+@item @ref{gnutls_pkcs11_obj_deinit}: To deinitialize an object
+
+@item @ref{gnutls_pkcs11_obj_export}: To export data associated with object
+
+@item @ref{gnutls_pkcs11_obj_get_info}: To obtain information about an object
+
+@item @ref{gnutls_pkcs11_obj_list_import_url}: To mass load of objects
+
+@item @ref{gnutls_x509_crt_import_pkcs11}: Import a certificate object
+
+@item @ref{gnutls_x509_crt_import_pkcs11_url}: Helper function to directly import a URL into a certificate
+
+@item @ref{gnutls_x509_crt_list_import_pkcs11}: Mass import of certificates
+
+@end itemize
+
+
+Functions that relate to token handling are shown below
+@itemize
+
+@item @ref{gnutls_pkcs11_token_get_url}: Returns the URL of a token
+
+@item @ref{gnutls_pkcs11_token_get_info}: Obtain information about a token
+
+@item @ref{gnutls_pkcs11_token_get_flags}: Returns flags about a token (i.e. hardware or software)
+
+@end itemize
+
+The following example will list all tokens.
+@verbatim
+int i;
+char* url;
+
+ gnutls_global_init();
+
+ for (i=0;;i++) {
+ ret = gnutls_pkcs11_token_get_url(i, &url);
+ if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+ break;
+
+ if (ret < 0)
+ exit(1);
+
+ fprintf(stdout, "Token[%d]: URL: %s\n", i, url);
+ }
+ gnutls_global_deinit();
+@end verbatim
+
+
+The next one will list all objects in a token:
+@verbatim
+gnutls_pkcs11_obj_t *obj_list;
+unsigned int obj_list_size = 0;
+gnutls_datum_t cinfo;
+int i;
+
+ crt_list_size = 0;
+ ret = gnutls_pkcs11_obj_list_import_url( crt_list, NULL, url, \
+ GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY);
+ if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
+ exit(1);
+
+ crt_list = malloc(sizeof(*crt_list)*crt_list_size);
+ if (crt_list == NULL)
+ exit(1);
+
+ ret = gnutls_pkcs11_obj_list_import_url( crt_list, &crt_list_size, url, flags);
+ if (ret < 0)
+ exit(1);
+
+ /* now all certificates are in crt_list */
+
+ for (i=0;i<crt_list_size;i++) {
+
+ ret = gnutls_x509_crt_init(&xcrt);
+ if (ret < 0)
+ exit(1);
+
+ ret = gnutls_x509_crt_import_pkcs11(xcrt, crt_list[i]);
+ if (ret < 0)
+ exit(1);
+
+ ret = gnutls_x509_crt_print (xcrt, GNUTLS_CRT_PRINT_FULL, &cinfo);
+ if (ret < 0)
+ exit(1);
+
+ fprintf(stdout, "cert[%d]:\n %s\n\n", cinfo.data);
+
+ gnutls_free(cinfo.data);
+ gnutls_x509_crt_deinit(&xcrt);
+ }
+@end verbatim
+
+
+@subsection Writing Objects
+
+With @acronym{GnuTLS} you can copy existing private keys and certificates
+to a token. This can be achieved with the following functions
+
+@itemize
+
+@item @ref{gnutls_pkcs11_delete_url}: To delete an object
+
+@item @ref{gnutls_pkcs11_copy_x509_privkey}: To copy a private key to a token
+
+@item @ref{gnutls_pkcs11_copy_x509_crt}: To copy a certificate to a token
+
+@end itemize
+
+
+@subsection Using a @acronym{PKCS #11} token with TLS
+
+This example will demonstrate how to load keys and certificates
+from a @acronym{PKCS} #11 token, and use it with a TLS connection.
+
+@verbatiminclude examples/ex-cert-select-pkcs11.c
+
diff --git a/doc/cha-ciphersuites.texi b/doc/cha-ciphersuites.texi
new file mode 100644
index 0000000000..e0fad2218f
--- /dev/null
+++ b/doc/cha-ciphersuites.texi
@@ -0,0 +1,44 @@
+@node All the supported ciphersuites in GnuTLS
+@chapter All the Supported Ciphersuites in @acronym{GnuTLS}
+@anchor{ciphersuites}
+@cindex Ciphersuites
+
+@include algorithms.texi
+
+Some additional information regarding some of the algorithms:
+
+@table @code
+@item RSA
+RSA is public key cryptosystem designed by Ronald Rivest, Adi Shamir
+and Leonard Adleman. It can be used with any hash functions.
+
+@item DSA
+DSA is the USA's Digital Signature Standard. It uses only the SHA-1
+hash algorithm.
+
+@item MD2
+MD2 is a cryptographic hash algorithm designed by Ron Rivest. It is
+optimized for 8-bit processors. Outputs 128 bits of data. There are
+no known weaknesses of this algorithm but since this algorithm is
+rarely used and not really studied it should not be used today.
+
+@item MD5
+MD5 is a cryptographic hash algorithm designed by Ron Rivest. Outputs
+128 bits of data. It is considered to be broken.
+
+@item SHA-1
+SHA is a cryptographic hash algorithm designed by NSA. Outputs 160
+bits of data. It is also considered to be broken, though no practical
+attacks have been found.
+
+@item RMD160
+RIPEMD is a cryptographic hash algorithm developed in the framework of
+the EU project RIPE. Outputs 160 bits of data.
+
+@end table
+
+@c
+@c Guile Bindings
+@c
+
+@include guile.texi
diff --git a/doc/cha-copying.texi b/doc/cha-copying.texi
new file mode 100644
index 0000000000..d35dd92e55
--- /dev/null
+++ b/doc/cha-copying.texi
@@ -0,0 +1,29 @@
+@node Copying Information
+@appendix Copying Information
+
+@menu
+* GNU Free Documentation License:: License for copying this manual.
+* GNU LGPL:: License for copying the core GnuTLS library.
+* GNU GPL:: License for copying GnuTLS-extra and tools.
+@end menu
+
+@node GNU Free Documentation License
+@appendixsec GNU Free Documentation License
+
+@cindex FDL, GNU Free Documentation License
+
+@include fdl-1.3.texi
+
+@node GNU LGPL
+@appendixsec GNU Lesser General Public License
+@cindex LGPL, GNU Lesser General Public License
+@cindex License, GNU LGPL
+
+@include lgpl-2.1.texi
+
+@node GNU GPL
+@appendixsec GNU General Public License
+@cindex GPL, GNU General Public License
+@cindex License, GNU GPL
+
+@include gpl-3.0.texi
diff --git a/doc/cha-functions.texi b/doc/cha-functions.texi
new file mode 100644
index 0000000000..f73bc571e9
--- /dev/null
+++ b/doc/cha-functions.texi
@@ -0,0 +1,120 @@
+@node Function reference
+@chapter Function Reference
+@cindex Function reference
+
+@menu
+* Core functions::
+* X.509 certificate functions::
+* GnuTLS-extra functions::
+* OpenPGP functions::
+* TLS Inner Application (TLS/IA) functions::
+* Error codes and descriptions::
+@end menu
+
+@node Core functions
+@section Core Functions
+
+The prototypes for the following functions lie in
+@file{gnutls/gnutls.h}.
+
+@include gnutls-api.texi
+
+@node X.509 certificate functions
+@section @acronym{X.509} Certificate Functions
+@anchor{sec:x509api}
+@cindex @acronym{X.509} Functions
+
+The following functions are to be used for @acronym{X.509} certificate handling.
+Their prototypes lie in @file{gnutls/x509.h}.
+
+@include x509-api.texi
+
+@node GnuTLS-extra functions
+@section @acronym{GnuTLS-extra} Functions
+@cindex @acronym{GnuTLS-extra} functions
+
+These functions are only available in the GPLv3+ version of the
+library called @code{gnutls-extra}. The prototypes for this library
+lie in @file{gnutls/extra.h}.
+
+@include extra-api.texi
+
+@node OpenPGP functions
+@section @acronym{OpenPGP} Functions
+@cindex @acronym{OpenPGP} functions
+@anchor{sec:openpgpapi}
+
+The following functions are to be used for @acronym{OpenPGP}
+certificate handling. Their prototypes lie in
+@file{gnutls/openpgp.h}.
+
+@include pgp-api.texi
+
+@node TLS Inner Application (TLS/IA) functions
+@section @acronym{TLS} Inner Application (@acronym{TLS/IA}) Functions
+@cindex @acronym{TLS} Inner Application (@acronym{TLS/IA}) functions
+@cindex Inner Application (@acronym{TLS/IA}) functions
+
+The following functions are used for @acronym{TLS} Inner Application
+(@acronym{TLS/IA}). Their prototypes lie in @file{gnutls/extra.h}.
+You need to link with @file{libgnutls-extra} to be able to use these
+functions (@pxref{GnuTLS-extra functions}).
+
+The typical control flow in an TLS/IA client (that would not require
+an Application Phase for resumed sessions) would be similar to the
+following:
+
+@example
+int client_avp (gnuls_session_t *session, void *ptr,
+ const char *last, size_t lastlen,
+ char **new, size_t *newlen)
+@{
+...
+@}
+...
+int main ()
+@{
+ gnutls_ia_client_credentials_t iacred;
+...
+ gnutls_init (&session, GNUTLS_CLIENT);
+...
+ /* Enable TLS/IA. */
+ gnutls_ia_allocate_client_credentials(&iacred);
+ gnutls_ia_set_client_avp_function(iacred, client_avp);
+ gnutls_credentials_set (session, GNUTLS_CRD_IA, iacred);
+...
+ ret = gnutls_handshake (session);
+ // Error handling...
+...
+ if (gnutls_ia_handshake_p (session))
+ @{
+ ret = gnutls_ia_handshake (session);
+ // Error handling...
+...
+@end example
+
+See below for detailed descriptions of all the functions used above.
+
+The function @code{client_avp} would have to be implemented by your
+application. The function is responsible for handling the AVP data.
+See @code{gnutls_ia_set_client_avp_function} below for more
+information on how that function should be implemented.
+
+The control flow in a typical server is similar to the above, use
+@code{gnutls_ia_server_credentials_t} instead of
+@code{gnutls_ia_client_credentials_t}, and replace the call to the
+client functions with the corresponding server functions.
+
+@include ia-api.texi
+
+@node Error codes and descriptions
+@section Error Codes and Descriptions
+@anchor{Error Codes}
+@cindex Error codes
+
+The error codes used throughout the library are described below. The
+return code @code{GNUTLS_E_SUCCESS} indicate successful operation, and
+is guaranteed to have the value 0, so you can use it in logical
+expressions.
+
+@include error_codes.texi
diff --git a/doc/cha-internals.texi b/doc/cha-internals.texi
new file mode 100644
index 0000000000..fda6221699
--- /dev/null
+++ b/doc/cha-internals.texi
@@ -0,0 +1,336 @@
+@node Internal architecture of GnuTLS
+@chapter Internal Architecture of GnuTLS
+@cindex Internal architecture
+
+This chapter is to give a brief description of the
+way @acronym{GnuTLS} works. The focus is to give an idea
+to potential developers and those who want to know what
+happens inside the black box.
+
+@menu
+* The TLS Protocol::
+* TLS Handshake Protocol::
+* TLS Authentication Methods::
+* TLS Extension Handling::
+* Certificate Handling::
+* Cryptographic Backend::
+@end menu
+
+@node The TLS Protocol
+@section The TLS Protocol
+The main needs for the TLS protocol to be used are
+shown in the image below.
+
+@image{gnutls-client-server-use-case,9cm}
+
+This is being accomplished by the following object diagram.
+Note that since @acronym{GnuTLS} is being developed in C
+object are just structures with attributes. The operations listed
+are functions that require the first parameter to be that object.
+@image{gnutls-objects,15cm}
+
+@node TLS Handshake Protocol
+@section TLS Handshake Protocol
+The @acronym{GnuTLS} handshake protocol is implemented as a state
+machine that waits for input or returns immediately when the non-blocking
+transport layer functions are used. The main idea is shown in the following
+figure.
+
+@image{gnutls-handshake-state,9cm}
+
+Also the way the input is processed varies per ciphersuite. Several
+implementations of the internal handlers are available and
+@ref{gnutls_handshake} only multiplexes the input to the appropriate
+handler. For example a @acronym{PSK} ciphersuite has a different
+implementation of the @code{process_client_key_exchange} than a
+certificate ciphersuite.
+
+@image{gnutls-handshake-sequence,12cm}
+
+@node TLS Authentication Methods
+@section TLS Authentication Methods
+In @acronym{GnuTLS} authentication methods can be implemented quite
+easily. Since the required changes to add a new authentication method
+affect only the handshake protocol, a simple interface is used. An
+authentication method needs only to implement the functions as seen in
+the figure below.
+
+@image{gnutls-mod_auth_st,12cm}
+
+The functions that need to be implemented are the ones responsible for
+interpreting the handshake protocol messages. It is common for such
+functions to read data from one or more @code{credentials_t}
+structures@footnote{such as the
+@code{gnutls_certificate_credentials_t} structures} and write data,
+such as certificates, usernames etc. to @code{auth_info_t} structures.
+
+Simple examples of existing authentication methods can be seen in
+@code{auth_psk.c} for PSK ciphersuites and @code{auth_srp.c} for SRP
+ciphersuites. After implementing these functions the structure holding
+its pointers has to be registered in @code{gnutls_algorithms.c} in the
+@code{_gnutls_kx_algorithms} structure.
+
+@node TLS Extension Handling
+@section TLS Extension Handling
+As with authentication methods, the TLS extensions handlers can be
+implemented using the following interface.
+
+@image{gnutls-extensions_st,12cm}
+
+Here there are two functions, one for receiving the extension data
+and one for sending. These functions have to check internally whether
+they operate in client or server side.
+
+A simple example of an extension handler can be seen in
+@code{ext_srp.c} After implementing these functions, together with the
+extension number they handle, they have to be registered in
+@code{gnutls_extensions.c} in the @code{_gnutls_extensions} structure.
+
+@subsection Adding a New TLS Extension
+
+Adding support for a new TLS extension is done from time to time, and
+the process to do so is not difficult. Here are the steps you need to
+follow if you wish to do this yourself. For sake of discussion, let's
+consider adding support for the hypothetical TLS extension
+@code{foobar}.
+
+@enumerate
+
+@item Add @code{configure} option like @code{--enable-foobar} or @code{--disable-foobar}.
+
+Which to chose depends on whether you intend to make the extension be
+enabled by default. Look at existing checks (i.e., SRP, authz) for
+how to model the code. For example:
+
+@example
+AC_MSG_CHECKING([whether to disable foobar support])
+AC_ARG_ENABLE(foobar,
+ AS_HELP_STRING([--disable-foobar],
+ [disable foobar support]),
+ ac_enable_foobar=no)
+if test x$ac_enable_foobar != xno; then
+ AC_MSG_RESULT(no)
+ AC_DEFINE(ENABLE_FOOBAR, 1, [enable foobar])
+else
+ ac_full=0
+ AC_MSG_RESULT(yes)
+fi
+AM_CONDITIONAL(ENABLE_FOOBAR, test "$ac_enable_foobar" != "no")
+@end example
+
+These lines should go in @code{lib/m4/hooks.m4}.
+
+@item Add IANA extension value to @code{extensions_t} in @code{gnutls_int.h}.
+
+A good name for the value would be GNUTLS_EXTENSION_FOOBAR. Check
+with @url{http://www.iana.org/assignments/tls-extensiontype-values}
+for allocated values. For experiments, you could pick a number but
+remember that some consider it a bad idea to deploy such modified
+version since it will lead to interoperability problems in the future
+when the IANA allocates that number to someone else, or when the
+foobar protocol is allocated another number.
+
+@item Add an entry to @code{_gnutls_extensions} in @code{gnutls_extensions.c}.
+
+A typical entry would be:
+
+@example
+ int ret;
+
+ /* ...
+ */
+
+#if ENABLE_FOOBAR
+ ret = gnutls_ext_register (GNUTLS_EXTENSION_FOOBAR,
+ "FOOBAR",
+ GNUTLS_EXT_TLS,
+ _gnutls_foobar_recv_params,
+ _gnutls_foobar_send_params);
+ if (ret != GNUTLS_E_SUCCESS)
+ return ret;
+#endif
+@end example
+
+The GNUTLS_EXTENSION_FOOBAR is the integer value you added to
+@code{gnutls_int.h} earlier. The two functions are new functions that
+you will need to implement, most likely you'll need to add an
+@code{#include "ext_foobar.h"} as well.
+
+@item Add new files @code{ext_foobar.c} and @code{ext_foobar.h} that implements the extension.
+
+The functions you are responsible to add are those mentioned in the
+previous step. As a starter, you could add this:
+
+@example
+int
+_gnutls_foobar_recv_params (gnutls_session_t session,
+ const opaque * data,
+ size_t data_size)
+@{
+ return 0;
+@}
+
+int
+_gnutls_foobar_send_params (gnutls_session_t session,
+ opaque * data,
+ size_t _data_size)
+@{
+ return 0;
+@}
+@end example
+
+The @code{_gnutls_foobar_recv_params} function is responsible for
+parsing incoming extension data (both in the client and server).
+
+The @code{_gnutls_foobar_send_params} function is responsible for
+sending extension data (both in the client and server).
+
+If you receive length fields that doesn't match, return
+@code{GNUTLS_E_UNEXPECTED_PACKET_LENGTH}. If you receive invalid
+data, return @code{GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER}. You can use
+other error codes too. Return 0 on success.
+
+The function typically store some information in the @code{session}
+variable for later usage. If you need to add new fields there, check
+@code{tls_ext_st} in @code{gnutls_int.h} and compare with existing TLS
+extension specific variables.
+
+Recall that both the client and server both send and receives
+parameters, and your code most likely will need to do different things
+depending on which mode it is in. It may be useful to make this
+distinction explicit in the code. Thus, for example, a better
+template than above would be:
+
+@example
+int
+_gnutls_foobar_recv_params (gnutls_session_t session,
+ const opaque * data,
+ size_t data_size)
+@{
+ if (session->security_parameters.entity == GNUTLS_CLIENT)
+ return foobar_recv_client (session, data, data_size);
+ else
+ return foobar_recv_server (session, data, data_size);
+@}
+
+int
+_gnutls_foobar_send_params (gnutls_session_t session,
+ opaque * data,
+ size_t data_size)
+@{
+ if (session->security_parameters.entity == GNUTLS_CLIENT)
+ return foobar_send_client (session, data, data_size);
+ else
+ return foobar_send_server (session, data, data_size);
+@}
+@end example
+
+The functions used would be declared as @code{static} functions, of
+the appropriate prototype, in the same file.
+
+When adding the files, you'll need to add them to @code{Makefile.am}
+as well, for example:
+
+@example
+if ENABLE_FOOBAR
+COBJECTS += ext_foobar.c
+HFILES += ext_foobar.h
+endif
+@end example
+
+@item Add API functions to enable/disable the extension.
+
+Normally the client will have one API to request use of the extension,
+and setting some extension specific data. The server will have one
+API to let the library know that it is willing to accept the
+extension, often this is implemented through a callback but it doesn't
+have to.
+
+The APIs need to be added to @code{includes/gnutls/gnutls.h} or
+@code{includes/gnutls/extra.h} as appropriate. It is recommended that
+if you don't have a requirement to use the LGPLv2.1+ license for your
+extension, that you place your work under the GPLv3+ license and thus
+in the libgnutls-extra library.
+
+You can implement the API function in the @code{ext_foobar.c} file, or
+if that file ends up becoming rather larger, add a
+@code{gnutls_foobar.c} file.
+
+To make the API available in the shared library you need to add the
+symbol in @code{lib/libgnutls.map} or
+@code{libextra/libgnutls-extra.map} as appropriate, so that the symbol
+is exported properly.
+
+When writing GTK-DOC style documentation for your new APIs, don't
+forget to add @code{Since:} tags to indicate the GnuTLS version the
+API was introduced in.
+
+@end enumerate
+
+@node Certificate Handling
+@section Certificate Handling
+What is provided by the certificate handling functions
+is summarized in the following diagram.
+
+@image{gnutls-certificate-user-use-case,12cm}
+
+@node Cryptographic Backend
+@section Cryptographic Backend
+Several new systems provide hardware assisted cryptographic algorithm
+implementations that offer implementations some orders of magnitude
+faster than the software. For this reason GnuTLS supports by default
+the /dev/crypto device usually found in FreeBSD and OpenBSD system, to
+take advantage of installed hardware.
+
+In addition it is possible to override parts of the crypto backend or the
+whole. It is possible to override them both at runtime and compile
+time, however here we will discuss the runtime possibility. The API
+available for this functionality is in @code{gnutls/crypto.h} header
+file.
+
+@subsection Override specific algorithms
+When an optimized implementation of a single algorithm is available,
+say a hardware assisted version of @acronym{AES-CBC} then the
+following functions can be used to register those algorithms.
+
+@itemize
+
+@item @ref{gnutls_crypto_single_cipher_register2}
+To register a cipher algorithm.
+
+@ref{gnutls_crypto_single_digest_register2}
+To register a hash (digest) or MAC algorithm.
+
+@end itemize
+
+Those registration functions will only replace the specified algorithm
+and leave the rest of subsystem intact.
+
+@subsection Override parts of the backend
+In some systems, such as embedded ones, it might be desirable to
+override big parts of the cryptographic backend, or even all of
+them. For this reason the following functions are provided.
+
+@itemize
+
+@item @ref{gnutls_crypto_cipher_register2}
+To override the cryptographic algorithms backend.
+
+@item @ref{gnutls_crypto_digest_register2}
+To override the digest algorithms backend.
+
+@item @ref{gnutls_crypto_rnd_register2}
+To override the random number generator backend.
+
+@item @ref{gnutls_crypto_bigint_register2}
+To override the big number number operations backend.
+
+@item @ref{gnutls_crypto_pk_register2}
+To override the public key encryption backend. This is tight to the
+big number operations so either both of them should be updated or care
+must be taken to use the same format.
+
+@end itemize
+
+If all of them are used then GnuTLS will no longer use libgcrypt.
+
diff --git a/doc/cha-intro-tls.texi b/doc/cha-intro-tls.texi
new file mode 100644
index 0000000000..f7b88d07a1
--- /dev/null
+++ b/doc/cha-intro-tls.texi
@@ -0,0 +1,783 @@
+@node Introduction to TLS
+@chapter Introduction to @acronym{TLS}
+
+@acronym{TLS} stands for ``Transport Layer Security'' and is the
+successor of SSL, the Secure Sockets Layer protocol @xcite{SSL3}
+designed by Netscape. @acronym{TLS} is an Internet protocol, defined
+by @acronym{IETF}@footnote{IETF, or Internet Engineering Task Force,
+is a large open international community of network designers,
+operators, vendors, and researchers concerned with the evolution of
+the Internet architecture and the smooth operation of the Internet.
+It is open to any interested individual.}, described in @acronym{RFC}
+4346 and also in @xcite{RESCORLA}. The protocol provides
+confidentiality, and authentication layers over any reliable transport
+layer. The description, below, refers to @acronym{TLS} 1.0 but also
+applies to @acronym{TLS} 1.1 @xcite{RFC4346} and @acronym{SSL} 3.0,
+since the differences of these protocols are minor. Older protocols
+such as @acronym{SSL} 2.0 are not discussed nor implemented in
+@acronym{GnuTLS} since they are not considered secure today. GnuTLS
+also supports @acronym{X.509} and @acronym{OpenPGP} @xcite{RFC4880}.
+
+@menu
+* TLS layers::
+* The transport layer::
+* The TLS record protocol::
+* The TLS Alert Protocol::
+* The TLS Handshake Protocol::
+* TLS Extensions::
+* Selecting cryptographic key sizes::
+* On SSL 2 and older protocols::
+* On Record Padding::
+* Safe Renegotiation::
+@end menu
+
+@node TLS layers
+@section TLS Layers
+@cindex TLS Layers
+
+@acronym{TLS} is a layered protocol, and consists of the Record
+Protocol, the Handshake Protocol and the Alert Protocol. The Record
+Protocol is to serve all other protocols and is above the transport
+layer. The Record protocol offers symmetric encryption, data
+authenticity, and optionally compression.
+
+The Alert protocol offers some signaling to the other protocols. It
+can help informing the peer for the cause of failures and other error
+conditions. @xref{The Alert Protocol}, for more information. The
+alert protocol is above the record protocol.
+
+The Handshake protocol is responsible for the security parameters'
+negotiation, the initial key exchange and authentication. @xref{The
+Handshake Protocol}, for more information about the handshake
+protocol. The protocol layering in TLS is shown in the figure below.
+
+@image{gnutls-layers,12cm,8cm}
+
+@node The transport layer
+@section The Transport Layer
+@cindex Transport protocol
+
+@acronym{TLS} is not limited to one transport layer, it can be used
+above any transport layer, as long as it is a reliable one. A set of
+functions is provided and their purpose is to load to @acronym{GnuTLS} the
+required callbacks to access the transport layer.
+
+@itemize
+@item @ref{gnutls_transport_set_push_function}
+@item @ref{gnutls_transport_set_pull_function}
+@item @ref{gnutls_transport_set_ptr}
+@item @ref{gnutls_transport_set_lowat}
+@item @ref{gnutls_transport_set_errno}
+@end itemize
+
+These functions accept a callback function as a parameter. The
+callback functions should return the number of bytes written, or -1 on
+error and should set @code{errno} appropriately.
+
+In some environments, setting @code{errno} is unreliable, for example
+Windows have several errno variables in different CRTs, or it may be
+that errno is not a thread-local variable. If this is a concern to
+you, call @code{gnutls_transport_set_errno} with the intended errno
+value instead of setting @code{errno} directly.
+
+@acronym{GnuTLS} currently only interprets the EINTR and EAGAIN errno
+values and returns the corresponding @acronym{GnuTLS} error codes
+@code{GNUTLS_E_INTERRUPTED} and @code{GNUTLS_E_AGAIN}. These values
+are usually returned by interrupted system calls, or when non blocking
+IO is used. All @acronym{GnuTLS} functions can be resumed (called
+again), if any of these error codes is returned. The error codes
+above refer to the system call, not the @acronym{GnuTLS} function,
+since signals do not interrupt @acronym{GnuTLS}' functions.
+
+For non blocking sockets or other custom made pull/push functions
+the @ref{gnutls_transport_set_lowat} must be called, with a zero
+low water mark value.
+
+By default, if the transport functions are not set, @acronym{GnuTLS}
+will use the Berkeley Sockets functions. In this case
+@acronym{GnuTLS} will use some hacks in order for @code{select} to
+work, thus making it easy to add @acronym{TLS} support to existing
+TCP/IP servers.
+
+@node The TLS record protocol
+@section The TLS Record Protocol
+@cindex Record protocol
+
+The Record protocol is the secure communications provider. Its purpose
+is to encrypt, authenticate and ---optionally--- compress packets.
+The following functions are available:
+
+@table @asis
+
+@item @ref{gnutls_record_send}:
+To send a record packet (with application data).
+
+@item @ref{gnutls_record_recv}:
+To receive a record packet (with application data).
+
+@item @ref{gnutls_record_get_direction}:
+To get the direction of the last interrupted function call.
+@end table
+
+As you may have already noticed, the functions which access the Record
+protocol, are quite limited, given the importance of this protocol in
+@acronym{TLS}. This is because the Record protocol's parameters are
+all set by the Handshake protocol.
+
+The Record protocol initially starts with NULL parameters, which means
+no encryption, and no MAC is used. Encryption and authentication begin
+just after the handshake protocol has finished.
+
+@menu
+* Encryption algorithms used in the record layer::
+* Compression algorithms used in the record layer::
+* Weaknesses and countermeasures::
+@end menu
+
+@node Encryption algorithms used in the record layer
+@subsection Encryption Algorithms Used in the Record Layer
+@cindex Symmetric encryption algorithms
+
+Confidentiality in the record layer is achieved by using symmetric
+block encryption algorithms like @code{3DES}, @code{AES}@footnote{AES,
+or Advanced Encryption Standard, is actually the RIJNDAEL algorithm.
+This is the algorithm that replaced DES.}, or stream algorithms like
+@code{ARCFOUR_128}@footnote{@code{ARCFOUR_128} is a compatible
+algorithm with RSA's RC4 algorithm, which is considered to be a trade
+secret.}. Ciphers are encryption algorithms that use a single, secret,
+key to encrypt and decrypt data. Block algorithms in TLS also provide
+protection against statistical analysis of the data. Thus, if you're
+using the @acronym{TLS} protocol, a random number of blocks will be
+appended to data, to prevent eavesdroppers from guessing the actual
+data size.
+
+Supported cipher algorithms:
+
+@table @code
+@item 3DES_CBC
+@code{3DES_CBC} is the DES block cipher algorithm used with triple
+encryption (EDE). Has 64 bits block size and is used in CBC mode.
+
+@item ARCFOUR_128
+ARCFOUR is a fast stream cipher.
+
+@item ARCFOUR_40
+This is the ARCFOUR cipher that is fed with a 40 bit key,
+which is considered weak.
+
+@item AES_CBC
+AES or RIJNDAEL is the block cipher algorithm that replaces the old
+DES algorithm. Has 128 bits block size and is used in CBC mode. This
+is not officially supported in TLS.
+@end table
+
+Supported MAC algorithms:
+
+@table @code
+@item MAC_MD5
+MD5 is a cryptographic hash algorithm designed by Ron Rivest. Outputs
+128 bits of data.
+
+@item MAC_SHA
+SHA is a cryptographic hash algorithm designed by NSA. Outputs 160
+bits of data.
+
+@end table
+
+@node Compression algorithms used in the record layer
+@subsection Compression Algorithms Used in the Record Layer
+@cindex Compression algorithms
+
+The TLS record layer also supports compression. The algorithms
+implemented in @acronym{GnuTLS} can be found in the table below.
+All the algorithms except for DEFLATE which is
+referenced in @xcite{RFC3749}, should be considered as
+@acronym{GnuTLS}' extensions@footnote{You should use
+@ref{gnutls_handshake_set_private_extensions} to enable private
+extensions.}, and should be advertised only when the peer is known to
+have a compliant client, to avoid interoperability problems.
+
+The included algorithms perform really good when text, or other
+compressible data are to be transfered, but offer nothing on already
+compressed data, such as compressed images, zipped archives etc.
+These compression algorithms, may be useful in high bandwidth TLS
+tunnels, and in cases where network usage has to be minimized. As a
+drawback, compression increases latency.
+
+The record layer compression in @acronym{GnuTLS} is implemented based
+on the proposal @xcite{RFC3749}.
+The supported compression algorithms are:
+
+@table @code
+@item DEFLATE
+Zlib compression, using the deflate algorithm.
+
+@item LZO
+LZO is a very fast compression algorithm. This algorithm is only
+available if the @acronym{GnuTLS-extra} library has been initialized
+and the private extensions are enabled, and if GnuTLS was built with
+LZO support.
