From ea88f2a86c00a9b5afca523e30fd9e77adda373d Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 23 Jun 2008 02:15:58 +0300 Subject: merged with master. --- AUTHORS | 3 + GNUmakefile | 10 +- Makefile.am | 2 +- NEWS | 471 +++++++- README | 20 - THANKS | 3 + build-aux/config.rpath | 10 +- build-aux/gendocs.sh | 11 +- configure.in | 77 +- doc/examples/Makefile.am | 18 +- doc/examples/ex-client-psk.c | 119 +++ doc/examples/ex-cxx.cpp | 101 ++ doc/examples/ex-serv-export.c | 10 +- doc/examples/ex-serv-psk.c | 226 ++++ doc/examples/ex-session-info.c | 11 +- doc/examples/ex-x509-info.c | 3 +- doc/gendocs_template | 6 +- doc/gnutls.texi | 1122 +++++++++++--------- .../draft-badra-tls-psk-new-mac-aes-gcm-02.txt | 485 +++++++++ doc/protocol/draft-ietf-netconf-tls-02.txt | 809 ++++++++++++++ doc/protocol/draft-ietf-tls-ecc-new-mac-06.txt | 392 +++++++ doc/protocol/draft-ietf-tls-ecc-new-mac-07.txt | 392 +++++++ .../draft-rescorla-tls-extended-random-00.txt | 448 ++++++++ doc/reference/gnutls-docs.sgml | 6 + gl/gnulib.mk | 17 +- gl/inet_ntop.h | 42 - gl/inet_pton.h | 24 - gl/m4/autobuild.m4 | 39 + guile/src/core.c | 4 + guile/tests/Makefile.am | 13 +- includes/gnutls/crypto.h | 1 + lgl/m4/strcase.m4 | 44 + lgl/m4/strings_h.m4 | 33 + lgl/stdio-impl.h | 94 ++ lgl/strcasecmp.c | 63 ++ lgl/strings.in.h | 86 ++ lgl/strncasecmp.c | 63 ++ m4/autobuild.m4 | 34 - m4/libgcrypt.m4 | 6 +- maint.mk | 2 +- po/LINGUAS | 1 + po/POTFILES.in | 1 + po/vi.po.in | 756 +++++++++++++ 43 files changed, 5390 insertions(+), 688 deletions(-) create mode 100644 doc/examples/ex-client-psk.c create mode 100644 doc/examples/ex-cxx.cpp create mode 100644 doc/examples/ex-serv-psk.c create mode 100644 doc/protocol/draft-badra-tls-psk-new-mac-aes-gcm-02.txt create mode 100644 doc/protocol/draft-ietf-netconf-tls-02.txt create mode 100644 doc/protocol/draft-ietf-tls-ecc-new-mac-06.txt create mode 100644 doc/protocol/draft-ietf-tls-ecc-new-mac-07.txt create mode 100644 doc/protocol/draft-rescorla-tls-extended-random-00.txt delete mode 100644 gl/inet_ntop.h delete mode 100644 gl/inet_pton.h create mode 100644 gl/m4/autobuild.m4 create mode 100644 lgl/m4/strcase.m4 create mode 100644 lgl/m4/strings_h.m4 create mode 100644 lgl/stdio-impl.h create mode 100644 lgl/strcasecmp.c create mode 100644 lgl/strings.in.h create mode 100644 lgl/strncasecmp.c delete mode 100644 m4/autobuild.m4 create mode 100644 po/vi.po.in diff --git a/AUTHORS b/AUTHORS index eb5667792a..456f4c6c60 100644 --- a/AUTHORS +++ b/AUTHORS @@ -45,6 +45,9 @@ TLS/IA fixes. Joe Orton Certificate name import/export, build fixes, test vectors. +Daniel Kahn Gillmor +OpenPGP discussion and improvements. + -----BEGIN PGP PUBLIC KEY BLOCK----- URL: http://josefsson.org/key.txt (always latest version) Comment: This 0xB565716F key is used to sign releases of GnuTLS. diff --git a/GNUmakefile b/GNUmakefile index 0c1bc38afb..062900b547 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -59,9 +59,13 @@ ifeq ($(_have-git-version-gen)0,yes$(MAKELEVEL)) _curr-ver := $(shell cd $(srcdir) && ./$(_build-aux)/git-version-gen \ $(srcdir)/.tarball-version) ifneq ($(_curr-ver),$(VERSION)) - $(info INFO: running autoreconf for new version string: $(_curr-ver)) - _dummy := $(shell cd $(srcdir) && rm -rf autom4te.cache .version \ - && $(_autoreconf)) + ifeq ($(_curr-ver),UNKNOWN) + $(info WARNING: unable to verify if $(VERSION) is correct version) + else + $(info INFO: running autoreconf for new version string: $(_curr-ver)) + _dummy := $(shell cd $(srcdir) && rm -rf autom4te.cache .version \ + && $(_autoreconf)) + endif endif endif endif diff --git a/Makefile.am b/Makefile.am index 7c921bf691..f7f31de4a8 100644 --- a/Makefile.am +++ b/Makefile.am @@ -30,7 +30,7 @@ endif ACLOCAL_AMFLAGS = -I m4 -I gl/m4 -I lgl/m4 -EXTRA_DIST = cfg.mk .clcopying +EXTRA_DIST = cfg.mk maint.mk .clcopying # Maintainer targets diff --git a/NEWS b/NEWS index 60de271df9..b83319f4ba 100644 --- a/NEWS +++ b/NEWS @@ -5,8 +5,9 @@ See the end for copying conditions. * Version 2.5.0 (unreleased) -** Added wide wildcard hostname matching. Patch by Jean-Philippe Garcia -Ballester. +** Fix compiler warnings. +Reported by Massimo Gaspari in +. ** Added API to replace and update the crypto backend. @@ -21,6 +22,399 @@ gnutls_crypto_rnd_register2: Added gnutls_crypto_pk_register2: Added gnutls_crypto_bigint_register2: Added +* Version 2.4.0 (released 2008-06-19) + +** Major changes compared to the v2.2 branch: + +*** The OpenPGP sub-system has been improved and now supports subkeys. + +*** The PSK sub-system has been improved and now supports password +*** derivation and PSK identity hints. +The password derivation algorithms support is documented in +draft-ietf-netconf-tls-02.txt. + +*** The certtool --inder and --outder has been replaced by --inraw and --outraw. +This aligns terminology with OpenPGP, which doesn't use DER encoding. +The old parameters will continue to work for some time. + +*** Certtool now confirm passwords and changes permissions of private key files. + +*** The default handshake size limit has been increased to 48kb. +It appears as if some valid handshakes are large due to sending many +CA certificates. (The earlier limit was 16kb.) + +*** LZO compression is now disabled by default. +The main reason is that LZO compression in TLS is not standardized, +but license compatiblity issues with minilzo triggered us to make this +decision now. + +*** Improvements for cross-compilation to Windows and OpenWRT. + +*** The look of the GTK-DOC manual has been improved. +Major developer visible changes compared to the v2.2 branch: + +*** Full OpenPGP support is part of libgnutls, licensed under the LGPL. + +*** New APIs to access the raw X.509 Subject and