-rw-r--r--NEWS2
-rw-r--r--doc/tex/ciphersuites.tex7
-rw-r--r--doc/tex/ex1.tex4
-rw-r--r--doc/tex/ex2.tex4
-rw-r--r--doc/tex/serv1.tex2
-rw-r--r--doc/tex/srp1.tex2
-rw-r--r--lib/gnutls.h.in13
-rw-r--r--lib/gnutls_buffers.c4
-rw-r--r--lib/gnutls_cert.c10
-rw-r--r--lib/gnutls_errors.c4
-rw-r--r--lib/gnutls_errors.h2
-rw-r--r--lib/gnutls_global.c8
-rw-r--r--lib/gnutls_handshake.c4
-rw-r--r--lib/gnutls_record.c17
-rw-r--r--lib/gnutls_session.c3
-rw-r--r--src/cli.c2
-rw-r--r--src/serv.c2
17 files changed, 52 insertions, 38 deletions
diff --git a/NEWS b/NEWS
index 7f60b416a0..d050efab39 100644
--- a/NEWS
+++ b/NEWS
@@ -1,4 +1,4 @@
-Version ?.?.?
+Version 0.3.0 (17/12/2001)
- Corrected bug in new integer formatting (now we use the old again)
- Several corrections and usual cleanups
diff --git a/doc/tex/ciphersuites.tex b/doc/tex/ciphersuites.tex
index 134f9b62f1..7206738430 100644
--- a/doc/tex/ciphersuites.tex
+++ b/doc/tex/ciphersuites.tex
@@ -16,5 +16,12 @@ be described as a keyed hash algorithm. See RFC2104.} algorithm used for authent
MAC\_SHA is used in the above example.
\end{itemize}
+The ciphersuite that will be used in the connection is negotiated at
+the handshake procedure. However you must note that \tlsI does not always
+negotiate the strongest available cipher suite. There are cases where
+a man in the middle attacker could make the two entities negotiate
+the least secure method they support. For that reason do not enable
+ciphers and algorithms that you consider weak.
+
\addvspace{1.5cm}
diff --git a/doc/tex/ex1.tex b/doc/tex/ex1.tex
index 9c8c8f7314..5432567716 100644
--- a/doc/tex/ex1.tex
+++ b/doc/tex/ex1.tex
@@ -133,7 +133,7 @@ int main()
gnutls_write( state, MSG, strlen(MSG));
ret = gnutls_read( state, buffer, MAX_BUF);
- if (gnutls_is_fatal_error(ret) == 1 || ret == 0) {
+ if (gnutls_error_is_fatal(ret) == 1 || ret == 0) {
if (ret == 0) {
printf("- Peer has closed the GNUTLS connection\n");
goto end;
@@ -147,7 +147,7 @@ int main()
printf("* Received alert [%d]\n", gnutls_alert_get_last(state));
if (ret == GNUTLS_E_REHANDSHAKE) {
printf("* Received HelloRequest message (server asked to rehandshake)\n");
- gnutls_send_appropriate_alert( state, ret); /* we don't want rehandshake */
+ gnutls_alert_send_appropriate( state, ret); /* we don't want rehandshake */
}
}
diff --git a/doc/tex/ex2.tex b/doc/tex/ex2.tex
index b5a80b9141..6c6ea3a321 100644
--- a/doc/tex/ex2.tex
+++ b/doc/tex/ex2.tex
@@ -105,7 +105,7 @@ int main()
gnutls_write( state, MSG, strlen(MSG));
ret = gnutls_read( state, buffer, MAX_BUF);
- if (gnutls_is_fatal_error(ret) == 1 || ret == 0) {
+ if (gnutls_error_is_fatal(ret) == 1 || ret == 0) {
if (ret == 0) {
printf("- Peer has closed the GNUTLS connection\n");
goto end;
@@ -119,7 +119,7 @@ int main()
printf("* Received alert [%d]\n", gnutls_alert_get_last(state));
if (ret == GNUTLS_E_REHANDSHAKE)
printf("* Received HelloRequest message (server asked to rehandshake)\n");
- gnutls_send_appropriate_alert( state, ret); /* we don't want rehandshake */
+ gnutls_alert_send_appropriate( state, ret); /* we don't want rehandshake */
}
if (ret > 0) {
diff --git a/doc/tex/serv1.tex b/doc/tex/serv1.tex
index ac761ae14f..0e7dec2714 100644
--- a/doc/tex/serv1.tex
+++ b/doc/tex/serv1.tex
@@ -195,7 +195,7 @@ int main()
bzero(buffer, MAX_BUF + 1);
ret = gnutls_read( state, buffer, MAX_BUF);
- if (gnutls_is_fatal_error(ret) == 1 || ret == 0) {
+ if (gnutls_error_is_fatal(ret) == 1 || ret == 0) {
if (ret == 0) {
printf
("\n- Peer has closed the GNUTLS connection\n");
diff --git a/doc/tex/srp1.tex b/doc/tex/srp1.tex
index 44dcb251f1..59c55b5ca1 100644
--- a/doc/tex/srp1.tex
+++ b/doc/tex/srp1.tex
@@ -102,7 +102,7 @@ int main()
gnutls_write( state, MSG, strlen(MSG));
ret = gnutls_read( state, buffer, MAX_BUF);
- if (gnutls_is_fatal_error(ret) == 1 || ret == 0) {
+ if (gnutls_error_is_fatal(ret) == 1 || ret == 0) {
if (ret == 0) {
printf("- Peer has closed the GNUTLS connection\n");
goto end;
diff --git a/lib/gnutls.h.in b/lib/gnutls.h.in
index a517516b60..769d65df39 100644
--- a/lib/gnutls.h.in
+++ b/lib/gnutls.h.in
@@ -85,7 +85,7 @@ typedef struct gnutls_private_key gnutls_private_key;
/* internal functions */
int gnutls_init(GNUTLS_STATE * state, ConnectionEnd con_end);
-int gnutls_deinit(GNUTLS_STATE state);
+void gnutls_deinit(GNUTLS_STATE state);
int gnutls_bye( GNUTLS_STATE state, CloseRequest how);
int gnutls_handshake( GNUTLS_STATE state);
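Review bot: The return type of gnutls_deinit changes from int to void at `+void gnutls_deinit(GNUTLS_STATE state);`, which breaks any caller that assigned or tested its result, and unlike the renames in this header no compatibility alias can paper over a type change. The NEWS hunk in this commit does not mention it; a line such as `- gnutls_deinit() now returns void` there, or a comment above the prototype, would let users upgrading from the previous release find the break instead of discovering it at compile time. The matching definition change is in lib/gnutls_record.c in this same commit.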
@@ -111,7 +111,9 @@ const char *gnutls_kx_get_name( KXAlgorithm algorithm);
/* error functions */
-int gnutls_is_fatal_error( int error);
+int gnutls_error_is_fatal( int error);
+#define gnutls_is_fatal_error(x) gnutls_error_is_fatal(x)
+
void gnutls_perror( int error);
const char* gnutls_strerror( int error);
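Review bot: The compatibility alias `#define gnutls_is_fatal_error(x) gnutls_error_is_fatal(x)` is a function-like macro, while the push/pull aliases in the third hunk of this file are object-like; the function-like form does not cover code that takes the old name's address or passes it as a callback, so `#define gnutls_is_fatal_error gnutls_error_is_fatal` would be both consistent and more complete. None of the three aliases says why it exists; a comment such as `/* Deprecated names kept for source compatibility; new code should use the gnutls_error_is_fatal / gnutls_transport_set_*_func forms. */` above them would tell a reader they are not a second API.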
@@ -237,8 +239,11 @@ void gnutls_transport_set_lowat( GNUTLS_STATE state, int num);
typedef void (*LOG_FUNC)( const char*);
-void gnutls_transport_set_push_function( GNUTLS_STATE, GNUTLS_PUSH_FUNC push_func);
-void gnutls_transport_set_pull_function( GNUTLS_STATE, GNUTLS_PULL_FUNC pull_func);
+void gnutls_transport_set_push_func( GNUTLS_STATE, GNUTLS_PUSH_FUNC push_func);
+void gnutls_transport_set_pull_func( GNUTLS_STATE, GNUTLS_PULL_FUNC pull_func);
+
+#define gnutls_transport_set_push_function gnutls_transport_set_push_func
+#define gnutls_transport_set_pull_function gnutls_transport_set_pull_func
size_t gnutls_record_get_max_size( GNUTLS_STATE state);
size_t gnutls_record_set_max_size( GNUTLS_STATE state, size_t size);
diff --git a/lib/gnutls_buffers.c b/lib/gnutls_buffers.c
index b8cf3e351c..7e9ee5cb16 100644
--- a/lib/gnutls_buffers.c
+++ b/lib/gnutls_buffers.c
@@ -391,7 +391,7 @@ ssize_t _gnutls_read_buffered( GNUTLS_STATE state, opaque **iptr, size_t sizeOfP
/* return immediately if we got an interrupt or eagain
* error.
*/
- if (ret < 0 && gnutls_is_fatal_error(ret)==0) {
+ if (ret < 0 && gnutls_error_is_fatal(ret)==0) {
return ret;
}
}
@@ -415,7 +415,7 @@ ssize_t _gnutls_read_buffered( GNUTLS_STATE state, opaque **iptr, size_t sizeOfP
if (ret == (recvdata - recvlowat) && recvlowat > 0) {
ret2 = _gnutls_read( state, &buf[buf_pos], recvlowat, MSG_PEEK);
- if (ret2 < 0 && gnutls_is_fatal_error(ret2)==0) {
+ if (ret2 < 0 && gnutls_error_is_fatal(ret2)==0) {
return ret2;
}
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index 7df74aa2bd..3160379ce0 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -1069,7 +1069,7 @@ void gnutls_x509pki_server_set_cert_request(GNUTLS_STATE state,
* by one of these CAs. These names are DER encoded. To get a more
* meaningful value use the function gnutls_x509pki_extract_dn().
*
- * This function specifies what we (in case of a client) are going
+ * This function specifies what we, in case of a client, are going
* to do when we have to send a certificate. If this callback
* function is not provided then gnutls will automaticaly try to
* find an appropriate certificate to send.
@@ -1087,8 +1087,8 @@ void gnutls_x509pki_server_set_cert_request(GNUTLS_STATE state,
* only to the return value of the callback function.
*
* The callback function should return the index of the certificate
- * choosen by the user (or -1 to indicate that the user
- * does not want to use client authentication).
+ * choosen by the user. -1 indicates that the user
+ * does not want to use client authentication.
*
* This function returns 0 on success.
**/
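Review bot: The reworded line `+ * choosen by the user. -1 indicates that the user` keeps the misspelling "choosen" (should be "chosen"); the same typo survives in the fourth hunk of this file at `+ * choosen by the server. -1 indicates an error.`. The docblock also still ends with "This function returns 0 on success." although the function it documents appears, from the next hunk's header, to be `void gnutls_x509pki_set_client_cert_callback`; if that is the case the sentence should be dropped, since it describes a return value that does not exist.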
@@ -1110,7 +1110,7 @@ void gnutls_x509pki_set_client_cert_callback(GNUTLS_STATE state,
* 'server_cert' contains 'ncerts' gnutls_datum structures which hold
* the DER encoded X.509 certificates of the server.
*
- * This function specifies what we (in case of a server) are going
+ * This function specifies what we, in case of a server, are going
* to do when we have to send a certificate. If this callback
* function is not provided then gnutls will automaticaly try to
* find an appropriate certificate to send. (actually send the first in the list)
@@ -1121,7 +1121,7 @@ void gnutls_x509pki_set_client_cert_callback(GNUTLS_STATE state,
*
* The callback function will only be called once per handshake.
* The callback function should return the index of the certificate
- * choosen by the server (or -1 in case of an error)
+ * choosen by the server. -1 indicates an error.
*
**/
void gnutls_x509pki_set_server_cert_callback(GNUTLS_STATE state,
diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c
index ce42184098..ce2e4b9d5b 100644
--- a/lib/gnutls_errors.c
+++ b/lib/gnutls_errors.c
@@ -108,7 +108,7 @@ static gnutls_error_entry error_algorithms[] = {
/**
- * gnutls_is_fatal_error - Returns non-zero in case of a fatal error
+ * gnutls_error_is_fatal - Returns non-zero in case of a fatal error
* @error: is an error returned by a gnutls function. Error should be a negative value.
*
* If a function returns a negative value you may feed that value
@@ -117,7 +117,7 @@ static gnutls_error_entry error_algorithms[] = {
* error code manualy, since some non-fatal errors to the protocol
* may be fatal for you (your program).
**/
-int gnutls_is_fatal_error(int error)
+int gnutls_error_is_fatal(int error)
{
int ret = 0;
diff --git a/lib/gnutls_errors.h b/lib/gnutls_errors.h
index d46f232e04..97e2f6d16f 100644
--- a/lib/gnutls_errors.h
+++ b/lib/gnutls_errors.h
@@ -37,5 +37,5 @@
const char* gnutls_strerror(int error);
void gnutls_perror(int error);
-int gnutls_is_fatal_error( int error);
+int gnutls_error_is_fatal( int error);
void _gnutls_log( const char *fmt, ...);
diff --git a/lib/gnutls_global.c b/lib/gnutls_global.c
index 491e4c1bbe..8264e29d4a 100644
--- a/lib/gnutls_global.c
+++ b/lib/gnutls_global.c
@@ -135,7 +135,7 @@ void gnutls_global_deinit() {
*/
/**
- * gnutls_transport_set_pull_function - This function sets a read like function
+ * gnutls_transport_set_pull_func - This function sets a read like function
* @pull_func: it's a function like read
* @state: gnutls state
*
@@ -147,12 +147,12 @@ void gnutls_global_deinit() {
* PULL_FUNC is of the form,
* ssize_t (*PULL_FUNC)(GNUTLS_SOCKET_PTR, const void*, size_t);
**/
-void gnutls_transport_set_pull_function( GNUTLS_STATE state, PULL_FUNC pull_func) {
+void gnutls_transport_set_pull_func( GNUTLS_STATE state, PULL_FUNC pull_func) {
state->gnutls_internals._gnutls_pull_func = pull_func;
}
/**
- * gnutls_transport_set_push_function - This function sets the function to send data
+ * gnutls_transport_set_push_func - This function sets the function to send data
* @push_func: it's a function like write
* @state: gnutls state
*
@@ -166,6 +166,6 @@ void gnutls_transport_set_pull_function( GNUTLS_STATE state, PULL_FUNC pull_func
* PUSH_FUNC is of the form,
* ssize_t (*PUSH_FUNC)(GNUTLS_SOCKET_PTR, const void*, size_t);
**/
-void gnutls_transport_set_push_function( GNUTLS_STATE state, PUSH_FUNC push_func) {
+void gnutls_transport_set_push_func( GNUTLS_STATE state, PUSH_FUNC push_func) {
state->gnutls_internals._gnutls_push_func = push_func;
}
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index ac0db46c16..288067b544 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -1630,7 +1630,7 @@ int _gnutls_recv_hello(GNUTLS_STATE state, char *data, int datalen)
* If the client does not wish to renegotiate parameters he
* will reply with an alert message, thus the return code will be
* GNUTLS_E_WARNING_ALERT_RECEIVED and the alert will be
- * GNUTLS_NO_RENEGOTIATION.
+ * GNUTLS_A_NO_RENEGOTIATION.
**/
int gnutls_rehandshake(GNUTLS_STATE state)
{
@@ -1697,7 +1697,7 @@ int gnutls_handshake(GNUTLS_STATE state)
#define IMED_RET( str, ret) \
if (ret < 0) { \
- if (gnutls_is_fatal_error(ret)==0) return ret; \
+ if (gnutls_error_is_fatal(ret)==0) return ret; \
gnutls_assert(); \
ERR( str, ret); \
gnutls_clear_handshake_buffer(state); \
diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c
index 3f8c0315b7..ff84850895 100644
--- a/lib/gnutls_record.c
+++ b/lib/gnutls_record.c
@@ -169,7 +169,7 @@ int default_protocol_list[] = { GNUTLS_TLS1, 0 };
*
* This function clears all buffers associated with the &state.
**/
-int gnutls_deinit(GNUTLS_STATE state)
+void gnutls_deinit(GNUTLS_STATE state)
{
/* if the session has failed abnormally it has to be removed from the db */
if ( state->gnutls_internals.resumable==RESUME_FALSE) {
@@ -240,7 +240,8 @@ int gnutls_deinit(GNUTLS_STATE state)
memset( state, 0, sizeof(struct GNUTLS_STATE_INT));
gnutls_free(state);
- return 0;
+
+ return;
}
inline
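Review bot: The added `return;` at the end of gnutls_deinit is redundant in a void function and the empty line before it only pads the body; replacing `- return 0;` with nothing would have been enough. Since the function now signals nothing, its docblock in the first hunk of this file could state that explicitly, e.g. `This function has no return value; the state must not be used afterwards.`. Separately, the visible `memset( state, 0, sizeof(struct GNUTLS_STATE_INT));` immediately before `gnutls_free(state)` is a dead store that an optimizing compiler may remove, so if the state holds key material this does not reliably scrub it — worth a comment or a dedicated zeroization helper, though I cannot see from this hunk whether one exists in the tree. The body of gnutls_deinit starts outside this hunk.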
@@ -487,13 +488,13 @@ int ret = GNUTLS_E_UNIMPLEMENTED_FEATURE;
* In case of GNUTLS_SHUT_RDWR then the TLS connection gets terminated and
* further receives and sends will be disallowed. If the return
* value is zero you may continue using the connection.
- * (GNUTLS_SHUT_RDWR actually sends an alert containing a close request
- * and waits for the peer to reply with the same message)
+ * GNUTLS_SHUT_RDWR actually sends an alert containing a close request
+ * and waits for the peer to reply with the same message.
*
* In case of GNUTLS_SHUT_WR then the TLS connection gets terminated and
* further sends will be disallowed. In order to reuse the connection
* you should wait for an EOF from the peer.
- * (GNUTLS_SHUT_WR sends an alert containing a close request)
+ * GNUTLS_SHUT_WR sends an alert containing a close request.
*
* This function may also return GNUTLS_E_AGAIN, or GNUTLS_E_INTERRUPTED.
*
@@ -626,7 +627,7 @@ ssize_t gnutls_send_int( GNUTLS_STATE state, ContentType type, HandshakeType hty
if ( ret != cipher_size) {
gnutls_free( cipher);
- if ( ret < 0 && gnutls_is_fatal_error(ret)==0) {
+ if ( ret < 0 && gnutls_error_is_fatal(ret)==0) {
/* If we have sent any data then return
* that value.
*/
@@ -748,7 +749,7 @@ ssize_t gnutls_recv_int( GNUTLS_STATE state, ContentType type, HandshakeType hty
* must be set to non blocking mode
*/
if ( (ret = _gnutls_read_buffered( state, &headers, header_size, -1)) != header_size) {
- if (ret < 0 && gnutls_is_fatal_error(ret)==0) return ret;
+ if (ret < 0 && gnutls_error_is_fatal(ret)==0) return ret;
state->gnutls_internals.valid_connection = VALID_FALSE;
if (type==GNUTLS_ALERT) {
@@ -832,7 +833,7 @@ ssize_t gnutls_recv_int( GNUTLS_STATE state, ContentType type, HandshakeType hty
/* check if we have that data into buffer.
*/
if ( (ret = _gnutls_read_buffered( state, &recv_data, header_size+length, recv_type)) != length+header_size) {
- if (ret<0 && gnutls_is_fatal_error(ret)==0) return ret;
+ if (ret<0 && gnutls_error_is_fatal(ret)==0) return ret;
state->gnutls_internals.valid_connection = VALID_FALSE;
state->gnutls_internals.resumable = RESUME_FALSE;
diff --git a/lib/gnutls_session.c b/lib/gnutls_session.c
index 43cca3e1ab..b8008314dc 100644
--- a/lib/gnutls_session.c
+++ b/lib/gnutls_session.c
@@ -74,7 +74,8 @@ int gnutls_session_get_data( GNUTLS_STATE state, opaque* session, int *session_s
*
* Returns the current session id. This can be used if you want to check if
* the next session you tried to resume was actually resumed.
- * (resumed sessions have the same sessionID with the first session)
+ * This is because resumed sessions have the same sessionID with the
+ * original session.
*
* Session id is some data set by the server, that identify the current session.
* In TLS 1.0 session id should not be more than 32 bytes.
diff --git a/src/cli.c b/src/cli.c
index f44e49c305..b95dd9ed6c 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -363,7 +363,7 @@ int main(int argc, char** argv)
} while( ret==GNUTLS_E_INTERRUPTED || ret==GNUTLS_E_AGAIN);
/* remove new line */
- if (gnutls_is_fatal_error(ret) == 1 || ret==0) {
+ if (gnutls_error_is_fatal(ret) == 1 || ret==0) {
if (ret == 0) {
printf("- Peer has closed the GNUTLS connection\n");
break;
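Review bot: The new line `+ if (gnutls_error_is_fatal(ret) == 1 || ret==0) {` tests for exactly 1, but the docblock renamed in lib/gnutls_errors.c in this same commit documents the function as "Returns non-zero in case of a fatal error", so a fatal error reported as any other non-zero value would fall through to the non-fatal branch. Comparing against the documented contract, `if (gnutls_error_is_fatal(ret) != 0 || ret == 0) {`, removes that dependency on an unstated return value. The same `== 1` pattern appears in src/serv.c and in the doc/tex examples touched by this commit. The enclosing main() starts and ends outside this hunk.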
diff --git a/src/serv.c b/src/serv.c
index 6051d313f2..d1a1f5836f 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -424,7 +424,7 @@ int main(int argc, char **argv)
bzero(buffer, MAX_BUF + 1);
ret = read_request( state, buffer, MAX_BUF, (http==0)?1:2);
- if (gnutls_is_fatal_error(ret) == 1 || ret == 0) {
+ if (gnutls_error_is_fatal(ret) == 1 || ret == 0) {
fflush(stdout);
if (ret == 0) {
printf