+
+@end table
+
+@node Weaknesses and countermeasures
+@subsection Weaknesses and Countermeasures
+
+Some weaknesses that may affect the security of the Record layer have
+been found in @acronym{TLS} 1.0 protocol. These weaknesses can be
+exploited by active attackers, and exploit the facts that
+
+@enumerate
+
+@item
+@acronym{TLS} has separate alerts for ``decryption_failed'' and
+``bad_record_mac''
+
+@item
+The decryption failure reason can be detected by timing the response
+time.
+
+@item
+The IV for CBC encrypted packets is the last block of the previous
+encrypted packet.
+
+@end enumerate
+
+Those weaknesses were solved in @acronym{TLS} 1.1 @xcite{RFC4346}
+which is implemented in @acronym{GnuTLS}. For a detailed discussion
+see the archives of the TLS Working Group mailing list and the paper
+@xcite{CBCATT}.
+
+@node The TLS Alert Protocol
+@section The TLS Alert Protocol
+@anchor{The Alert Protocol}
+@cindex Alert protocol
+
+The Alert protocol is there to allow signals to be sent between peers.
+These signals are mostly used to inform the peer about the cause of a
+protocol failure. Some of these signals are used internally by the
+protocol and the application protocol does not have to cope with them
+(see @code{GNUTLS_A_CLOSE_NOTIFY}), and others refer to the
+application protocol solely (see @code{GNUTLS_A_USER_CANCELLED}). An
+alert signal includes a level indication which may be either fatal or
+warning. Fatal alerts always terminate the current connection, and
+prevent future renegotiations using the current session ID.
+
+The alert messages are protected by the record protocol, thus the
+information that is included does not leak. You must take extreme care
+for the alert information not to leak to a possible attacker, via
+public log files etc.
+
+@table @asis
+@item @ref{gnutls_alert_send}:
+To send an alert signal.
+
+@item @ref{gnutls_error_to_alert}:
+To map a gnutls error number to an alert signal.
+
+@item @ref{gnutls_alert_get}:
+Returns the last received alert.
+
+@item @ref{gnutls_alert_get_name}:
+Returns the name, in a character array, of the given alert.
+
+@end table
+
+@node The TLS Handshake Protocol
+@section The TLS Handshake Protocol
+@anchor{The Handshake Protocol}
+@cindex Handshake protocol
+
+The Handshake protocol is responsible for the ciphersuite negotiation,
+the initial key exchange, and the authentication of the two peers.
+This is fully controlled by the application layer, thus your program
+has to set up the required parameters. Available functions to control
+the handshake protocol include:
+
+@table @asis
+@item @ref{gnutls_priority_init}:
+To initialize a priority set of ciphers.
+
+@item @ref{gnutls_priority_deinit}:
+To deinitialize a priority set of ciphers.
+
+@item @ref{gnutls_priority_set}:
+To associate a priority set with a @acronym{TLS} session.
+
+@item @ref{gnutls_priority_set_direct}:
+To directly associate a session with a given priority string.
+
+@item @ref{gnutls_credentials_set}:
+To set the appropriate credentials structures.
+
+@item @ref{gnutls_certificate_server_set_request}:
+To set whether client certificate is required or not.
+
+@item @ref{gnutls_handshake}:
+To initiate the handshake.
+@end table
+
+@subsection TLS Cipher Suites
+
+The Handshake Protocol of @acronym{TLS} negotiates cipher suites of
+the form @code{TLS_DHE_RSA_WITH_3DES_CBC_SHA}. The usual cipher
+suites contain these parameters:
+
+@itemize
+
+@item The key exchange algorithm.
+@code{DHE_RSA} in the example.
+
+@item The Symmetric encryption algorithm and mode
+@code{3DES_CBC} in this example.
+
+@item The MAC@footnote{MAC stands for Message Authentication Code. It can be described as a keyed hash algorithm. See RFC2104.} algorithm used for authentication.
+@code{MAC_SHA} is used in the above example.
+
+@end itemize
+
+The cipher suite negotiated in the handshake protocol will affect the
+Record Protocol, by enabling encryption and data authentication. Note
+that you should not over rely on @acronym{TLS} to negotiate the
+strongest available cipher suite. Do not enable ciphers and algorithms
+that you consider weak.
+
+The priority functions, dicussed above, allow the application layer to
+enable and set priorities on the individual ciphers. It may imply that
+all combinations of ciphersuites are allowed, but this is not
+true. For several reasons, not discussed here, some combinations were
+not defined in the @acronym{TLS} protocol. The supported ciphersuites
+are shown in @ref{ciphersuites}.
+
+@subsection Client Authentication
+@cindex Client Certificate authentication
+
+In the case of ciphersuites that use certificate authentication, the
+authentication of the client is optional in @acronym{TLS}. A server
+may request a certificate from the client --- using the
+@ref{gnutls_certificate_server_set_request} function. If a certificate
+is to be requested from the client during the handshake, the server
+will send a certificate request message that contains a list of
+acceptable certificate signers. In @acronym{GnuTLS} the certificate
+signers list is constructed using the trusted Certificate Authorities
+by the server. That is the ones set using
+@itemize
+@item @ref{gnutls_certificate_set_x509_trust_file}
+@item @ref{gnutls_certificate_set_x509_trust_mem}
+@end itemize
+
+Sending of the names of the CAs can be controlled using
+@ref{gnutls_certificate_send_x509_rdn_sequence}. The client, then, may
+send a certificate, signed by one of the server's acceptable signers.
+
+@subsection Resuming Sessions
+@anchor{resume}
+@cindex Resuming sessions
+
+The @ref{gnutls_handshake} function, is expensive since a lot of
+calculations are performed. In order to support many fast connections
+to the same server a client may use session resuming. @strong{Session
+resuming} is a feature of the @acronym{TLS} protocol which allows a
+client to connect to a server, after a successful handshake, without
+the expensive calculations. This is achieved by using the previously
+established keys. @acronym{GnuTLS} supports this feature, and the
+example (@pxref{ex:resume-client}) illustrates a typical use of it.
+
+Keep in mind that sessions are expired after some time, for security
+reasons, thus it may be normal for a server not to resume a session
+even if you requested that. Also note that you must enable, using the
+priority functions, at least the algorithms used in the last session.
+
+@subsection Resuming Internals
+
+The resuming capability, mostly in the server side, is one of the
+problems of a thread-safe TLS implementations. The problem is that all
+threads must share information in order to be able to resume
+sessions. The gnutls approach is, in case of a client, to leave all
+the burden of resuming to the client. I.e., copy and keep the
+necessary parameters. See the functions:
+
+@itemize
+
+@item @ref{gnutls_session_get_data}
+
+@item @ref{gnutls_session_get_id}
+
+@item @ref{gnutls_session_set_data}
+
+@end itemize
+
+The server side is different. A server has to specify some callback
+functions which store, retrieve and delete session data. These can be
+registered with:
+
+@itemize
+
+@item @ref{gnutls_db_set_remove_function}
+
+@item @ref{gnutls_db_set_store_function}
+
+@item @ref{gnutls_db_set_retrieve_function}
+
+@item @ref{gnutls_db_set_ptr}
+
+@end itemize
+
+It might also be useful to be able to check for expired sessions in
+order to remove them, and save space. The function
+@ref{gnutls_db_check_entry} is provided for that reason.
+
+@node TLS Extensions
+@section TLS Extensions
+@cindex TLS Extensions
+
+A number of extensions to the @acronym{TLS} protocol have been
+proposed mainly in @xcite{TLSEXT}. The extensions supported
+in @acronym{GnuTLS} are:
+
+@itemize
+@item Maximum fragment length negotiation
+@item Server name indication
+@item Session tickets
+@end itemize
+
+and they will be discussed in the subsections that follow.
+
+@subsection Maximum Fragment Length Negotiation
+@cindex TLS Extensions
+@cindex Maximum fragment length
+
+This extension allows a @acronym{TLS} implementation to negotiate a
+smaller value for record packet maximum length. This extension may be
+useful to clients with constrained capabilities. See the
+@ref{gnutls_record_set_max_size} and the
+@ref{gnutls_record_get_max_size} functions.
+
+@subsection Server Name Indication
+@anchor{serverind}
+@cindex TLS Extensions
+@cindex Server name indication
+
+A common problem in @acronym{HTTPS} servers is the fact that the
+@acronym{TLS} protocol is not aware of the hostname that a client
+connects to, when the handshake procedure begins. For that reason the
+@acronym{TLS} server has no way to know which certificate to send.
+
+This extension solves that problem within the @acronym{TLS} protocol,
+and allows a client to send the HTTP hostname before the handshake
+begins within the first handshake packet. The functions
+@ref{gnutls_server_name_set} and @ref{gnutls_server_name_get} can be
+used to enable this extension, or to retrieve the name sent by a
+client.
+
+@subsection Session Tickets
+@cindex TLS Extensions
+@cindex Session Tickets
+@cindex Ticket
+
+To resume a TLS session the server normally store some state. This
+complicates deployment, and typical situations the client can cache
+information and send it to the server instead. The Session Ticket
+extension implements this idea, and it is documented in
+RFC 5077 @xcite{TLSTKT}.
+
+Clients can enable support for TLS tickets with
+@ref{gnutls_session_ticket_enable_client} and servers use
+@ref{gnutls_session_ticket_key_generate} to generate a key and
+@ref{gnutls_session_ticket_enable_server} to enable the extension.
+Clients resume sessions using the ticket using the normal session
+resume functions, @ref{resume}.
+
+@node Selecting cryptographic key sizes
+@section Selecting Cryptographic Key Sizes
+@cindex key sizes
+
+In TLS, since a lot of algorithms are involved, it is not easy to set
+a consistent security level. For this reason this section will
+present some correspondance between key sizes of symmetric algorithms
+and public key algorithms based on the most conservative values of
+@xcite{SELKEY}. Those can be used to generate certificates with
+appropriate key sizes as well as parameters for Diffie-Hellman and SRP
+authentication.
+
+@multitable @columnfractions .15 .20 .20 .20
+
+@item Year
+@tab Symmetric key size
+@tab RSA key size, DH and SRP prime size
+@tab ECC key size
+
+@item 1982
+@tab 56
+@tab 417
+@tab 105
+
+@item 1988
+@tab 61
+@tab 566
+@tab 114
+
+@item 2002
+@tab 72
+@tab 1028
+@tab 139
+
+@item 2015
+@tab 82
+@tab 1613
+@tab 173
+
+@item 2028
+@tab 92
+@tab 2362
+@tab 210
+
+@item 2040
+@tab 101
+@tab 3214
+@tab 244
+
+@item 2050
+@tab 109
+@tab 4047
+@tab 272
+
+@end multitable
+
+The first column provides an estimation of the year until these
+parameters are considered safe and the rest of the columns list the
+parameters for the various algorithms.
+
+Note however that the values suggested here are nothing more than an
+educated guess that is valid today. There are no guarrantees that an
+algorithm will remain unbreakable or that these values will remain
+constant in time. There could be scientific breakthroughs that cannot
+be predicted or total failure of the current public key systems by
+quantum computers. On the other hand though the cryptosystems used in
+TLS are selected in a conservative way and such catastrophic
+breakthroughs or failures are believed to be unlikely.
+
+NIST publication SP 800-57 @xcite{NISTSP80057} contains a similar
+table that extends beyond the key sizes given above.
+
+@multitable @columnfractions .15 .20 .20 .20
+
+@item Bits of security
+@tab Symmetric key algorithms
+@tab RSA key size, DSA, DH and SRP prime size
+@tab ECC key size
+
+@item 80
+@tab 2TDEA
+@tab 1024
+@tab 160-223
+
+@item 112
+@tab 3DES
+@tab 2048
+@tab 224-255
+
+@item 128
+@tab AES-128
+@tab 3072
+@tab 256-383
+
+@item 192
+@tab AES-192
+@tab 7680
+@tab 384-511
+
+@item 256
+@tab AES-256
+@tab 15360
+@tab 512+
+
+@end multitable
+
+The recommendations are fairly consistent.
+
+@node On SSL 2 and older protocols
+@section On SSL 2 and Older Protocols
+@cindex SSL 2
+
+One of the initial decisions in the @acronym{GnuTLS} development was
+to implement the known security protocols for the transport layer.
+Initially @acronym{TLS} 1.0 was implemented since it was the latest at
+that time, and was considered to be the most advanced in security
+properties. Later the @acronym{SSL} 3.0 protocol was implemented
+since it is still the only protocol supported by several servers and
+there are no serious security vulnerabilities known.
+
+One question that may arise is why we didn't implement @acronym{SSL}
+2.0 in the library. There are several reasons, most important being
+that it has serious security flaws, unacceptable for a modern security
+library. Other than that, this protocol is barely used by anyone
+these days since it has been deprecated since 1996. The security
+problems in @acronym{SSL} 2.0 include:
+
+@itemize
+
+@item Message integrity compromised.
+The @acronym{SSLv2} message authentication uses the MD5 function, and
+is insecure.
+
+@item Man-in-the-middle attack.
+There is no protection of the handshake in @acronym{SSLv2}, which
+permits a man-in-the-middle attack.
+
+@item Truncation attack.
+@acronym{SSLv2} relies on TCP FIN to close the session, so the
+attacker can forge a TCP FIN, and the peer cannot tell if it was a
+legitimate end of data or not.
+
+@item Weak message integrity for export ciphers.
+The cryptographic keys in @acronym{SSLv2} are used for both message
+authentication and encryption, so if weak encryption schemes are
+negotiated (say 40-bit keys) the message authentication code use the
+same weak key, which isn't necessary.
+
+@end itemize
+
+@cindex PCT
+Other protocols such as Microsoft's @acronym{PCT} 1 and @acronym{PCT}
+2 were not implemented because they were also abandoned and deprecated
+by @acronym{SSL} 3.0 and later @acronym{TLS} 1.0.
+
+@node On Record Padding
+@section On Record Padding
+@cindex Record padding
+@cindex Bad record MAC
+
+The TLS protocol allows for random padding of records, to make it more
+difficult to perform analysis on the length of exchanged messages.
+(In RFC 4346 this is specified in section 6.2.3.2.) GnuTLS appears to
+be one of few implementation that take advantage of this text, and pad
+records by a random length.
+
+The TLS implementation in the Symbian operating system, frequently
+used by Nokia and Sony-Ericsson mobile phones, cannot handle
+non-minimal record padding. What happens when one of these clients
+handshake with a GnuTLS server is that the client will fail to compute
+the correct MAC for the record. The client sends a TLS alert
+(@code{bad_record_mac}) and disconnects. Typically this will result
+in error messages such as 'A TLS fatal alert has been received', 'Bad
+record MAC', or both, on the GnuTLS server side.
+
+GnuTLS implements a work around for this problem. However, it has to
+be enabled specifically. It can be enabled by using
+@ref{gnutls_record_disable_padding}, or @ref{gnutls_priority_set} with
+the @code{%COMPAT} priority string.
+
+If you implement an application that have a configuration file, we
+recommend that you make it possible for users or administrators to
+specify a GnuTLS protocol priority string, which is used by your
+application via @ref{gnutls_priority_set}. To allow the best
+flexibility, make it possible to have a different priority string for
+different incoming IP addresses.
+
+To enable the workaround in the @code{gnutls-cli} client or the
+@code{gnutls-serv} server, for testing of other implementations, use
+the following parameter: @code{--priority "%COMPAT"}.
+
+This problem has been discussed on mailing lists and in bug reports.
+This section tries to collect all pieces of information that we know
+about the problem. If you wish to go back to the old discussions,
+here are some links:
+
+@url{http://bugs.debian.org/390712}
+
+@url{http://bugs.debian.org/402861}
+
+@url{http://bugs.debian.org/438137}
+
+@url{http://thread.gmane.org/gmane.ietf.tls/3079}
+
+@node Safe Renegotiation
+@section Safe Renegotiation
+@cindex renegotiation
+
+Some application protocols and implementations uses the TLS
+renegotiation feature in a manner that enables attackers to insert
+content of his choice in the beginning of a TLS session.
+
+One easy to understand vulnerability is HTTPS when servers request
+client certificates optionally for certain parts of a web site. The
+attack works by having the attacker simulate a client and connect to a
+server, with server-only authentication, and send some data intended
+to cause harm. When the proper client attempts to contact the server,
+the attacker hijacks that connection and uses the TLS renegotiation
+feature with the server and splices in the client connection to the
+already established connection between the attacker and server. The
+attacker will not be able to read the data exchanged between the
+client and the server. However, the server will (incorrectly) assume
+that the data sent by the attacker was sent by the now authenticated
+client. The result is a prefix plain-text injection attack.
+
+The above is just one example. Other vulnerabilities exists that do
+not rely on the TLS renegotiation to change the client's authenticated
+status (either TLS or application layer).
+
+While fixing these application protocols and implementations would be
+one natural reaction, an extension to TLS has been designed that
+cryptographically binds together any renegotiated handshakes with the
+initial negotiation. When the extension is used, the attack is
+detected and the session can be terminated. The extension is
+specified in @xcite{RFC5746}.
+
+GnuTLS supports the safe renegotiation extension. The default
+behavior is as follows. Clients will attempt to negotiate the safe
+renegotiation extension when talking to servers. Servers will accept
+the extension when presented by clients. Clients and servers will
+permit an initial handshake to complete even when the other side does
+not support the safe renegotiation extension. Clients and servers
+will refuse renegotiation attempts when the extension has not been
+negotiated.
+
+Note that permitting clients to connect to servers even when the safe
+renegotiation extension is not negotiated open up for some attacks.
+Changing this default behaviour would prevent interoperability against
+the majority of deployed servers out there. We will reconsider this
+default behaviour in the future when more servers have been upgraded.
+Note that it is easy to configure clients to always require the safe
+renegotiation extension from servers (see below on the
+%SAFE_RENEGOTIATION priority string).
+
+
+To modify the default behaviour, we have introduced some new priority
+strings. The priority strings can be used by applications
+(@pxref{gnutls_priority_set}) and end users (e.g., @code{--priority}
+parameter to @code{gnutls-cli} and @code{gnutls-serv}).
+
+The @code{%UNSAFE_RENEGOTIATION} priority string permits
+(re-)handshakes even when the safe renegotiation extension was not
+negotiated. The @code{%SAFE_RENEGOTIATION} priority string makes
+client require the extension for every handshake and servers will refuse
+renegotiation without it.
+
+To enforce your clients to upgrade to a version that supports safe
+renegotiation the %INITIAL_SAFE_RENEGOTIATION priority string should
+be used at server side. This will deny any (re-)handshakes unless the
+client supports the extension. This however will prevent all clients
+that do not support the extension from connecting to server, even if
+they do not use renegotiation.
+
+It is possible to disable use of the extension completely, in both
+clients and servers, by using the @code{%DISABLE_SAFE_RENEGOTIATION}
+priority string however we strongly recommend you to only do this for
+debugging and test purposes.
+
+The default values if the flags above are not specified are:
+@table @code
+
+@item Server:
+%SAFE_RENEGOTIATION
+
+@item Client:
+%UNSAFE_RENEGOTIATION
+
+@end table
+
+For applications we have introduced a new API related to safe
+renegotiation. The @ref{gnutls_safe_renegotiation_status} function is
+used to check if the extension has been negotiated on a session, and
+can be used both by clients and servers.
diff --git a/doc/cha-library.texi b/doc/cha-library.texi
new file mode 100644
index 0000000000..9213ea69d7
--- /dev/null
+++ b/doc/cha-library.texi
@@ -0,0 +1,188 @@
+@node The Library
+@chapter The Library
+
+In brief @acronym{GnuTLS} can be described as a library which offers an API
+to access secure communication protocols. These protocols provide
+privacy over insecure lines, and were designed to prevent
+eavesdropping, tampering, or message forgery.
+
+Technically @acronym{GnuTLS} is a portable ANSI C based library which
+implements the TLS 1.1 and SSL 3.0 protocols (@xref{Introduction to
+TLS}, for a more detailed description of the protocols), accompanied
+with the required framework for authentication and public key
+infrastructure. Important features of the @acronym{GnuTLS} library
+include:
+
+@itemize
+
+@item Support for TLS 1.0, TLS 1.1, and SSL 3.0 protocols.
+
+@item Support for both @acronym{X.509} and @acronym{OpenPGP} certificates.
+
+@item Support for handling and verification of certificates.
+
+@item Support for @acronym{SRP} for TLS authentication.
+
+@item Support for @acronym{PSK} for TLS authentication.
+
+@item Support for TLS Extension mechanism.
+
+@item Support for TLS Compression Methods.
+
+@end itemize
+
+Additionally @acronym{GnuTLS} provides a limited emulation API for the
+widely used OpenSSL@footnote{@url{http://www.openssl.org/}} library,
+to ease integration with existing applications.
+
+@acronym{GnuTLS} consists of three independent parts, namely the ``TLS
+protocol part'', the ``Certificate part'', and the ``Cryptographic
+backend'' part. The `TLS protocol part' is the actual protocol
+implementation, and is entirely implemented within the
+@acronym{GnuTLS} library. The `Certificate part' consists of the
+certificate parsing, and verification functions which is partially
+implemented in the @acronym{GnuTLS} library. The
+@acronym{Libtasn1}@footnote{@url{ftp://ftp.gnupg.org/gcrypt/alpha/gnutls/libtasn1/}},
+a library which offers @acronym{ASN.1} parsing capabilities, is used
+for the @acronym{X.509} certificate parsing functions. A smaller
+version of
+@acronym{OpenCDK}@footnote{@url{ftp://ftp.gnupg.org/gcrypt/alpha/gnutls/opencdk/}}
+is used for the @acronym{OpenPGP} key support in @acronym{GnuTLS}.
+The ``Cryptographic backend'' is provided by the
+@acronym{Libgcrypt}@footnote{@url{ftp://ftp.gnupg.org/gcrypt/alpha/libgcrypt/}}
+library@footnote{On current versions of GnuTLS it is possible to
+override the default crypto backend. Check @pxref{Cryptographic
+Backend} for details}.
+
+In order to ease integration in embedded systems, parts of the
+@acronym{GnuTLS} library can be disabled at compile time. That way a
+small library, with the required features, can be generated.
+
+@menu
+* General Idea::
+* Error handling::
+* Memory handling::
+* Callback functions::
+@end menu
+
+@node General Idea
+@section General Idea
+
+A brief description of how @acronym{GnuTLS} works internally is shown
+at the figure below. This section may be easier to understand after
+having seen the examples (@pxref{examples}).
+
+@image{gnutls-internals,12cm,8cm}
+
+As shown in the figure, there is a read-only global state that is
+initialized once by the global initialization function. This global
+structure, among others, contains the memory allocation functions
+used, and some structures needed for the @acronym{ASN.1} parser. This
+structure is never modified by any @acronym{GnuTLS} function, except
+for the deinitialization function which frees all memory allocated in
+the global structure and is called after the program has permanently
+finished using @acronym{GnuTLS}.
+
+The credentials structure is used by some authentication methods, such
+as certificate authentication (@pxref{Certificate Authentication}). A
+credentials structure may contain certificates, private keys,
+temporary parameters for Diffie-Hellman or RSA key exchange, and other
+stuff that may be shared between several TLS sessions.
+
+This structure should be initialized using the appropriate
+initialization functions. For example an application which uses
+certificate authentication would probably initialize the credentials,
+using the appropriate functions, and put its trusted certificates in
+this structure. The next step is to associate the credentials
+structure with each @acronym{TLS} session.
+
+A @acronym{GnuTLS} session contains all the required stuff for a
+session to handle one secure connection. This session calls directly
+to the transport layer functions, in order to communicate with the
+peer. Every session has a unique session ID shared with the peer.
+
+Since TLS sessions can be resumed, servers would probably need a
+database backend to hold the session's parameters. Every
+@acronym{GnuTLS} session after a successful handshake calls the
+appropriate backend function (@xref{resume}, for information on
+initialization) to store the newly negotiated session. The session
+database is examined by the server just after having received the
+client hello@footnote{The first message in a @acronym{TLS} handshake},
+and if the session ID sent by the client, matches a stored session,
+the stored session will be retrieved, and the new session will be a
+resumed one, and will share the same session ID with the previous one.
+
+@node Error handling
+@section Error Handling
+
+In @acronym{GnuTLS} most functions return an integer type as a result.
+In almost all cases a zero or a positive number means success, and a
+negative number indicates failure, or a situation that some action has
+to be taken. Thus negative error codes may be fatal or not.
+
+Fatal errors terminate the connection immediately and further sends
+and receives will be disallowed. An example of a fatal error code is
+@code{GNUTLS_E_DECRYPTION_FAILED}. Non-fatal errors may warn about
+something, i.e., a warning alert was received, or indicate the some
+action has to be taken. This is the case with the error code
+@code{GNUTLS_E_REHANDSHAKE} returned by @ref{gnutls_record_recv}.
+This error code indicates that the server requests a re-handshake. The
+client may ignore this request, or may reply with an alert. You can
+test if an error code is a fatal one by using the
+@ref{gnutls_error_is_fatal}.
+
+If any non fatal errors, that require an action, are to be returned by
+a function, these error codes will be documented in the function's
+reference. @xref{Error Codes}, for all the error codes.
+
+@node Memory handling
+@section Memory Handling
+
+@acronym{GnuTLS} internally handles heap allocated objects
+differently, depending on the sensitivity of the data they
+contain. However for performance reasons, the default memory functions
+do not overwrite sensitive data from memory, nor protect such objects
+from being written to the swap. In order to change the default
+behavior the @ref{gnutls_global_set_mem_functions} function is
+available which can be used to set other memory handlers than the
+defaults.
+
+The @acronym{Libgcrypt} library on which @acronym{GnuTLS} depends, has
+such secure memory allocation functions available. These should be
+used in cases where even the system's swap memory is not considered
+secure. See the documentation of @acronym{Libgcrypt} for more
+information.
+
+@node Callback functions
+@section Callback Functions
+@cindex Callback functions
+
+There are several cases where @acronym{GnuTLS} may need some out of
+band input from your program. This is now implemented using some
+callback functions, which your program is expected to register.
+
+An example of this type of functions are the push and pull callbacks
+which are used to specify the functions that will retrieve and send
+data to the transport layer.
+
+@itemize
+
+@item @ref{gnutls_transport_set_push_function}
+
+@item @ref{gnutls_transport_set_pull_function}
+
+@end itemize
+
+Other callback functions such as the one set by
+@ref{gnutls_srp_set_server_credentials_function}, may require more
+complicated input, including data to be allocated. These callbacks
+should allocate and free memory using the functions shown below.
+
+@itemize
+
+@item @ref{gnutls_malloc}
+
+@item @ref{gnutls_free}
+
+@end itemize
+
diff --git a/doc/cha-preface.texi b/doc/cha-preface.texi
new file mode 100644
index 0000000000..1c4058bf45
--- /dev/null
+++ b/doc/cha-preface.texi
@@ -0,0 +1,257 @@
+@node Preface
+@chapter Preface
+
+This document tries to demonstrate and explain the @acronym{GnuTLS}
+library API. A brief introduction to the protocols and the technology
+involved, is also included so that an application programmer can
+better understand the @acronym{GnuTLS} purpose and actual offerings.
+Even if @acronym{GnuTLS} is a typical library software, it operates
+over several security and cryptographic protocols, which require the
+programmer to make careful and correct usage of them, otherwise he
+risks to offer just a false sense of security. Security and the
+network security terms are very general terms even for computer
+software thus cannot be easily restricted to a single cryptographic
+library. For that reason, do not consider a program secure just
+because it uses @acronym{GnuTLS}; there are several ways to compromise
+a program or a communication line and @acronym{GnuTLS} only helps with
+some of them.
+
+Although this document tries to be self contained, basic network
+programming and PKI knowlegde is assumed in most of it. A good
+introduction to networking can be found in @xcite{STEVENS} and for
+Public Key Infrastructure in @xcite{GUTPKI}.
+
+@anchor{Availability}
+
+Updated versions of the @acronym{GnuTLS} software and this document
+will be available from @url{http://www.gnutls.org/} and
+@url{http://www.gnu.org/software/gnutls/}.
+
+@menu
+* Getting help::
+* Commercial Support::
+* Downloading and Installing::
+* Bug Reports::
+* Contributing::
+@end menu
+
+@node Getting help
+@section Getting Help
+
+A mailing list where users may help each other exists, and you can
+reach it by sending e-mail to @email{help-gnutls@@gnu.org}. Archives
+of the mailing list discussions, and an interface to manage
+subscriptions, is available through the World Wide Web at
+@url{http://lists.gnu.org/mailman/listinfo/help-gnutls}.
+
+A mailing list for developers are also available, see
+@url{http://www.gnu.org/software/gnutls/lists.html}.
+
+Bug reports should be sent to @email{bug-gnutls@@gnu.org}, see
+@xref{Bug Reports}.
+
+@node Commercial Support
+@section Commercial Support
+
+Commercial support is available for users of GnuTLS. The kind of
+support that can be purchased may include:
+
+@itemize
+
+@item Implement new features.
+Such as a new TLS extension.
+
+@item Port GnuTLS to new platforms.
+This could include porting to an embedded platforms that may need
+memory or size optimization.
+
+@item Integrating TLS as a security environment in your existing project.
+
+@item System design of components related to TLS.
+
+@end itemize
+
+If you are interested, please write to:
+
+@verbatim
+Simon Josefsson Datakonsult
+Hagagatan 24
+113 47 Stockholm
+Sweden
+
+E-mail: simon@josefsson.org
+@end verbatim
+
+If your company provides support related to GnuTLS and would like to
+be mentioned here, contact the author (@pxref{Bug Reports}).
+
+@node Downloading and Installing
+@section Downloading and Installing
+@cindex Installation
+@cindex Download
+
+GnuTLS is available for download from the following URL:
+
+@url{http://www.gnutls.org/download.html}
+
+The latest version is stored in a file, e.g.,
+@samp{gnutls-@value{VERSION}.tar.gz} where the @samp{@value{VERSION}}
+value is the highest version number in the directory.
+
+GnuTLS uses a Linux-like development cycle: even minor version numbers
+indicate a stable release and a odd minor version number indicates a
+development release. For example, GnuTLS 1.6.3 denote a stable
+release since 6 is even, and GnuTLS 1.7.11 denote a development
+release since 7 is odd.
+
+GnuTLS depends on Libgcrypt,
+and you will need to install Libgcrypt
+before installing GnuTLS. Libgcrypt is available from
+@url{ftp://ftp.gnupg.org/gcrypt/libgcrypt}. Libgcrypt needs another
+library, libgpg-error, and you need to install libgpg-error before
+installing Libgcrypt. Libgpg-error is available from
+@url{ftp://ftp.gnupg.org/gcrypt/libgpg-error}.
+
+Don't forget to verify the cryptographic signature after downloading
+source code packages.
+
+The package is then extracted, configured and built like many other
+packages that use Autoconf. For detailed information on configuring
+and building it, refer to the @file{INSTALL} file that is part of the
+distribution archive. Typically you invoke @code{./configure} and
+then @code{make check install}. There are a number of compile-time
+parameters, as discussed below.
+
+The compression libraries (libz and lzo) are optional dependencies.