Issuer DN's and +*** elements from the certificate credentials structure. +Thanks to Joe Orton. + +*** New APIs to improve working with username/passwords and PSK. + +*** Names of constants to affect certificate printing changed. +The constants are used for OpenPGP too, which the names didn't +reflect, so the following name change has been made: + + Old name New name + GNUTLS_X509_CRT_FULL GNUTLS_CRT_PRINT_FULL + GNUTLS_X509_CRT_ONELINE GNUTLS_CRT_PRINT_ONELINE + GNUTLS_X509_CRT_UNSIGNED_FULL GNUTLS_CRT_PRINT_UNSIGNED_FULL + +The old names will be mapped to the new names for some time. + +*** The function gnutls_openpgp_privkey_get_id has been renamed to +*** gnutls_openpgp_privkey_get_key_id. +A compatibility mapping exists to avoid breaking API backwards +compatibility. + +*** Replaced all uses of alloca with malloc and free. + +*** We no longer build with -D_REENTRANT -D_THREAD_SAFE. +We have been unable to find a documented rationale for this practice. + +*** Of course, many smaller fixes have been made, see the ChangeLog file. + +*** API/ABI changes in GnuTLS 2.4 +All OpenPGP related functions have been moved from libgnutls-extra to +libgnutls, and several new functions have been added (see below). +Before making the release, we discussed whether moving functions from +libgnutls-extra to libgnutls would require us to increment the ABI +version, but the general opinion was that this would not be required. +All older functions continue to work the same. We are open to the +possibility that this decision will lead to problem on some platform, +and if it turns out that the Right Thing should have been to increment +the shared library version, we would need to release an update within +the 2.4.x branch that increments the shared library version. + +This release adds the following functions: + + gnutls_psk_client_get_hint + gnutls_psk_set_server_credentials_hint + gnutls_psk_netconf_derive_key + + Used to get/set the PSK identity hint, and derive PSK keys from + passwords a'la netconf. + + gnutls_x509_dn_deinit + gnutls_x509_dn_export + gnutls_x509_dn_import + gnutls_x509_dn_init + + Used to handle X.509 Certificate DN's directly. + + gnutls_hex2bin + + Converts a data buffer to hex. Useful for handling PSK/SRP shared + secrets. + + gnutls_certificate_get_x509_cas + gnutls_certificate_get_x509_crls + gnutls_certificate_get_openpgp_keyring + + Functions for direct access to credential elements. + + gnutls_openpgp_crt_get_auth_subkey + gnutls_openpgp_crt_get_key_id + gnutls_openpgp_crt_get_pk_dsa_raw + gnutls_openpgp_crt_get_pk_rsa_raw + gnutls_openpgp_crt_get_preferred_key_id + gnutls_openpgp_crt_get_revoked_status + gnutls_openpgp_crt_get_subkey_count + gnutls_openpgp_crt_get_subkey_creation_time + gnutls_openpgp_crt_get_subkey_expiration_time + gnutls_openpgp_crt_get_subkey_fingerprint + gnutls_openpgp_crt_get_subkey_id + gnutls_openpgp_crt_get_subkey_idx + gnutls_openpgp_crt_get_subkey_pk_algorithm + gnutls_openpgp_crt_get_subkey_pk_dsa_raw + gnutls_openpgp_crt_get_subkey_pk_rsa_raw + gnutls_openpgp_crt_get_subkey_revoked_status + gnutls_openpgp_crt_get_subkey_usage + gnutls_openpgp_crt_print + gnutls_openpgp_crt_set_preferred_key_id + gnutls_openpgp_keyring_get_crt + gnutls_openpgp_keyring_get_crt_count + gnutls_openpgp_privkey_export + gnutls_openpgp_privkey_export_dsa_raw + gnutls_openpgp_privkey_export_rsa_raw + gnutls_openpgp_privkey_export_subkey_dsa_raw + gnutls_openpgp_privkey_export_subkey_rsa_raw + gnutls_openpgp_privkey_get_fingerprint + gnutls_openpgp_privkey_get_key_id + gnutls_openpgp_privkey_get_pk_algorithm + gnutls_openpgp_privkey_get_preferred_key_id + gnutls_openpgp_privkey_get_revoked_status + gnutls_openpgp_privkey_get_subkey_count + gnutls_openpgp_privkey_get_subkey_creation_time + gnutls_openpgp_privkey_get_subkey_expiration_time + gnutls_openpgp_privkey_get_subkey_fingerprint + gnutls_openpgp_privkey_get_subkey_id + gnutls_openpgp_privkey_get_subkey_idx + gnutls_openpgp_privkey_get_subkey_pk_algorithm + gnutls_openpgp_privkey_get_subkey_revoked_status + gnutls_openpgp_privkey_set_preferred_key_id + + New OpenPGP related functions. + + The function gnutls_openpgp_crt_get_key_id is the same as the old + from gnutls_openpgp_crt_get_id, see above. + +The release also adds a new header file 'gnutls/crypto.h', however it +is currently not used. + +** libgnutls [OpenPGP]: New APIs to retrieve fingerprint from OpenPGP subkeys. +Contributed by Daniel Kahn Gillmor . + +** API and ABI modifications: +gnutls_openpgp_crt_get_subkey_fingerprint: ADDED. +gnutls_openpgp_privkey_get_subkey_fingerprint: ADDED. + +* Version 2.3.15 (released 2008-06-15) + +** Disable the openpgp-certs self-tests. +It results in failure under Wine and doesn't work on Debian buildds. + +** API and ABI modifications: +No changes since last version. + +* Version 2.3.14 (released 2008-06-11) + +** libgnutls [OpenPGP]: Changed OpenPGP verification behaviour. +An OpenPGP certificate is now only considered verified if all the user +IDs are verified. + +** Examples: Make C++ example compile. +Earlier it may have failed with an unresolved reference to strlen. + +** Documentation: Doc fix for gnutls_x509_crt_get_extension_oid. +Reported by Sam Varshavchik . + +** API and ABI modifications: +No changes since last version. + +* Version 2.3.13 (released 2008-06-07) + +** libgnutls [OpenPGP]: Make OpenPGP handshakes work again. + +** doc/: Add psktool to info index. Some minor cleanups. + +** tests/: Added non-forking TLS handshake test, see tests/mini.c. + +** tests/: Added libgcrypt.supp which can be used with valgrind. +The file suppresses the known libgcrypt memory leaks, so they aren't +printed when you run valgrind on the gnutls self-tests. Use