-rw-r--r--doc/tex/patents.tex29
-rw-r--r--doc/tex/srp.tex4
-rw-r--r--lib/Makefile.am4
-rw-r--r--lib/gnutls_errors.c10
-rw-r--r--lib/gnutls_errors_int.h7
-rw-r--r--lib/gnutls_x509.c12
-rw-r--r--lib/x509_b64.c2
-rw-r--r--libextra/auth_srp.c2
-rw-r--r--libextra/auth_srp_passwd.c24
-rw-r--r--libextra/gnutls_openpgp.c2
10 files changed, 57 insertions, 39 deletions
diff --git a/doc/tex/patents.tex b/doc/tex/patents.tex
index 2561150a87..0c30ca30fd 100644
--- a/doc/tex/patents.tex
+++ b/doc/tex/patents.tex
@@ -5,8 +5,11 @@ decided to approve such patents. In order for \gnutls{} to be free in all
countries, we try not to include patented algorithms, which could turn the
library being non free.
-\section{TLS patent}
-\index{Patents!TLS}
+\par
+Note that this chapter does not offer any legal advice of any kind.
+
+\section{SSL patent}
+\index{Patents!SSL}
A patent which we couln't avoid was a patent by Netscape Communications
Corporation on the Secure Sockets Layer (\ssl{}) work that \tlsI{} is based on.
Fortunately Netscape has provided a statement that allows royalty free
@@ -40,10 +43,13 @@ Communications' statement in RFC2246\cite{RFC2246}.
\section{SRP patent}
\index{Patents!SRP}
+\label{ap:srppatent}
+The status of SRP is unclear.
A patent application was filed by Stanford University on the SRP algorithm.
-The letters\footnote{found in \htmladdnormallink{http://www.ietf.org/ietf/IPR/PHOENIX-SRP-RFC2945.txt}{http://www.ietf.org/ietf/IPR/WU-SRP}} below were sent to IETF.
+The letters\footnote{found in \htmladdnormallink{http://www.ietf.org/ietf/IPR/WU-SRP}{http://www.ietf.org/ietf/IPR/WU-SRP}} below were sent to IETF.
\begin{verbatim}
+=============================================================================
Received April 26, 2000
Kirsten Leute <kirsten.leute@stanford.edu>
@@ -69,7 +75,7 @@ Associate
Fax: (650) 725-7295
kirsten.leute@stanford.edu
-======================================================================================
+=============================================================================
Received December 22, 2000
From: Thomas Wu <tjw@CS.Stanford.EDU>
@@ -87,15 +93,18 @@ http://otl.stanford.edu/
Tom Wu
tjw@CS.Stanford.EDU
+=============================================================================
\end{verbatim}
\par
-\gnutls{} uses the SRP algorithm as described in RFC 2945, which
+\gnutls{}, as part of it's SRP authentication method,
+uses the SRP algorithm as described in RFC 2945, which
is available royalty-free by Stanford, so the above patent does
-not cause any harm. However
-the US patent 6226383 held by Phoenix, known as the SPEKE patent
+not cause any harm.
+
+However the US patent 6226383 held by Phoenix, known as the SPEKE patent,
may apply to the SRP algorithm according to Phoenix.
-See \htmladdnormallink{http://www.ietf.org/ietf/IPR/PHOENIX-SRP-RFC2945.txt}{http://www.ietf.org/ietf/IPR/PHOENIX-SRP-RFC2945.txt}.
-Also the EKE patents (US 5241599 and US 5440635), held by Lucent,
-may also apply to the SRP algorithm. See
+The letter sent to IETF by Phoenix is available at \htmladdnormallink{http://www.ietf.org/ietf/IPR/PHOENIX-SRP-RFC2945.txt}{http://www.ietf.org/ietf/IPR/PHOENIX-SRP-RFC2945.txt}.
+The EKE patents (US 5241599 and US 5440635), held by Lucent,
+may also apply to the SRP algorithm. See the letter sent to IETF found in
\htmladdnormallink{http://www.ietf.org/ietf/IPR/LUCENT-SRP}{http://www.ietf.org/ietf/IPR/LUCENT-SRP}.
diff --git a/doc/tex/srp.tex b/doc/tex/srp.tex
index c380c3fef0..5f8a1f2e77 100644
--- a/doc/tex/srp.tex
+++ b/doc/tex/srp.tex
@@ -1,4 +1,5 @@
\section{Authentication using SRP\index{SRP authentication}}
+
Authentication using the SRP\footnote{SRP stands for Secure Password Protocol and
is described in \cite{RFC2945}. The SRP key exchange is not a part of the \tlsI{} protocol}
is actually password authentication, since the two peers are identified by the knowledge of a password.
@@ -12,6 +13,9 @@ the user's password. This kind of protection is similar to the one used traditio
in the \emph{UNIX} ``passwd'' file, where the contents of this file did not cause
harm to the system security if they were revealed.
\par
+Before using SRP authentication, it is recommended to read \ref{ap:srppatent} on page
+\pageref{ap:srppatent}, about the patents that relate to SRP.
+
The implementation in \gnutls{} is based on paper \cite{TLSSRP}.
Available key exchange methods are shown in \hyperref{figure}{figure }{}{fig:srp}.
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 00f6b81b52..f26331ef8b 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -14,11 +14,11 @@ EXTRA_DIST = minitasn1 debug.h gnutls_compress.h defines.h gnutls.asn pkix.asn \
auth_anon.h gnutls_extensions.h gnutls_buffer.h \
gnutls_auth_int.h gnutls_random.h x509_b64.h gnutls_v2_compat.h \
libgnutls-config.in libgnutls.m4 gnutls.h.in.in gnutls_errors_int.h \
- gnutls_datum.h auth_cert.h gnutls_mpi.h \
+ gnutls-api.tex gnutls_datum.h auth_cert.h gnutls_mpi.h \
gnutls_pk.h gnutls_record.h gnutls_cert.h \
gnutls_privkey.h gnutls_constate.h gnutls_global.h x509_verify.h \
gnutls_sig.h gnutls_mem.h x509_extensions.h gnutls_ui.h \
- gnutls-api.tex io_debug.h ext_max_record.h gnutls_session_pack.h \
+ io_debug.h ext_max_record.h gnutls_session_pack.h \
gnutls_alert.h gnutls_str.h gnutls_state.h gnutls_x509.h \
ext_cert_type.h gnutls_rsa_export.h ext_server_name.h auth_dh_common.h \
gnutls.sym
diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c
index bac11b75d5..af17f2e622 100644
--- a/lib/gnutls_errors.c
+++ b/lib/gnutls_errors.c
@@ -78,11 +78,12 @@ static gnutls_error_entry error_algorithms[] = {
ERROR_ENTRY("Internal error in memory allocation.", GNUTLS_E_MEMORY_ERROR, 1 ),
ERROR_ENTRY("An unimplemented feature has been requested.", GNUTLS_E_UNIMPLEMENTED_FEATURE, 1 ),
ERROR_ENTRY("Insuficient credentials for that request.", GNUTLS_E_INSUFICIENT_CREDENTIALS, 1 ),
- ERROR_ENTRY("Error in password file.", GNUTLS_E_PWD_ERROR, 1 ),
+ ERROR_ENTRY("Error in SRP password file.", GNUTLS_E_SRP_PWD_ERROR, 1 ),
ERROR_ENTRY("Wrong padding in PKCS1 packet.", GNUTLS_E_PKCS1_WRONG_PAD, 1 ),
ERROR_ENTRY("The requested session has expired.", GNUTLS_E_EXPIRED, 1 ),
ERROR_ENTRY("Hashing has failed.", GNUTLS_E_HASH_FAILED, 1 ),
- ERROR_ENTRY("Parsing error.", GNUTLS_E_PARSING_ERROR, 1 ),
+ ERROR_ENTRY("Certificate parsing error.", GNUTLS_E_BASE64_DECODING_ERROR, 1 ),
+ ERROR_ENTRY("Parsing error in SRP password file.", GNUTLS_E_SRP_PWD_PARSING_ERROR, 1 ),
ERROR_ENTRY("The requested data, were not available.", GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE, 0 ),
ERROR_ENTRY("Error in the pull function.", GNUTLS_E_PULL_ERROR, 1 ),
ERROR_ENTRY("Error in the push function.", GNUTLS_E_PUSH_ERROR, 1 ),
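Review bot: The text "Certificate parsing error." on the new GNUTLS_E_BASE64_DECODING_ERROR entry does not describe the code it is attached to. In this same commit the code is returned by read_key_mem() in lib/gnutls_x509.c for private keys, by _gnutls_fbase64_decode(), and by map_cdk_rc() for CDK_Armor_Error, none of which is necessarily a certificate. Anyone reading the string from a log would look for a problem in the certificate rather than in the PEM or armor encoding. I would word the entry after the code, `ERROR_ENTRY("Base64 decoding error.", GNUTLS_E_BASE64_DECODING_ERROR, 1 ),`.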
@@ -102,7 +103,6 @@ static gnutls_error_entry error_algorithms[] = {
ERROR_ENTRY("The request is invalid.", GNUTLS_E_INVALID_REQUEST, 1 ),
ERROR_ENTRY("An illegal parameter has been received.", GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, 1 ),
ERROR_ENTRY("Error while reading file.", GNUTLS_E_FILE_ERROR, 1 ),
- ERROR_ENTRY("Error in ASCII armoring.", GNUTLS_E_ASCII_ARMOR_ERROR, 1 ),
ERROR_ENTRY("ASN1 parser: Element was not found.", GNUTLS_E_ASN1_ELEMENT_NOT_FOUND, 1 ),
ERROR_ENTRY("ASN1 parser: Identifier was not found", GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND, 1 ),
@@ -149,6 +149,10 @@ static gnutls_error_entry error_algorithms[] = {
* error 0 otherwise. However you may want to check the
* error code manualy, since some non-fatal errors to the protocol
* may be fatal for you (your program).
+ *
+ * This is only useful if you are dealing with errors from the
+ * record layer, or the handshake layer.
+ *
**/
int gnutls_error_is_fatal(int error)
{
diff --git a/lib/gnutls_errors_int.h b/lib/gnutls_errors_int.h
index eee24502ca..61c63840bb 100644
--- a/lib/gnutls_errors_int.h
+++ b/lib/gnutls_errors_int.h
@@ -24,12 +24,13 @@
#define GNUTLS_E_AGAIN -28
#define GNUTLS_E_EXPIRED -29
#define GNUTLS_E_DB_ERROR -30
-#define GNUTLS_E_PWD_ERROR -31
+#define GNUTLS_E_SRP_PWD_ERROR -31
#define GNUTLS_E_INSUFICIENT_CREDENTIALS -32
#define GNUTLS_E_INSUFICIENT_CRED GNUTLS_E_INSUFICIENT_CREDENTIALS
#define GNUTLS_E_HASH_FAILED -33
-#define GNUTLS_E_PARSING_ERROR -34
+#define GNUTLS_E_BASE64_DECODING_ERROR -34
+
#define GNUTLS_E_MPI_PRINT_FAILED -35
#define GNUTLS_E_REHANDSHAKE -37 /* GNUTLS_A_NO_RENEGOTIATION */
#define GNUTLS_E_GOT_APPLICATION_DATA -38
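Review bot: GNUTLS_E_PWD_ERROR and GNUTLS_E_PARSING_ERROR disappear here, and GNUTLS_E_ASCII_ARMOR_ERROR in the next hunk, without compatibility aliases, although this header already keeps one for GNUTLS_E_INSUFICIENT_CRED. If these definitions reach applications through the installed header (not visible from this page), existing callers stop compiling. The numeric results change as well: armor failures move from -65 to -34 and SRP password-file parse failures from -34 to -91, so code that logs or compares raw values would misclassify them. I would keep the old names as aliases, `#define GNUTLS_E_PWD_ERROR GNUTLS_E_SRP_PWD_ERROR`, `#define GNUTLS_E_PARSING_ERROR GNUTLS_E_BASE64_DECODING_ERROR` and `#define GNUTLS_E_ASCII_ARMOR_ERROR GNUTLS_E_BASE64_DECODING_ERROR`, and mention the value changes in the release notes.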
@@ -59,7 +60,6 @@
#define GNUTLS_E_X509_UNKNOWN_SAN -62
#define GNUTLS_E_DH_PRIME_UNACCEPTABLE -63
#define GNUTLS_E_FILE_ERROR -64
-#define GNUTLS_E_ASCII_ARMOR_ERROR -65
#define GNUTLS_E_ASN1_ELEMENT_NOT_FOUND -67
#define GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND -68
#define GNUTLS_E_ASN1_DER_ERROR -69
@@ -96,6 +96,7 @@
#define GNUTLS_E_PK_SIG_VERIFY_FAILED -89
#define GNUTLS_E_ILLEGAL_SRP_USERNAME -90
+#define GNUTLS_E_SRP_PWD_PARSING_ERROR -91
#define GNUTLS_E_UNIMPLEMENTED_FEATURE -250
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index 921ca3ac85..0a2daa8022 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -1288,7 +1288,7 @@ static int parse_pem_cert_mem( gnutls_cert** cert_list, int* ncerts,
if (siz2 < 0) {
gnutls_assert();
- return GNUTLS_E_PARSING_ERROR;
+ return GNUTLS_E_BASE64_DECODING_ERROR;
}
ret = parse_pkcs7_cert_mem( cert_list, ncerts, b64,
@@ -1306,7 +1306,7 @@ static int parse_pem_cert_mem( gnutls_cert** cert_list, int* ncerts,
if (ptr == NULL) {
gnutls_assert();
- return GNUTLS_E_PARSING_ERROR;
+ return GNUTLS_E_BASE64_DECODING_ERROR;
}
siz = strlen( ptr);
@@ -1319,7 +1319,7 @@ static int parse_pem_cert_mem( gnutls_cert** cert_list, int* ncerts,
if (siz2 < 0) {
gnutls_assert();
- return GNUTLS_E_PARSING_ERROR;
+ return GNUTLS_E_BASE64_DECODING_ERROR;
}
*cert_list =
@@ -1544,14 +1544,14 @@ static int read_key_mem(gnutls_certificate_credentials res, const char *key, int
key = strstr( key, PEM_KEY_DSA_SEP);
if (key == NULL) {
gnutls_assert();
- return GNUTLS_E_PARSING_ERROR;
+ return GNUTLS_E_BASE64_DECODING_ERROR;
} key_size = strlen( key);
} else {
pk = GNUTLS_PK_RSA;
key = strstr( key, PEM_KEY_RSA_SEP);
if (key == NULL) {
gnutls_assert();
- return GNUTLS_E_PARSING_ERROR;
+ return GNUTLS_E_BASE64_DECODING_ERROR;
}
key_size = strlen( key);
}
@@ -1561,7 +1561,7 @@ static int read_key_mem(gnutls_certificate_credentials res, const char *key, int
if (ret < 0) {
gnutls_assert();
- return GNUTLS_E_PARSING_ERROR;
+ return GNUTLS_E_BASE64_DECODING_ERROR;
}
tmp.data = b64;
diff --git a/lib/x509_b64.c b/lib/x509_b64.c
index bab1c35b45..cc8215d14e 100644
--- a/lib/x509_b64.c
+++ b/lib/x509_b64.c
@@ -449,7 +449,7 @@ int _gnutls_fbase64_decode( const opaque* header, const opaque * data, size_t da
if ((ret = _gnutls_base64_decode( kdata, kdata_size, result)) < 0) {
gnutls_free(kdata);
gnutls_assert();
- return GNUTLS_E_PARSING_ERROR;
+ return GNUTLS_E_BASE64_DECODING_ERROR;
}
gnutls_free(kdata);
diff --git a/libextra/auth_srp.c b/libextra/auth_srp.c
index b20cb9bc76..d6bdf1491a 100644
--- a/libextra/auth_srp.c
+++ b/libextra/auth_srp.c
@@ -101,7 +101,7 @@ int _gnutls_gen_srp_server_kx(gnutls_session state, opaque ** data)
*/
pwd_entry = _gnutls_randomize_pwd_entry();
} else {
- return GNUTLS_E_PWD_ERROR;
+ return GNUTLS_E_SRP_PWD_ERROR;
}
}
diff --git a/libextra/auth_srp_passwd.c b/libextra/auth_srp_passwd.c
index 7bcd23d446..f5781a0692 100644
--- a/libextra/auth_srp_passwd.c
+++ b/libextra/auth_srp_passwd.c
@@ -49,7 +49,7 @@ int indx;
p = rindex( str, ':'); /* we have index */
if (p==NULL) {
gnutls_assert();
- return GNUTLS_E_PARSING_ERROR;
+ return GNUTLS_E_SRP_PWD_PARSING_ERROR;
}
*p='\0';
@@ -59,14 +59,14 @@ int indx;
indx = atoi(p);
if (indx==0) {
gnutls_assert();
- return GNUTLS_E_PARSING_ERROR;
+ return GNUTLS_E_SRP_PWD_PARSING_ERROR;
}
/* now go for salt */
p = rindex( str, ':'); /* we have salt */
if (p==NULL) {
gnutls_assert();
- return GNUTLS_E_PARSING_ERROR;
+ return GNUTLS_E_SRP_PWD_PARSING_ERROR;
}
*p='\0';
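Review bot: The index field of the SRP password entry is still parsed with `indx = atoi(p);` and rejected only when the result is 0. That accepts trailing garbage such as "12abc" and negative numbers, and an out-of-range value is undefined behaviour for atoi(). Since this commit gives the parser its own error code, the field could be validated strictly with a `char *end` and a `long v`: `errno = 0; v = strtol(p, &end, 10);` followed by `if (end == p || *end != '\0' || errno == ERANGE || v <= 0 || v > INT_MAX) { gnutls_assert(); return GNUTLS_E_SRP_PWD_PARSING_ERROR; }`. The function starts and ends outside this hunk, so how `indx` is used afterwards is not visible here.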
@@ -78,14 +78,14 @@ int indx;
if (entry->salt.size <= 0) {
gnutls_assert();
- return GNUTLS_E_PARSING_ERROR;
+ return GNUTLS_E_SRP_PWD_PARSING_ERROR;
}
/* now go for verifier */
p = rindex( str, ':'); /* we have verifier */
if (p==NULL) {
_gnutls_free_datum(&entry->salt);
- return GNUTLS_E_PARSING_ERROR;
+ return GNUTLS_E_SRP_PWD_PARSING_ERROR;
}
*p='\0';
@@ -96,7 +96,7 @@ int indx;
if (ret <= 0) {
gnutls_assert();
_gnutls_free_datum(&entry->salt);
- return GNUTLS_E_PARSING_ERROR;
+ return GNUTLS_E_SRP_PWD_PARSING_ERROR;
}
verifier_size = ret;
@@ -131,7 +131,7 @@ int ret;
p = rindex( str, ':'); /* we have g */
if (p==NULL) {
gnutls_assert();
- return GNUTLS_E_PARSING_ERROR;
+ return GNUTLS_E_SRP_PWD_PARSING_ERROR;
}
*p='\0';
@@ -144,7 +144,7 @@ int ret;
if (ret < 0) {
gnutls_assert();
- return GNUTLS_E_PARSING_ERROR;
+ return GNUTLS_E_SRP_PWD_PARSING_ERROR;
}
entry->g.data = tmp;
@@ -155,7 +155,7 @@ int ret;
if (p==NULL) {
_gnutls_free_datum( &entry->g);
gnutls_assert();
- return GNUTLS_E_PARSING_ERROR;
+ return GNUTLS_E_SRP_PWD_PARSING_ERROR;
}
*p='\0';
@@ -167,7 +167,7 @@ int ret;
if (ret < 0) {
gnutls_assert();
_gnutls_free_datum( &entry->g);
- return GNUTLS_E_PARSING_ERROR;
+ return GNUTLS_E_SRP_PWD_PARSING_ERROR;
}
entry->n.data = tmp;
@@ -203,11 +203,11 @@ static int pwd_read_conf( const char* pconf_file, SRP_PWD_ENTRY* entry, int inde
if ((index = pwd_put_values2( entry, line)) >= 0)
return 0;
else {
- return GNUTLS_E_PWD_ERROR;
+ return GNUTLS_E_SRP_PWD_ERROR;
}
}
}
- return GNUTLS_E_PWD_ERROR;
+ return GNUTLS_E_SRP_PWD_ERROR;
}
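Review bot: The result of pwd_put_values2() is thrown away in the `else` branch and replaced by the generic GNUTLS_E_SRP_PWD_ERROR. If pwd_put_values2() is the parser changed in the earlier hunks of this file, the new GNUTLS_E_SRP_PWD_PARSING_ERROR can never reach the caller of pwd_read_conf() through this path. The call also stores its result in the `index` parameter, overwriting the value that was being searched for. I would keep the return value in a local and pass it through, `ret = pwd_put_values2(entry, line);` then `return ret < 0 ? ret : 0;`, and add a `gnutls_assert()` on the failure paths as the other parsers do. The function begins outside the hunk, so whether an open file has to be closed before these returns cannot be checked from here.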
diff --git a/libextra/gnutls_openpgp.c b/libextra/gnutls_openpgp.c
index 2ce660a429..99111f1326 100644
--- a/libextra/gnutls_openpgp.c
+++ b/libextra/gnutls_openpgp.c
@@ -80,7 +80,7 @@ map_cdk_rc( int rc )
case CDK_MPI_Error: return GNUTLS_E_MPI_SCAN_FAILED;
case CDK_Error_No_Key: return GNUTLS_E_OPENPGP_GETKEY_FAILED;
case CDK_Wrong_Format: return GNUTLS_E_OPENPGP_TRUSTDB_VERSION_UNSUPPORTED;
- case CDK_Armor_Error: return GNUTLS_E_ASCII_ARMOR_ERROR;
+ case CDK_Armor_Error: return GNUTLS_E_BASE64_DECODING_ERROR;
case CDK_Inv_Value: return GNUTLS_E_INVALID_REQUEST;
default: return GNUTLS_E_INTERNAL_ERROR;
}