+You can get libz from @url{http://www.zlib.net/}. You can get lzo
+from @url{http://www.oberhumer.com/opensource/lzo/}.
+
+The X.509 part of GnuTLS needs ASN.1 functionality, from a library
+called libtasn1. A copy of libtasn1 is included in GnuTLS. If you
+want to install it separately (e.g., to make it possibly to use
+libtasn1 in other programs), you can get it from
+@url{http://www.gnu.org/software/gnutls/download.html}.
+
+The OpenPGP part of GnuTLS uses a stripped down version of OpenCDK for
+parsing OpenPGP packets. It is included GnuTLS. Use parameter
+@code{--disable-openpgp-authentication} to disable the OpenPGP
+functionality in GnuTLS. Unfortunately, we didn't have resources to
+maintain the code in a separate library.
+
+Regarding the Guile bindings, there are additional installation
+considerations, see @xref{Guile Preparations}.
+
+A few @code{configure} options may be relevant, summarized in the
+table.
+
+@table @code
+
+@item --disable-srp-authentication
+@itemx --disable-psk-authentication
+@itemx --disable-anon-authentication
+@itemx --disable-extra-pki
+@itemx --disable-openpgp-authentication
+@itemx --disable-openssl-compatibility
+Disable or enable particular features. Generally not recommended.
+
+@end table
+
+For the complete list, refer to the output from @code{configure
+--help}.
+
+@node Bug Reports
+@section Bug Reports
+@cindex Reporting Bugs
+
+If you think you have found a bug in GnuTLS, please investigate it and
+report it.
+
+@itemize @bullet
+
+@item Please make sure that the bug is really in GnuTLS, and
+preferably also check that it hasn't already been fixed in the latest
+version.
+
+@item You have to send us a test case that makes it possible for us to
+reproduce the bug.
+
+@item You also have to explain what is wrong; if you get a crash, or
+if the results printed are not good and in that case, in what way.
+Make sure that the bug report includes all information you would need
+to fix this kind of bug for someone else.
+
+@end itemize
+
+Please make an effort to produce a self-contained report, with
+something definite that can be tested or debugged. Vague queries or
+piecemeal messages are difficult to act on and don't help the
+development effort.
+
+If your bug report is good, we will do our best to help you to get a
+corrected version of the software; if the bug report is poor, we won't
+do anything about it (apart from asking you to send better bug
+reports).
+
+If you think something in this manual is unclear, or downright
+incorrect, or if the language needs to be improved, please also send a
+note.
+
+Send your bug report to:
+
+@center @samp{bug-gnutls@@gnu.org}
+
+@node Contributing
+@section Contributing
+@cindex Contributing
+@cindex Hacking
+
+If you want to submit a patch for inclusion -- from solve a typo you
+discovered, up to adding support for a new feature -- you should
+submit it as a bug report (@pxref{Bug Reports}). There are some
+things that you can do to increase the chances for it to be included
+in the official package.
+
+Unless your patch is very small (say, under 10 lines) we require that
+you assign the copyright of your work to the Free Software Foundation.
+This is to protect the freedom of the project. If you have not
+already signed papers, we will send you the necessary information when
+you submit your contribution.
+
+For contributions that doesn't consist of actual programming code, the
+only guidelines are common sense. Use it.
+
+For code contributions, a number of style guides will help you:
+
+@itemize @bullet
+
+@item Coding Style.
+Follow the GNU Standards document (@pxref{top, GNU Coding Standards,,
+standards}).
+
+If you normally code using another coding standard, there is no
+problem, but you should use @samp{indent} to reformat the code
+(@pxref{top, GNU Indent,, indent}) before submitting your work.
+
+@item Use the unified diff format @samp{diff -u}.
+
+@item Return errors.
+No reason whatsoever should abort the execution of the library. Even
+memory allocation errors, e.g. when malloc return NULL, should work
+although result in an error code.
+
+@item Design with thread safety in mind.
+Don't use global variables. Don't even write to per-handle global
+variables unless the documented behaviour of the function you write is
+to write to the per-handle global variable.
+
+@item Avoid using the C math library.
+It causes problems for embedded implementations, and in most
+situations it is very easy to avoid using it.
+
+@item Document your functions.
+Use comments before each function headers, that, if properly
+formatted, are extracted into Texinfo manuals and GTK-DOC web pages.
+
+@item Supply a ChangeLog and NEWS entries, where appropriate.
+
+@end itemize
diff --git a/doc/cha-programs.texi b/doc/cha-programs.texi
new file mode 100644
index 0000000000..c1b940ca13
--- /dev/null
+++ b/doc/cha-programs.texi
@@ -0,0 +1,853 @@
+@node Included programs
+@chapter Included Programs
+
+Included with @acronym{GnuTLS} are also a few command line tools that
+let you use the library for common tasks without writing an
+application. The applications are discussed in this chapter.
+
+@menu
+* Invoking certtool::
+* Invoking gnutls-cli::
+* Invoking gnutls-cli-debug::
+* Invoking gnutls-serv::
+* Invoking psktool::
+* Invoking srptool::
+@end menu
+
+@node Invoking certtool
+@section Invoking certtool
+@cindex certtool
+
+This is a program to generate @acronym{X.509} certificates, certificate
+requests, CRLs and private keys.
+
+@verbatim
+Certtool help
+Usage: certtool [options]
+ -s, --generate-self-signed
+ Generate a self-signed certificate.
+ -c, --generate-certificate
+ Generate a signed certificate.
+ --generate-proxy Generate a proxy certificate.
+ --generate-crl Generate a CRL.
+ -u, --update-certificate
+ Update a signed certificate.
+ -p, --generate-privkey Generate a private key.
+ -q, --generate-request Generate a PKCS #10 certificate
+ request.
+ -e, --verify-chain Verify a PEM encoded certificate chain.
+ The last certificate in the chain must
+ be a self signed one.
+ --verify-crl Verify a CRL.
+ --generate-dh-params Generate PKCS #3 encoded Diffie-Hellman
+ parameters.
+ --get-dh-params Get the included PKCS #3 encoded Diffie
+ Hellman parameters.
+ --load-privkey FILE Private key file to use.
+ --load-request FILE Certificate request file to use.
+ --load-certificate FILE
+ Certificate file to use.
+ --load-ca-privkey FILE Certificate authority's private key
+ file to use.
+ --load-ca-certificate FILE
+ Certificate authority's certificate
+ file to use.
+ --password PASSWORD Password to use.
+ -i, --certificate-info Print information on a certificate.
+ -l, --crl-info Print information on a CRL.
+ --p12-info Print information on a PKCS #12
+ structure.
+ --p7-info Print information on a PKCS #7
+ structure.
+ --smime-to-p7 Convert S/MIME to PKCS #7 structure.
+ -k, --key-info Print information on a private key.
+ --fix-key Regenerate the parameters in a private
+ key.
+ --to-p12 Generate a PKCS #12 structure.
+ -8, --pkcs8 Use PKCS #8 format for private keys.
+ --dsa Use DSA keys.
+ --hash STR Hash algorithm to use for signing
+ (MD5,SHA1,RMD160).
+ --export-ciphers Use weak encryption algorithms.
+ --inder Use DER format for input certificates
+ and private keys.
+ --outder Use DER format for output certificates
+ and private keys.
+ --bits BITS specify the number of bits for key
+ generation.
+ --outfile FILE Output file.
+ --infile FILE Input file.
+ --template FILE Template file to use for non
+ interactive operation.
+ -d, --debug LEVEL specify the debug level. Default is 1.
+ -h, --help shows this help text
+ -v, --version shows the program's version
+@end verbatim
+
+The program can be used interactively or non interactively by
+specifying the @code{--template} command line option. See below for an
+example of a template file.
+
+How to use certtool interactively:
+
+@itemize
+@item
+To generate parameters for Diffie-Hellman key exchange, use the command:
+@example
+$ certtool --generate-dh-params --outfile dh.pem
+@end example
+
+@item
+To generate parameters for the RSA-EXPORT key exchange, use the command:
+@example
+$ certtool --generate-privkey --bits 512 --outfile rsa.pem
+@end example
+
+@end itemize
+
+@itemize
+
+@item
+To create a self signed certificate, use the command:
+@example
+$ certtool --generate-privkey --outfile ca-key.pem
+$ certtool --generate-self-signed --load-privkey ca-key.pem \
+ --outfile ca-cert.pem
+@end example
+
+Note that a self-signed certificate usually belongs to a certificate
+authority, that signs other certificates.
+
+@item
+To create a private key (RSA by default), run:
+
+@example
+$ certtool --generate-privkey --outfile key.pem
+@end example
+
+To create a DSA private key, run:
+
+@example
+$ certtool --dsa --generate-privkey --outfile key-dsa.pem
+@end example
+
+@item
+To generate a certificate using the private key, use the command:
+
+@example
+$ certtool --generate-certificate --load-privkey key.pem \
+ --outfile cert.pem --load-ca-certificate ca-cert.pem \
+ --load-ca-privkey ca-key.pem
+@end example
+
+@item
+To create a certificate request (needed when the certificate is issued by
+another party), run:
+
+@example
+$ certtool --generate-request --load-privkey key.pem \
+ --outfile request.pem
+@end example
+
+@item
+To generate a certificate using the previous request, use the command:
+
+@example
+$ certtool --generate-certificate --load-request request.pem \
+ --outfile cert.pem \
+ --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
+@end example
+
+@item
+To view the certificate information, use:
+
+@example
+$ certtool --certificate-info --infile cert.pem
+@end example
+
+@item
+To generate a @acronym{PKCS} #12 structure using the previous key and
+certificate, use the command:
+
+@example
+$ certtool --load-certificate cert.pem --load-privkey key.pem \
+ --to-p12 --outder --outfile key.p12
+@end example
+
+Some tools (reportedly web browsers) have problems with that file
+because it does not contain the CA certificate for the certificate.
+To work around that problem in the tool, you can use the
+@samp{--load-ca-certificate} parameter as follows:
+
+@example
+$ certtool --load-ca-certificate ca.pem \
+ --load-certificate cert.pem --load-privkey key.pem \
+ --to-p12 --outder --outfile key.p12
+@end example
+
+@item
+Proxy certificate can be used to delegate your credential to a
+temporary, typically short-lived, certificate. To create one from the
+previously created certificate, first create a temporary key and then
+generate a proxy certificate for it, using the commands:
+
+@example
+$ certtool --generate-privkey > proxy-key.pem
+$ certtool --generate-proxy --load-ca-privkey key.pem \
+ --load-privkey proxy-key.pem --load-certificate cert.pem \
+ --outfile proxy-cert.pem
+@end example
+
+@item
+To create an empty Certificate Revocation List (CRL) do:
+
+@example
+$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem --load-ca-certificate x509-ca.pem
+@end example
+
+To create a CRL that contains some revoked certificates, place the
+certificates in a file and use @code{--load-certificate} as follows:
+
+@example
+$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem --load-ca-certificate x509-ca.pem --load-certificate revoked-certs.pem
+@end example
+
+@item
+To verify a Certificate Revocation List (CRL) do:
+
+@example
+$ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem
+@end example
+
+@end itemize
+
+Certtool's template file format:
+
+@itemize
+
+@item
+Firstly create a file named 'cert.cfg' that contains the information
+about the certificate. An example file is listed below.
+
+@item
+Then execute:
+
+@example
+$ certtool --generate-certificate cert.pem --load-privkey key.pem \
+ --template cert.cfg \
+ --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
+@end example
+
+@end itemize
+
+An example certtool template file:
+
+@example
+# X.509 Certificate options
+#
+# DN options
+
+# The organization of the subject.
+organization = "Koko inc."
+
+# The organizational unit of the subject.
+unit = "sleeping dept."
+
+# The locality of the subject.
+# locality =
+
+# The state of the certificate owner.
+state = "Attiki"
+
+# The country of the subject. Two letter code.
+country = GR
+
+# The common name of the certificate owner.
+cn = "Cindy Lauper"
+
+# A user id of the certificate owner.
+#uid = "clauper"
+
+# If the supported DN OIDs are not adequate you can set
+# any OID here.
+# For example set the X.520 Title and the X.520 Pseudonym
+# by using OID and string pairs.
+#dn_oid = "2.5.4.12" "Dr." "2.5.4.65" "jackal"
+
+# This is deprecated and should not be used in new
+# certificates.
+# pkcs9_email = "none@@none.org"
+
+# The serial number of the certificate
+serial = 007
+
+# In how many days, counting from today, this certificate will expire.
+expiration_days = 700
+
+# X.509 v3 extensions
+
+# A dnsname in case of a WWW server.
+#dns_name = "www.none.org"
+#dns_name = "www.morethanone.org"
+
+# An IP address in case of a server.
+#ip_address = "192.168.1.1"
+
+# An email in case of a person
+email = "none@@none.org"
+
+# An URL that has CRLs (certificate revocation lists)
+# available. Needed in CA certificates.
+#crl_dist_points = "http://www.getcrl.crl/getcrl/"
+
+# Whether this is a CA certificate or not
+#ca
+
+# Whether this certificate will be used for a TLS client
+#tls_www_client
+
+# Whether this certificate will be used for a TLS server
+#tls_www_server
+
+# Whether this certificate will be used to sign data (needed
+# in TLS DHE ciphersuites).
+signing_key
+
+# Whether this certificate will be used to encrypt data (needed
+# in TLS RSA ciphersuites). Note that it is preferred to use different
+# keys for encryption and signing.
+#encryption_key
+
+# Whether this key will be used to sign other certificates.
+#cert_signing_key
+
+# Whether this key will be used to sign CRLs.
+#crl_signing_key
+
+# Whether this key will be used to sign code.
+#code_signing_key
+
+# Whether this key will be used to sign OCSP data.
+#ocsp_signing_key
+
+# Whether this key will be used for time stamping.
+#time_stamping_key
+@end example
+
+@node Invoking gnutls-cli
+@section Invoking gnutls-cli
+@cindex gnutls-cli
+
+Simple client program to set up a TLS connection to some other
+computer. It sets up a TLS connection and forwards data from the
+standard input to the secured socket and vice versa.
+
+@verbatim
+GnuTLS test client
+Usage: gnutls-cli [options] hostname
+
+ -d, --debug integer Enable debugging
+ -r, --resume Connect, establish a session. Connect
+ again and resume this session.
+ -s, --starttls Connect, establish a plain session and
+ start TLS when EOF or a SIGALRM is
+ received.
+ --crlf Send CR LF instead of LF.
+ --x509fmtder Use DER format for certificates to read
+ from.
+ -f, --fingerprint Send the openpgp fingerprint, instead
+ of the key.
+ --disable-extensions Disable all the TLS extensions.
+ --print-cert Print the certificate in PEM format.
+ --recordsize integer The maximum record size to advertize.
+ -V, --verbose More verbose output.
+ --ciphers cipher1 cipher2...
+ Ciphers to enable.
+ --protocols protocol1 protocol2...
+ Protocols to enable.
+ --comp comp1 comp2... Compression methods to enable.
+ --macs mac1 mac2... MACs to enable.
+ --kx kx1 kx2... Key exchange methods to enable.
+ --ctypes certType1 certType2...
+ Certificate types to enable.
+ --priority PRIORITY STRING
+ Priorities string.
+ --x509cafile FILE Certificate file to use.
+ --x509crlfile FILE CRL file to use.
+ --pgpkeyfile FILE PGP Key file to use.
+ --pgpkeyring FILE PGP Key ring file to use.
+ --pgpcertfile FILE PGP Public Key (certificate) file to
+ use.
+ --pgpsubkey HEX|auto PGP subkey to use.
+ --x509keyfile FILE X.509 key file to use.
+ --x509certfile FILE X.509 Certificate file to use.
+ --srpusername NAME SRP username to use.
+ --srppasswd PASSWD SRP password to use.
+ --pskusername NAME PSK username to use.
+ --pskkey KEY PSK key (in hex) to use.
+ --opaque-prf-input DATA
+ Use Opaque PRF Input DATA.
+ -p, --port PORT The port to connect to.
+ --insecure Don't abort program if server
+ certificate can't be validated.
+ -l, --list Print a list of the supported
+ algorithms and modes.
+ -h, --help prints this help
+ -v, --version prints the program's version number
+@end verbatim
+
+To connect to a server using PSK authentication, you may use something
+like:
+
+@smallexample
+$ gnutls-cli -p 5556 test.gnutls.org --pskusername jas --pskkey 9e32cf7786321a828ef7668f09fb35db --priority NORMAL:+PSK:-RSA:-DHE-RSA -d 4711
+@end smallexample
+
+@menu
+* Example client PSK connection::
+@end menu
+
+@node Example client PSK connection
+@subsection Example client PSK connection
+@cindex PSK client
+
+If your server only supports the PSK ciphersuite, connecting to it
+should be as simple as connecting to the server:
+
+@smallexample
+$ ./gnutls-cli -p 5556 localhost
+Resolving 'localhost'...
+Connecting to '127.0.0.1:5556'...
+- PSK client callback. PSK hint 'psk_identity_hint'
+Enter PSK identity: psk_identity
+Enter password:
+- PSK authentication. PSK hint 'psk_identity_hint'
+- Version: TLS1.1
+- Key Exchange: PSK
+- Cipher: AES-128-CBC
+- MAC: SHA1
+- Compression: NULL
+- Handshake was completed
+
+- Simple Client Mode:
+@end smallexample
+
+If the server supports several cipher suites, you may need to force it
+to chose PSK by using a cipher priority parameter such as
+@code{--priority NORMAL:+PSK:-RSA:-DHE-RSA:-DHE-PSK}.
+
+@cindex Netconf
+Instead of using the Netconf-way to derive the PSK key from a
+password, you can also give the PSK username and key directly on the
+command line:
+
+@smallexample
+$ ./gnutls-cli -p 5556 localhost --pskusername psk_identity --pskkey 88f3824b3e5659f52d00e959bacab954b6540344
+Resolving 'localhost'...
+Connecting to '127.0.0.1:5556'...
+- PSK authentication. PSK hint 'psk_identity_hint'
+- Version: TLS1.1
+- Key Exchange: PSK
+- Cipher: AES-128-CBC
+- MAC: SHA1
+- Compression: NULL
+- Handshake was completed
+
+- Simple Client Mode:
+@end smallexample
+
+By keeping the @code{--pskusername} parameter and removing the
+@code{--pskkey} parameter, it will query only for the password during
+the handshake.
+
+@node Invoking gnutls-cli-debug
+@section Invoking gnutls-cli-debug
+@cindex gnutls-cli-debug
+
+This program was created to assist in debugging @acronym{GnuTLS}, but
+it might be useful to extract a @acronym{TLS} server's capabilities.
+It's purpose is to connect onto a @acronym{TLS} server, perform some
+tests and print the server's capabilities. If called with the `-v'
+parameter a more checks will be performed. An example output is:
+
+@smallexample
+crystal:/cvs/gnutls/src$ ./gnutls-cli-debug localhost -p 5556
+Resolving 'localhost'...
+Connecting to '127.0.0.1:5556'...
+Checking for TLS 1.1 support... yes
+Checking fallback from TLS 1.1 to... N/A
+Checking for TLS 1.0 support... yes
+Checking for SSL 3.0 support... yes
+Checking for version rollback bug in RSA PMS... no
+Checking for version rollback bug in Client Hello... no
+Checking whether we need to disable TLS 1.0... N/A
+Checking whether the server ignores the RSA PMS version... no
+Checking whether the server can accept Hello Extensions... yes
+Checking whether the server can accept cipher suites not in SSL 3.0 spec... yes
+Checking whether the server can accept a bogus TLS record version in the client hello... yes
+Checking for certificate information... N/A
+Checking for trusted CAs... N/A
+Checking whether the server understands TLS closure alerts... yes
+Checking whether the server supports session resumption... yes
+Checking for export-grade ciphersuite support... no
+Checking RSA-export ciphersuite info... N/A
+Checking for anonymous authentication support... no
+Checking anonymous Diffie-Hellman group info... N/A
+Checking for ephemeral Diffie-Hellman support... no
+Checking ephemeral Diffie-Hellman group info... N/A
+Checking for AES cipher support (TLS extension)... yes
+Checking for 3DES cipher support... yes
+Checking for ARCFOUR 128 cipher support... yes
+Checking for ARCFOUR 40 cipher support... no
+Checking for MD5 MAC support... yes
+Checking for SHA1 MAC support... yes
+Checking for ZLIB compression support (TLS extension)... yes
+Checking for LZO compression support (GnuTLS extension)... yes
+Checking for max record size (TLS extension)... yes
+Checking for SRP authentication support (TLS extension)... yes
+Checking for OpenPGP authentication support (TLS extension)... no
+@end smallexample
+
+@node Invoking gnutls-serv
+@section Invoking gnutls-serv
+@cindex gnutls-serv
+
+Simple server program that listens to incoming TLS connections.
+
+@verbatim
+GnuTLS test server
+Usage: gnutls-serv [options]
+
+ -d, --debug integer Enable debugging
+ -g, --generate Generate Diffie-Hellman Parameters.
+ -p, --port integer The port to connect to.
+ -q, --quiet Suppress some messages.
+ --nodb Does not use the resume database.
+ --http Act as an HTTP Server.
+ --echo Act as an Echo Server.
+ --dhparams FILE DH params file to use.
+ --x509fmtder Use DER format for certificates
+ --x509cafile FILE Certificate file to use.
+ --x509crlfile FILE CRL file to use.
+ --pgpkeyring FILE PGP Key ring file to use.
+ --pgpkeyfile FILE PGP Key file to use.
+ --pgpcertfile FILE PGP Public Key (certificate) file to
+ use.
+ --pgpsubkey HEX|auto PGP subkey to use.
+ --x509keyfile FILE X.509 key file to use.
+ --x509certfile FILE X.509 Certificate file to use.
+ --x509dsakeyfile FILE Alternative X.509 key file to use.
+ --x509dsacertfile FILE Alternative X.509 certificate file to
+ use.
+ -r, --require-cert Require a valid certificate.
+ -a, --disable-client-cert
+ Disable request for a client
+ certificate.
+ --pskpasswd FILE PSK password file to use.
+ --pskhint HINT PSK identity hint to use.
+ --srppasswd FILE SRP password file to use.
+ --srppasswdconf FILE SRP password conf file to use.
+ --opaque-prf-input DATA
+ Use Opaque PRF Input DATA.
+ --ciphers cipher1 cipher2...
+ Ciphers to enable.
+ --protocols protocol1 protocol2...
+ Protocols to enable.
+ --comp comp1 comp2... Compression methods to enable.
+ --macs mac1 mac2... MACs to enable.
+ --kx kx1 kx2... Key exchange methods to enable.
+ --ctypes certType1 certType2...
+ Certificate types to enable.
+ --priority PRIORITY STRING
+ Priorities string.
+ -l, --list Print a list of the supported
+ algorithms and modes.
+ -h, --help prints this help
+ -v, --version prints the program's version number
+@end verbatim
+
+@subsection Setting Up a Test HTTPS Server
+@cindex HTTPS server
+@cindex debug server
+
+Running your own TLS server based on GnuTLS can be useful when
+debugging clients and/or GnuTLS itself. This section describes how to
+use @code{gnutls-serv} as a simple HTTPS server.
+
+The most basic server can be started as:
+
+@example
+gnutls-serv --http
+@end example
+
+It will only support anonymous ciphersuites, which many TLS clients
+refuse to use.
+
+The next step is to add support for X.509. First we generate a CA:
+
+@example
+certtool --generate-privkey > x509-ca-key.pem
+echo 'cn = GnuTLS test CA' > ca.tmpl
+echo 'ca' >> ca.tmpl
+echo 'cert_signing_key' >> ca.tmpl
+certtool --generate-self-signed --load-privkey x509-ca-key.pem \
+ --template ca.tmpl --outfile x509-ca.pem
+...
+@end example
+
+Then generate a server certificate. Remember to change the dns_name
+value to the name of your server host, or skip that command to avoid
+the field.
+
+@example
+certtool --generate-privkey > x509-server-key.pem
+echo 'organization = GnuTLS test server' > server.tmpl
+echo 'cn = test.gnutls.org' >> server.tmpl
+echo 'tls_www_server' >> server.tmpl
+echo 'encryption_key' >> server.tmpl
+echo 'signing_key' >> server.tmpl
+echo 'dns_name = test.gnutls.org' >> server.tmpl
+certtool --generate-certificate --load-privkey x509-server-key.pem \
+ --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
+ --template server.tmpl --outfile x509-server.pem
+...
+@end example
+
+For use in the client, you may want to generate a client certificate
+as well.
+
+@example
+certtool --generate-privkey > x509-client-key.pem
+echo 'cn = GnuTLS test client' > client.tmpl
+echo 'tls_www_client' >> client.tmpl
+echo 'encryption_key' >> client.tmpl
+echo 'signing_key' >> client.tmpl
+certtool --generate-certificate --load-privkey x509-client-key.pem \
+ --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
+ --template client.tmpl --outfile x509-client.pem
+...
+@end example
+
+To be able to import the client key/certificate into some
+applications, you will need to convert them into a PKCS#12 structure.
+This also encrypts the security sensitive key with a password.
+
+@example
+certtool --to-p12 --load-ca-certificate x509-ca.pem --load-privkey x509-client-key.pem --load-certificate x509-client.pem --outder --outfile x509-client.p12
+@end example
+
+For icing, we'll create a proxy certificate for the client too.
+
+@example
+certtool --generate-privkey > x509-proxy-key.pem
+echo 'cn = GnuTLS test client proxy' > proxy.tmpl
+certtool --generate-proxy --load-privkey x509-proxy-key.pem \
+ --load-ca-certificate x509-client.pem --load-ca-privkey x509-client-key.pem \
+ --load-certificate x509-client.pem --template proxy.tmpl \
+ --outfile x509-proxy.pem
+...
+@end example
+
+Then start the server again:
+
+@example
+gnutls-serv --http \
+ --x509cafile x509-ca.pem \
+ --x509keyfile x509-server-key.pem \
+ --x509certfile x509-server.pem
+@end example
+
+Try connecting to the server using your web browser. Note that the
+server listens to port 5556 by default.
+
+While you are at it, to allow connections using DSA, you can also
+create a DSA key and certificate for the server. These credentials
+will be used in the final example below.
+
+@example
+certtool --generate-privkey --dsa > x509-server-key-dsa.pem
+certtool --generate-certificate --load-privkey x509-server-key-dsa.pem \
+ --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
+ --template server.tmpl --outfile x509-server-dsa.pem
+...
+@end example
+
+The next step is to create OpenPGP credentials for the server.
+
+@example
+gpg --gen-key
+...enter whatever details you want, use 'test.gnutls.org' as name...
+@end example
+
+Make a note of the OpenPGP key identifier of the newly generated key,
+here it was @code{5D1D14D8}. You will need to export the key for
+GnuTLS to be able to use it.
+
+@example
+gpg -a --export 5D1D14D8 > openpgp-server.txt
+gpg --export 5D1D14D8 > openpgp-server.bin
+gpg --export-secret-keys 5D1D14D8 > openpgp-server-key.bin
+gpg -a --export-secret-keys 5D1D14D8 > openpgp-server-key.txt
+@end example
+
+Let's start the server with support for OpenPGP credentials:
+
+@example
+gnutls-serv --http \
+ --pgpkeyfile openpgp-server-key.txt \
+ --pgpcertfile openpgp-server.txt
+@end example
+
+The next step is to add support for SRP authentication.
+
+@example
+srptool --create-conf srp-tpasswd.conf
+srptool --passwd-conf srp-tpasswd.conf --username jas --passwd srp-passwd.txt
+Enter password: [TYPE "foo"]
+@end example
+
+Start the server with SRP support:
+
+@example
+gnutls-serv --http \
+ --srppasswdconf srp-tpasswd.conf \
+ --srppasswd srp-passwd.txt
+@end example
+
+Let's also add support for PSK.
+
+@example
+$ psktool --passwd psk-passwd.txt
+@end example
+
+Start the server with PSK support:
+
+@example
+gnutls-serv --http \
+ --pskpasswd psk-passwd.txt
+@end example
+
+Finally, we start the server with all the earlier parameters and you
+get this command:
+
+@example
+gnutls-serv --http \
+ --x509cafile x509-ca.pem \
+ --x509keyfile x509-server-key.pem \
+ --x509certfile x509-server.pem \
+ --x509dsakeyfile x509-server-key-dsa.pem \
+ --x509dsacertfile x509-server-dsa.pem \
+ --pgpkeyfile openpgp-server-key.txt \
+ --pgpcertfile openpgp-server.txt \
+ --srppasswdconf srp-tpasswd.conf \
+ --srppasswd srp-passwd.txt \
+ --pskpasswd psk-passwd.txt
+@end example
+
+@menu
+* Example server PSK connection::
+@end menu
+
+@node Example server PSK connection
+@subsection Example server PSK connection
+@cindex PSK server
+
+To set up a PSK server with @code{gnutls-serv} you need to create PSK
+password file (@pxref{Invoking psktool}). In the example below, I
+type @code{password} at the prompt.
+
+@smallexample
+$ ./psktool -u psk_identity -p psks.txt -n psk_identity_hint
+Enter password:
+Key stored to psks.txt
+$ cat psks.txt
+psk_identity:88f3824b3e5659f52d00e959bacab954b6540344
+$
+@end smallexample
+
+After this, start the server pointing to the password file. We
+disable DHE-PSK.
+
+@smallexample
+$ ./gnutls-serv --pskpasswd psks.txt --pskhint psk_identity_hint --priority NORMAL:-DHE-PSK
+Set static Diffie-Hellman parameters, consider --dhparams.
+Echo Server ready. Listening to port '5556'.
+@end smallexample
+
+You can now connect to the server using a PSK client (@pxref{Example
+client PSK connection}).
+
+@node Invoking psktool
+@section Invoking psktool
+@cindex psktool
+
+This is a program to manage @acronym{PSK} username and keys.
+
+@verbatim
+PSKtool help
+Usage : psktool [options]
+ -u, --username username
+ specify username.
+ -p, --passwd FILE specify a password file.
+ -n, --netconf-hint HINT
+ derive key from Netconf password, using
+ HINT as the psk_identity_hint.
+ -s, --keysize SIZE specify the key size in bytes.
+ -v, --version prints the program's version number
+ -h, --help shows this help text
+@end verbatim
+
+Normally the file will generate random keys for the indicate username.
+You may also derive PSK keys from passwords, using the algorithm
+specified in @file{draft-ietf-netconf-tls-02.txt}. The algorithm
+needs a PSK identity hint, which you specify using
+@code{--netconf-hint}. To derive a PSK key from a password with an
+empty PSK identity hint, using @code{--netconf-hint ""}.
+
+@node Invoking srptool
+@section Invoking srptool
+@anchor{srptool}
+@cindex srptool
+
+The @file{srptool} is a very simple program that emulates the programs
+in the @emph{Stanford SRP libraries}, see
+@url{http://srp.stanford.edu/}. It is intended for use in places
+where you don't expect @acronym{SRP} authentication to be the used for
+system users.