it as +follows: valgrind --suppressions=libgcrypt.supp ./x509self or add +'--suppressions=/home/you/src/gnutls/tests/libgcrypt.supp' to your +~/.valgrindrc file. + +** tests/: Reduce amount of debugging output by default. +Use --verbose for each test to get the full output. + +** tests/: Fix memory leaks in several self-tests. +None of the self tests should be leaking memory when running valgrind +or similar tools. (Known exceptions are dhepskself, pskself, and +set_pkcs12_cred, which appear likely to be due to memory leaks in the +library.) + +** API and ABI modifications: +No changes since last version. + +* Version 2.3.12 (released 2008-06-04) + +** Merge gnutls_with_netconf branch. + +*** libgnutls [PSK]: New API to retrieve PSK identity hint in client. +The function is gnutls_psk_client_get_hint. + +*** libgnutls [PSK]: New API to set PSK identity hint in server. +The function is gnutls_psk_set_server_credentials_hint. + +*** libgnutls [PSK]: Support server key exchange with PSK identity hint. +In the client, the message is parsed and the application can use +gnutls_psk_client_get_hint to retrieve the hint. In the server, the +message is sent if the application has specified a PSK identity hint +using gnutls_psk_set_server_credentials_hint. + +*** libgnutls [PSK]: Support Netconf PSK key derivation. +The function gnutls_psk_netconf_derive_key supports the PSK key +derivation as specified in draft-ietf-netconf-tls-02.txt. New self +test netconf-psk.c. + +*** psktool: Support new --netconf-hint to generate PSK key from password. +Uses the Netconf algorithm to derive PSK key from password. + +*** gnutls-serv: Support new --pskhint parameter to set PSK identity hint. + +*** gnutls-cli: Always support PSK modes, through a callback. +The callback will derive a PSK key using Netconf algorithm. It will +print the PSK identity hint to help the user. + +*** New PSK example client and server. +See doc/examples/ex-client-psk.c and doc/examples/ex-serv-psk.c. + +** libgnutls: Fix gnutls_x509_crl_set_version on arm platforms. +The code didn't work properly on platforms where 'char' is unsigned, +when you set version 0. Reported by Laurence Withers + in +. + +** libgnutls-openssl: added RAND_pseudo_bytes API. +Patch from Robert Millan . + +** API and ABI modifications: +RAND_pseudo_bytes: ADDED to libgnutls-openssl. +gnutls_psk_client_get_hint: ADDED. +gnutls_psk_set_server_credentials_hint: ADDED. +gnutls_psk_netconf_derive_key: ADDED + +* Version 2.3.11 (released 2008-05-20) + +** Fix flaw in fix for GNUTLS-SA-2008-1-3. +The flaw would result in incorrectly terminated sessions with the +error "Decryption has failed" when the server sends a small packet +(typically when the session is closed). Reported by Andreas Metzler + in +. + +** Don't use gnulib headers when building C++ library. +Fixes builds under Windows. + +** Make umask a requirement. +We don't know of any system that lacks it, even GNU CoreUtils use it +unconditionally. + +** Update gnulib files. +Fixes a problem where it pulled in a replacement for memcmp under +MinGW, which caused the C++ example to fail to build. + +** API and ABI modifications: +No changes since last version. + +* Version 2.3.10 (released 2008-05-19) + +** Added wide wildcard hostname matching. +Tiny patch by Jean-Philippe Garcia Ballester. + +** Fix three security vulnerabilities. [GNUTLS-SA-2008-1] +Thanks to CERT-FI for finding the bugs and providing detailed reports, +which allowed the bugs to be reproduced and fixed easily. Patches +developed by Simon Josefsson and Nikos Mavrogiannopoulos. Any updates +with more details about these vulnerabilities will be added to + + +*** [GNUTLS-SA-2008-1-1] +*** libgnutls: Fix crash when sending invalid server name. +The crash can be triggered remotely before authentication, which can +lead to a Daniel of Service attack to disable the server. The bug +cause gnutls to store more session resumption data than what was +allocated for, thus overwriting unallocated memory. + +*** [GNUTLS-SA-2008-1-2] +*** libgnutls: Fix crash when sending repeated client hellos. +The crash can be triggered remotely before authentication, which can +lead to a Daniel of Service attack to disable the server. The bug +triggers a null-pointer dereference. + +*** [GNUTLS-SA-2008-1-3] +*** libgnutls: Fix crash in cipher padding decoding for invalid record lengths. +The crash can be triggered remotely before authentication, which can +lead to a Daniel of Service attack to disable the server. The bug +cause gnutls to read memory beyond the end of the received record. + +** libgnutlsxx: Updated API according to patches from Eduardo +Villanueva Che (discussion at +) + +** Use umask to restrict permissions to owner before creating a file. + +** API and ABI modifications: +No changes since last version. + +* Version 2.3.9 (released 2008-05-16) + +** libgnutls: Fix build failures if SRP/OpenPGP is disabled. +Based on report and tiny patches from +, see +. + +** libgnutls: Translation fixes. + +** gnutls-cli: Fix so that PSK authentication works. +Also improve manual to give example for gnutls-cli PSK authentication. + +** certtool: Encrypting a private key now require a confirmed password. +Before './certtool -k -8' would merely ask for a password once. +Reported by Daniel 'NebuchadnezzaR' Dehennin + see +. + +** certtool: When writing private keys to files, change permissions of file. +Now the file which the private key is saved to is chmod'ed 0600. +Reported by martin f krafft see +. + +** guile: Fix -fgnu89-inline test. + +** Removed --enable-profile-mode. +The code linked gnutls with the libfc project (Function Check) which +appears to have been stalled since around 2002. + +** Clean up header file checks by ./configure. + +** Update of gnulib files. + +** API and ABI modifications: +No changes since last version. + +* Version 2.3.8 (released 2008-04-29) + +** libgnutls: Increase default handshake packet size limit to 48kb. +The old limit was 16kb and some servers send huge list of trusted CAs, +thus running into the limit. FYI, applications can further increase +this limit using gnutls_handshake_set_max_packet_length. Thanks to +Marc Haber and "Marc F. Clemente" + for reporting and providing test servers. + +** libgnutls: Add new error code: GNUTLS_E_HANDSHAKE_TOO_LARGE +Returned when the handshake data size is too large. Before +GNUTLS_E_MEMORY_ERROR was used, which could be confused with other +error situations. + +** libgnutls: Hide definitions in crypto.h. +We have decided that the APIs defined in crypto.h are not stable +enough for v2.4, so don't use any of those functions. + +** gnutls-cli: exit when hostname doesn't match certificate. +Use --insecure to avoid hostname comparison. + +** certtool: --inder and --outder replaced by --inraw and --outraw. +The reason is to align terminology with OpenPGP, which doesn't use +DER. The old parameters will continue to work for some time. + +** doc: Add section 'Index of new symbols in 2.4.0' to the GTK-DOC manual. + +** doc: Many cosmetic fixes, to silence (most) gtk-doc warnings. + +** Mingw32: Revert libgcrypt vasprintf work-around added in last release. +Use libgcrypt 1.4.1 or later when building on MinGW32, it removes the +vasprintf symbol from the libgcrypt library which caused problems. + +** Update of gnulib files. + + +** API and ABI modifications: +GNUTLS_E_HANDSHAKE_TOO_LARGE: ADDED. + * Version 2.3.7 (released 2008-04-21) ** opencdk now properly sets the key usage bits into openpgp keys. @@ -308,6 +702,79 @@ in a callback friendly way. ** API and ABI modifications: No changes since last version. +* Version 2.2.5 (released 2008-05-19) + +** Fix flaw in fix for GNUTLS-SA-2008-1-3. +The flaw would result in incorrectly terminated sessions with the +error "Decryption has failed" when the server sends a small packet +(typically when the session is closed). Reported by Andreas Metzler + in +. + +** API and ABI modifications: +No changes since last version. + +* Version 2.2.4 (released 2008-05-19) + +** Fix three security vulnerabilities. [GNUTLS-SA-2008-1] +Thanks to CERT-FI for finding the bugs and providing detailed reports, +which allowed the bugs to be reproduced and fixed easily. Patches +developed by Simon Josefsson and Nikos Mavrogiannopoulos. Any updates +with more details about these vulnerabilities will be added to + + +*** [GNUTLS-SA-2008-1-1] +*** libgnutls: Fix crash when sending invalid server name. +The crash can be triggered remotely before authentication, which can +lead to a Daniel of Service attack to disable the server. The bug +cause gnutls to store more session resumption data than what was +allocated for, thus overwriting unallocated memory. + +*** [GNUTLS-SA-2008-1-2] +*** libgnutls: Fix crash when sending repeated client hellos. +The crash can be triggered remotely before authentication, which can +lead to a Daniel of Service attack to disable the server. The bug +triggers a null-pointer dereference. + +*** [GNUTLS-SA-2008-1-3] +*** libgnutls: Fix crash in cipher padding decoding for invalid record lengths. +The crash can be triggered remotely before authentication, which can +lead to a Daniel of Service attack to disable the server. The bug +cause gnutls to read memory beyond the end of the received record. + +** API and ABI modifications: +No changes since last version. + +* Version 2.2.3 (released 2008-05-06) + +** Increase default handshake packet size limit to 48kb. +The old limit was 16kb and some servers send huge list of trusted CAs, +thus running into the limit. FYI, applications can further increase +this limit using gnutls_handshake_set_max_packet_length. Thanks to +Marc Haber and "Marc F. Clemente" + for reporting and providing test servers. + +** Fix compilation error related to __FUNCTION__ on some systems. +Reported by Tim Mooney, see +. + +** Documented the --priority option to gnutls-cli and gnutls-serv. + +** Fix fopen file descriptor leak in PSK server code. +Thanks to Laurence Withers , see +. + +** Build Guile code with -fgnu89-inline only when supported. +Reported by Kris Karas in +. + +** Make Camellia encryption work. +Reported by Yoshisato YANAGISAWA in +. + +** API and ABI modifications: +No changes since last version. + * Version 2.2.2 (released 2008-02-21) ** Cipher priority string handling now handle strings that starts with NULL. diff --git a/README b/README index cf72ea54de..7b8c2921f3 100644 --- a/README +++ b/README @@ -22,26 +22,6 @@ In case you are compiling for embedded systems you should check the configure options (that is run: 'configure --help'), and disable unneeded features of gnutls. -Experimental: - -If you specify --with-builtin-crypto, you will use gnulib instead of -libgcrypt for (some) crypto routines. - -Currently the generic crypto interface only support secret key -ciphering, hashing and gathering of random data. Supporting -RSA/DSA/DH/SEXP/MPI in the generic crypto interface is pending. - -If --with-builtin-crypto is specified, random data will be read from -system device files (e.g., /dev/random) directly. The files used are -printed when running configure, you can override them using ---enable-random-device, --enable-pseudo-random-device, and ---enable-nonce-device. Please let us know if the defaults for some -systems are wrong. - -The goal here is to make GnuTLS build standalone, in case Libgcrypt is -not available, but also to allow easy use of other crypto