+
+Traditionally @emph{libsrp} used two files. One called @code{tpasswd}
+which holds usernames and verifiers, and @code{tpasswd.conf} which
+holds generators and primes.
+
+How to use srptool:
+
+@itemize
+
+@item
+To create tpasswd.conf which holds the g and n values for
+@acronym{SRP} protocol (generator and a large prime), run:
+
+@example
+$ srptool --create-conf /etc/tpasswd.conf
+@end example
+
+@item
+This command will create /etc/tpasswd and will add user 'test' (you
+will also be prompted for a password). Verifiers are stored by
+default in the way libsrp expects.
+
+@example
+$ srptool --passwd /etc/tpasswd \
+ --passwd-conf /etc/tpasswd.conf -u test
+@end example
+
+@item
+This command will check against a password. If the password matches
+the one in /etc/tpasswd you will get an ok.
+
+@example
+$ srptool --passwd /etc/tpasswd \
+ --passwd-conf /etc/tpasswd.conf --verify -u test
+@end example
+
+@end itemize
diff --git a/doc/cha-tls-app.texi b/doc/cha-tls-app.texi
new file mode 100644
index 0000000000..a34d891a93
--- /dev/null
+++ b/doc/cha-tls-app.texi
@@ -0,0 +1,130 @@
+@node How to use TLS in application protocols
+@chapter How To Use @acronym{TLS} in Application Protocols
+
+This chapter is intended to provide some hints on how to use the
+@acronym{TLS} over simple custom made application protocols. The
+discussion below mainly refers to the @emph{TCP/IP} transport layer
+but may be extended to other ones too.
+
+@menu
+* Separate ports::
+* Upward negotiation::
+@end menu
+
+@node Separate ports
+@section Separate Ports
+
+Traditionally @acronym{SSL} was used in application protocols by
+assigning a new port number for the secure services. That way two
+separate ports were assigned, one for the non secure sessions, and one
+for the secured ones. This has the benefit that if a user requests a
+secure session then the client will try to connect to the secure port
+and fail otherwise. The only possible attack with this method is a
+denial of service one. The most famous example of this method is the
+famous ``HTTP over TLS'' or @acronym{HTTPS} protocol @xcite{RFC2818}.
+
+Despite its wide use, this method is not as good as it seems. This
+approach starts the @acronym{TLS} Handshake procedure just after the
+client connects on the ---so called--- secure port. That way the
+@acronym{TLS} protocol does not know anything about the client, and
+popular methods like the host advertising in HTTP do not
+work@footnote{See also the Server Name Indication extension on
+@ref{serverind}.}. There is no way for the client to say ``I
+connected to YYY server'' before the Handshake starts, so the server
+cannot possibly know which certificate to use.
+
+Other than that it requires two separate ports to run a single
+service, which is unnecessary complication. Due to the fact that there
+is a limitation on the available privileged ports, this approach was
+soon obsoleted.
+
+@node Upward negotiation
+@section Upward Negotiation
+
+Other application protocols@footnote{See LDAP, IMAP etc.} use a
+different approach to enable the secure layer. They use something
+called the ``TLS upgrade'' method. This method is quite tricky but it
+is more flexible. The idea is to extend the application protocol to
+have a ``STARTTLS'' request, whose purpose it to start the TLS
+protocols just after the client requests it. This is a really neat
+idea and does not require an extra port.
+
+This method is used by almost all modern protocols and there is even
+the @xcite{RFC2817} paper which proposes extensions to HTTP to support
+it.
+
+The tricky part, in this method, is that the ``STARTTLS'' request is
+sent in the clear, thus is vulnerable to modifications. A typical
+attack is to modify the messages in a way that the client is fooled
+and thinks that the server does not have the ``STARTTLS'' capability.
+See a typical conversation of a hypothetical protocol:
+
+@quotation
+(client connects to the server)
+
+CLIENT: HELLO I'M MR. XXX
+
+SERVER: NICE TO MEET YOU XXX
+
+CLIENT: PLEASE START TLS
+
+SERVER: OK
+
+*** TLS STARTS
+
+CLIENT: HERE ARE SOME CONFIDENTIAL DATA
+@end quotation
+
+And see an example of a conversation where someone is acting
+in between:
+
+@quotation
+(client connects to the server)
+
+CLIENT: HELLO I'M MR. XXX
+
+SERVER: NICE TO MEET YOU XXX
+
+CLIENT: PLEASE START TLS
+
+(here someone inserts this message)
+
+SERVER: SORRY I DON'T HAVE THIS CAPABILITY
+
+CLIENT: HERE ARE SOME CONFIDENTIAL DATA
+@end quotation
+
+As you can see above the client was fooled, and was dummy enough to
+send the confidential data in the clear.
+
+How to avoid the above attack? As you may have already thought this
+one is easy to avoid. The client has to ask the user before it
+connects whether the user requests @acronym{TLS} or not. If the user
+answered that he certainly wants the secure layer the last
+conversation should be:
+
+@quotation
+(client connects to the server)
+
+CLIENT: HELLO I'M MR. XXX
+
+SERVER: NICE TO MEET YOU XXX
+
+CLIENT: PLEASE START TLS
+
+(here someone inserts this message)
+
+SERVER: SORRY I DON'T HAVE THIS CAPABILITY
+
+CLIENT: BYE
+
+(the client notifies the user that the secure connection was not possible)
+@end quotation
+
+This method, if implemented properly, is far better than the
+traditional method, and the security properties remain the same, since
+only denial of service is possible. The benefit is that the server may
+request additional data before the @acronym{TLS} Handshake protocol
+starts, in order to send the correct certificate, use the correct
+password file@footnote{in @acronym{SRP} authentication}, or anything
+else!
diff --git a/doc/gnutls.texi b/doc/gnutls.texi
index 84cc674447..bbecd1f8bf 100644
--- a/doc/gnutls.texi
+++ b/doc/gnutls.texi
@@ -90,4286 +90,29 @@ Documentation License''.
* Bibliography::
@end menu
+@include cha-preface.texi
-@node Preface
-@chapter Preface
+@include cha-library.texi
-This document tries to demonstrate and explain the @acronym{GnuTLS}
-library API. A brief introduction to the protocols and the technology
-involved, is also included so that an application programmer can
-better understand the @acronym{GnuTLS} purpose and actual offerings.
-Even if @acronym{GnuTLS} is a typical library software, it operates
-over several security and cryptographic protocols, which require the
-programmer to make careful and correct usage of them, otherwise he
-risks to offer just a false sense of security. Security and the
-network security terms are very general terms even for computer
-software thus cannot be easily restricted to a single cryptographic
-library. For that reason, do not consider a program secure just
-because it uses @acronym{GnuTLS}; there are several ways to compromise
-a program or a communication line and @acronym{GnuTLS} only helps with
-some of them.
+@include cha-intro-tls.texi
-Although this document tries to be self contained, basic network
-programming and PKI knowlegde is assumed in most of it. A good
-introduction to networking can be found in @xcite{STEVENS} and for
-Public Key Infrastructure in @xcite{GUTPKI}.
+@include cha-auth.texi
-@anchor{Availability}
+@include cha-cert-auth.texi
-Updated versions of the @acronym{GnuTLS} software and this document
-will be available from @url{http://www.gnutls.org/} and
-@url{http://www.gnu.org/software/gnutls/}.
+@include cha-tls-app.texi
-@menu
-* Getting help::
-* Commercial Support::
-* Downloading and Installing::
-* Bug Reports::
-* Contributing::
-@end menu
-
-@node Getting help
-@section Getting Help
-
-A mailing list where users may help each other exists, and you can
-reach it by sending e-mail to @email{help-gnutls@@gnu.org}. Archives
-of the mailing list discussions, and an interface to manage
-subscriptions, is available through the World Wide Web at
-@url{http://lists.gnu.org/mailman/listinfo/help-gnutls}.
-
-A mailing list for developers are also available, see
-@url{http://www.gnu.org/software/gnutls/lists.html}.
-
-Bug reports should be sent to @email{bug-gnutls@@gnu.org}, see
-@xref{Bug Reports}.
-
-@node Commercial Support
-@section Commercial Support
-
-Commercial support is available for users of GnuTLS. The kind of
-support that can be purchased may include:
-
-@itemize
-
-@item Implement new features.
-Such as a new TLS extension.
-
-@item Port GnuTLS to new platforms.
-This could include porting to an embedded platforms that may need
-memory or size optimization.
-
-@item Integrating TLS as a security environment in your existing project.
-
-@item System design of components related to TLS.
-
-@end itemize
-
-If you are interested, please write to:
-
-@verbatim
-Simon Josefsson Datakonsult
-Hagagatan 24
-113 47 Stockholm
-Sweden
-
-E-mail: simon@josefsson.org
-@end verbatim
-
-If your company provides support related to GnuTLS and would like to
-be mentioned here, contact the author (@pxref{Bug Reports}).
-
-@node Downloading and Installing
-@section Downloading and Installing
-@cindex Installation
-@cindex Download
-
-GnuTLS is available for download from the following URL:
-
-@url{http://www.gnutls.org/download.html}
-
-The latest version is stored in a file, e.g.,
-@samp{gnutls-@value{VERSION}.tar.gz} where the @samp{@value{VERSION}}
-value is the highest version number in the directory.
-
-GnuTLS uses a Linux-like development cycle: even minor version numbers
-indicate a stable release and a odd minor version number indicates a
-development release. For example, GnuTLS 1.6.3 denote a stable
-release since 6 is even, and GnuTLS 1.7.11 denote a development
-release since 7 is odd.
-
-GnuTLS depends on Libgcrypt,
-and you will need to install Libgcrypt
-before installing GnuTLS. Libgcrypt is available from
-@url{ftp://ftp.gnupg.org/gcrypt/libgcrypt}. Libgcrypt needs another
-library, libgpg-error, and you need to install libgpg-error before
-installing Libgcrypt. Libgpg-error is available from
-@url{ftp://ftp.gnupg.org/gcrypt/libgpg-error}.
-
-Don't forget to verify the cryptographic signature after downloading
-source code packages.
-
-The package is then extracted, configured and built like many other
-packages that use Autoconf. For detailed information on configuring
-and building it, refer to the @file{INSTALL} file that is part of the
-distribution archive. Typically you invoke @code{./configure} and
-then @code{make check install}. There are a number of compile-time
-parameters, as discussed below.
-
-The compression libraries (libz and lzo) are optional dependencies.
-You can get libz from @url{http://www.zlib.net/}. You can get lzo
-from @url{http://www.oberhumer.com/opensource/lzo/}.
-
-The X.509 part of GnuTLS needs ASN.1 functionality, from a library
-called libtasn1. A copy of libtasn1 is included in GnuTLS. If you
-want to install it separately (e.g., to make it possibly to use
-libtasn1 in other programs), you can get it from
-@url{http://www.gnu.org/software/gnutls/download.html}.
-
-The OpenPGP part of GnuTLS uses a stripped down version of OpenCDK for
-parsing OpenPGP packets. It is included GnuTLS. Use parameter
-@code{--disable-openpgp-authentication} to disable the OpenPGP
-functionality in GnuTLS. Unfortunately, we didn't have resources to
-maintain the code in a separate library.
-
-Regarding the Guile bindings, there are additional installation
-considerations, see @xref{Guile Preparations}.
-
-A few @code{configure} options may be relevant, summarized in the
-table.
-
-@table @code
-
-@item --disable-srp-authentication
-@itemx --disable-psk-authentication
-@itemx --disable-anon-authentication
-@itemx --disable-extra-pki
-@itemx --disable-openpgp-authentication
-@itemx --disable-openssl-compatibility
-Disable or enable particular features. Generally not recommended.
-
-@end table
-
-For the complete list, refer to the output from @code{configure
---help}.
-
-@node Bug Reports
-@section Bug Reports
-@cindex Reporting Bugs
-
-If you think you have found a bug in GnuTLS, please investigate it and
-report it.
-
-@itemize @bullet
-
-@item Please make sure that the bug is really in GnuTLS, and
-preferably also check that it hasn't already been fixed in the latest
-version.
-
-@item You have to send us a test case that makes it possible for us to
-reproduce the bug.
-
-@item You also have to explain what is wrong; if you get a crash, or
-if the results printed are not good and in that case, in what way.
-Make sure that the bug report includes all information you would need
-to fix this kind of bug for someone else.
-
-@end itemize
-
-Please make an effort to produce a self-contained report, with
-something definite that can be tested or debugged. Vague queries or
-piecemeal messages are difficult to act on and don't help the
-development effort.
-
-If your bug report is good, we will do our best to help you to get a
-corrected version of the software; if the bug report is poor, we won't
-do anything about it (apart from asking you to send better bug
-reports).
-
-If you think something in this manual is unclear, or downright
-incorrect, or if the language needs to be improved, please also send a
-note.
-
-Send your bug report to:
-
-@center @samp{bug-gnutls@@gnu.org}
-
-@node Contributing
-@section Contributing
-@cindex Contributing
-@cindex Hacking
-
-If you want to submit a patch for inclusion -- from solve a typo you
-discovered, up to adding support for a new feature -- you should
-submit it as a bug report (@pxref{Bug Reports}). There are some
-things that you can do to increase the chances for it to be included
-in the official package.
-
-Unless your patch is very small (say, under 10 lines) we require that
-you assign the copyright of your work to the Free Software Foundation.
-This is to protect the freedom of the project. If you have not
-already signed papers, we will send you the necessary information when
-you submit your contribution.
-
-For contributions that doesn't consist of actual programming code, the
-only guidelines are common sense. Use it.
-
-For code contributions, a number of style guides will help you:
-
-@itemize @bullet
-
-@item Coding Style.
-Follow the GNU Standards document (@pxref{top, GNU Coding Standards,,
-standards}).
-
-If you normally code using another coding standard, there is no
-problem, but you should use @samp{indent} to reformat the code
-(@pxref{top, GNU Indent,, indent}) before submitting your work.
-
-@item Use the unified diff format @samp{diff -u}.
-
-@item Return errors.
-No reason whatsoever should abort the execution of the library. Even
-memory allocation errors, e.g. when malloc return NULL, should work
-although result in an error code.
-
-@item Design with thread safety in mind.
-Don't use global variables. Don't even write to per-handle global
-variables unless the documented behaviour of the function you write is
-to write to the per-handle global variable.
-
-@item Avoid using the C math library.
-It causes problems for embedded implementations, and in most
-situations it is very easy to avoid using it.
-
-@item Document your functions.
-Use comments before each function headers, that, if properly
-formatted, are extracted into Texinfo manuals and GTK-DOC web pages.
-
-@item Supply a ChangeLog and NEWS entries, where appropriate.
-
-@end itemize
-@node The Library
-@chapter The Library
-
-In brief @acronym{GnuTLS} can be described as a library which offers an API
-to access secure communication protocols. These protocols provide
-privacy over insecure lines, and were designed to prevent
-eavesdropping, tampering, or message forgery.
-
-Technically @acronym{GnuTLS} is a portable ANSI C based library which
-implements the TLS 1.1 and SSL 3.0 protocols (@xref{Introduction to
-TLS}, for a more detailed description of the protocols), accompanied
-with the required framework for authentication and public key
-infrastructure. Important features of the @acronym{GnuTLS} library
-include:
-
-@itemize
-
-@item Support for TLS 1.0, TLS 1.1, and SSL 3.0 protocols.
-
-@item Support for both @acronym{X.509} and @acronym{OpenPGP} certificates.
-
-@item Support for handling and verification of certificates.
-
-@item Support for @acronym{SRP} for TLS authentication.
-
-@item Support for @acronym{PSK} for TLS authentication.
-
-@item Support for TLS Extension mechanism.
-
-@item Support for TLS Compression Methods.
-
-@end itemize
-
-Additionally @acronym{GnuTLS} provides a limited emulation API for the
-widely used OpenSSL@footnote{@url{http://www.openssl.org/}} library,
-to ease integration with existing applications.
-
-@acronym{GnuTLS} consists of three independent parts, namely the ``TLS
-protocol part'', the ``Certificate part'', and the ``Cryptographic
-backend'' part. The `TLS protocol part' is the actual protocol
-implementation, and is entirely implemented within the
-@acronym{GnuTLS} library. The `Certificate part' consists of the
-certificate parsing, and verification functions which is partially
-implemented in the @acronym{GnuTLS} library. The
-@acronym{Libtasn1}@footnote{@url{ftp://ftp.gnupg.org/gcrypt/alpha/gnutls/libtasn1/}},
-a library which offers @acronym{ASN.1} parsing capabilities, is used
-for the @acronym{X.509} certificate parsing functions. A smaller
-version of
-@acronym{OpenCDK}@footnote{@url{ftp://ftp.gnupg.org/gcrypt/alpha/gnutls/opencdk/}}
-is used for the @acronym{OpenPGP} key support in @acronym{GnuTLS}.
-The ``Cryptographic backend'' is provided by the
-@acronym{Libgcrypt}@footnote{@url{ftp://ftp.gnupg.org/gcrypt/alpha/libgcrypt/}}
-library@footnote{On current versions of GnuTLS it is possible to
-override the default crypto backend. Check @pxref{Cryptographic
-Backend} for details}.
-
-In order to ease integration in embedded systems, parts of the
-@acronym{GnuTLS} library can be disabled at compile time. That way a
-small library, with the required features, can be generated.
-
-@menu
-* General Idea::
-* Error handling::
-* Memory handling::
-* Callback functions::
-@end menu
-
-@node General Idea
-@section General Idea
-
-A brief description of how @acronym{GnuTLS} works internally is shown
-at the figure below. This section may be easier to understand after
-having seen the examples (@pxref{examples}).
-
-@image{gnutls-internals,12cm,8cm}
-
-As shown in the figure, there is a read-only global state that is
-initialized once by the global initialization function. This global
-structure, among others, contains the memory allocation functions
-used, and some structures needed for the @acronym{ASN.1} parser. This
-structure is never modified by any @acronym{GnuTLS} function, except
-for the deinitialization function which frees all memory allocated in
-the global structure and is called after the program has permanently
-finished using @acronym{GnuTLS}.
-
-The credentials structure is used by some authentication methods, such
-as certificate authentication (@pxref{Certificate Authentication}). A
-credentials structure may contain certificates, private keys,
-temporary parameters for Diffie-Hellman or RSA key exchange, and other
-stuff that may be shared between several TLS sessions.
-
-This structure should be initialized using the appropriate
-initialization functions. For example an application which uses
-certificate authentication would probably initialize the credentials,
-using the appropriate functions, and put its trusted certificates in
-this structure. The next step is to associate the credentials
-structure with each @acronym{TLS} session.
-
-A @acronym{GnuTLS} session contains all the required stuff for a
-session to handle one secure connection. This session calls directly
-to the transport layer functions, in order to communicate with the
-peer. Every session has a unique session ID shared with the peer.
-
-Since TLS sessions can be resumed, servers would probably need a
-database backend to hold the session's parameters. Every
-@acronym{GnuTLS} session after a successful handshake calls the
-appropriate backend function (@xref{resume}, for information on
-initialization) to store the newly negotiated session. The session
-database is examined by the server just after having received the
-client hello@footnote{The first message in a @acronym{TLS} handshake},
-and if the session ID sent by the client, matches a stored session,
-the stored session will be retrieved, and the new session will be a
-resumed one, and will share the same session ID with the previous one.
-
-@node Error handling
-@section Error Handling
-
-In @acronym{GnuTLS} most functions return an integer type as a result.
-In almost all cases a zero or a positive number means success, and a
-negative number indicates failure, or a situation that some action has
-to be taken. Thus negative error codes may be fatal or not.
-
-Fatal errors terminate the connection immediately and further sends
-and receives will be disallowed. An example of a fatal error code is
-@code{GNUTLS_E_DECRYPTION_FAILED}. Non-fatal errors may warn about
-something, i.e., a warning alert was received, or indicate the some
-action has to be taken. This is the case with the error code
-@code{GNUTLS_E_REHANDSHAKE} returned by @ref{gnutls_record_recv}.
-This error code indicates that the server requests a re-handshake. The
-client may ignore this request, or may reply with an alert. You can
-test if an error code is a fatal one by using the
-@ref{gnutls_error_is_fatal}.
-
-If any non fatal errors, that require an action, are to be returned by
-a function, these error codes will be documented in the function's
-reference. @xref{Error Codes}, for all the error codes.
-
-@node Memory handling
-@section Memory Handling
-
-@acronym{GnuTLS} internally handles heap allocated objects
-differently, depending on the sensitivity of the data they
-contain. However for performance reasons, the default memory functions
-do not overwrite sensitive data from memory, nor protect such objects
-from being written to the swap. In order to change the default
-behavior the @ref{gnutls_global_set_mem_functions} function is
-available which can be used to set other memory handlers than the
-defaults.
-
-The @acronym{Libgcrypt} library on which @acronym{GnuTLS} depends, has
-such secure memory allocation functions available. These should be
-used in cases where even the system's swap memory is not considered
-secure. See the documentation of @acronym{Libgcrypt} for more
-information.
-
-@node Callback functions
-@section Callback Functions
-@cindex Callback functions
-
-There are several cases where @acronym{GnuTLS} may need some out of
-band input from your program. This is now implemented using some
-callback functions, which your program is expected to register.
-
-An example of this type of functions are the push and pull callbacks
-which are used to specify the functions that will retrieve and send
-data to the transport layer.
-
-@itemize
-
-@item @ref{gnutls_transport_set_push_function}
-
-@item @ref{gnutls_transport_set_pull_function}
-
-@end itemize
-
-Other callback functions such as the one set by
-@ref{gnutls_srp_set_server_credentials_function}, may require more
-complicated input, including data to be allocated. These callbacks
-should allocate and free memory using the functions shown below.
-
-@itemize
-
-@item @ref{gnutls_malloc}
-
-@item @ref{gnutls_free}
-
-@end itemize
-
-@node Introduction to TLS
-@chapter Introduction to @acronym{TLS}
-
-@acronym{TLS} stands for ``Transport Layer Security'' and is the
-successor of SSL, the Secure Sockets Layer protocol @xcite{SSL3}
-designed by Netscape. @acronym{TLS} is an Internet protocol, defined
-by @acronym{IETF}@footnote{IETF, or Internet Engineering Task Force,
-is a large open international community of network designers,
-operators, vendors, and researchers concerned with the evolution of
-the Internet architecture and the smooth operation of the Internet.
-It is open to any interested individual.}, described in @acronym{RFC}
-4346 and also in @xcite{RESCORLA}. The protocol provides
-confidentiality, and authentication layers over any reliable transport
-layer. The description, below, refers to @acronym{TLS} 1.0 but also
-applies to @acronym{TLS} 1.1 @xcite{RFC4346} and @acronym{SSL} 3.0,
-since the differences of these protocols are minor. Older protocols
-such as @acronym{SSL} 2.0 are not discussed nor implemented in
-@acronym{GnuTLS} since they are not considered secure today. GnuTLS
-also supports @acronym{X.509} and @acronym{OpenPGP} @xcite{RFC4880}.
-
-@menu
-* TLS layers::
-* The transport layer::
-* The TLS record protocol::
-* The TLS Alert Protocol::
-* The TLS Handshake Protocol::
-* TLS Extensions::
-* Selecting cryptographic key sizes::
-* On SSL 2 and older protocols::
-* On Record Padding::
-* Safe Renegotiation::
-@end menu
-
-@node TLS layers
-@section TLS Layers
-@cindex TLS Layers
-
-@acronym{TLS} is a layered protocol, and consists of the Record
-Protocol, the Handshake Protocol and the Alert Protocol. The Record
-Protocol is to serve all other protocols and is above the transport
-layer. The Record protocol offers symmetric encryption, data
-authenticity, and optionally compression.
-
-The Alert protocol offers some signaling to the other protocols. It
-can help informing the peer for the cause of failures and other error
-conditions. @xref{The Alert Protocol}, for more information. The
-alert protocol is above the record protocol.
-
-The Handshake protocol is responsible for the security parameters'
-negotiation, the initial key exchange and authentication. @xref{The
-Handshake Protocol}, for more information about the handshake
-protocol. The protocol layering in TLS is shown in the figure below.
-
-@image{gnutls-layers,12cm,8cm}
-
-@node The transport layer
-@section The Transport Layer
-@cindex Transport protocol
-
-@acronym{TLS} is not limited to one transport layer, it can be used
-above any transport layer, as long as it is a reliable one. A set of
-functions is provided and their purpose is to load to @acronym{GnuTLS} the
-required callbacks to access the transport layer.
-
-@itemize
-@item @ref{gnutls_transport_set_push_function}
-@item @ref{gnutls_transport_set_pull_function}
-@item @ref{gnutls_transport_set_ptr}
-@item @ref{gnutls_transport_set_lowat}
-@item @ref{gnutls_transport_set_errno}
-@end itemize
-
-These functions accept a callback function as a parameter. The
-callback functions should return the number of bytes written, or -1 on
-error and should set @code{errno} appropriately.
-
-In some environments, setting @code{errno} is unreliable, for example
-Windows have several errno variables in different CRTs, or it may be
-that errno is not a thread-local variable. If this is a concern to
-you, call @code{gnutls_transport_set_errno} with the intended errno
-value instead of setting @code{errno} directly.
-
-@acronym{GnuTLS} currently only interprets the EINTR and EAGAIN errno
-values and returns the corresponding @acronym{GnuTLS} error codes
-@code{GNUTLS_E_INTERRUPTED} and @code{GNUTLS_E_AGAIN}. These values
-are usually returned by interrupted system calls, or when non blocking
-IO is used. All @acronym{GnuTLS} functions can be resumed (called
-again), if any of these error codes is returned. The error codes
-above refer to the system call, not the @acronym{GnuTLS} function,
-since signals do not interrupt @acronym{GnuTLS}' functions.
-
-For non blocking sockets or other custom made pull/push functions
-the @ref{gnutls_transport_set_lowat} must be called, with a zero
-low water mark value.
-
-By default, if the transport functions are not set, @acronym{GnuTLS}
-will use the Berkeley Sockets functions. In this case
-@acronym{GnuTLS} will use some hacks in order for @code{select} to
-work, thus making it easy to add @acronym{TLS} support to existing
-TCP/IP servers.
-
-@node The TLS record protocol
-@section The TLS Record Protocol
-@cindex Record protocol
-
-The Record protocol is the secure communications provider. Its purpose
-is to encrypt, authenticate and ---optionally--- compress packets.
-The following functions are available:
-
-@table @asis
-
-@item @ref{gnutls_record_send}:
-To send a record packet (with application data).
-
-@item @ref{gnutls_record_recv}:
-To receive a record packet (with application data).
-
-@item @ref{gnutls_record_get_direction}:
-To get the direction of the last interrupted function call.
-@end table
-
-As you may have already noticed, the functions which access the Record
-protocol, are quite limited, given the importance of this protocol in
-@acronym{TLS}. This is because the Record protocol's parameters are
-all set by the Handshake protocol.
-
-The Record protocol initially starts with NULL parameters, which means
-no encryption, and no MAC is used. Encryption and authentication begin
-just after the handshake protocol has finished.
-
-@menu
-* Encryption algorithms used in the record layer::
-* Compression algorithms used in the record layer::
-* Weaknesses and countermeasures::
-@end menu
-
-@node Encryption algorithms used in the record layer
-@subsection Encryption Algorithms Used in the Record Layer
-@cindex Symmetric encryption algorithms
-
-Confidentiality in the record layer is achieved by using symmetric
-block encryption algorithms like @code{3DES}, @code{AES}@footnote{AES,
-or Advanced Encryption Standard, is actually the RIJNDAEL algorithm.
-This is the algorithm that replaced DES.}, or stream algorithms like
-@code{ARCFOUR_128}@footnote{@code{ARCFOUR_128} is a compatible
-algorithm with RSA's RC4 algorithm, which is considered to be a trade
-secret.}. Ciphers are encryption algorithms that use a single, secret,
-key to encrypt and decrypt data. Block algorithms in TLS also provide
-protection against statistical analysis of the data. Thus, if you're
-using the @acronym{TLS} protocol, a random number of blocks will be
-appended to data, to prevent eavesdroppers from guessing the actual
-data size.
-
-Supported cipher algorithms:
-
-@table @code
-@item 3DES_CBC
-@code{3DES_CBC} is the DES block cipher algorithm used with triple
-encryption (EDE). Has 64 bits block size and is used in CBC mode.
-
-@item ARCFOUR_128
-ARCFOUR is a fast stream cipher.
-
-@item ARCFOUR_40
-This is the ARCFOUR cipher that is fed with a 40 bit key,
-which is considered weak.
-
-@item AES_CBC
-AES or RIJNDAEL is the block cipher algorithm that replaces the old
-DES algorithm. Has 128 bits block size and is used in CBC mode. This
-is not officially supported in TLS.
-@end table
-
-Supported MAC algorithms:
-
-@table @code
-@item MAC_MD5
-MD5 is a cryptographic hash algorithm designed by Ron Rivest. Outputs
-128 bits of data.
-
-@item MAC_SHA
-SHA is a cryptographic hash algorithm designed by NSA. Outputs 160
-bits of data.
-
-@end table
-
-@node Compression algorithms used in the record layer
-@subsection Compression Algorithms Used in the Record Layer
-@cindex Compression algorithms
-
-The TLS record layer also supports compression. The algorithms
-implemented in @acronym{GnuTLS} can be found in the table below.
-All the algorithms except for DEFLATE which is
-referenced in @xcite{RFC3749}, should be considered as
-@acronym{GnuTLS}' extensions@footnote{You should use
-@ref{gnutls_handshake_set_private_extensions} to enable private
-extensions.}, and should be advertised only when the peer is known to
-have a compliant client, to avoid interoperability problems.
-
-The included algorithms perform really good when text, or other
-compressible data are to be transfered, but offer nothing on already
-compressed data, such as compressed images, zipped archives etc.
-These compression algorithms, may be useful in high bandwidth TLS
-tunnels, and in cases where network usage has to be minimized. As a
-drawback, compression increases latency.
-
-The record layer compression in @acronym{GnuTLS} is implemented based
-on the proposal @xcite{RFC3749}.
-The supported compression algorithms are:
-
-@table @code
-@item DEFLATE
-Zlib compression, using the deflate algorithm.
-
-@item LZO
-LZO is a very fast compression algorithm. This algorithm is only
-available if the @acronym{GnuTLS-extra} library has been initialized
-and the private extensions are enabled, and if GnuTLS was built with
-LZO support.
-
-@end table
-
-@node Weaknesses and countermeasures
-@subsection Weaknesses and Countermeasures
-
-Some weaknesses that may affect the security of the Record layer have
-been found in @acronym{TLS} 1.0 protocol. These weaknesses can be
-exploited by active attackers, and exploit the facts that
-
-@enumerate
-
-@item
-@acronym{TLS} has separate alerts for ``decryption_failed'' and
-``bad_record_mac''
-
-@item
-The decryption failure reason can be detected by timing the response
-time.
-
-@item
-The IV for CBC encrypted packets is the last block of the previous
-encrypted packet.