libraries or -crypto hardware. - LICENSE ISSUES -------------- diff --git a/THANKS b/THANKS index aa03f913ce..3c715af95b 100644 --- a/THANKS +++ b/THANKS @@ -80,6 +80,9 @@ Rainer Gerhards John Brooks Massimo Gaspari Marc F. Clemente +Daniel Dehennin +martin f krafft +Sam Varshavchik ---------------------------------------------------------------------- Copying and distribution of this file, with or without modification, diff --git a/build-aux/config.rpath b/build-aux/config.rpath index 35f959b87c..c547c68825 100755 --- a/build-aux/config.rpath +++ b/build-aux/config.rpath @@ -2,7 +2,7 @@ # Output a system dependent set of variables, describing how to set the # run time search path of shared libraries in an executable. # -# Copyright 1996-2008 Free Software Foundation, Inc. +# Copyright 1996-2007 Free Software Foundation, Inc. # Taken from GNU libtool, 2001 # Originally by Gordon Matzigkeit , 1996 # @@ -158,7 +158,7 @@ if test "$with_gnu_ld" = yes; then # option of GNU ld is called -rpath, not --rpath. hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' case "$host_os" in - aix[3-9]*) + aix3* | aix4* | aix5*) # On AIX/PPC, the GNU linker is very broken if test "$host_cpu" != ia64; then ld_shlibs=no @@ -254,7 +254,7 @@ else hardcode_direct=unsupported fi ;; - aix[4-9]*) + aix4* | aix5*) if test "$host_cpu" = ia64; then # On IA64, the linker does run time linking by default, so we don't # have to do anything special. @@ -264,7 +264,7 @@ else # Test if we are trying to use run time linking or normal # AIX style linking. If -brtl is somewhere in LDFLAGS, we # need to do runtime linking. - case $host_os in aix4.[23]|aix4.[23].*|aix[5-9]*) + case $host_os in aix4.[23]|aix4.[23].*|aix5*) for ld_flag in $LDFLAGS; do if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then aix_use_runtimelinking=yes @@ -505,7 +505,7 @@ case "$host_os" in aix3*) library_names_spec='$libname.a' ;; - aix[4-9]*) + aix4* | aix5*) library_names_spec='$libname$shrext' ;; amigaos*) diff --git a/build-aux/gendocs.sh b/build-aux/gendocs.sh index 5247034fe0..aded2c4d7f 100755 --- a/build-aux/gendocs.sh +++ b/build-aux/gendocs.sh @@ -157,6 +157,11 @@ if test ! -r $GENDOCS_TEMPLATE_DIR/gendocs_template; then exit 1 fi +case $outdir in + /*) dotdot_outdir="$outdir";; + *) dotdot_outdir="../$outdir";; +esac + echo Generating output formats for $srcfile cmd="$SETLANG $MAKEINFO -o $PACKAGE.info \"$srcfile\"" @@ -206,7 +211,7 @@ html_split() { ( cd ${split_html_dir} || exit 1 ln -sf ${PACKAGE}.html index.html - tar -czf ../$outdir/${PACKAGE}.html_$1.tar.gz -- *.html + tar -czf $dotdot_outdir/${PACKAGE}.html_$1.tar.gz -- *.html ) eval html_$1_tgz_size=`calcsize $outdir/${PACKAGE}.html_$1.tar.gz` rm -f $outdir/html_$1/*.html @@ -231,7 +236,7 @@ if test -z "$use_texi2html"; then split_html_dir=$PACKAGE.html ( cd ${split_html_dir} || exit 1 - tar -czf ../$outdir/${PACKAGE}.html_node.tar.gz -- *.html + tar -czf $dotdot_outdir/${PACKAGE}.html_node.tar.gz -- *.html ) html_node_tgz_size=`calcsize $outdir/${PACKAGE}.html_node.tar.gz` rm -f $outdir/html_node/*.html @@ -273,7 +278,7 @@ if test -n "$docbook"; then split_html_db_dir=html_node_db ( cd ${split_html_db_dir} || exit 1 - tar -czf ../$outdir/${PACKAGE}.html_node_db.tar.gz -- *.html + tar -czf $dotdot_outdir/${PACKAGE}.html_node_db.tar.gz -- *.html ) html_node_db_tgz_size=`calcsize $outdir/${PACKAGE}.html_node_db.tar.gz` rm -f $outdir/html_node_db/*.html diff --git a/configure.in b/configure.in index 2d07204b7e..70775ed606 100644 --- a/configure.in +++ b/configure.in @@ -22,24 +22,19 @@ dnl Process this file with autoconf to produce a configure script. # USA AC_PREREQ(2.61) -AC_INIT([GnuTLS], [2.3.8], [bug-gnutls@gnu.org]) +AC_INIT([GnuTLS], [2.5.0], [bug-gnutls@gnu.org]) AC_CONFIG_AUX_DIR([build-aux]) -AC_CANONICAL_TARGET - AM_INIT_AUTOMAKE([1.10 dist-bzip2]) AM_CONFIG_HEADER(config.h) -AB_INIT - # Library code modified: REVISION++ # Interfaces changed/added/removed: CURRENT++ REVISION=0 # Interfaces added: AGE++ # Interfaces removed: AGE=0 -AC_SUBST(LT_CURRENT, 29) -AC_SUBST(LT_REVISION, 2) -AC_SUBST(LT_AGE, 3) -ac_full=1 +AC_SUBST(LT_CURRENT, 31) +AC_SUBST(LT_REVISION, 0) +AC_SUBST(LT_AGE, 5) # Used when creating the Windows libgnutls-XX.def files. SOVERSION=`expr ${LT_CURRENT} - ${LT_AGE}` @@ -77,13 +72,6 @@ AC_ARG_ENABLE(developer-mode, opt_developer_mode=$enableval) AC_MSG_RESULT($opt_developer_mode) -opt_profiler_mode=no -AC_MSG_CHECKING([whether in profile mode]) -AC_ARG_ENABLE(profile-mode, - AS_HELP_STRING([--enable-profile-mode], [enable profiler]), -opt_profiler_mode=$enableval) -AC_MSG_RESULT($opt_profiler_mode) - AC_MSG_RESULT([*** *** Checking for compilation programs... ]) @@ -125,9 +113,6 @@ if test "$use_cxx" != "no"; then AC_COMPILE_IFELSE([AC_LANG_PROGRAM([],[])], use_cxx=yes, use_cxx=no) AC_LANG_POP(C++) fi -AM_CONDITIONAL(ENABLE_CXX, test "$use_cxx" != "no") -AC_MSG_CHECKING([whether to build C++ library]) -AC_MSG_RESULT($use_cxx) AC_MSG_CHECKING([whether C99 macros are supported]) AC_TRY_COMPILE(,[ @@ -164,8 +149,6 @@ if test $ac_cv_c_compiler_gnu != no; then AC_COMPILE_IFELSE(AC_LANG_PROGRAM([]), _gcc_gnu89_inline=yes, _gcc_gnu89_inline=no) AC_MSG_RESULT($_gcc_gnu89_inline) - AM_CONDITIONAL([HAVE_GCC_GNU89_INLINE_OPTION], - [test "x$_gcc_gnu89_inline" = "xyes"]) CFLAGS=$_gcc_cflags_save; AC_MSG_CHECKING([if gcc/ld supports -Wl,--output-def]) @@ -202,17 +185,22 @@ fi # Needs to be called outside of 'if' clause. AM_CONDITIONAL(HAVE_LD_OUTPUT_DEF, test "$output_def" = "yes") +AM_CONDITIONAL([HAVE_GCC_GNU89_INLINE_OPTION], + [test "$_gcc_gnu89_inline" = "yes"]) AC_MSG_RESULT([*** *** Detecting C library capabilities... ]) AC_HEADER_STDC -AC_CHECK_HEADERS(strings.h) -AC_CHECK_HEADERS(errno.h) -AC_CHECK_HEADERS(math.h