-
-@end enumerate
-
-Those weaknesses were solved in @acronym{TLS} 1.1 @xcite{RFC4346}
-which is implemented in @acronym{GnuTLS}. For a detailed discussion
-see the archives of the TLS Working Group mailing list and the paper
-@xcite{CBCATT}.
-
-@node The TLS Alert Protocol
-@section The TLS Alert Protocol
-@anchor{The Alert Protocol}
-@cindex Alert protocol
-
-The Alert protocol is there to allow signals to be sent between peers.
-These signals are mostly used to inform the peer about the cause of a
-protocol failure. Some of these signals are used internally by the
-protocol and the application protocol does not have to cope with them
-(see @code{GNUTLS_A_CLOSE_NOTIFY}), and others refer to the
-application protocol solely (see @code{GNUTLS_A_USER_CANCELLED}). An
-alert signal includes a level indication which may be either fatal or
-warning. Fatal alerts always terminate the current connection, and
-prevent future renegotiations using the current session ID.
-
-The alert messages are protected by the record protocol, thus the
-information that is included does not leak. You must take extreme care
-for the alert information not to leak to a possible attacker, via
-public log files etc.
-
-@table @asis
-@item @ref{gnutls_alert_send}:
-To send an alert signal.
-
-@item @ref{gnutls_error_to_alert}:
-To map a gnutls error number to an alert signal.
-
-@item @ref{gnutls_alert_get}:
-Returns the last received alert.
-
-@item @ref{gnutls_alert_get_name}:
-Returns the name, in a character array, of the given alert.
-
-@end table
-
-@node The TLS Handshake Protocol
-@section The TLS Handshake Protocol
-@anchor{The Handshake Protocol}
-@cindex Handshake protocol
-
-The Handshake protocol is responsible for the ciphersuite negotiation,
-the initial key exchange, and the authentication of the two peers.
-This is fully controlled by the application layer, thus your program
-has to set up the required parameters. Available functions to control
-the handshake protocol include:
-
-@table @asis
-@item @ref{gnutls_priority_init}:
-To initialize a priority set of ciphers.
-
-@item @ref{gnutls_priority_deinit}:
-To deinitialize a priority set of ciphers.
-
-@item @ref{gnutls_priority_set}:
-To associate a priority set with a @acronym{TLS} session.
-
-@item @ref{gnutls_priority_set_direct}:
-To directly associate a session with a given priority string.
-
-@item @ref{gnutls_credentials_set}:
-To set the appropriate credentials structures.
-
-@item @ref{gnutls_certificate_server_set_request}:
-To set whether client certificate is required or not.
-
-@item @ref{gnutls_handshake}:
-To initiate the handshake.
-@end table
-
-@subsection TLS Cipher Suites
-
-The Handshake Protocol of @acronym{TLS} negotiates cipher suites of
-the form @code{TLS_DHE_RSA_WITH_3DES_CBC_SHA}. The usual cipher
-suites contain these parameters:
-
-@itemize
-
-@item The key exchange algorithm.
-@code{DHE_RSA} in the example.
-
-@item The Symmetric encryption algorithm and mode
-@code{3DES_CBC} in this example.
-
-@item The MAC@footnote{MAC stands for Message Authentication Code. It can be described as a keyed hash algorithm. See RFC2104.} algorithm used for authentication.
-@code{MAC_SHA} is used in the above example.
-
-@end itemize
-
-The cipher suite negotiated in the handshake protocol will affect the
-Record Protocol, by enabling encryption and data authentication. Note
-that you should not over rely on @acronym{TLS} to negotiate the
-strongest available cipher suite. Do not enable ciphers and algorithms
-that you consider weak.
-
-The priority functions, dicussed above, allow the application layer to
-enable and set priorities on the individual ciphers. It may imply that
-all combinations of ciphersuites are allowed, but this is not
-true. For several reasons, not discussed here, some combinations were
-not defined in the @acronym{TLS} protocol. The supported ciphersuites
-are shown in @ref{ciphersuites}.
-
-@subsection Client Authentication
-@cindex Client Certificate authentication
-
-In the case of ciphersuites that use certificate authentication, the
-authentication of the client is optional in @acronym{TLS}. A server
-may request a certificate from the client --- using the
-@ref{gnutls_certificate_server_set_request} function. If a certificate
-is to be requested from the client during the handshake, the server
-will send a certificate request message that contains a list of
-acceptable certificate signers. In @acronym{GnuTLS} the certificate
-signers list is constructed using the trusted Certificate Authorities
-by the server. That is the ones set using
-@itemize
-@item @ref{gnutls_certificate_set_x509_trust_file}
-@item @ref{gnutls_certificate_set_x509_trust_mem}
-@end itemize
-
-Sending of the names of the CAs can be controlled using
-@ref{gnutls_certificate_send_x509_rdn_sequence}. The client, then, may
-send a certificate, signed by one of the server's acceptable signers.
-
-@subsection Resuming Sessions
-@anchor{resume}
-@cindex Resuming sessions
-
-The @ref{gnutls_handshake} function, is expensive since a lot of
-calculations are performed. In order to support many fast connections
-to the same server a client may use session resuming. @strong{Session
-resuming} is a feature of the @acronym{TLS} protocol which allows a
-client to connect to a server, after a successful handshake, without
-the expensive calculations. This is achieved by using the previously
-established keys. @acronym{GnuTLS} supports this feature, and the
-example (@pxref{ex:resume-client}) illustrates a typical use of it.
-
-Keep in mind that sessions are expired after some time, for security
-reasons, thus it may be normal for a server not to resume a session
-even if you requested that. Also note that you must enable, using the
-priority functions, at least the algorithms used in the last session.
-
-@subsection Resuming Internals
-
-The resuming capability, mostly in the server side, is one of the
-problems of a thread-safe TLS implementations. The problem is that all
-threads must share information in order to be able to resume
-sessions. The gnutls approach is, in case of a client, to leave all
-the burden of resuming to the client. I.e., copy and keep the
-necessary parameters. See the functions:
-
-@itemize
-
-@item @ref{gnutls_session_get_data}
-
-@item @ref{gnutls_session_get_id}
-
-@item @ref{gnutls_session_set_data}
-
-@end itemize
-
-The server side is different. A server has to specify some callback
-functions which store, retrieve and delete session data. These can be
-registered with:
-
-@itemize
-
-@item @ref{gnutls_db_set_remove_function}
-
-@item @ref{gnutls_db_set_store_function}
-
-@item @ref{gnutls_db_set_retrieve_function}
-
-@item @ref{gnutls_db_set_ptr}
-
-@end itemize
-
-It might also be useful to be able to check for expired sessions in
-order to remove them, and save space. The function
-@ref{gnutls_db_check_entry} is provided for that reason.
-
-@node TLS Extensions
-@section TLS Extensions
-@cindex TLS Extensions
-
-A number of extensions to the @acronym{TLS} protocol have been
-proposed mainly in @xcite{TLSEXT}. The extensions supported
-in @acronym{GnuTLS} are:
-
-@itemize
-@item Maximum fragment length negotiation
-@item Server name indication
-@item Session tickets
-@end itemize
-
-and they will be discussed in the subsections that follow.
-
-@subsection Maximum Fragment Length Negotiation
-@cindex TLS Extensions
-@cindex Maximum fragment length
-
-This extension allows a @acronym{TLS} implementation to negotiate a
-smaller value for record packet maximum length. This extension may be
-useful to clients with constrained capabilities. See the
-@ref{gnutls_record_set_max_size} and the
-@ref{gnutls_record_get_max_size} functions.
-
-@subsection Server Name Indication
-@anchor{serverind}
-@cindex TLS Extensions
-@cindex Server name indication
-
-A common problem in @acronym{HTTPS} servers is the fact that the
-@acronym{TLS} protocol is not aware of the hostname that a client
-connects to, when the handshake procedure begins. For that reason the
-@acronym{TLS} server has no way to know which certificate to send.
-
-This extension solves that problem within the @acronym{TLS} protocol,
-and allows a client to send the HTTP hostname before the handshake
-begins within the first handshake packet. The functions
-@ref{gnutls_server_name_set} and @ref{gnutls_server_name_get} can be
-used to enable this extension, or to retrieve the name sent by a
-client.
-
-@subsection Session Tickets
-@cindex TLS Extensions
-@cindex Session Tickets
-@cindex Ticket
-
-To resume a TLS session the server normally store some state. This
-complicates deployment, and typical situations the client can cache
-information and send it to the server instead. The Session Ticket
-extension implements this idea, and it is documented in
-RFC 5077 @xcite{TLSTKT}.
-
-Clients can enable support for TLS tickets with
-@ref{gnutls_session_ticket_enable_client} and servers use
-@ref{gnutls_session_ticket_key_generate} to generate a key and
-@ref{gnutls_session_ticket_enable_server} to enable the extension.
-Clients resume sessions using the ticket using the normal session
-resume functions, @ref{resume}.
-
-@node Selecting cryptographic key sizes
-@section Selecting Cryptographic Key Sizes
-@cindex key sizes
-
-In TLS, since a lot of algorithms are involved, it is not easy to set
-a consistent security level. For this reason this section will
-present some correspondance between key sizes of symmetric algorithms
-and public key algorithms based on the most conservative values of
-@xcite{SELKEY}. Those can be used to generate certificates with
-appropriate key sizes as well as parameters for Diffie-Hellman and SRP
-authentication.
-
-@multitable @columnfractions .15 .20 .20 .20
-
-@item Year
-@tab Symmetric key size
-@tab RSA key size, DH and SRP prime size
-@tab ECC key size
-
-@item 1982
-@tab 56
-@tab 417
-@tab 105
-
-@item 1988
-@tab 61
-@tab 566
-@tab 114
-
-@item 2002
-@tab 72
-@tab 1028
-@tab 139
-
-@item 2015
-@tab 82
-@tab 1613
-@tab 173
-
-@item 2028
-@tab 92
-@tab 2362
-@tab 210
-
-@item 2040
-@tab 101
-@tab 3214
-@tab 244
-
-@item 2050
-@tab 109
-@tab 4047
-@tab 272
-
-@end multitable
-
-The first column provides an estimation of the year until these
-parameters are considered safe and the rest of the columns list the
-parameters for the various algorithms.
-
-Note however that the values suggested here are nothing more than an
-educated guess that is valid today. There are no guarrantees that an
-algorithm will remain unbreakable or that these values will remain
-constant in time. There could be scientific breakthroughs that cannot
-be predicted or total failure of the current public key systems by
-quantum computers. On the other hand though the cryptosystems used in
-TLS are selected in a conservative way and such catastrophic
-breakthroughs or failures are believed to be unlikely.
-
-NIST publication SP 800-57 @xcite{NISTSP80057} contains a similar
-table that extends beyond the key sizes given above.
-
-@multitable @columnfractions .15 .20 .20 .20
-
-@item Bits of security
-@tab Symmetric key algorithms
-@tab RSA key size, DSA, DH and SRP prime size
-@tab ECC key size
-
-@item 80
-@tab 2TDEA
-@tab 1024
-@tab 160-223
-
-@item 112
-@tab 3DES
-@tab 2048
-@tab 224-255
-
-@item 128
-@tab AES-128
-@tab 3072
-@tab 256-383
-
-@item 192
-@tab AES-192
-@tab 7680
-@tab 384-511
-
-@item 256
-@tab AES-256
-@tab 15360
-@tab 512+
-
-@end multitable
-
-The recommendations are fairly consistent.
-
-@node On SSL 2 and older protocols
-@section On SSL 2 and Older Protocols
-@cindex SSL 2
-
-One of the initial decisions in the @acronym{GnuTLS} development was
-to implement the known security protocols for the transport layer.
-Initially @acronym{TLS} 1.0 was implemented since it was the latest at
-that time, and was considered to be the most advanced in security
-properties. Later the @acronym{SSL} 3.0 protocol was implemented
-since it is still the only protocol supported by several servers and
-there are no serious security vulnerabilities known.
-
-One question that may arise is why we didn't implement @acronym{SSL}
-2.0 in the library. There are several reasons, most important being
-that it has serious security flaws, unacceptable for a modern security
-library. Other than that, this protocol is barely used by anyone
-these days since it has been deprecated since 1996. The security
-problems in @acronym{SSL} 2.0 include:
-
-@itemize
-
-@item Message integrity compromised.
-The @acronym{SSLv2} message authentication uses the MD5 function, and
-is insecure.
-
-@item Man-in-the-middle attack.
-There is no protection of the handshake in @acronym{SSLv2}, which
-permits a man-in-the-middle attack.
-
-@item Truncation attack.
-@acronym{SSLv2} relies on TCP FIN to close the session, so the
-attacker can forge a TCP FIN, and the peer cannot tell if it was a
-legitimate end of data or not.
-
-@item Weak message integrity for export ciphers.
-The cryptographic keys in @acronym{SSLv2} are used for both message
-authentication and encryption, so if weak encryption schemes are
-negotiated (say 40-bit keys) the message authentication code use the
-same weak key, which isn't necessary.
-
-@end itemize
-
-@cindex PCT
-Other protocols such as Microsoft's @acronym{PCT} 1 and @acronym{PCT}
-2 were not implemented because they were also abandoned and deprecated
-by @acronym{SSL} 3.0 and later @acronym{TLS} 1.0.
-
-@node On Record Padding
-@section On Record Padding
-@cindex Record padding
-@cindex Bad record MAC
-
-The TLS protocol allows for random padding of records, to make it more
-difficult to perform analysis on the length of exchanged messages.
-(In RFC 4346 this is specified in section 6.2.3.2.) GnuTLS appears to
-be one of few implementation that take advantage of this text, and pad
-records by a random length.
-
-The TLS implementation in the Symbian operating system, frequently
-used by Nokia and Sony-Ericsson mobile phones, cannot handle
-non-minimal record padding. What happens when one of these clients
-handshake with a GnuTLS server is that the client will fail to compute
-the correct MAC for the record. The client sends a TLS alert
-(@code{bad_record_mac}) and disconnects. Typically this will result
-in error messages such as 'A TLS fatal alert has been received', 'Bad
-record MAC', or both, on the GnuTLS server side.
-
-GnuTLS implements a work around for this problem. However, it has to
-be enabled specifically. It can be enabled by using
-@ref{gnutls_record_disable_padding}, or @ref{gnutls_priority_set} with
-the @code{%COMPAT} priority string.
-
-If you implement an application that have a configuration file, we
-recommend that you make it possible for users or administrators to
-specify a GnuTLS protocol priority string, which is used by your
-application via @ref{gnutls_priority_set}. To allow the best
-flexibility, make it possible to have a different priority string for
-different incoming IP addresses.
-
-To enable the workaround in the @code{gnutls-cli} client or the
-@code{gnutls-serv} server, for testing of other implementations, use
-the following parameter: @code{--priority "%COMPAT"}.
-
-This problem has been discussed on mailing lists and in bug reports.
-This section tries to collect all pieces of information that we know
-about the problem. If you wish to go back to the old discussions,
-here are some links:
-
-@url{http://bugs.debian.org/390712}
-
-@url{http://bugs.debian.org/402861}
-
-@url{http://bugs.debian.org/438137}
-
-@url{http://thread.gmane.org/gmane.ietf.tls/3079}
-
-@node Safe Renegotiation
-@section Safe Renegotiation
-@cindex renegotiation
-
-Some application protocols and implementations uses the TLS
-renegotiation feature in a manner that enables attackers to insert
-content of his choice in the beginning of a TLS session.
-
-One easy to understand vulnerability is HTTPS when servers request
-client certificates optionally for certain parts of a web site. The
-attack works by having the attacker simulate a client and connect to a
-server, with server-only authentication, and send some data intended
-to cause harm. When the proper client attempts to contact the server,
-the attacker hijacks that connection and uses the TLS renegotiation
-feature with the server and splices in the client connection to the
-already established connection between the attacker and server. The
-attacker will not be able to read the data exchanged between the
-client and the server. However, the server will (incorrectly) assume
-that the data sent by the attacker was sent by the now authenticated
-client. The result is a prefix plain-text injection attack.
-
-The above is just one example. Other vulnerabilities exists that do
-not rely on the TLS renegotiation to change the client's authenticated
-status (either TLS or application layer).
-
-While fixing these application protocols and implementations would be
-one natural reaction, an extension to TLS has been designed that
-cryptographically binds together any renegotiated handshakes with the
-initial negotiation. When the extension is used, the attack is
-detected and the session can be terminated. The extension is
-specified in @xcite{RFC5746}.
-
-GnuTLS supports the safe renegotiation extension. The default
-behavior is as follows. Clients will attempt to negotiate the safe
-renegotiation extension when talking to servers. Servers will accept
-the extension when presented by clients. Clients and servers will
-permit an initial handshake to complete even when the other side does
-not support the safe renegotiation extension. Clients and servers
-will refuse renegotiation attempts when the extension has not been
-negotiated.
-
-Note that permitting clients to connect to servers even when the safe
-renegotiation extension is not negotiated open up for some attacks.
-Changing this default behaviour would prevent interoperability against
-the majority of deployed servers out there. We will reconsider this
-default behaviour in the future when more servers have been upgraded.
-Note that it is easy to configure clients to always require the safe
-renegotiation extension from servers (see below on the
-%SAFE_RENEGOTIATION priority string).
-
-To modify the default behaviour, we have introduced some new priority
-strings. The priority strings can be used by applications
-(@pxref{gnutls_priority_set}) and end users (e.g., @code{--priority}
-parameter to @code{gnutls-cli} and @code{gnutls-serv}).
-
-The @code{%UNSAFE_RENEGOTIATION} priority string permits
-(re-)handshakes even when the safe renegotiation extension was not
-negotiated. The default behavior is @code{%PARTIAL_RENEGOTIATION} that will
-prevent renegotiation with clients and servers not supporting the
-extension. This is secure for servers but leaves clients vulnerable
-to some attacks, but this is a tradeoff between security and compatibility
-with old servers. The @code{%SAFE_RENEGOTIATION} priority string makes
-clients and servers require the extension for every handshake. The latter
-is the most secure option for clients, at the cost of not being able
-to connect to legacy servers. Servers will also deny clients that
-do not support the extension from connecting.
-
-It is possible to disable use of the extension completely, in both
-clients and servers, by using the @code{%DISABLE_SAFE_RENEGOTIATION}
-priority string however we strongly recommend you to only do this for
-debugging and test purposes.
-
-The default values if the flags above are not specified are:
-@table @code
-
-@item Server:
-%PARTIAL_RENEGOTIATION
-
-@item Client:
-%PARTIAL_RENEGOTIATION
-
-@end table
-
-For applications we have introduced a new API related to safe
-renegotiation. The @ref{gnutls_safe_renegotiation_status} function is
-used to check if the extension has been negotiated on a session, and
-can be used both by clients and servers.
-
-@node Authentication methods
-@chapter Authentication Methods
-
-The @acronym{TLS} protocol provides confidentiality and encryption,
-but also offers authentication, which is a prerequisite for a secure
-connection. The available authentication methods in @acronym{GnuTLS}
-are:
-
-@itemize
-
-@item Certificate authentication
-
-@item Anonymous authentication
-
-@item @acronym{SRP} authentication
-
-@item @acronym{PSK} authentication
-
-@end itemize
-
-@menu
-* Certificate authentication::
-* Anonymous authentication::
-* Authentication using SRP::
-* Authentication using PSK::
-* Authentication and credentials::
-* Parameters stored in credentials::
-@end menu
-
-@node Certificate authentication
-@section Certificate Authentication
-
-@subsection Authentication Using @acronym{X.509} Certificates
-@cindex @acronym{X.509} certificates
-
-@acronym{X.509} certificates contain the public parameters, of a
-public key algorithm, and an authority's signature, which proves the
-authenticity of the parameters. @xref{The X.509 trust model}, for
-more information on @acronym{X.509} protocols.
-
-@subsection Authentication Using @acronym{OpenPGP} Keys
-@cindex @acronym{OpenPGP} Keys
-
-@acronym{OpenPGP} keys also contain public parameters of a public key
-algorithm, and signatures from several other parties. Depending on
-whether a signer is trusted the key is considered trusted or not.
-@acronym{GnuTLS}'s @acronym{OpenPGP} authentication implementation is
-based on the @xcite{TLSPGP} proposal.
-
-@xref{The OpenPGP trust model}, for more information about the
-@acronym{OpenPGP} trust model. For a more detailed introduction to
-@acronym{OpenPGP} and @acronym{GnuPG} see @xcite{GPGH}.
-
-@subsection Using Certificate Authentication
-
-In @acronym{GnuTLS} both the @acronym{OpenPGP} and @acronym{X.509}
-certificates are part of the certificate authentication and thus are
-handled using a common API.
-
-When using certificates the server is required to have at least one
-certificate and private key pair. A client may or may not have such a
-pair. The certificate and key pair should be loaded, before any
-@acronym{TLS} session is initialized, in a certificate credentials
-structure. This should be done by using
-@ref{gnutls_certificate_set_x509_key_file} or
-@ref{gnutls_certificate_set_openpgp_key_file} depending on the
-certificate type. In the @acronym{X.509} case, the functions will
-also accept and use a certificate list that leads to a trusted
-authority. The certificate list must be ordered in such way that every
-certificate certifies the one before it. The trusted authority's
-certificate need not to be included, since the peer should possess it
-already.
-
-As an alternative, a callback may be used so the server or the client
-specify the certificate and the key at the handshake time. That
-callback can be set using the functions:
-
-@itemize
-
-@item @ref{gnutls_certificate_server_set_retrieve_function}
-
-@item @ref{gnutls_certificate_client_set_retrieve_function}
-
-@end itemize
-
-Clients and servers that will select certificates using callback
-functions should select a certificate according the peer's signature
-algorithm preferences. To get those preferences use
-@ref{gnutls_sign_algorithm_get_requested}.
-
-Certificate verification is possible by loading the trusted
-authorities into the credentials structure by using
-@ref{gnutls_certificate_set_x509_trust_file} or
-@ref{gnutls_certificate_set_openpgp_keyring_file} for openpgp
-keys. Note however that the peer's certificate is not automatically
-verified, you should call @ref{gnutls_certificate_verify_peers2},
-after a successful handshake, to verify the signatures of the
-certificate. An alternative way, which reports a more detailed
-verification output, is to use @ref{gnutls_certificate_get_peers} to
-obtain the raw certificate of the peer and verify it using the
-functions discussed in @ref{The X.509 trust model}.
-
-In a handshake, the negotiated cipher suite depends on the
-certificate's parameters, so not all key exchange methods will be
-available with some certificates. @acronym{GnuTLS} will disable
-ciphersuites that are not compatible with the key, or the enabled
-authentication methods. For example keys marked as sign-only, will
-not be able to access the plain RSA ciphersuites, but only the
-@code{DHE_RSA} ones. It is recommended not to use RSA keys for both
-signing and encryption. If possible use the same key for the
-@code{DHE_RSA} and @code{RSA_EXPORT} ciphersuites, which use signing,
-and a different key for the plain RSA ciphersuites, which use
-encryption. All the key exchange methods shown below are available in
-certificate authentication.
-
-Note that the DHE key exchange methods are generally
-slower@footnote{It really depends on the group used. Primes with
-lesser bits are always faster, but also easier to break. Values less
-than 768 should not be used today} than plain RSA and require Diffie
-Hellman parameters to be generated and associated with a credentials
-structure, by the server. The @code{RSA-EXPORT} method also requires
-512 bit RSA parameters, that should also be generated and associated
-with the credentials structure. See the functions:
-
-@itemize
-
-@item @ref{gnutls_dh_params_generate2}
-
-@item @ref{gnutls_certificate_set_dh_params}
-
-@item @ref{gnutls_rsa_params_generate2}
-
-@item @ref{gnutls_certificate_set_rsa_export_params}
-
-@end itemize
-
-Sometimes in order to avoid bottlenecks in programs it is usefull to
-store and read parameters from formats that can be generated by
-external programs such as @code{certtool}. This is possible with
-@acronym{GnuTLS} by using the following functions:
-
-@itemize
-
-@item @ref{gnutls_dh_params_import_pkcs3}
-
-@item @ref{gnutls_rsa_params_import_pkcs1}
-
-@item @ref{gnutls_dh_params_export_pkcs3}
-
-@item @ref{gnutls_rsa_params_export_pkcs1}
-
-@end itemize
-
-Key exchange algorithms for @acronym{OpenPGP} and @acronym{X.509}
-certificates:
-
-@table @code
-
-@item RSA:
-The RSA algorithm is used to encrypt a key and send it to the peer.
-The certificate must allow the key to be used for encryption.
-
-@item RSA_EXPORT:
-The RSA algorithm is used to encrypt a key and send it to the peer.
-In the EXPORT algorithm, the server signs temporary RSA parameters of
-512 bits --- which are considered weak --- and sends them to the
-client.
-
-@item DHE_RSA:
-The RSA algorithm is used to sign Ephemeral Diffie-Hellman parameters
-which are sent to the peer. The key in the certificate must allow the
-key to be used for signing. Note that key exchange algorithms which
-use Ephemeral Diffie-Hellman parameters, offer perfect forward
-secrecy. That means that even if the private key used for signing is
-compromised, it cannot be used to reveal past session data.
-
-@item DHE_DSS:
-The DSS algorithm is used to sign Ephemeral Diffie-Hellman parameters
-which are sent to the peer. The certificate must contain DSA
-parameters to use this key exchange algorithm. DSS stands for Digital
-Signature Standard.
-
-@end table
-
-@node Anonymous authentication
-@section Anonymous Authentication
-@cindex Anonymous authentication
-
-The anonymous key exchange performs encryption but there is no
-indication of the identity of the peer. This kind of authentication
-is vulnerable to a man in the middle attack, but this protocol can be
-used even if there is no prior communication and trusted parties with
-the peer, or when full anonymity is required. Unless really required,
-do not use anonymous authentication. Available key exchange methods
-are shown below.
-
-Note that the key exchange methods for anonymous authentication
-require Diffie-Hellman parameters to be generated by the server and
-associated with an anonymous credentials structure.
-
-Supported anonymous key exchange algorithms:
-
-@table @code
-
-@item ANON_DH:
-This algorithm exchanges Diffie-Hellman parameters.
-
-@end table
-
-@node Authentication using SRP
-@section Authentication using @acronym{SRP}
-@cindex @acronym{SRP} authentication
-
-Authentication via the Secure Remote Password protocol,
-@acronym{SRP}@footnote{@acronym{SRP} is described in @xcite{RFC2945}},
-is supported. The @acronym{SRP} key exchange is an extension to the
-@acronym{TLS} protocol, and it is a password based authentication
-(unlike @acronym{X.509} or @acronym{OpenPGP} that use certificates).
-The two peers can be identified using a single password, or there can
-be combinations where the client is authenticated using @acronym{SRP}
-and the server using a certificate.
-
-The advantage of @acronym{SRP} authentication, over other proposed
-secure password authentication schemes, is that @acronym{SRP} does not
-require the server to hold the user's password. This kind of
-protection is similar to the one used traditionally in the @emph{UNIX}
-@file{/etc/passwd} file, where the contents of this file did not cause
-harm to the system security if they were revealed. The @acronym{SRP}
-needs instead of the plain password something called a verifier, which
-is calculated using the user's password, and if stolen cannot be used
-to impersonate the user. Check @xcite{TOMSRP} for a detailed
-description of the @acronym{SRP} protocol and the Stanford
-@acronym{SRP} libraries, which includes a PAM module that synchronizes
-the system's users passwords with the @acronym{SRP} password
-files. That way @acronym{SRP} authentication could be used for all the
-system's users.
-
-The implementation in @acronym{GnuTLS} is based on paper
-@xcite{TLSSRP}. The supported @acronym{SRP} key exchange methods are:
-
-@table @code
-
-@item SRP:
-Authentication using the @acronym{SRP} protocol.
-
-@item SRP_DSS:
-Client authentication using the @acronym{SRP} protocol. Server is
-authenticated using a certificate with DSA parameters.
-
-@item SRP_RSA:
-Client authentication using the @acronym{SRP} protocol. Server is
-authenticated using a certificate with RSA parameters.
-
-@end table
-
-If clients supporting @acronym{SRP} know the username and password
-before the connection, should initialize the client credentials and
-call the function @ref{gnutls_srp_set_client_credentials}.
-Alternatively they could specify a callback function by using the
-function @ref{gnutls_srp_set_client_credentials_function}. This has
-the advantage that allows probing the server for @acronym{SRP}
-support. In that case the callback function will be called twice per
-handshake. The first time is before the ciphersuite is negotiated,
-and if the callback returns a negative error code, the callback will
-be called again if @acronym{SRP} has been negotiated. This uses a
-special @acronym{TLS}-@acronym{SRP} handshake idiom in order to avoid,
-in interactive applications, to ask the user for @acronym{SRP}
-password and username if the server does not negotiate an
-@acronym{SRP} ciphersuite.
-
-In server side the default behaviour of @acronym{GnuTLS} is to read
-the usernames and @acronym{SRP} verifiers from password files. These
-password files are the ones used by the @emph{Stanford srp libraries}
-and can be specified using the
-@ref{gnutls_srp_set_server_credentials_file}. If a different
-password file format is to be used, then the function
-@ref{gnutls_srp_set_server_credentials_function}, should be called,
-in order to set an appropriate callback.
-
-Some helper functions such as
-
-@itemize
-
-@item @ref{gnutls_srp_verifier}
-
-@item @ref{gnutls_srp_base64_encode}
-
-@item @ref{gnutls_srp_base64_decode}
-
-@end itemize
-
-are included in @acronym{GnuTLS}, and can be used to generate and
-maintain @acronym{SRP} verifiers and password files. A program to
-manipulate the required parameters for @acronym{SRP} authentication is
-also included. @xref{srptool}, for more information.
-
-
-@node Authentication using PSK
-@section Authentication using @acronym{PSK}
-@cindex @acronym{PSK} authentication
-
-Authentication using Pre-shared keys is a method to authenticate using
-usernames and binary keys. This protocol avoids making use of public
-key infrastructure and expensive calculations, thus it is suitable for
-constraint clients.
-
-The implementation in @acronym{GnuTLS} is based on paper
-@xcite{TLSPSK}. The supported @acronym{PSK} key exchange methods are:
-
-@table @code
-
-@item PSK:
-Authentication using the @acronym{PSK} protocol.
-
-@item DHE-PSK:
-Authentication using the @acronym{PSK} protocol and Diffie-Hellman key
-exchange. This method offers perfect forward secrecy.
-
-@end table
-
-Clients supporting @acronym{PSK} should supply the username and key
-before the connection to the client credentials by calling the
-function @ref{gnutls_psk_set_client_credentials}. Alternatively they
-could specify a callback function by using the function
-@ref{gnutls_psk_set_client_credentials_function}. This has the
-advantage that the callback will be called only if @acronym{PSK} has
-been negotiated.
-
-In server side the default behaviour of @acronym{GnuTLS} is to read
-the usernames and @acronym{PSK} keys from a password file. The
-password file should contain usernames and keys in hexadecimal
-format. The name of the password file can be stored to the credentials
-structure by calling @ref{gnutls_psk_set_server_credentials_file}. If
-a different password file format is to be used, then the function
-@ref{gnutls_psk_set_server_credentials_function}, should be used
-instead.
-
-The server can help the client chose a suitable username and password,
-by sending a hint. In the server, specify the hint by calling
-@ref{gnutls_psk_set_server_credentials_hint}. The client can retrieve
-the hint, for example in the callback function, using
-@ref{gnutls_psk_client_get_hint}.
-
-There is no standard mechanism to derive a PSK key from a password
-specified by the TLS PSK document. However, GnuTLS provides
-@ref{gnutls_psk_netconf_derive_key} which follows the algorithm
-specified in @file{draft-ietf-netconf-tls-02.txt}.
-
-Some helper functions such as:
-
-@itemize
-
-@item @ref{gnutls_hex_encode}
-
-@item @ref{gnutls_hex_decode}
-
-@end itemize
-
-are included in @acronym{GnuTLS}, and may be used to generate and
-maintain @acronym{PSK} keys.
-
-
-@node Authentication and credentials
-@section Authentication and Credentials
-
-In @acronym{GnuTLS} every key exchange method is associated with a
-credentials type. So in order to enable to enable a specific method,
-the corresponding credentials type should be initialized and set using
-@ref{gnutls_credentials_set}. A mapping is shown below.
-
-Key exchange algorithms and the corresponding credential types:
-
-@multitable @columnfractions .3 .3 .3
-
-@headitem Key exchange @tab Client credentials @tab Server credentials
-
-@item @code{KX_RSA}
-@item @code{KX_DHE_RSA}
-@item @code{KX_DHE_DSS}
-@item @code{KX_RSA_EXPORT}
-@tab @code{CRD_CERTIFICATE}
-@tab @code{CRD_CERTIFICATE}
-
-@item @code{KX_SRP_RSA}
-@tab @code{CRD_SRP}
-@tab @code{CRD_SRP}
-@item @code{KX_SRP_DSS}
-@tab
-@tab @code{CRD_CERTIFICATE}
-
-@item @code{KX_SRP}
-@tab @code{CRD_SRP}
-@tab @code{CRD_SRP}
-
-@item @code{KX_ANON_DH}
-@tab @code{CRD_ANON}
-@tab @code{CRD_ANON}
-
-@item @code{KX_PSK}
-@tab @code{CRD_PSK}
-@tab @code{CRD_PSK}
-
-@end multitable
-
-@node Parameters stored in credentials
-@section Parameters Stored in Credentials
-
-Several parameters such as the ones used for Diffie-Hellman
-authentication are stored within the credentials structures, so all
-sessions can access them. Those parameters are stored in structures
-such as @code{gnutls_dh_params_t} and @code{gnutls_rsa_params_t}, and
-functions like @ref{gnutls_certificate_set_dh_params} and
-@ref{gnutls_certificate_set_rsa_export_params} can be used to
-associate those parameters with the given credentials structure.
-
-Since those parameters need to be renewed from time to time and a
-global structure such as the credentials, may not be easy to modify
-since it is accessible by all sessions, an alternative interface is
-available using a callback function. This can be set using the
-@ref{gnutls_certificate_set_params_function}. An example is shown
-below.
-
-@example
-#include <gnutls.h>
-
-gnutls_rsa_params_t rsa_params;
-gnutls_dh_params_t dh_params;
-
-/* This function will be called once a session requests DH
- * or RSA parameters. The parameters returned (if any) will
- * be used for the first handshake only.
- */
-static int get_params( gnutls_session_t session,
- gnutls_params_type_t type,
- gnutls_params_st *st)
-@{
- if (type == GNUTLS_PARAMS_RSA_EXPORT)
- st->params.rsa_export = rsa_params;
- else if (type == GNUTLS_PARAMS_DH)
- st->params.dh = dh_params;
- else return -1;
-
- st->type = type;
- /* do not deinitialize those parameters.
- */
- st->deinit = 0;
-
- return 0;
-@}
-
-int main()
-@{
- gnutls_certificate_credentials_t cert_cred;
-
- initialize_params();
-
- /* ...
- */
-
- gnutls_certificate_set_params_function( cert_cred, get_params);
-@}
-@end example
-
-@node More on certificate authentication
-@chapter More on Certificate Authentication
-@anchor{Certificate Authentication}
-@cindex Certificate authentication
-
-@menu
-* The X.509 trust model::
-* The OpenPGP trust model::
-* Digital signatures::
-@end menu
-
-@node The X.509 trust model
-@section The @acronym{X.509} Trust Model
-@cindex @acronym{X.509} certificates
-
-The @acronym{X.509} protocols rely on a hierarchical trust model. In
-this trust model Certification Authorities (CAs) are used to certify
-entities. Usually more than one certification authorities exist, and
-certification authorities may certify other authorities to issue
-certificates as well, following a hierarchical model.
-
-@image{gnutls-x509,7cm,9.5cm}
-
-One needs to trust one or more CAs for his secure communications. In
-that case only the certificates issued by the trusted authorities are
-acceptable. See the figure above for a typical example. The API for
-handling @acronym{X.509} certificates is described at section
-@ref{sec:x509api}. Some examples are listed below.
-
-@menu
-* X.509 certificates::
-* Verifying X.509 certificate paths::
-* PKCS #10 certificate requests::
-* PKCS #12 structures::
-@end menu
-
-@node X.509 certificates
-@subsection @acronym{X.509} Certificates
-
-An @acronym{X.509} certificate usually contains information about the
-certificate holder, the signer, a unique serial number, expiration
-dates and some other fields @xcite{PKIX} as shown in the table below.
-
-@table @code
-
-@item version:
-The field that indicates the version of the certificate.
-
-@item serialNumber:
-This field holds a unique serial number per certificate.
-
-@item issuer:
-Holds the issuer's distinguished name.
-
-@item validity:
-The activation and expiration dates.
-
-@item subject:
-The subject's distinguished name of the certificate.
-
-@item extensions:
-The extensions are fields only present in version 3 certificates.
-
-@end table
-
-The certificate's @emph{subject or issuer name} is not just a single
-string. It is a Distinguished name and in the @acronym{ASN.1}
-notation is a sequence of several object IDs with their corresponding
-values. Some of available OIDs to be used in an @acronym{X.509}
-distinguished name are defined in @file{gnutls/x509.h}.
-
-The @emph{Version} field in a certificate has values either 1 or 3 for
-version 3 certificates. Version 1 certificates do not support the
-extensions field so it is not possible to distinguish a CA from a
-person, thus their usage should be avoided.
-
-The @emph{validity} dates are there to indicate the date that the
-specific certificate was activated and the date the certificate's key
-would be considered invalid.
-
-Certificate @emph{extensions} are there to include information about
-the certificate's subject that did not fit in the typical certificate
-fields. Those may be e-mail addresses, flags that indicate whether the
-belongs to a CA etc. All the supported @acronym{X.509} version 3
-extensions are shown in the table below.
-
-@table @code
-
-@item subject key id (2.5.29.14):
-An identifier of the key of the subject.
-
-@item authority key id (2.5.29.35):
-An identifier of the authority's key used to sign the certificate.
-
-@item subject alternative name (2.5.29.17):
-Alternative names to subject's distinguished name.
-
-@item key usage (2.5.29.15):
-Constraints the key's usage of the certificate.
-
-@item extended key usage (2.5.29.37):
-Constraints the purpose of the certificate.
-
-@item basic constraints (2.5.29.19):
-Indicates whether this is a CA certificate or not, and specify the
-maximum path lengths of certificate chains.
-
-@item CRL distribution points (2.5.29.31):
-This extension is set by the CA, in order to inform about the issued
-CRLs.
-
-@item Proxy Certification Information (1.3.6.1.5.5.7.1.14):
-Proxy Certificates includes this extension that contains the OID of
-the proxy policy language used, and can specify limits on the maximum
-lengths of proxy chains. Proxy Certificates are specified in
-@xcite{RFC3820}.
-
-@end table
-
-In @acronym{GnuTLS} the @acronym{X.509} certificate structures are
-handled using the @code{gnutls_x509_crt_t} type and the corresponding
-private keys with the @code{gnutls_x509_privkey_t} type. All the
-available functions for @acronym{X.509} certificate handling have
-their prototypes in @file{gnutls/x509.h}. An example program to
-demonstrate the @acronym{X.509} parsing capabilities can be found at
-section @ref{ex:x509-info}.
-
-@node Verifying X.509 certificate paths
-@subsection Verifying @acronym{X.509} Certificate Paths
-@cindex Verifying certificate paths
-
-Verifying certificate paths is important in @acronym{X.509}
-authentication. For this purpose the function
-@ref{gnutls_x509_crt_verify} is provided. The output of this function
-is the bitwise OR of the elements of the
-@code{gnutls_certificate_status_t} enumeration. A detailed
-description of these elements can be found in figure below. The
-function @ref{gnutls_certificate_verify_peers2} is equivalent to the
-previous one, and will verify the peer's certificate in a TLS session.
-
-@table @code
-
-@item GNUTLS_CERT_INVALID:
-The certificate is not signed by one of the known authorities, or
-the signature is invalid.
-
-@item GNUTLS_CERT_REVOKED:
-The certificate has been revoked by its CA.
-
-@item GNUTLS_CERT_SIGNER_NOT_FOUND:
-The certificate's issuer is not known. This is the case when the
-issuer is not in the trusted certificates list.
-
-@item GNUTLS_CERT_SIGNER_NOT_CA:
-The certificate's signer was not a CA. This may happen if
-this was a version 1 certificate, which is common with some CAs, or
-a version 3 certificate without the basic constrains extension.
-
-@anchor{GNUTLS_CERT_INSECURE_ALGORITHM}
-@item GNUTLS_CERT_INSECURE_ALGORITHM:
-The certificate was signed using an insecure algorithm such as MD2 or
-MD5. These algorithms have been broken and should not be trusted.
-
-@end table
-
-There is also to possibility to pass some input to the verification
-functions in the form of flags. For @ref{gnutls_x509_crt_verify} the
-flags are passed straightforward, but
-@ref{gnutls_certificate_verify_peers2} depends on the flags set by
-calling @ref{gnutls_certificate_set_verify_flags}. All the available
-flags are part of the enumeration
-@ref{gnutls_certificate_verify_flags} and are explained in the table
-below.
-
-@anchor{gnutls_certificate_verify_flags}
-@tindex gnutls_certificate_verify_flags
-@table @code
-@item GNUTLS_VERIFY_DISABLE_CA_SIGN:
-If set a signer does not have to be a certificate authority. This
-flag should normaly be disabled, unless you know what this means.
-
-@item GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT:
-Allow only trusted CA certificates that have version 1. This is
-safer than GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT, and should be
-used instead. That way only signers in your trusted list will be
-allowed to have certificates of version 1.
-
-@item GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT:
-Allow CA certificates that have version 1 (both root and
-intermediate). This is dangerous since those haven't the
-basicConstraints extension. Must be used in combination with
-GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT.
-
-@item GNUTLS_VERIFY_DO_NOT_ALLOW_SAME:
-If a certificate is not signed by anyone trusted but exists in
-the trusted CA list do not treat it as trusted.
-
-@item GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2:
-Allow certificates to be signed using the old MD2 algorithm.
-
-@item GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5:
-Allow certificates to be signed using the broken MD5 algorithm.
-@end table
-
-Although the verification of a certificate path indicates that the
-certificate is signed by trusted authority, does not reveal anything
-about the peer's identity. It is required to verify if the
-certificate's owner is the one you expect. For more information
-consult @xcite{RFC2818} and section @ref{ex:verify} for an example.
-
-@node PKCS #10 certificate requests
-@subsection @acronym{PKCS} #10 Certificate Requests
-@cindex Certificate requests
-@cindex @acronym{PKCS} #10
-
-A certificate request is a structure, which contain information about
-an applicant of a certificate service. It usually contains a private
-key, a distinguished name and secondary data such as a challenge
-password. @acronym{GnuTLS} supports the requests defined in
-@acronym{PKCS} #10 @xcite{RFC2986}. Other certificate request's format
-such as PKIX's @xcite{RFC4211} are not currently supported.
-
-In @acronym{GnuTLS} the @acronym{PKCS} #10 structures are handled
-using the @code{gnutls_x509_crq_t} type. An example of a certificate
-request generation can be found at section @ref{ex:crq}.
-
-@node PKCS #12 structures
-@subsection @acronym{PKCS} #12 Structures
-@cindex @acronym{PKCS} #12
-
-A @acronym{PKCS} #12 structure @xcite{PKCS12} usually contains a user's
-private keys and certificates. It is commonly used in browsers to
-export and import the user's identities.
-
-In @acronym{GnuTLS} the @acronym{PKCS} #12 structures are handled
-using the @code{gnutls_pkcs12_t} type. This is an abstract type that
-may hold several @code{gnutls_pkcs12_bag_t} types. The Bag types are
-the holders of the actual data, which may be certificates, private
-keys or encrypted data. An Bag of type encrypted should be decrypted
-in order for its data to be accessed.
-
-An example of a @acronym{PKCS} #12 structure generation can be found
-at section @ref{ex:pkcs12}.
-
-@node The OpenPGP trust model
-@section The @acronym{OpenPGP} Trust Model
-@cindex @acronym{OpenPGP} Keys
-
-The @acronym{OpenPGP} key authentication relies on a distributed trust
-model, called the ``web of trust''. The ``web of trust'' uses a
-decentralized system of trusted introducers, which are the same as a
-CA. @acronym{OpenPGP} allows anyone to sign anyone's else public
-key. When Alice signs Bob's key, she is introducing Bob's key to
-anyone who trusts Alice. If someone trusts Alice to introduce keys,
-then Alice is a trusted introducer in the mind of that observer.
-
-@image{gnutls-pgp,11cm,9cm}
-
-For example: If David trusts Alice to be an introducer, and Alice
-signed Bob's key, Dave also trusts Bob's key to be the real one.
-
-There are some key points that are important in that model. In the
-example Alice has to sign Bob's key, only if she is sure that the key
-belongs to Bob. Otherwise she may also make Dave falsely believe that
-this is Bob's key. Dave has also the responsibility to know who to
-trust. This model is similar to real life relations.
-
-Just see how Charlie behaves in the previous example. Although he has
-signed Bob's key - because he knows, somehow, that it belongs to Bob -
-he does not trust Bob to be an introducer. Charlie decided to trust
-only Kevin, for some reason. A reason could be that Bob is lazy
-enough, and signs other people's keys without being sure that they
-belong to the actual owner.
-
-@subsection @acronym{OpenPGP} Keys
-
-In @acronym{GnuTLS} the @acronym{OpenPGP} key structures
-@xcite{RFC2440} are handled using the @code{gnutls_openpgp_crt_t} type
-and the corresponding private keys with the
-@code{gnutls_openpgp_privkey_t} type. All the prototypes for the key
-handling functions can be found at @file{gnutls/openpgp.h}.
-
-@subsection Verifying an @acronym{OpenPGP} Key
-
-The verification functions of @acronym{OpenPGP} keys, included in
-@acronym{GnuTLS}, are simple ones, and do not use the features of the
-``web of trust''. For that reason, if the verification needs are
-complex, the assistance of external tools like @acronym{GnuPG} and
-GPGME (@url{http://www.gnupg.org/related_software/gpgme/}) is
-recommended.
-
-There is one verification function in @acronym{GnuTLS}, the
-@ref{gnutls_openpgp_crt_verify_ring}. This checks an
-@acronym{OpenPGP} key against a given set of public keys (keyring) and
-returns the key status. The key verification status is the same as in
-@acronym{X.509} certificates, although the meaning and interpretation
-are different. For example an @acronym{OpenPGP} key may be valid, if
-the self signature is ok, even if no signers were found. The meaning
-of verification status is shown in the figure below.
-
-@table @code
-
-@item CERT_INVALID:
-A signature on the key is invalid. That means that the key was
-modified by somebody, or corrupted during transport.
-
-@item CERT_REVOKED:
-The key has been revoked by its owner.
-
-@item CERT_SIGNER_NOT_FOUND:
-The key was not signed by a known signer.
-
-@item GNUTLS_CERT_INSECURE_ALGORITHM:
-The certificate was signed using an insecure algorithm such as MD2 or
-MD5. These algorithms have been broken and should not be trusted.
-
-@end table
-
-@node Digital signatures
-@section Digital Signatures
-@cindex Digital signatures
-
-In this section we will provide some information about digital
-signatures, how they work, and give the rationale for disabling some
-of the algorithms used.
-
-Digital signatures work by using somebody's secret key to sign some
-arbitrary data. Then anybody else could use the public key of that
-person to verify the signature. Since the data may be arbitrary it is
-not suitable input to a cryptographic digital signature algorithm. For
-this reason and also for performance cryptographic hash algorithms are
-used to preprocess the input to the signature algorithm. This works as
-long as it is difficult enough to generate two different messages with
-the same hash algorithm output. In that case the same signature could
-be used as a proof for both messages. Nobody wants to sign an innocent
-message of donating 1 @euro{} to Greenpeace and find out that he
-donated 1.000.000 @euro{} to Bad Inc.
-
-For a hash algorithm to be called cryptographic the following three
-requirements must hold:
-
-@enumerate
-@item Preimage resistance.
-That means the algorithm must be one way and given the output of the
-hash function @math{H(x)}, it is impossible to calculate @math{x}.
-
-@item 2nd preimage resistance.
-That means that given a pair @math{x,y} with @math{y=H(x)} it is
-impossible to calculate an @math{x'} such that @math{y=H(x')}.
-
-@item Collision resistance.
-That means that it is impossible to calculate random @math{x} and
-@math{x'} such @math{H(x')=H(x)}.
-@end enumerate
-
-The last two requirements in the list are the most important in
-digital signatures. These protect against somebody who would like to
-generate two messages with the same hash output. When an algorithm is
-considered broken usually it means that the Collision resistance of
-the algorithm is less than brute force. Using the birthday paradox the
-brute force attack takes
-@iftex
-@math{2^{(\rm{hash\ size}) / 2}}
-@end iftex
-@ifnottex
-@math{2^{((hash size) / 2)}}
-@end ifnottex
-operations. Today colliding certificates using the MD5 hash algorithm
-have been generated as shown in @xcite{WEGER}.
-
-There has been cryptographic results for the SHA-1 hash algorithms as
-well, although they are not yet critical. Before 2004, MD5 had a
-presumed collision strength of @math{2^{64}}, but it has been showed
-to have a collision strength well under @math{2^{50}}. As of November
-2005, it is believed that SHA-1's collision strength is around
-@math{2^{63}}. We consider this sufficiently hard so that we still
-support SHA-1. We anticipate that SHA-256/386/512 will be used in
-publicly-distributed certificates in the future. When @math{2^{63}}
-can be considered too weak compared to the computer power available
-sometime in the future, SHA-1 will be disabled as well. The collision
-attacks on SHA-1 may also get better, given the new interest in tools
-for creating them.
-
-@subsection Trading Security for Interoperability
-
-If you connect to a server and use GnuTLS' functions to verify the
-certificate chain, and get a @ref{GNUTLS_CERT_INSECURE_ALGORITHM}
-validation error (@pxref{Verifying X.509 certificate paths}), it means
-that somewhere in the certificate chain there is a certificate signed
-using @code{RSA-MD2} or @code{RSA-MD5}. These two digital signature
-algorithms are considered broken, so GnuTLS fail when attempting to
-verify the certificate. In some situations, it may be useful to be
-able to verify the certificate chain anyway, assuming an attacker did
-not utilize the fact that these signatures algorithms are broken.
-This section will give help on how to achieve that.
-
-First, it is important to know that you do not have to enable any of
-the flags discussed here to be able to use trusted root CA
-certificates signed using @code{RSA-MD2} or @code{RSA-MD5}. The only
-attack today is that it is possible to generate certificates with
-colliding signatures (collision resistance); you cannot generate a
-certificate that has the same signature as an already existing
-signature (2nd preimage resistance).
-
-If you are using @ref{gnutls_certificate_verify_peers2} to verify the
-certificate chain, you can call
-@ref{gnutls_certificate_set_verify_flags} with the
-@code{GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2} or
-@code{GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5} flag, as in:
-
-@example
- gnutls_certificate_set_verify_flags (x509cred,
- GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5);
-@end example
-
-This will tell the verifier algorithm to enable @code{RSA-MD5} when
-verifying the certificates.
-
-If you are using @ref{gnutls_x509_crt_verify} or
-@ref{gnutls_x509_crt_list_verify}, you can pass the
-@code{GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5} parameter directly in the
-@code{flags} parameter.
-
-If you are using these flags, it may also be a good idea to warn the
-user when verification failure occur for this reason. The simplest is
-to not use the flags by default, and only fall back to using them
-after warning the user. If you wish to inspect the certificate chain
-yourself, you can use @ref{gnutls_certificate_get_peers} to extract
-the raw server's certificate chain, then use
-@ref{gnutls_x509_crt_import} to parse each of the certificates, and
-then use @ref{gnutls_x509_crt_get_signature_algorithm} to find out the
-signing algorithm used for each certificate. If any of the
-intermediary certificates are using @code{GNUTLS_SIGN_RSA_MD2} or
-@code{GNUTLS_SIGN_RSA_MD5}, you could present a warning.
-
-
-
-@node How to use TLS in application protocols
-@chapter How To Use @acronym{TLS} in Application Protocols
-
-This chapter is intended to provide some hints on how to use the
-@acronym{TLS} over simple custom made application protocols. The
-discussion below mainly refers to the @emph{TCP/IP} transport layer
-but may be extended to other ones too.
-
-@menu
-* Separate ports::
-* Upward negotiation::
-@end menu
-
-@node Separate ports
-@section Separate Ports
-
-Traditionally @acronym{SSL} was used in application protocols by
-assigning a new port number for the secure services. That way two
-separate ports were assigned, one for the non secure sessions, and one
-for the secured ones. This has the benefit that if a user requests a
-secure session then the client will try to connect to the secure port
-and fail otherwise. The only possible attack with this method is a
-denial of service one. The most famous example of this method is the
-famous ``HTTP over TLS'' or @acronym{HTTPS} protocol @xcite{RFC2818}.
-
-Despite its wide use, this method is not as good as it seems. This
-approach starts the @acronym{TLS} Handshake procedure just after the
-client connects on the ---so called--- secure port. That way the
-@acronym{TLS} protocol does not know anything about the client, and
-popular methods like the host advertising in HTTP do not
-work@footnote{See also the Server Name Indication extension on
-@ref{serverind}.}. There is no way for the client to say ``I
-connected to YYY server'' before the Handshake starts, so the server
-cannot possibly know which certificate to use.
-
-Other than that it requires two separate ports to run a single
-service, which is unnecessary complication. Due to the fact that there
-is a limitation on the available privileged ports, this approach was
-soon obsoleted.
-
-@node Upward negotiation
-@section Upward Negotiation
-
-Other application protocols@footnote{See LDAP, IMAP etc.} use a
-different approach to enable the secure layer. They use something
-called the ``TLS upgrade'' method. This method is quite tricky but it
-is more flexible. The idea is to extend the application protocol to
-have a ``STARTTLS'' request, whose purpose it to start the TLS
-protocols just after the client requests it. This is a really neat
-idea and does not require an extra port.
-
-This method is used by almost all modern protocols and there is even
-the @xcite{RFC2817} paper which proposes extensions to HTTP to support
-it.
-
-The tricky part, in this method, is that the ``STARTTLS'' request is
-sent in the clear, thus is vulnerable to modifications. A typical
-attack is to modify the messages in a way that the client is fooled
-and thinks that the server does not have the ``STARTTLS'' capability.
-See a typical conversation of a hypothetical protocol:
-
-@quotation
-(client connects to the server)
-
-CLIENT: HELLO I'M MR. XXX
-
-SERVER: NICE TO MEET YOU XXX
-
-CLIENT: PLEASE START TLS
-
-SERVER: OK
-
-*** TLS STARTS
-
-CLIENT: HERE ARE SOME CONFIDENTIAL DATA
-@end quotation
-
-And see an example of a conversation where someone is acting
-in between:
-
-@quotation
-(client connects to the server)
-
-CLIENT: HELLO I'M MR. XXX
-
-SERVER: NICE TO MEET YOU XXX
-
-CLIENT: PLEASE START TLS
-
-(here someone inserts this message)
-
-SERVER: SORRY I DON'T HAVE THIS CAPABILITY
-
-CLIENT: HERE ARE SOME CONFIDENTIAL DATA
-@end quotation
-
-As you can see above the client was fooled, and was dummy enough to
-send the confidential data in the clear.
-
-How to avoid the above attack? As you may have already thought this
-one is easy to avoid. The client has to ask the user before it
-connects whether the user requests @acronym{TLS} or not. If the user
-answered that he certainly wants the secure layer the last
-conversation should be:
-
-@quotation
-(client connects to the server)
-
-CLIENT: HELLO I'M MR. XXX
-
-SERVER: NICE TO MEET YOU XXX
-
-CLIENT: PLEASE START TLS
-
-(here someone inserts this message)
-
-SERVER: SORRY I DON'T HAVE THIS CAPABILITY
-
-CLIENT: BYE
-
-(the client notifies the user that the secure connection was not possible)
-@end quotation
-
-This method, if implemented properly, is far better than the
-traditional method, and the security properties remain the same, since
-only denial of service is possible. The benefit is that the server may
-request additional data before the @acronym{TLS} Handshake protocol
-starts, in order to send the correct certificate, use the correct
-password file@footnote{in @acronym{SRP} authentication}, or anything
-else!
-
-@node How to use GnuTLS in applications
-@chapter How To Use @acronym{GnuTLS} in Applications
-@anchor{examples}
-@cindex Example programs
-
-@menu
-* Preparation::
-* Multi-threaded applications::
-* Client examples::
-* Server examples::
-* Miscellaneous examples::
-* Compatibility with the OpenSSL library::
-* Opaque PRF Input TLS Extension::
-* Keying Material Exporters::
-@end menu
-
-@node Preparation
-@section Preparation
-
-To use @acronym{GnuTLS}, you have to perform some changes to your
-sources and your build system. The necessary changes are explained in
-the following subsections.
-
-@menu
-* Headers::
-* Initialization::
-* Version check::
-* Debugging::
-* Building the source::
-@end menu
-
-@node Headers
-@subsection Headers
-
-All the data types and functions of the @acronym{GnuTLS} library are
-defined in the header file @file{gnutls/gnutls.h}. This must be
-included in all programs that make use of the @acronym{GnuTLS}
-library.
-
-The extra functionality of the @acronym{GnuTLS-extra} library is
-available by including the header file @file{gnutls/extra.h} in your
-programs.
-
-@node Initialization
-@subsection Initialization
-
-GnuTLS must be initialized before it can be used. The library is
-initialized by calling @ref{gnutls_global_init}. The resources
-allocated by the initialization process can be released if the
-application no longer has a need to call GnuTLS functions, this is
-done by calling @ref{gnutls_global_deinit}.
-
-The extra functionality of the @acronym{GnuTLS-extra} library is
-available after calling @ref{gnutls_global_init_extra}.
-
-In order to take advantage of the internationalisation features in
-GnuTLS, such as translated error messages, the application must set
-the current locale using @code{setlocale} before initializing GnuTLS.
-
-@node Version check
-@subsection Version Check
-
-It is often desirable to check that the version of `gnutls' used is
-indeed one which fits all requirements. Even with binary
-compatibility new features may have been introduced but due to problem
-with the dynamic linker an old version is actually used. So you may
-want to check that the version is okay right after program startup.
-See the function @ref{gnutls_check_version}.
-
-@node Debugging
-@subsection Debugging
-
-In many cases things may not go as expected and further information,
-to assist debugging, from @acronym{GnuTLS} is desired. Those are the
-case where the @ref{gnutls_global_set_log_level} and
-@ref{gnutls_global_set_log_function} are to be used. Those will print
-verbose information on the @acronym{GnuTLS} functions internal flow.
-
-@node Building the source
-@subsection Building the Source
-
-If you want to compile a source file including the
-@file{gnutls/gnutls.h} header file, you must make sure that the
-compiler can find it in the directory hierarchy. This is accomplished
-by adding the path to the directory in which the header file is
-located to the compilers include file search path (via the @option{-I}
-option).
-
-However, the path to the include file is determined at the time the
-source is configured. To solve this problem, the library uses the
-external package @command{pkg-config} that knows the path to the
-include file and other configuration options. The options that need
-to be added to the compiler invocation at compile time are output by
-the @option{--cflags} option to @command{pkg-config gnutls}. The
-following example shows how it can be used at the command line:
-
-@example
-gcc -c foo.c `pkg-config gnutls --cflags`
-@end example
-
-Adding the output of @samp{pkg-config gnutls --cflags} to the
-compilers command line will ensure that the compiler can find the
-@file{gnutls/gnutls.h} header file.
-
-A similar problem occurs when linking the program with the library.
-Again, the compiler has to find the library files. For this to work,
-the path to the library files has to be added to the library search
-path (via the @option{-L} option). For this, the option
-@option{--libs} to @command{pkg-config gnutls} can be used. For
-convenience, this option also outputs all other options that are
-required to link the program with the libarary (for instance, the
-@samp{-ltasn1} option). The example shows how to link @file{foo.o}
-with the library to a program @command{foo}.
-
-@example
-gcc -o foo foo.o `pkg-config gnutls --libs`
-@end example
-
-Of course you can also combine both examples to a single command by
-specifying both options to @command{pkg-config}:
-
-@example
-gcc -o foo foo.c `pkg-config gnutls --cflags --libs`
-@end example
-
-@node Multi-threaded applications
-@section Multi-Threaded Applications
-
-Although the @acronym{GnuTLS} library is thread safe by design, some
-parts of Libgcrypt, such as the random generator, are not.
-Applications have to register callback functions to ensure proper
-locking in the sensitive parts of @emph{libgcrypt}.
-
-There are helper macros to help you properly initialize the libraries.
-Examples are shown below.
-
-@itemize
-
-@item POSIX threads
-@example
-#include <gnutls.h>
-#include <gcrypt.h>
-#include <errno.h>
-#include <pthread.h>
-GCRY_THREAD_OPTION_PTHREAD_IMPL;
-
-int main()
-@{
- /* The order matters.
- */
- gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
- gnutls_global_init();
-@}
-@end example
-
-@item GNU PTH threads
-@example
-#include <gnutls.h>
-#include <gcrypt.h>
-#include <errno.h>
-#include <pth.h>
-GCRY_THREAD_OPTION_PTH_IMPL;
-
-int main()
-@{
- gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pth);
- gnutls_global_init();
-@}
-@end example
-
-@item Other thread packages
-@example
-/* The gcry_thread_cbs structure must have been
- * initialized.
- */
-static struct gcry_thread_cbs gcry_threads_other = @{ ... @};
-
-int main()
-@{
- gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_other);
-@}
-@end example
-@end itemize
-
-@node Client examples
-@section Client Examples
-
-This section contains examples of @acronym{TLS} and @acronym{SSL}
-clients, using @acronym{GnuTLS}. Note that these examples contain
-little or no error checking. Some of the examples require functions
-implemented by another example.