limits.h float.h stdarg.h ctype.h) AC_CHECK_HEADERS(netdb.h) -AC_CHECK_FUNCS(umask isascii fork,,) +AC_CHECK_FUNCS(fork,,) +AC_DEFINE([HAVE_STRINGS_H], 1, [Hard-code for src/cfg/.]) +AC_DEFINE([HAVE_FLOAT_H], 1, [Hard-code for src/cfg/.]) +AC_DEFINE([HAVE_LIMITS_H], 1, [Hard-code for src/cfg/.]) +AC_DEFINE([HAVE_MATH_H], 1, [Hard-code for src/cfg/.]) +AC_DEFINE([HAVE_CTYPE_H], 1, [Hard-code for src/cfg/.]) +AC_DEFINE([HAVE_ERRNO_H], 1, [Hard-code for src/cfg/.]) # No fork on MinGW, disable some self-tests until we fix them. AM_CONDITIONAL(HAVE_FORK, test "$ac_cv_func_fork" != "no") @@ -370,6 +358,10 @@ dnl Can't disable - gnutls depends on gcrypt ]])) libgcrypt=yes +# If this ever changes to 0, the user disabled some officially enabled +# stuff so we will print a warning. +ac_full=1 + # Hard-wire the gl/m4/gc.m4 test. AC_ARG_WITH(builtin-crypto, AS_HELP_STRING([--with-builtin-crypto], @@ -427,6 +419,7 @@ else ac_full=0 AC_MSG_RESULT(yes) fi +AM_CONDITIONAL(ENABLE_PSK, test "$ac_enable_psk" != "no") AC_MSG_CHECKING([whether to disable anonymous authentication support]) AC_ARG_ENABLE(anon-authentication, @@ -479,9 +472,6 @@ else fi AM_CONDITIONAL(ENABLE_PKI, test "$disable_pki" = "no") -dnl Check whether to disable OpenPGP authentication completely -dnl from libgnutls-extra. - ac_enable_openpgp=yes AC_MSG_CHECKING([whether to disable OpenPGP Certificate authentication support]) AC_ARG_ENABLE(openpgp-authentication, @@ -532,6 +522,17 @@ AC_MSG_RESULT($minitasn1_enabled) AM_CONDITIONAL(ENABLE_MINITASN1, test "$minitasn1_enabled" = "yes") +if test "$ac_full" != 1; then + AC_MSG_WARN([[ +*** +*** C++ library disabled because some parts of GnuTLS has been disabled. +]]) + use_cxx=no +fi +AM_CONDITIONAL(ENABLE_CXX, test "$use_cxx" != "no") +AC_MSG_CHECKING([whether to build C++ library]) +AC_MSG_RESULT($use_cxx) + dnl Check for libcfg+ SAVED_LIBS=$LIBS @@ -660,20 +661,6 @@ export ac_full AM_CFLAGS="${AM_CFLAGS} ${LIBGCRYPT_CFLAGS}" -if test $ac_cv_c_compiler_gnu != no; then - if test x$opt_profiler_mode = xyes; then - AC_CHECK_PROG(FC_OK, fc-config, yes, no) - if test x$FC_OK = xyes; then - AM_CFLAGS="${AM_CFLAGS} `fc-config --cflags`" - LIBS="$LIBS `fc-config --libs`" - else -AC_MSG_WARN(*** -*** You must install libfc in order to enable profiling. http://www710.univ-lyon1.fr/~yperret/fnccheck/profiler.html -) - fi - fi -fi - if test $ac_full -eq 0; then AC_SUBST(POSSIBLY_WARN_ABOUT_MISSING_FEATURES, [[ #ifdef __GNUC__ @@ -688,6 +675,10 @@ AC_CONFIG_COMMANDS([chmod-config],[[ chmod +x libextra/libgnutls-extra-config ]],[[]]) + +AC_DEFINE([INTERNAL_GNUTLS_CRYPTO_H_ENABLE_UNSUPPORTED_API], 1, + [Enable prototypes in includes/crypto.h.]) + AC_CONFIG_FILES([Makefile po/Makefile.in \ doc/Makefile doc/examples/Makefile doc/scripts/Makefile \ doc/manpages/Makefile doc/reference/Makefile \ @@ -702,7 +693,7 @@ AC_CONFIG_FILES([Makefile po/Makefile.in \ includes/Makefile includes/gnutls/gnutls.h \ lib/Makefile lib/minitasn1/Makefile lib/x509/Makefile \ libextra/Makefile lib/openpgp/Makefile lib/opencdk/Makefile \ - tests/openpgp/Makefile \ + tests/openpgp/Makefile tests/openpgp-certs/Makefile \ src/Makefile \ src/cfg/Makefile src/cfg/platon/Makefile src/cfg/platon/str/Makefile \ lib/libgnutls-config libextra/libgnutls-extra-config \ diff --git a/doc/examples/Makefile.am b/doc/examples/Makefile.am index f5db096241..df1e89158f 100644 --- a/doc/examples/Makefile.am +++ b/doc/examples/Makefile.am @@ -28,8 +28,18 @@ LDADD = libexamples.la \ ../../libextra/libgnutls-extra.la \ ../../gl/libgnu.la -noinst_PROGRAMS = ex-cert-select ex-client2 ex-client-resume \ - ex-crq ex-serv1 ex-serv-export +CXX_LDADD = $(LDADD) \ + ../../lib/libgnutlsxx.la + +noinst_PROGRAMS = ex-client2 ex-client-resume +noinst_PROGRAMS += ex-cert-select ex-crq +noinst_PROGRAMS += ex-serv1 ex-serv-export + +if ENABLE_CXX +ex_cxx_SOURCES = ex-cxx.cpp +ex_cxx_LDADD = $(CXX_LDADD) +noinst_PROGRAMS += ex-cxx +endif if ENABLE_ANON noinst_PROGRAMS += ex-client1 ex-serv-anon @@ -40,6 +50,10 @@ if ENABLE_OPENPGP noinst_PROGRAMS += ex-serv-pgp endif +if ENABLE_PSK +noinst_PROGRAMS += ex-client-psk ex-serv-psk +endif + if ENABLE_SRP noinst_PROGRAMS += ex-client-srp ex-serv-srp endif diff --git a/doc/examples/ex-client-psk.c b/doc/examples/ex-client-psk.c new file mode 100644 index 0000000000..be718e0bde --- /dev/null +++ b/doc/examples/ex-client-psk.c @@ -0,0 +1,119 @@ +/* Copyright 2007, 2008 Free Software Foundation + * + * Copying and distribution of this file, with or without modification, + * are permitted in any medium without royalty provided the copyright + * notice and this notice are preserved. + */ + +#if HAVE_CONFIG_H +# include +#endif + +#include +#include +#include +#include +#include +#include +#include +#include + +/* A very basic TLS client, with PSK authentication. + */ + +#define MAX_BUF 1024 +#define CAFILE "ca.pem" +#define MSG "GET / HTTP/1.0\r\n\r\n" + +extern int tcp_connect (void); +extern void tcp_close (int sd); + +int +main (void) +{ + int ret, sd, ii; + gnutls_session_t session; + char buffer[MAX_BUF + 1]; + const char *err; + gnutls_psk_client_credentials_t pskcred; + const gnutls_datum_t key = { "DEADBEEF", 8 }; + + gnutls_global_init (); + + gnutls_psk_allocate_client_credentials (&pskcred); + gnutls_psk_set_client_credentials (pskcred, "test", &key, + GNUTLS_PSK_KEY_HEX); + + /* Initialize TLS session + */ + gnutls_init (&session, GNUTLS_CLIENT); + + /* Use default priorities */ + ret = gnutls_priority_set_direct (session, "PERFORMANCE", &err); + if (ret < 0) { + if (ret == GNUTLS_E_INVALID_REQUEST) { + fprintf(stderr, "Syntax error at: %s\n", err); + } + exit(1); + } + + /* put the x509 credentials to the current session + */ + gnutls_credentials_set (session, GNUTLS_CRD_PSK, pskcred); + + /* connect to the peer + */ + sd = tcp_connect (); + + gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); + + /* Perform the TLS handshake + */ + ret = gnutls_handshake (session); + + if (ret < 0) + { + fprintf (stderr, "*** Handshake failed\n"); + gnutls_perror (ret); + goto end; + } + else + { + printf ("- Handshake was completed\n"); + } + + gnutls_record_send (session, MSG, strlen (MSG)); + + ret = gnutls_record_recv (session, buffer, MAX_BUF); + if (ret == 0) + { + printf ("- Peer has closed the TLS connection\n"); + goto end; + } + else if (ret < 0) + { + fprintf (stderr, "*** Error: %s\n", gnutls_strerror (ret)); + goto end; + } + + printf ("- Received %d bytes: ", ret); + for (ii = 0; ii < ret; ii++) + { + fputc (buffer[ii], stdout); + } + fputs ("\n", stdout); + + gnutls_bye (session, GNUTLS_SHUT_RDWR); + +end: + + tcp_close (sd); + + gnutls_deinit (session); + + gnutls_psk_free_client_credentials (pskcred); + + gnutls_global_deinit (); + + return 0; +} diff --git a/doc/examples/ex-cxx.cpp b/doc/examples/ex-cxx.cpp new file mode 100644 index 0000000000..1bade542fe --- /dev/null +++ b/doc/examples/ex-cxx.cpp @@ -0,0 +1,101 @@ +#if HAVE_CONFIG_H +# include +#else +#endif +#include +#include +#include +#include +#include /* for strlen */ + +/* A very basic TLS client, with anonymous authentication. + * written by Eduardo Villanueva Che. + */ + +#define MAX_BUF 1024 +#define SA struct sockaddr + +#define CAFILE "ca.pem" +#define MSG "GET / HTTP/1.0\r\n\r\n" + +extern "C" +{ + int tcp_connect(void); + void tcp_close(int sd); +} + + +int main(void) +{ + int sd = -1; + gnutls_global_init(); + + try + { + + /* Allow connections to servers that have OpenPGP keys as well. + */ + gnutls::client_session session; + + /* X509 stuff */ + gnutls::certificate_credentials credentials; + + + /* sets the trusted cas file + */ + credentials.set_x509_trust_file(CAFILE, GNUTLS_X509_FMT_PEM); + /* put the x509 credentials to the current session + */ + session.set_credentials(credentials); + + /* Use default priorities */ + session.set_priority ("NORMAL", NULL); + + /* connect to the peer + */ + sd = tcp_connect(); + session.set_transport_ptr((gnutls_transport_ptr_t) sd); + + /* Perform the TLS handshake + */ + int ret = session.handshake(); + if (ret < 0) + { +// gnutls_perror(ret); + throw std::runtime_error("Handshake failed"); + } + else + { + std::cout << "- Handshake was completed" << std::endl; + } + + session.send(MSG, strlen(MSG)); + char buffer[MAX_BUF + 1]; + ret = session.recv(buffer, MAX_BUF); + if (ret == 0) + { + throw std::runtime_error("Peer has closed the TLS connection"); + } + else if (ret < 0) + { + throw std::runtime_error(gnutls_strerror(ret)); + } + + std::cout << "- Received " << ret << " bytes:" << std::endl; + std::cout.write(buffer, ret); + std::cout << std::endl; + + session.bye(GNUTLS_SHUT_RDWR); + } + catch (std::exception &ex) + { + std::cerr << "Exception caught: " << ex.what() << std::endl; + } + + if (sd != -1) + tcp_close(sd); + + gnutls_global_deinit(); + + return 0; +} diff --git a/doc/examples/ex-serv-export.c b/doc/examples/ex-serv-export.c index 2ff4aa6230..13f5308cca 100644 --- a/doc/examples/ex-serv-export.c +++ b/doc/examples/ex-serv-export.c @@ -1,4 +1,4 @@ -/* Copyright 2007 Free Software Foundation +/* Copyright 2007, 2008 Free Software Foundation * * Copying and distribution of this file, with or without modification, * are permitted in any medium without royalty provided the copyright @@ -248,6 +248,11 @@ main (void) } close (listen_sd); + if (TLS_SESSION_CACHE != 0) + { + wrap_db_deinit (); + } + gnutls_certificate_free_credentials (cert_cred); gnutls_global_deinit (); @@ -288,6 +293,9 @@ wrap_db_init (void) static void wrap_db_deinit (void) { + if (cache_db) + free (cache_db); + cache_db = NULL; return; } diff --git a/doc/examples/ex-serv-psk.c b/doc/examples/ex-serv-psk.c new file mode 100644 index 0000000000..a5ef67db68 --- /dev/null +++ b/doc/examples/ex-serv-psk.c @@ -0,0 +1,226 @@ +/* Copyright 2007, 2008 Free Software Foundation + * + * Copying and distribution of this file, with or without modification, + * are permitted in any medium without royalty provided the copyright + * notice and this notice are preserved. + */ + +#if HAVE_CONFIG_H +# include +#endif + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include /* for gcry_control */ + +#define KEYFILE "key.pem" +#define CERTFILE "cert.pem" +#define CAFILE "ca.pem" +#define CRLFILE "crl.pem" + +/* This is a sample TLS echo server, supporting X.509 and PSK + authentication. + */ + + +#define SA struct sockaddr +#define SOCKET_ERR(err,s) if(err==-1) {perror(s);return(1);} +#define MAX_BUF 1024 +#define PORT 5556 /* listen to 5556 port */ +#define DH_BITS 1024 + +/* These are global */ +gnutls_certificate_credentials_t x509_cred; +gnutls_psk_server_credentials_t psk_cred; +gnutls_priority_t priority_cache; + +gnutls_session_t +initialize_tls_session (void) +{ + gnutls_session_t session; + + gnutls_init (&session, GNUTLS_SERVER); + + gnutls_priority_set (session, priority_cache); + + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred); + gnutls_credentials_set (session, GNUTLS_CRD_PSK, psk_cred); + + /* request client certificate if any. + */ + gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST); + + return session; +} + +static gnutls_dh_params_t dh_params; + +static int +generate_dh_params (void) +{ + + /* Generate Diffie Hellman parameters - for use with DHE + * kx algorithms. When short bit length is used, it might + * be wise to regenerate parameters. + * + * Check the ex-serv-export.c example for using static + * parameters. + */ + gnutls_dh_params_init (&dh_params); + gnutls_dh_params_generate2 (dh_params, DH_BITS); + + return 0; +} + +static int +pskfunc (gnutls_session_t session, const char *username, gnutls_datum_t * key) +{ + printf ("psk: username %s\n", username); + key->data = gnutls_malloc (4); + key->data[0] = 0xDE; + key->data[1] = 0xAD; + key->data[2] = 0xBE; + key->data[3] = 0xEF; + key->size = 4; + return 0; +} + +int +main (void) +{ + int err, listen_sd, i; + int sd, ret; + struct sockaddr_in sa_serv; + struct sockaddr_in sa_cli; + int client_len; + char topbuf[512]; + gnutls_session_t session; + char buffer[MAX_BUF + 1]; + int optval = 1; + + /* to disallow usage of the blocking /dev/random + */ + gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + + /* this must be called once in the program + */ + gnutls_global_init (); + + gnutls_certificate_allocate_credentials (&x509_cred); + gnutls_certificate_set_x509_trust_file (x509_cred, CAFILE, + GNUTLS_X509_FMT_PEM); + + gnutls_certificate_set_x509_crl_file (x509_cred, CRLFILE, + GNUTLS_X509_FMT_PEM); + + gnutls_certificate_set_x509_key_file (x509_cred, CERTFILE, KEYFILE, + GNUTLS_X509_FMT_PEM); + + gnutls_psk_allocate_server_credentials (&psk_cred); + gnutls_psk_set_server_credentials_function (psk_cred, pskfunc); + + generate_dh_params (); + + gnutls_priority_init( &priority_cache, "NORMAL:PSK", NULL); + + + gnutls_certificate_set_dh_params (x509_cred, dh_params); + + /* Socket operations + */ + listen_sd = socket (AF_INET, SOCK_STREAM, 0); + SOCKET_ERR (listen_sd, "socket"); + + memset (&sa_serv, '\0', sizeof (sa_serv)); + sa_serv.sin_family = AF_INET; + sa_serv.sin_addr.s_addr = INADDR_ANY; + sa_serv.sin_port = htons (PORT); /* Server Port number */ + + setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof (int)); + + err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv)); + SOCKET_ERR (err, "bind"); + err = listen (listen_sd, 1024); + SOCKET_ERR (err, "listen"); + + printf ("Server ready. Listening to port '%d'.\n\n", PORT); + + client_len = sizeof (sa_cli); + for (;;) + { + session = initialize_tls_session (); + + sd = accept (listen_sd, (SA *) & sa_cli, &client_len); + + printf ("- connection from %s, port %d\n", + inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf, + sizeof (topbuf)), ntohs (sa_cli.sin_port)); + + gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); + ret = gnutls_handshake (session); + if (ret < 0) + { + close (sd); + gnutls_deinit (session); + fprintf (stderr, "*** Handshake has failed (%s)\n\n", + gnutls_strerror (ret)); + continue; + } + printf ("- Handshake was completed\n"); + + /* see the Getting peer's information example */ + /* print_info(session); */ + + i = 0; + for (;;) + { + memset (buffer, 0, MAX_BUF + 1); + ret = gnutls_record_recv (session, buffer, MAX_BUF); + + if (ret == 0) + { + printf ("\n- Peer has closed the GNUTLS connection\n"); + break; + } + else if (ret < 0) + { + fprintf (stderr, "\n*** Received corrupted " + "data(%d). Closing the connection.\n\n", ret); + break; + } + else if (ret > 0) + { + /* echo data back to the client + */ + gnutls_record_send (session, buffer, strlen (buffer)); + } + } + printf ("\n"); + /* do not wait for the peer to close the connection. + */ + gnutls_bye (session, GNUTLS_SHUT_WR); + + close (sd); + gnutls_deinit (session); + + } + close (listen_sd); + + gnutls_certificate_free_credentials (x509_cred); + gnutls_psk_free_server_credentials (psk_cred); + + gnutls_priority_deinit(priority_cache); + + gnutls_global_deinit (); + + return 0; + +} diff --git a/doc/examples/ex-session-info.c b/doc/examples/ex-session-info.c index dded275152..382b038185 100644 --- a/doc/examples/ex-session-info.c +++ b/doc/examples/ex-session-info.c @@ -1,4 +1,4 @@ -/* Copyright 2007 Free Software Foundation +/* Copyright 2007, 2008 Free Software Foundation * * Copying and distribution of this file, with or without modification, * are permitted in any medium without royalty provided the copyright @@ -43,12 +43,21 @@ print_info (gnutls_session_t session) break; +#ifdef ENABLE_SRP case GNUTLS_CRD_SRP: printf ("- SRP session with username %s\n", gnutls_srp_server_get_username (session)); break; +#endif case GNUTLS_CRD_PSK: + /* This returns NULL in server side. + */ + if (gnutls_psk_client_get_hint (session) != NULL) + printf ("- PSK authentication. PSK hint '%s'\n", + gnutls_psk_client_get_hint (session)); + /* This returns NULL in client side. + */ if (gnutls_psk_server_get_username (session) != NULL) printf ("- PSK authentication. Connected as '%s'\n", gnutls_psk_server_get_username (session)); diff --git a/doc/examples/ex-x509-info.c b/doc/examples/ex-x509-info.c index 911d315d44..5ffee181e2 100644 --- a/doc/examples/ex-x509-info.c +++ b/doc/examples/ex-x509-info.c @@ -1,4 +1,4 @@ -/* Copyright 2007 Free Software Foundation +/* Copyright 2007, 2008 Free Software Foundation * * Copying and distribution of this file, with or without modification, * are permitted in any medium without royalty provided the copyright @@ -81,7 +81,6 @@ print_x509_certificate_info (gnutls_session_t session) size = sizeof (serial); gnutls_x509_crt_get_serial (cert, serial, &size); - size = sizeof (serial); printf ("\tCertificate serial number: %s\n", bin2hex (serial, size)); /* Extract some of the public key algorithm's parameters diff --git a/doc/gendocs_template b/doc/gendocs_template index 066908e023..63a636a6e4 100644 --- a/doc/gendocs_template +++ b/doc/gendocs_template @@ -59,7 +59,7 @@ (%%TEXI_TGZ_SIZE%%K bytes gzipped tar file). -

You can buy printed copies of +

You can buy printed copies of some manuals (among other items) from the Free Software Foundation; this helps support FSF activities.

@@ -80,7 +80,7 @@ script.)

- +