-
-@menu
-* Simple client example with anonymous authentication::
-* Simple client example with X.509 certificate support::
-* Obtaining session information::
-* Verifying peer's certificate::
-* Using a callback to select the certificate to use::
-* Client with Resume capability example::
-* Simple client example with SRP authentication::
-* Simple client example with TLS/IA support::
-* Simple client example in C++::
-* Helper function for TCP connections::
-@end menu
-
-@node Simple client example with anonymous authentication
-@subsection Simple Client Example with Anonymous Authentication
-
-The simplest client using TLS is the one that doesn't do any
-authentication. This means no external certificates or passwords are
-needed to set up the connection. As could be expected, the connection
-is vulnerable to man-in-the-middle (active or redirection) attacks.
-However, the data is integrity and privacy protected.
-
-@verbatiminclude examples/ex-client1.c
-
-@node Simple client example with X.509 certificate support
-@subsection Simple Client Example with @acronym{X.509} Certificate Support
-
-Let's assume now that we want to create a TCP client which
-communicates with servers that use @acronym{X.509} or
-@acronym{OpenPGP} certificate authentication. The following client is
-a very simple @acronym{TLS} client, it does not support session
-resuming, not even certificate verification. The TCP functions defined
-in this example are used in most of the other examples below, without
-redefining them.
-
-@verbatiminclude examples/ex-client2.c
-
-@node Obtaining session information
-@subsection Obtaining Session Information
-
-Most of the times it is desirable to know the security properties of
-the current established session. This includes the underlying ciphers
-and the protocols involved. That is the purpose of the following
-function. Note that this function will print meaningful values only
-if called after a successful @ref{gnutls_handshake}.
-
-@verbatiminclude examples/ex-session-info.c
-
-@node Verifying peer's certificate
-@subsection Verifying Peer's Certificate
-@anchor{ex:verify}
-
-A @acronym{TLS} session is not secure just after the handshake
-procedure has finished. It must be considered secure, only after the
-peer's certificate and identity have been verified. That is, you have
-to verify the signature in peer's certificate, the hostname in the
-certificate, and expiration dates. Just after this step you should
-treat the connection as being a secure one.
-
-@verbatiminclude examples/ex-rfc2818.c
-
-An other example is listed below which provides a more detailed
-verification output.
-
-@verbatiminclude examples/ex-verify.c
-
-@node Using a callback to select the certificate to use
-@subsection Using a Callback to Select the Certificate to Use
-
-There are cases where a client holds several certificate and key
-pairs, and may not want to load all of them in the credentials
-structure. The following example demonstrates the use of the
-certificate selection callback.
-
-@verbatiminclude examples/ex-cert-select.c
-
-@subsection Using a Callback to Select a @acronym{PKCS} #11 Certificate
-
-This example will demonstrate how to load keys and certificates
-from a @acronym{PKCS} #11 module, which is typically used
-for keys and certificates stored in smart cards.
-
-@verbatiminclude examples/ex-cert-select-pkcs11.c
-
-@node Client with Resume capability example
-@subsection Client with Resume Capability Example
-@anchor{ex:resume-client}
-
-This is a modification of the simple client example. Here we
-demonstrate the use of session resumption. The client tries to connect
-once using @acronym{TLS}, close the connection and then try to
-establish a new connection using the previously negotiated data.
-
-@verbatiminclude examples/ex-client-resume.c
-
-@node Simple client example with SRP authentication
-@subsection Simple Client Example with @acronym{SRP} Authentication
-
-The following client is a very simple @acronym{SRP} @acronym{TLS}
-client which connects to a server and authenticates using a
-@emph{username} and a @emph{password}. The server may authenticate
-itself using a certificate, and in that case it has to be verified.
-
-@verbatiminclude examples/ex-client-srp.c
-
-@node Simple client example with TLS/IA support
-@subsection Simple Client Example with @acronym{TLS/IA} Support
-
-The following client is a simple client which uses the
-@acronym{TLS/IA} extension to authenticate with the server.
-
-@verbatiminclude examples/ex-client-tlsia.c
-
-@node Simple client example in C++
-@subsection Simple Client Example using the C++ API
-
-The following client is a simple example of a client client utilizing
-the GnuTLS C++ API.
-
-@verbatiminclude examples/ex-cxx.cpp
-
-@node Helper function for TCP connections
-@subsection Helper Function for TCP Connections
-
-This helper function abstracts away TCP connection handling from the
-other examples. It is required to build some examples.
-
-@verbatiminclude examples/tcp.c
-
-@node Server examples
-@section Server Examples
-
-This section contains examples of @acronym{TLS} and @acronym{SSL}
-servers, using @acronym{GnuTLS}.
-
-@menu
-* Echo Server with X.509 authentication::
-* Echo Server with X.509 authentication II::
-* Echo Server with OpenPGP authentication::
-* Echo Server with SRP authentication::
-* Echo Server with anonymous authentication::
-@end menu
-
-@node Echo Server with X.509 authentication
-@subsection Echo Server with @acronym{X.509} Authentication
-
-This example is a very simple echo server which supports
-@acronym{X.509} authentication, using the RSA ciphersuites.
-
-@verbatiminclude examples/ex-serv1.c
-
-@node Echo Server with X.509 authentication II
-@subsection Echo Server with @acronym{X.509} Authentication II
-
-The following example is a server which supports @acronym{X.509}
-authentication. This server supports the export-grade cipher suites,
-the DHE ciphersuites and session resuming.
-
-@verbatiminclude examples/ex-serv-export.c
-
-@node Echo Server with OpenPGP authentication
-@subsection Echo Server with @acronym{OpenPGP} Authentication
-@cindex @acronym{OpenPGP} Server
-
-The following example is an echo server which supports
-@acronym{@acronym{OpenPGP}} key authentication. You can easily combine
-this functionality ---that is have a server that supports both
-@acronym{X.509} and @acronym{OpenPGP} certificates--- but we separated
-them to keep these examples as simple as possible.
-
-@verbatiminclude examples/ex-serv-pgp.c
-
-@node Echo Server with SRP authentication
-@subsection Echo Server with @acronym{SRP} Authentication
-
-This is a server which supports @acronym{SRP} authentication. It is
-also possible to combine this functionality with a certificate
-server. Here it is separate for simplicity.
-
-@verbatiminclude examples/ex-serv-srp.c
-
-@node Echo Server with anonymous authentication
-@subsection Echo Server with Anonymous Authentication
-
-This example server support anonymous authentication, and could be
-used to serve the example client for anonymous authentication.
-
-@verbatiminclude examples/ex-serv-anon.c
-
-@node Miscellaneous examples
-@section Miscellaneous Examples
-
-@menu
-* Checking for an alert::
-* X.509 certificate parsing example::
-* Certificate request generation::
-* PKCS #12 structure generation::
-@end menu
-
-@node Checking for an alert
-@subsection Checking for an Alert
-
-This is a function that checks if an alert has been received in the
-current session.
-
-@verbatiminclude examples/ex-alert.c
-
-@node X.509 certificate parsing example
-@subsection @acronym{X.509} Certificate Parsing Example
-@anchor{ex:x509-info}
-
-To demonstrate the @acronym{X.509} parsing capabilities an example program is
-listed below. That program reads the peer's certificate, and prints
-information about it.
-
-@verbatiminclude examples/ex-x509-info.c
-
-@node Certificate request generation
-@subsection Certificate Request Generation
-@anchor{ex:crq}
-
-The following example is about generating a certificate request, and a
-private key. A certificate request can be later be processed by a CA,
-which should return a signed certificate.
-
-@verbatiminclude examples/ex-crq.c
-
-@node PKCS #12 structure generation
-@subsection @acronym{PKCS} #12 Structure Generation
-@anchor{ex:pkcs12}
-
-The following example is about generating a @acronym{PKCS} #12
-structure.
-
-@verbatiminclude examples/ex-pkcs12.c
-
-@node Compatibility with the OpenSSL library
-@section Compatibility with the OpenSSL Library
-@cindex OpenSSL
-
-To ease @acronym{GnuTLS}' integration with existing applications, a
-compatibility layer with the widely used OpenSSL library is included
-in the @code{gnutls-openssl} library. This compatibility layer is not
-complete and it is not intended to completely reimplement the OpenSSL
-API with @acronym{GnuTLS}. It only provides source-level
-compatibility. There is currently no attempt to make it
-binary-compatible with OpenSSL.
-
-The prototypes for the compatibility functions are in the
-@file{gnutls/openssl.h} header file.
-
-Current limitations imposed by the compatibility layer include:
-
-@itemize
-
-@item Error handling is not thread safe.
-
-@end itemize
-
-@node Opaque PRF Input TLS Extension
-@section Opaque PRF Input TLS Extension
-@cindex Opaque PRF Input
-
-GnuTLS supports the Opaque PRF Input TLS extension
-(@code{draft-rescorla-tls-opaque-prf-input-00.txt}). The API consists
-of one API for use in the client, @ref{gnutls_oprfi_enable_client},
-and one API for use in the server, @ref{gnutls_oprfi_enable_server}.
-You must invoke both functions before calling @ref{gnutls_handshake}.
-The server utilizes a callback function into the application. The
-callback can look at the random string provided by the client, and
-also set the server string. The string lengths must be equal
-according to the protocol.
-
-@node Keying Material Exporters
-@section Keying Material Exporters
-@cindex Keying Material Exporters
-@cindex Exporting Keying Material
-
-The TLS PRF can be used by other protocols to derive data. The API to
-use is @ref{gnutls_prf}. The function needs to be provided with the
-label in the parameter @code{label}, and the extra data to mix in the
-@code{extra} parameter. Depending on whether you want to mix in the
-client or server random data first, you can set the
-@code{server_random_first} parameter.
-
-For example, after establishing a TLS session using
-@ref{gnutls_handshake}, you can invoke the TLS PRF with this call:
-
-@smallexample
-#define MYLABEL "EXPORTER-FOO"
-#define MYCONTEXT "some context data"
-char out[32];
-rc = gnutls_prf (session, strlen (MYLABEL), MYLABEL, 0,
- strlen (MYCONTEXT), MYCONTEXT, 32, out);
-@end smallexample
-
-If you don't want to mix in the client/server random, there is a more
-low-level TLS PRF interface called @ref{gnutls_prf_raw}.
-
-@node Included programs
-@chapter Included Programs
-
-Included with @acronym{GnuTLS} are also a few command line tools that
-let you use the library for common tasks without writing an
-application. The applications are discussed in this chapter.
-
-@menu
-* Invoking certtool::
-* Invoking gnutls-cli::
-* Invoking gnutls-cli-debug::
-* Invoking gnutls-serv::
-* Invoking psktool::
-* Invoking srptool::
-@end menu
-
-@node Invoking certtool
-@section Invoking certtool
-@cindex certtool
-
-This is a program to generate @acronym{X.509} certificates, certificate
-requests, CRLs and private keys.
-
-@verbatim
-Certtool help
-Usage: certtool [options]
- -s, --generate-self-signed
- Generate a self-signed certificate.
- -c, --generate-certificate
- Generate a signed certificate.
- --generate-proxy Generate a proxy certificate.
- --generate-crl Generate a CRL.
- -u, --update-certificate
- Update a signed certificate.
- -p, --generate-privkey Generate a private key.
- -q, --generate-request Generate a PKCS #10 certificate
- request.
- -e, --verify-chain Verify a PEM encoded certificate chain.
- The last certificate in the chain must
- be a self signed one.
- --verify-crl Verify a CRL.
- --generate-dh-params Generate PKCS #3 encoded Diffie-Hellman
- parameters.
- --get-dh-params Get the included PKCS #3 encoded Diffie
- Hellman parameters.
- --load-privkey FILE Private key file to use.
- --load-request FILE Certificate request file to use.
- --load-certificate FILE
- Certificate file to use.
- --load-ca-privkey FILE Certificate authority's private key
- file to use.
- --load-ca-certificate FILE
- Certificate authority's certificate
- file to use.
- --password PASSWORD Password to use.
- -i, --certificate-info Print information on a certificate.
- -l, --crl-info Print information on a CRL.
- --p12-info Print information on a PKCS #12
- structure.
- --p7-info Print information on a PKCS #7
- structure.
- --smime-to-p7 Convert S/MIME to PKCS #7 structure.
- -k, --key-info Print information on a private key.
- --fix-key Regenerate the parameters in a private
- key.
- --to-p12 Generate a PKCS #12 structure.
- -8, --pkcs8 Use PKCS #8 format for private keys.
- --dsa Use DSA keys.
- --hash STR Hash algorithm to use for signing
- (MD5,SHA1,RMD160).
- --export-ciphers Use weak encryption algorithms.
- --inder Use DER format for input certificates
- and private keys.
- --outder Use DER format for output certificates
- and private keys.
- --bits BITS specify the number of bits for key
- generation.
- --outfile FILE Output file.
- --infile FILE Input file.
- --template FILE Template file to use for non
- interactive operation.
- -d, --debug LEVEL specify the debug level. Default is 1.
- -h, --help shows this help text
- -v, --version shows the program's version
-@end verbatim
-
-The program can be used interactively or non interactively by
-specifying the @code{--template} command line option. See below for an
-example of a template file.
-
-How to use certtool interactively:
-
-@itemize
-@item
-To generate parameters for Diffie-Hellman key exchange, use the command:
-@example
-$ certtool --generate-dh-params --outfile dh.pem
-@end example
-
-@item
-To generate parameters for the RSA-EXPORT key exchange, use the command:
-@example
-$ certtool --generate-privkey --bits 512 --outfile rsa.pem
-@end example
-
-@end itemize
-
-@itemize
-
-@item
-To create a self signed certificate, use the command:
-@example
-$ certtool --generate-privkey --outfile ca-key.pem
-$ certtool --generate-self-signed --load-privkey ca-key.pem \
- --outfile ca-cert.pem
-@end example
-
-Note that a self-signed certificate usually belongs to a certificate
-authority, that signs other certificates.
-
-@item
-To create a private key (RSA by default), run:
-
-@example
-$ certtool --generate-privkey --outfile key.pem
-@end example
-
-To create a DSA private key, run:
-
-@example
-$ certtool --dsa --generate-privkey --outfile key-dsa.pem
-@end example
-
-@item
-To generate a certificate using the private key, use the command:
-
-@example
-$ certtool --generate-certificate --load-privkey key.pem \
- --outfile cert.pem --load-ca-certificate ca-cert.pem \
- --load-ca-privkey ca-key.pem
-@end example
-
-@item
-To create a certificate request (needed when the certificate is issued by
-another party), run:
-
-@example
-$ certtool --generate-request --load-privkey key.pem \
- --outfile request.pem
-@end example
-
-@item
-To generate a certificate using the previous request, use the command:
-
-@example
-$ certtool --generate-certificate --load-request request.pem \
- --outfile cert.pem \
- --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
-@end example
-
-@item
-To view the certificate information, use:
-
-@example
-$ certtool --certificate-info --infile cert.pem
-@end example
-
-@item
-To generate a @acronym{PKCS} #12 structure using the previous key and
-certificate, use the command:
-
-@example
-$ certtool --load-certificate cert.pem --load-privkey key.pem \
- --to-p12 --outder --outfile key.p12
-@end example
-
-Some tools (reportedly web browsers) have problems with that file
-because it does not contain the CA certificate for the certificate.
-To work around that problem in the tool, you can use the
-@samp{--load-ca-certificate} parameter as follows:
-
-@example
-$ certtool --load-ca-certificate ca.pem \
- --load-certificate cert.pem --load-privkey key.pem \
- --to-p12 --outder --outfile key.p12
-@end example
-
-@item
-Proxy certificate can be used to delegate your credential to a
-temporary, typically short-lived, certificate. To create one from the
-previously created certificate, first create a temporary key and then
-generate a proxy certificate for it, using the commands:
-
-@example
-$ certtool --generate-privkey > proxy-key.pem
-$ certtool --generate-proxy --load-ca-privkey key.pem \
- --load-privkey proxy-key.pem --load-certificate cert.pem \
- --outfile proxy-cert.pem
-@end example
-
-@item
-To create an empty Certificate Revocation List (CRL) do:
-
-@example
-$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem --load-ca-certificate x509-ca.pem
-@end example
-
-To create a CRL that contains some revoked certificates, place the
-certificates in a file and use @code{--load-certificate} as follows:
-
-@example
-$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem --load-ca-certificate x509-ca.pem --load-certificate revoked-certs.pem
-@end example
-
-@item
-To verify a Certificate Revocation List (CRL) do:
-
-@example
-$ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem
-@end example
-
-@end itemize
-
-Certtool's template file format:
-
-@itemize
-
-@item
-Firstly create a file named 'cert.cfg' that contains the information
-about the certificate. An example file is listed below.
-
-@item
-Then execute:
-
-@example
-$ certtool --generate-certificate cert.pem --load-privkey key.pem \
- --template cert.cfg \
- --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
-@end example
-
-@end itemize
-
-An example certtool template file:
-
-@example
-# X.509 Certificate options
-#
-# DN options
-
-# The organization of the subject.
-organization = "Koko inc."
-
-# The organizational unit of the subject.
-unit = "sleeping dept."
-
-# The locality of the subject.
-# locality =
-
-# The state of the certificate owner.
-state = "Attiki"
-
-# The country of the subject. Two letter code.
-country = GR
-
-# The common name of the certificate owner.
-cn = "Cindy Lauper"
-
-# A user id of the certificate owner.
-#uid = "clauper"
-
-# If the supported DN OIDs are not adequate you can set
-# any OID here.
-# For example set the X.520 Title and the X.520 Pseudonym
-# by using OID and string pairs.
-#dn_oid = "2.5.4.12" "Dr." "2.5.4.65" "jackal"
-
-# This is deprecated and should not be used in new
-# certificates.
-# pkcs9_email = "none@@none.org"
-
-# The serial number of the certificate
-serial = 007
-
-# In how many days, counting from today, this certificate will expire.
-expiration_days = 700
-
-# X.509 v3 extensions
-
-# A dnsname in case of a WWW server.
-#dns_name = "www.none.org"
-#dns_name = "www.morethanone.org"
-
-# An IP address in case of a server.
-#ip_address = "192.168.1.1"
-
-# An email in case of a person
-email = "none@@none.org"
-
-# An URL that has CRLs (certificate revocation lists)
-# available. Needed in CA certificates.
-#crl_dist_points = "http://www.getcrl.crl/getcrl/"
-
-# Whether this is a CA certificate or not
-#ca
-
-# Whether this certificate will be used for a TLS client
-#tls_www_client
-
-# Whether this certificate will be used for a TLS server
-#tls_www_server
-
-# Whether this certificate will be used to sign data (needed
-# in TLS DHE ciphersuites).
-signing_key
-
-# Whether this certificate will be used to encrypt data (needed
-# in TLS RSA ciphersuites). Note that it is preferred to use different
-# keys for encryption and signing.
-#encryption_key
-
-# Whether this key will be used to sign other certificates.
-#cert_signing_key
-
-# Whether this key will be used to sign CRLs.
-#crl_signing_key
-
-# Whether this key will be used to sign code.
-#code_signing_key
-
-# Whether this key will be used to sign OCSP data.
-#ocsp_signing_key
-
-# Whether this key will be used for time stamping.
-#time_stamping_key
-@end example
-
-@node Invoking gnutls-cli
-@section Invoking gnutls-cli
-@cindex gnutls-cli
-
-Simple client program to set up a TLS connection to some other
-computer. It sets up a TLS connection and forwards data from the
-standard input to the secured socket and vice versa.
-
-@verbatim
-GnuTLS test client
-Usage: gnutls-cli [options] hostname
-
- -d, --debug integer Enable debugging
- -r, --resume Connect, establish a session. Connect
- again and resume this session.
- -s, --starttls Connect, establish a plain session and
- start TLS when EOF or a SIGALRM is
- received.
- --crlf Send CR LF instead of LF.
- --x509fmtder Use DER format for certificates to read
- from.
- -f, --fingerprint Send the openpgp fingerprint, instead
- of the key.
- --disable-extensions Disable all the TLS extensions.
- --print-cert Print the certificate in PEM format.
- --recordsize integer The maximum record size to advertize.
- -V, --verbose More verbose output.
- --ciphers cipher1 cipher2...
- Ciphers to enable.
- --protocols protocol1 protocol2...
- Protocols to enable.
- --comp comp1 comp2... Compression methods to enable.
- --macs mac1 mac2... MACs to enable.
- --kx kx1 kx2... Key exchange methods to enable.
- --ctypes certType1 certType2...
- Certificate types to enable.
- --priority PRIORITY STRING
- Priorities string.
- --x509cafile FILE Certificate file to use.
- --x509crlfile FILE CRL file to use.
- --pgpkeyfile FILE PGP Key file to use.
- --pgpkeyring FILE PGP Key ring file to use.
- --pgpcertfile FILE PGP Public Key (certificate) file to
- use.
- --pgpsubkey HEX|auto PGP subkey to use.
- --x509keyfile FILE X.509 key file to use.
- --x509certfile FILE X.509 Certificate file to use.
- --srpusername NAME SRP username to use.
- --srppasswd PASSWD SRP password to use.
- --pskusername NAME PSK username to use.
- --pskkey KEY PSK key (in hex) to use.
- --opaque-prf-input DATA
- Use Opaque PRF Input DATA.
- -p, --port PORT The port to connect to.
- --insecure Don't abort program if server
- certificate can't be validated.
- -l, --list Print a list of the supported
- algorithms and modes.
- -h, --help prints this help
- -v, --version prints the program's version number
-@end verbatim
-
-To connect to a server using PSK authentication, you may use something
-like:
-
-@smallexample
-$ gnutls-cli -p 5556 test.gnutls.org --pskusername jas --pskkey 9e32cf7786321a828ef7668f09fb35db --priority NORMAL:+PSK:-RSA:-DHE-RSA -d 4711
-@end smallexample
-
-@menu
-* Example client PSK connection::
-@end menu
-
-@node Example client PSK connection
-@subsection Example client PSK connection
-@cindex PSK client
-
-If your server only supports the PSK ciphersuite, connecting to it
-should be as simple as connecting to the server:
-
-@smallexample
-$ ./gnutls-cli -p 5556 localhost
-Resolving 'localhost'...
-Connecting to '127.0.0.1:5556'...
-- PSK client callback. PSK hint 'psk_identity_hint'
-Enter PSK identity: psk_identity
-Enter password:
-- PSK authentication. PSK hint 'psk_identity_hint'
-- Version: TLS1.1
-- Key Exchange: PSK
-- Cipher: AES-128-CBC
-- MAC: SHA1
-- Compression: NULL
-- Handshake was completed
-
-- Simple Client Mode:
-@end smallexample
-
-If the server supports several cipher suites, you may need to force it
-to chose PSK by using a cipher priority parameter such as
-@code{--priority NORMAL:+PSK:-RSA:-DHE-RSA:-DHE-PSK}.
-
-@cindex Netconf
-Instead of using the Netconf-way to derive the PSK key from a
-password, you can also give the PSK username and key directly on the
-command line:
-
-@smallexample
-$ ./gnutls-cli -p 5556 localhost --pskusername psk_identity --pskkey 88f3824b3e5659f52d00e959bacab954b6540344
-Resolving 'localhost'...
-Connecting to '127.0.0.1:5556'...
-- PSK authentication. PSK hint 'psk_identity_hint'
-- Version: TLS1.1
-- Key Exchange: PSK
-- Cipher: AES-128-CBC
-- MAC: SHA1
-- Compression: NULL
-- Handshake was completed
-
-- Simple Client Mode:
-@end smallexample
-
-By keeping the @code{--pskusername} parameter and removing the
-@code{--pskkey} parameter, it will query only for the password during
-the handshake.
-
-@node Invoking gnutls-cli-debug
-@section Invoking gnutls-cli-debug
-@cindex gnutls-cli-debug
-
-This program was created to assist in debugging @acronym{GnuTLS}, but
-it might be useful to extract a @acronym{TLS} server's capabilities.
-It's purpose is to connect onto a @acronym{TLS} server, perform some
-tests and print the server's capabilities. If called with the `-v'
-parameter a more checks will be performed. An example output is:
-
-@smallexample
-crystal:/cvs/gnutls/src$ ./gnutls-cli-debug localhost -p 5556
-Resolving 'localhost'...
-Connecting to '127.0.0.1:5556'...
-Checking for TLS 1.1 support... yes
-Checking fallback from TLS 1.1 to... N/A
-Checking for TLS 1.0 support... yes
-Checking for SSL 3.0 support... yes
-Checking for version rollback bug in RSA PMS... no
-Checking for version rollback bug in Client Hello... no
-Checking whether we need to disable TLS 1.0... N/A
-Checking whether the server ignores the RSA PMS version... no
-Checking whether the server can accept Hello Extensions... yes
-Checking whether the server can accept cipher suites not in SSL 3.0 spec... yes
-Checking whether the server can accept a bogus TLS record version in the client hello... yes
-Checking for certificate information... N/A
-Checking for trusted CAs... N/A
-Checking whether the server understands TLS closure alerts... yes
-Checking whether the server supports session resumption... yes
-Checking for export-grade ciphersuite support... no
-Checking RSA-export ciphersuite info... N/A
-Checking for anonymous authentication support... no
-Checking anonymous Diffie-Hellman group info... N/A
-Checking for ephemeral Diffie-Hellman support... no
-Checking ephemeral Diffie-Hellman group info... N/A
-Checking for AES cipher support (TLS extension)... yes
-Checking for 3DES cipher support... yes
-Checking for ARCFOUR 128 cipher support... yes
-Checking for ARCFOUR 40 cipher support... no
-Checking for MD5 MAC support... yes
-Checking for SHA1 MAC support... yes
-Checking for ZLIB compression support (TLS extension)... yes
-Checking for LZO compression support (GnuTLS extension)... yes
-Checking for max record size (TLS extension)... yes
-Checking for SRP authentication support (TLS extension)... yes
-Checking for OpenPGP authentication support (TLS extension)... no
-@end smallexample
-
-@node Invoking gnutls-serv
-@section Invoking gnutls-serv
-@cindex gnutls-serv
-
-Simple server program that listens to incoming TLS connections.
-
-@verbatim
-GnuTLS test server
-Usage: gnutls-serv [options]
-
- -d, --debug integer Enable debugging
- -g, --generate Generate Diffie-Hellman Parameters.
- -p, --port integer The port to connect to.
- -q, --quiet Suppress some messages.
- --nodb Does not use the resume database.
- --http Act as an HTTP Server.
- --echo Act as an Echo Server.
- --dhparams FILE DH params file to use.
- --x509fmtder Use DER format for certificates
- --x509cafile FILE Certificate file to use.
- --x509crlfile FILE CRL file to use.
- --pgpkeyring FILE PGP Key ring file to use.
- --pgpkeyfile FILE PGP Key file to use.
- --pgpcertfile FILE PGP Public Key (certificate) file to
- use.
- --pgpsubkey HEX|auto PGP subkey to use.
- --x509keyfile FILE X.509 key file to use.
- --x509certfile FILE X.509 Certificate file to use.
- --x509dsakeyfile FILE Alternative X.509 key file to use.
- --x509dsacertfile FILE Alternative X.509 certificate file to
- use.
- -r, --require-cert Require a valid certificate.
- -a, --disable-client-cert
- Disable request for a client
- certificate.
- --pskpasswd FILE PSK password file to use.
- --pskhint HINT PSK identity hint to use.
- --srppasswd FILE SRP password file to use.
- --srppasswdconf FILE SRP password conf file to use.
- --opaque-prf-input DATA
- Use Opaque PRF Input DATA.
- --ciphers cipher1 cipher2...
- Ciphers to enable.
- --protocols protocol1 protocol2...
- Protocols to enable.
- --comp comp1 comp2... Compression methods to enable.
- --macs mac1 mac2... MACs to enable.
- --kx kx1 kx2... Key exchange methods to enable.
- --ctypes certType1 certType2...
- Certificate types to enable.
- --priority PRIORITY STRING
- Priorities string.
- -l, --list Print a list of the supported
- algorithms and modes.
- -h, --help prints this help
- -v, --version prints the program's version number
-@end verbatim
-
-@subsection Setting Up a Test HTTPS Server
-@cindex HTTPS server
-@cindex debug server
-
-Running your own TLS server based on GnuTLS can be useful when
-debugging clients and/or GnuTLS itself. This section describes how to
-use @code{gnutls-serv} as a simple HTTPS server.
-
-The most basic server can be started as:
-
-@example
-gnutls-serv --http
-@end example
-
-It will only support anonymous ciphersuites, which many TLS clients
-refuse to use.
-
-The next step is to add support for X.509. First we generate a CA:
-
-@example
-certtool --generate-privkey > x509-ca-key.pem
-echo 'cn = GnuTLS test CA' > ca.tmpl
-echo 'ca' >> ca.tmpl
-echo 'cert_signing_key' >> ca.tmpl
-certtool --generate-self-signed --load-privkey x509-ca-key.pem \
- --template ca.tmpl --outfile x509-ca.pem
-...
-@end example
-
-Then generate a server certificate. Remember to change the dns_name
-value to the name of your server host, or skip that command to avoid
-the field.
-
-@example
-certtool --generate-privkey > x509-server-key.pem
-echo 'organization = GnuTLS test server' > server.tmpl
-echo 'cn = test.gnutls.org' >> server.tmpl
-echo 'tls_www_server' >> server.tmpl
-echo 'encryption_key' >> server.tmpl
-echo 'signing_key' >> server.tmpl
-echo 'dns_name = test.gnutls.org' >> server.tmpl
-certtool --generate-certificate --load-privkey x509-server-key.pem \
- --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
- --template server.tmpl --outfile x509-server.pem
-...
-@end example
-
-For use in the client, you may want to generate a client certificate
-as well.
-
-@example
-certtool --generate-privkey > x509-client-key.pem
-echo 'cn = GnuTLS test client' > client.tmpl
-echo 'tls_www_client' >> client.tmpl
-echo 'encryption_key' >> client.tmpl
-echo 'signing_key' >> client.tmpl
-certtool --generate-certificate --load-privkey x509-client-key.pem \
- --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
- --template client.tmpl --outfile x509-client.pem
-...
-@end example
-
-To be able to import the client key/certificate into some
-applications, you will need to convert them into a PKCS#12 structure.
-This also encrypts the security sensitive key with a password.
-
-@example
-certtool --to-p12 --load-ca-certificate x509-ca.pem --load-privkey x509-client-key.pem --load-certificate x509-client.pem --outder --outfile x509-client.p12
-@end example
-
-For icing, we'll create a proxy certificate for the client too.
-
-@example
-certtool --generate-privkey > x509-proxy-key.pem
-echo 'cn = GnuTLS test client proxy' > proxy.tmpl
-certtool --generate-proxy --load-privkey x509-proxy-key.pem \
- --load-ca-certificate x509-client.pem --load-ca-privkey x509-client-key.pem \
- --load-certificate x509-client.pem --template proxy.tmpl \
- --outfile x509-proxy.pem
-...
-@end example
-
-Then start the server again:
-
-@example
-gnutls-serv --http \
- --x509cafile x509-ca.pem \
- --x509keyfile x509-server-key.pem \
- --x509certfile x509-server.pem
-@end example
-
-Try connecting to the server using your web browser. Note that the
-server listens to port 5556 by default.
-
-While you are at it, to allow connections using DSA, you can also
-create a DSA key and certificate for the server. These credentials
-will be used in the final example below.
-
-@example
-certtool --generate-privkey --dsa > x509-server-key-dsa.pem
-certtool --generate-certificate --load-privkey x509-server-key-dsa.pem \
- --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
- --template server.tmpl --outfile x509-server-dsa.pem
-...
-@end example
-
-The next step is to create OpenPGP credentials for the server.
-
-@example
-gpg --gen-key
-...enter whatever details you want, use 'test.gnutls.org' as name...
-@end example
-
-Make a note of the OpenPGP key identifier of the newly generated key,
-here it was @code{5D1D14D8}. You will need to export the key for
-GnuTLS to be able to use it.
-
-@example
-gpg -a --export 5D1D14D8 > openpgp-server.txt
-gpg --export 5D1D14D8 > openpgp-server.bin
-gpg --export-secret-keys 5D1D14D8 > openpgp-server-key.bin
-gpg -a --export-secret-keys 5D1D14D8 > openpgp-server-key.txt
-@end example
-
-Let's start the server with support for OpenPGP credentials:
-
-@example
-gnutls-serv --http \
- --pgpkeyfile openpgp-server-key.txt \
- --pgpcertfile openpgp-server.txt
-@end example
-
-The next step is to add support for SRP authentication.
-
-@example
-srptool --create-conf srp-tpasswd.conf
-srptool --passwd-conf srp-tpasswd.conf --username jas --passwd srp-passwd.txt
-Enter password: [TYPE "foo"]
-@end example
-
-Start the server with SRP support:
-
-@example
-gnutls-serv --http \
- --srppasswdconf srp-tpasswd.conf \
- --srppasswd srp-passwd.txt
-@end example
-
-Let's also add support for PSK.
-
-@example
-$ psktool --passwd psk-passwd.txt
-@end example
-
-Start the server with PSK support:
-
-@example
-gnutls-serv --http \
- --pskpasswd psk-passwd.txt
-@end example
-
-Finally, we start the server with all the earlier parameters and you
-get this command:
-
-@example
-gnutls-serv --http \
- --x509cafile x509-ca.pem \
- --x509keyfile x509-server-key.pem \
- --x509certfile x509-server.pem \
- --x509dsakeyfile x509-server-key-dsa.pem \
- --x509dsacertfile x509-server-dsa.pem \
- --pgpkeyfile openpgp-server-key.txt \
- --pgpcertfile openpgp-server.txt \
- --srppasswdconf srp-tpasswd.conf \
- --srppasswd srp-passwd.txt \
- --pskpasswd psk-passwd.txt
-@end example
-
-@menu
-* Example server PSK connection::
-@end menu
-
-@node Example server PSK connection
-@subsection Example server PSK connection
-@cindex PSK server
-
-To set up a PSK server with @code{gnutls-serv} you need to create PSK
-password file (@pxref{Invoking psktool}). In the example below, I
-type @code{password} at the prompt.
-
-@smallexample
-$ ./psktool -u psk_identity -p psks.txt -n psk_identity_hint
-Enter password:
-Key stored to psks.txt
-$ cat psks.txt
-psk_identity:88f3824b3e5659f52d00e959bacab954b6540344
-$
-@end smallexample
-
-After this, start the server pointing to the password file. We
-disable DHE-PSK.
-
-@smallexample
-$ ./gnutls-serv --pskpasswd psks.txt --pskhint psk_identity_hint --priority NORMAL:-DHE-PSK
-Set static Diffie-Hellman parameters, consider --dhparams.
-Echo Server ready. Listening to port '5556'.
-@end smallexample
-
-You can now connect to the server using a PSK client (@pxref{Example
-client PSK connection}).
-
-@node Invoking psktool
-@section Invoking psktool
-@cindex psktool
-
-This is a program to manage @acronym{PSK} username and keys.
-
-@verbatim
-PSKtool help
-Usage : psktool [options]
- -u, --username username
- specify username.
- -p, --passwd FILE specify a password file.
- -n, --netconf-hint HINT
- derive key from Netconf password, using
- HINT as the psk_identity_hint.
- -s, --keysize SIZE specify the key size in bytes.
- -v, --version prints the program's version number
- -h, --help shows this help text
-@end verbatim
-
-Normally the file will generate random keys for the indicate username.
-You may also derive PSK keys from passwords, using the algorithm
-specified in @file{draft-ietf-netconf-tls-02.txt}. The algorithm
-needs a PSK identity hint, which you specify using
-@code{--netconf-hint}. To derive a PSK key from a password with an
-empty PSK identity hint, using @code{--netconf-hint ""}.
-
-@node Invoking srptool
-@section Invoking srptool
-@anchor{srptool}
-@cindex srptool
-
-The @file{srptool} is a very simple program that emulates the programs
-in the @emph{Stanford SRP libraries}, see
-@url{http://srp.stanford.edu/}. It is intended for use in places
-where you don't expect @acronym{SRP} authentication to be the used for
-system users.
-
-Traditionally @emph{libsrp} used two files. One called @code{tpasswd}
-which holds usernames and verifiers, and @code{tpasswd.conf} which
-holds generators and primes.
-
-How to use srptool:
-
-@itemize
-
-@item
-To create tpasswd.conf which holds the g and n values for
-@acronym{SRP} protocol (generator and a large prime), run:
-
-@example
-$ srptool --create-conf /etc/tpasswd.conf
-@end example
-
-@item
-This command will create /etc/tpasswd and will add user 'test' (you
-will also be prompted for a password). Verifiers are stored by
-default in the way libsrp expects.
-
-@example
-$ srptool --passwd /etc/tpasswd \
- --passwd-conf /etc/tpasswd.conf -u test
-@end example
-
-@item
-This command will check against a password. If the password matches
-the one in /etc/tpasswd you will get an ok.
-
-@example
-$ srptool --passwd /etc/tpasswd \
- --passwd-conf /etc/tpasswd.conf --verify -u test
-@end example
-
-@end itemize
-
-@node Function reference
-@chapter Function Reference
-@cindex Function reference
-
-@menu
-* Core functions::
-* X.509 certificate functions::
-* GnuTLS-extra functions::
-* OpenPGP functions::
-* TLS Inner Application (TLS/IA) functions::
-* Error codes and descriptions::
-@end menu
-
-@node Core functions
-@section Core Functions
-
-The prototypes for the following functions lie in
-@file{gnutls/gnutls.h}.
-
-@include gnutls-api.texi
-
-@node X.509 certificate functions
-@section @acronym{X.509} Certificate Functions
-@anchor{sec:x509api}
-@cindex @acronym{X.509} Functions
-
-The following functions are to be used for @acronym{X.509} certificate handling.
-Their prototypes lie in @file{gnutls/x509.h}.
-
-@include x509-api.texi
-
-@node GnuTLS-extra functions
-@section @acronym{GnuTLS-extra} Functions
-@cindex @acronym{GnuTLS-extra} functions
-
-These functions are only available in the GPLv3+ version of the
-library called @code{gnutls-extra}. The prototypes for this library
-lie in @file{gnutls/extra.h}.
-
-@include extra-api.texi
-
-@node OpenPGP functions
-@section @acronym{OpenPGP} Functions
-@cindex @acronym{OpenPGP} functions
-@anchor{sec:openpgpapi}
-
-The following functions are to be used for @acronym{OpenPGP}
-certificate handling. Their prototypes lie in
-@file{gnutls/openpgp.h}.
-
-@include pgp-api.texi
-
-@node TLS Inner Application (TLS/IA) functions
-@section @acronym{TLS} Inner Application (@acronym{TLS/IA}) Functions
-@cindex @acronym{TLS} Inner Application (@acronym{TLS/IA}) functions
-@cindex Inner Application (@acronym{TLS/IA}) functions
-
-The following functions are used for @acronym{TLS} Inner Application
-(@acronym{TLS/IA}). Their prototypes lie in @file{gnutls/extra.h}.
-You need to link with @file{libgnutls-extra} to be able to use these
-functions (@pxref{GnuTLS-extra functions}).
-
-The typical control flow in an TLS/IA client (that would not require
-an Application Phase for resumed sessions) would be similar to the
-following:
-
-@example
-int client_avp (gnuls_session_t *session, void *ptr,
- const char *last, size_t lastlen,
- char **new, size_t *newlen)
-@{
-...
-@}
-...
-int main ()
-@{
- gnutls_ia_client_credentials_t iacred;
-...
- gnutls_init (&session, GNUTLS_CLIENT);
-...
- /* Enable TLS/IA. */
- gnutls_ia_allocate_client_credentials(&iacred);
- gnutls_ia_set_client_avp_function(iacred, client_avp);
- gnutls_credentials_set (session, GNUTLS_CRD_IA, iacred);
-...
- ret = gnutls_handshake (session);
- // Error handling...
-...
- if (gnutls_ia_handshake_p (session))
- @{
- ret = gnutls_ia_handshake (session);
- // Error handling...
-...
-@end example
-
-See below for detailed descriptions of all the functions used above.
-
-The function @code{client_avp} would have to be implemented by your
-application. The function is responsible for handling the AVP data.
-See @code{gnutls_ia_set_client_avp_function} below for more
-information on how that function should be implemented.
-
-The control flow in a typical server is similar to the above, use
-@code{gnutls_ia_server_credentials_t} instead of
-@code{gnutls_ia_client_credentials_t}, and replace the call to the
-client functions with the corresponding server functions.
-
-@include ia-api.texi
-
-@node Error codes and descriptions
-@section Error Codes and Descriptions
-@anchor{Error Codes}
-@cindex Error codes
-
-The error codes used throughout the library are described below. The
-return code @code{GNUTLS_E_SUCCESS} indicate successful operation, and
-is guaranteed to have the value 0, so you can use it in logical
-expressions.
-
-@include error_codes.texi
-
-@node All the supported ciphersuites in GnuTLS
-@chapter All the Supported Ciphersuites in @acronym{GnuTLS}
-@anchor{ciphersuites}
-@cindex Ciphersuites
-
-@include algorithms.texi
-
-Some additional information regarding some of the algorithms:
-
-@table @code
-@item RSA
-RSA is public key cryptosystem designed by Ronald Rivest, Adi Shamir
-and Leonard Adleman. It can be used with any hash functions.
-
-@item DSA
-DSA is the USA's Digital Signature Standard. It uses only the SHA-1
-hash algorithm.
-
-@item MD2
-MD2 is a cryptographic hash algorithm designed by Ron Rivest. It is
-optimized for 8-bit processors. Outputs 128 bits of data. There are
-no known weaknesses of this algorithm but since this algorithm is
-rarely used and not really studied it should not be used today.
-
-@item MD5
-MD5 is a cryptographic hash algorithm designed by Ron Rivest. Outputs
-128 bits of data. It is considered to be broken.
-
-@item SHA-1
-SHA is a cryptographic hash algorithm designed by NSA. Outputs 160
-bits of data. It is also considered to be broken, though no practical
-attacks have been found.
-
-@item RMD160
-RIPEMD is a cryptographic hash algorithm developed in the framework of
-the EU project RIPE. Outputs 160 bits of data.
-
-@end table
-
-@c
-@c Guile Bindings
-@c
-
-@include guile.texi
-
-
-@node Internal architecture of GnuTLS
-@chapter Internal Architecture of GnuTLS
-@cindex Internal architecture
-
-This chapter is to give a brief description of the
-way @acronym{GnuTLS} works. The focus is to give an idea
-to potential developers and those who want to know what
-happens inside the black box.
-
-@menu
-* The TLS Protocol::
-* TLS Handshake Protocol::
-* TLS Authentication Methods::
-* TLS Extension Handling::
-* Certificate Handling::
-* Cryptographic Backend::
-@end menu
-
-@node The TLS Protocol
-@section The TLS Protocol
-The main needs for the TLS protocol to be used are
-shown in the image below.
-
-@image{gnutls-client-server-use-case,9cm}
-
-This is being accomplished by the following object diagram.
-Note that since @acronym{GnuTLS} is being developed in C
-object are just structures with attributes. The operations listed
-are functions that require the first parameter to be that object.
-@image{gnutls-objects,15cm}
-
-@node TLS Handshake Protocol
-@section TLS Handshake Protocol
-The @acronym{GnuTLS} handshake protocol is implemented as a state
-machine that waits for input or returns immediately when the non-blocking
-transport layer functions are used. The main idea is shown in the following
-figure.
-
-@image{gnutls-handshake-state,9cm}
-
-Also the way the input is processed varies per ciphersuite. Several
-implementations of the internal handlers are available and
-@ref{gnutls_handshake} only multiplexes the input to the appropriate
-handler. For example a @acronym{PSK} ciphersuite has a different
-implementation of the @code{process_client_key_exchange} than a
-certificate ciphersuite.
-
-@image{gnutls-handshake-sequence,12cm}
-
-@node TLS Authentication Methods
-@section TLS Authentication Methods
-In @acronym{GnuTLS} authentication methods can be implemented quite
-easily. Since the required changes to add a new authentication method
-affect only the handshake protocol, a simple interface is used. An
-authentication method needs only to implement the functions as seen in
-the figure below.
-
-@image{gnutls-mod_auth_st,12cm}
-
-The functions that need to be implemented are the ones responsible for
-interpreting the handshake protocol messages. It is common for such
-functions to read data from one or more @code{credentials_t}
-structures@footnote{such as the
-@code{gnutls_certificate_credentials_t} structures} and write data,
-such as certificates, usernames etc. to @code{auth_info_t} structures.
-
-Simple examples of existing authentication methods can be seen in
-@code{auth_psk.c} for PSK ciphersuites and @code{auth_srp.c} for SRP
-ciphersuites. After implementing these functions the structure holding
-its pointers has to be registered in @code{gnutls_algorithms.c} in the
-@code{_gnutls_kx_algorithms} structure.
-
-@node TLS Extension Handling
-@section TLS Extension Handling
-As with authentication methods, the TLS extensions handlers can be
-implemented using the following interface.
-
-@image{gnutls-extensions_st,12cm}
-
-Here there are two functions, one for receiving the extension data
-and one for sending. These functions have to check internally whether
-they operate in client or server side.
-
-A simple example of an extension handler can be seen in
-@code{ext_srp.c} After implementing these functions, together with the
-extension number they handle, they have to be registered in
-@code{gnutls_extensions.c} in the @code{_gnutls_extensions} structure.
-
-@subsection Adding a New TLS Extension
-
-Adding support for a new TLS extension is done from time to time, and
-the process to do so is not difficult. Here are the steps you need to
-follow if you wish to do this yourself. For sake of discussion, let's
-consider adding support for the hypothetical TLS extension
-@code{foobar}.
-
-@enumerate
-
-@item Add @code{configure} option like @code{--enable-foobar} or @code{--disable-foobar}.
-
-Which to chose depends on whether you intend to make the extension be
-enabled by default. Look at existing checks (i.e., SRP, authz) for
-how to model the code. For example:
-
-@example
-AC_MSG_CHECKING([whether to disable foobar support])
-AC_ARG_ENABLE(foobar,
- AS_HELP_STRING([--disable-foobar],
- [disable foobar support]),
- ac_enable_foobar=no)
-if test x$ac_enable_foobar != xno; then
- AC_MSG_RESULT(no)
- AC_DEFINE(ENABLE_FOOBAR, 1, [enable foobar])
-else
- ac_full=0
- AC_MSG_RESULT(yes)
-fi
-AM_CONDITIONAL(ENABLE_FOOBAR, test "$ac_enable_foobar" != "no")
-@end example
-
-These lines should go in @code{lib/m4/hooks.m4}.
-
-@item Add IANA extension value to @code{extensions_t} in @code{gnutls_int.h}.
-
-A good name for the value would be GNUTLS_EXTENSION_FOOBAR. Check
-with @url{http://www.iana.org/assignments/tls-extensiontype-values}
-for allocated values. For experiments, you could pick a number but
-remember that some consider it a bad idea to deploy such modified
-version since it will lead to interoperability problems in the future
-when the IANA allocates that number to someone else, or when the
-foobar protocol is allocated another number.
-
-@item Add an entry to @code{_gnutls_extensions} in @code{gnutls_extensions.c}.
-
-A typical entry would be:
-
-@example
- int ret;
-
- /* ...
- */
-
-#if ENABLE_FOOBAR
- ret = gnutls_ext_register (GNUTLS_EXTENSION_FOOBAR,
- "FOOBAR",
- GNUTLS_EXT_TLS,
- _gnutls_foobar_recv_params,
- _gnutls_foobar_send_params);
- if (ret != GNUTLS_E_SUCCESS)
- return ret;
-#endif
-@end example
-
-The GNUTLS_EXTENSION_FOOBAR is the integer value you added to
-@code{gnutls_int.h} earlier. The two functions are new functions that
-you will need to implement, most likely you'll need to add an
-@code{#include "ext_foobar.h"} as well.
-
-@item Add new files @code{ext_foobar.c} and @code{ext_foobar.h} that implements the extension.
-
-The functions you are responsible to add are those mentioned in the
-previous step. As a starter, you could add this:
-
-@example
-int
-_gnutls_foobar_recv_params (gnutls_session_t session,
- const opaque * data,
- size_t data_size)
-@{
- return 0;
-@}
-
-int
-_gnutls_foobar_send_params (gnutls_session_t session,
- opaque * data,
- size_t _data_size)
-@{
- return 0;
-@}
-@end example
-
-The @code{_gnutls_foobar_recv_params} function is responsible for
-parsing incoming extension data (both in the client and server).
-
-The @code{_gnutls_foobar_send_params} function is responsible for
-sending extension data (both in the client and server).
-
-If you receive length fields that doesn't match, return
-@code{GNUTLS_E_UNEXPECTED_PACKET_LENGTH}. If you receive invalid
-data, return @code{GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER}. You can use
-other error codes too. Return 0 on success.
-
-The function typically store some information in the @code{session}
-variable for later usage. If you need to add new fields there, check
-@code{tls_ext_st} in @code{gnutls_int.h} and compare with existing TLS
-extension specific variables.
-
-Recall that both the client and server both send and receives
-parameters, and your code most likely will need to do different things
-depending on which mode it is in. It may be useful to make this
-distinction explicit in the code. Thus, for example, a better
-template than above would be:
-
-@example
-int
-_gnutls_foobar_recv_params (gnutls_session_t session,
- const opaque * data,
- size_t data_size)
-@{
- if (session->security_parameters.entity == GNUTLS_CLIENT)
- return foobar_recv_client (session, data, data_size);
- else
- return foobar_recv_server (session, data, data_size);
-@}
-
-int
-_gnutls_foobar_send_params (gnutls_session_t session,
- opaque * data,
- size_t data_size)
-@{
- if (session->security_parameters.entity == GNUTLS_CLIENT)
- return foobar_send_client (session, data, data_size);
- else
- return foobar_send_server (session, data, data_size);
-@}
-@end example
-
-The functions used would be declared as @code{static} functions, of
-the appropriate prototype, in the same file.
-
-When adding the files, you'll need to add them to @code{Makefile.am}
-as well, for example:
-
-@example
-if ENABLE_FOOBAR
-COBJECTS += ext_foobar.c
-HFILES += ext_foobar.h
-endif
-@end example
-
-@item Add API functions to enable/disable the extension.
-
-Normally the client will have one API to request use of the extension,
-and setting some extension specific data. The server will have one
-API to let the library know that it is willing to accept the
-extension, often this is implemented through a callback but it doesn't
-have to.
-
-The APIs need to be added to @code{includes/gnutls/gnutls.h} or
-@code{includes/gnutls/extra.h} as appropriate. It is recommended that
-if you don't have a requirement to use the LGPLv2.1+ license for your
-extension, that you place your work under the GPLv3+ license and thus
-in the libgnutls-extra library.
-
-You can implement the API function in the @code{ext_foobar.c} file, or
-if that file ends up becoming rather larger, add a
-@code{gnutls_foobar.c} file.
-
-To make the API available in the shared library you need to add the
-symbol in @code{lib/libgnutls.map} or
-@code{libextra/libgnutls-extra.map} as appropriate, so that the symbol
-is exported properly.
-
-When writing GTK-DOC style documentation for your new APIs, don't
-forget to add @code{Since:} tags to indicate the GnuTLS version the
-API was introduced in.
-
-@end enumerate
-
-@node Certificate Handling
-@section Certificate Handling
-What is provided by the certificate handling functions
-is summarized in the following diagram.
-
-@image{gnutls-certificate-user-use-case,12cm}
-
-@node Cryptographic Backend
-@section Cryptographic Backend
-Several new systems provide hardware assisted cryptographic algorithm
-implementations that offer implementations some orders of magnitude
-faster than the software. For this reason GnuTLS supports by default
-the /dev/crypto device usually found in FreeBSD and OpenBSD system, to
-take advantage of installed hardware.
-
-In addition it is possible to override parts of the crypto backend or the
-whole. It is possible to override them both at runtime and compile
-time, however here we will discuss the runtime possibility. The API
-available for this functionality is in @code{gnutls/crypto.h} header
-file.
-
-@subsection Override specific algorithms
-When an optimized implementation of a single algorithm is available,
-say a hardware assisted version of @acronym{AES-CBC} then the
-following functions can be used to register those algorithms.
-
-@itemize
-
-@item @ref{gnutls_crypto_single_cipher_register2}
-To register a cipher algorithm.
-
-@ref{gnutls_crypto_single_digest_register2}
-To register a hash (digest) or MAC algorithm.
-
-@end itemize
-
-Those registration functions will only replace the specified algorithm
-and leave the rest of subsystem intact.
-
-@subsection Override parts of the backend
-In some systems, such as embedded ones, it might be desirable to
-override big parts of the cryptographic backend, or even all of
-them. For this reason the following functions are provided.
-
-@itemize
-
-@item @ref{gnutls_crypto_cipher_register2}
-To override the cryptographic algorithms backend.
-
-@item @ref{gnutls_crypto_digest_register2}
-To override the digest algorithms backend.
-
-@item @ref{gnutls_crypto_rnd_register2}
-To override the random number generator backend.
-
-@item @ref{gnutls_crypto_bigint_register2}
-To override the big number number operations backend.
-
-@item @ref{gnutls_crypto_pk_register2}
-To override the public key encryption backend. This is tight to the
-big number operations so either both of them should be updated or care
-must be taken to use the same format.
-
-@end itemize
-
-If all of them are used then GnuTLS will no longer use libgcrypt.
-
-@node Copying Information
-@appendix Copying Information
-
-@menu
-* GNU Free Documentation License:: License for copying this manual.
-* GNU LGPL:: License for copying the core GnuTLS library.
-* GNU GPL:: License for copying GnuTLS-extra and tools.
-@end menu
-
-@node GNU Free Documentation License
-@appendixsec GNU Free Documentation License
-
-@cindex FDL, GNU Free Documentation License
-
-@include fdl-1.3.texi
-
-@node GNU LGPL
-@appendixsec GNU Lesser General Public License
-@cindex LGPL, GNU Lesser General Public License
-@cindex License, GNU LGPL
-
-@include lgpl-2.1.texi
-
-@node GNU GPL
-@appendixsec GNU General Public License
-@cindex GPL, GNU General Public License
-@cindex License, GNU GPL
-
-@include gpl-3.0.texi
-
-@node Bibliography
-@unnumbered Bibliography
-
-@table @asis
-
-@item @anchor{CBCATT}[CBCATT]
-Bodo Moeller, "Security of CBC Ciphersuites in SSL/TLS: Problems and
-Countermeasures", 2002, available from
-@url{http://www.openssl.org/~bodo/tls-cbc.txt}.
-
-@item @anchor{GPGH}[GPGH]
-Mike Ashley, "The GNU Privacy Handbook", 2002, available from
-@url{http://www.gnupg.org/gph/en/manual.pdf}.
-
-@item @anchor{GUTPKI}[GUTPKI]
-Peter Gutmann, "Everything you never wanted to know about PKI but were
-forced to find out", Available from
-@url{http://www.cs.auckland.ac.nz/~pgut001/}.
-
-@item @anchor{NISTSP80057}[NISTSP80057]
-NIST Special Publication 800-57, "Recommendation for Key Management -
-Part 1: General (Revised)", March 2007, available from
-@url{http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf}.
-
-@item @anchor{RFC2246}[RFC2246]
-Tim Dierks and Christopher Allen, "The TLS Protocol Version 1.0",
-January 1999, Available from
-@url{http://www.ietf.org/rfc/rfc2246.txt}.
-
-@item @anchor{RFC4346}[RFC4346]
-Tim Dierks and Eric Rescorla, "The TLS Protocol Version 1.1", Match
-2006, Available from @url{http://www.ietf.org/rfc/rfc4346.txt}.
-
-@item @anchor{RFC2440}[RFC2440]
-Jon Callas, Lutz Donnerhacke, Hal Finney and Rodney Thayer, "OpenPGP
-Message Format", November 1998, Available from
-@url{http://www.ietf.org/rfc/rfc2440.txt}.
-
-@item @anchor{RFC4880}[RFC4880]
-Jon Callas, Lutz Donnerhacke, Hal Finney, David Shaw and Rodney
-Thayer, "OpenPGP Message Format", November 2007, Available from
-@url{http://www.ietf.org/rfc/rfc4880.txt}.
-
-@item @anchor{RFC4211}[RFC4211]
-J. Schaad, "Internet X.509 Public Key Infrastructure Certificate
-Request Message Format (CRMF)", September 2005, Available from
-@url{http://www.ietf.org/rfc/rfc4211.txt}.
-
-@item @anchor{RFC2817}[RFC2817]
-Rohit Khare and Scott Lawrence, "Upgrading to TLS Within HTTP/1.1",
-May 2000, Available from @url{http://www.ietf.org/rfc/rfc2817.txt}
-
-@item @anchor{RFC2818}[RFC2818]
-Eric Rescorla, "HTTP Over TLS", May 2000, Available from
-@url{http://www.ietf/rfc/rfc2818.txt}.
-
-@item @anchor{RFC2945}[RFC2945]
-Tom Wu, "The SRP Authentication and Key Exchange System", September
-2000, Available from @url{http://www.ietf.org/rfc/rfc2945.txt}.
-
-@item @anchor{RFC2986}[RFC2986]
-Magnus Nystrom and Burt Kaliski, "PKCS 10 v1.7: Certification Request
-Syntax Specification", November 2000, Available from
-@url{http://www.ietf.org/rfc/rfc2986.txt}.
-
-@item @anchor{PKIX}[PKIX]
-D. Cooper, S. Santesson, S. Farrel, S. Boeyen, R. Housley, W. Polk,
-"Internet X.509 Public Key Infrastructure Certificate and Certificate
-Revocation List (CRL) Profile", May 2008, available from
-@url{http://www.ietf.org/rfc/rfc5280.txt}.
-
-@item @anchor{RFC3749}[RFC3749]
-Scott Hollenbeck, "Transport Layer Security Protocol Compression
-Methods", May 2004, available from
-@url{http://www.ietf.org/rfc/rfc3749.txt}.
-
-@item @anchor{RFC3820}[RFC3820]
-Steven Tuecke, Von Welch, Doug Engert, Laura Pearlman, and Mary
-Thompson, "Internet X.509 Public Key Infrastructure (PKI) Proxy
-Certificate Profile", June 2004, available from
-@url{http://www.ietf.org/rfc/rfc3820}.
-
-@item @anchor{RFC5746}[RFC5746]
-E. Rescorla, M. Ray, S. Dispensa, and N. Oskov, "Transport Layer
-Security (TLS) Renegotiation Indication Extension", February 2010,
-available from @url{http://www.ietf.org/rfc/rfc5746}.
-
-@item @anchor{TLSTKT}[TLSTKT]
-Joseph Salowey, Hao Zhou, Pasi Eronen, Hannes Tschofenig, "Transport
-Layer Security (TLS) Session Resumption without Server-Side State",
-January 2008, available from @url{http://www.ietf.org/rfc/rfc5077}.
-
-@item @anchor{PKCS12}[PKCS12]
-RSA Laboratories, "PKCS 12 v1.0: Personal Information Exchange
-Syntax", June 1999, Available from @url{http://www.rsa.com}.
-
-@item @anchor{RESCORLA}[RESCORLA]
-Eric Rescorla, "SSL and TLS: Designing and Building Secure Systems",
-2001
-
-@item @anchor{SELKEY}[SELKEY]
-Arjen Lenstra and Eric Verheul, "Selecting Cryptographic Key Sizes",
-2003, available from @url{http://www.win.tue.nl/~klenstra/key.pdf}.
-
-@item @anchor{SSL3}[SSL3]
-Alan Freier, Philip Karlton and Paul Kocher, "The SSL Protocol Version
-3.0", November 1996, Available from
-@url{http://wp.netscape.com/eng/ssl3/draft302.txt}.
-
-@item @anchor{STEVENS}[STEVENS]
-Richard Stevens, "UNIX Network Programming, Volume 1", Prentice Hall
-PTR, January 1998
-
-@item @anchor{TLSEXT}[TLSEXT]
-Simon Blake-Wilson, Magnus Nystrom, David Hopwood, Jan Mikkelsen and
-Tim Wright, "Transport Layer Security (TLS) Extensions", June 2003,
-Available from @url{http://www.ietf.org/rfc/rfc3546.txt}.
-
-@item @anchor{TLSPGP}[TLSPGP]
-Nikos Mavrogiannopoulos, "Using OpenPGP keys for TLS authentication",
-April 2004, November 2007. Available from
-@url{http://www.ietf.org/rfc/rfc5081.txt}.
+@include cha-programs.texi
-@item @anchor{TLSSRP}[TLSSRP]
-David Taylor, Trevor Perrin, Tom Wu and Nikos Mavrogiannopoulos,
-"Using SRP for TLS Authentication", November 2007. Available from
-@url{http://www.ietf.org/rfc/rfc5054.txt}.
+@include cha-functions.texi
-@item @anchor{TLSPSK}[TLSPSK]
-Pasi Eronen and Hannes Tschofenig, "Pre-shared key Ciphersuites for
-TLS", December 2005, Available from
-@url{http://www.ietf.org/rfc/rfc4279.txt}.
+@include cha-ciphersuites.texi
-@item @anchor{TOMSRP}[TOMSRP]
-Tom Wu, "The Stanford SRP Authentication Project", Available at
-@url{http://srp.stanford.edu/}.
+@include cha-internals.texi
-@item @anchor{WEGER}[WEGER]
-Arjen Lenstra and Xiaoyun Wang and Benne de Weger, "Colliding X.509
-Certificates", Cryptology ePrint Archive, Report 2005/067, Available
-at @url{http://eprint.iacr.org/}.
+@include cha-copying.texi
-@end table
+@include cha-bib.texi
@node Function and Data Index
@unnumbered Function and Data Index