[SCM] GNU gnutls branch, master, updated. gnutls_2_99_3-26-gb35975d


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_2_99_3-26-gb35975d
Date: Sat, 23 Jul 2011 12:14:22 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=b35975dffb003ed3fc9e25c37e4f90e54020287f

The branch, master has been updated
       via  b35975dffb003ed3fc9e25c37e4f90e54020287f (commit)
       via  8be0eef1937bce9fd0a57654f6af1fd475f54ba8 (commit)
       via  6e2c6ca7f3f4b6b5dd0859aa67aa640bbc966f05 (commit)
       via  81e8620a3411519510750b30bb460987bce35b7f (commit)
       via  95c30a2f7b42a9c463fae0466b97c5361588e788 (commit)
       via  e4d3d226bd638ecb0ad0f89e6f99993ab154f655 (commit)
       via  f4f8b191d8cbd520a86e0e1fe64094b3e860c159 (commit)
       via  e9dd3e14c75769e326331ee9d8a83f3e604dc215 (commit)
       via  6f292254cd91e4c6a2e489e327b106d766d933a7 (commit)
       via  a6975081adb6a420ae499b4df0b211c9b3f16f91 (commit)
      from  e04f3fa37f950f91b4280f32687e9a47b8bf5828 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit b35975dffb003ed3fc9e25c37e4f90e54020287f
Author: Stef Walter <address@hidden>
Date:   Thu Jul 7 19:05:17 2011 +0200

    pkcs11: Use p11_kit_pin_xxx() functionality when 'pinfile' is in uris.
    
     * This allows other apps to register a handler for a specific pinfile
       and then that application will be able to provide the PIN for
       those URIs.
    
    Signed-off-by: Nikos Mavrogiannopoulos <address@hidden>

commit 8be0eef1937bce9fd0a57654f6af1fd475f54ba8
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Fri Jul 22 13:32:55 2011 +0300

    Added compatibility mode with /etc/gnutls/pkcs11.conf

commit 6e2c6ca7f3f4b6b5dd0859aa67aa640bbc966f05
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Thu Jul 21 17:44:11 2011 +0300

    Updates in upward negotiation section.

commit 81e8620a3411519510750b30bb460987bce35b7f
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Thu Jul 21 16:46:49 2011 +0300

    Corrected bibliography

commit 95c30a2f7b42a9c463fae0466b97c5361588e788
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Thu Jul 21 15:34:14 2011 +0300

    corrected section names.

commit e4d3d226bd638ecb0ad0f89e6f99993ab154f655
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Thu Jul 21 15:12:31 2011 +0300

    Updated information on required libraries.

commit f4f8b191d8cbd520a86e0e1fe64094b3e860c159
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Thu Jul 21 15:08:55 2011 +0300

    Corrected typos.

commit e9dd3e14c75769e326331ee9d8a83f3e604dc215
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Tue Jun 28 14:10:11 2011 +0300

    updated function listing.

commit 6f292254cd91e4c6a2e489e327b106d766d933a7
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Tue Jun 28 14:09:00 2011 +0300

    Added gnutls_alert_get_strname().

commit a6975081adb6a420ae499b4df0b211c9b3f16f91
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Jun 27 16:16:57 2011 +0300

    documentation fixes

-----------------------------------------------------------------------

Summary of changes:
 configure.ac                    |    2 +-
 doc/.gitignore                  |    4 +
 doc/Makefile.am                 |   14 +-
 doc/alert-printlist.c           |  140 ++++++++++++++++
 doc/cha-auth.texi               |  100 +++++++-----
 doc/cha-cert-auth.texi          |  192 ++++++++--------------
 doc/cha-gtls-app.texi           |  111 +++++--------
 doc/cha-intro-tls.texi          |  351 +++++++++++++++++----------------------
 doc/cha-library.texi            |   62 +++-----
 doc/cha-preface.texi            |   11 +-
 doc/cha-programs.texi           |    6 +-
 doc/cha-support.texi            |   13 +-
 doc/cha-tls-app.texi            |   15 +-
 doc/gnutls.texi                 |   57 +++++++
 doc/latex/Makefile.am           |   14 ++-
 doc/latex/gnutls.bib            |   81 +++++-----
 doc/latex/gnutls.tex            |   10 +-
 doc/latex/macros.tex            |  142 ++++++++++++++++
 doc/scripts/gdoc                |   36 ++--
 doc/scripts/mytexi2latex        |   26 +++-
 doc/scripts/sort1.pl            |    4 +-
 doc/scripts/split.pl            |   39 +++++
 lib/algorithms/cert_types.c     |    2 +-
 lib/algorithms/ciphers.c        |    2 +-
 lib/algorithms/ecc.c            |    2 +-
 lib/algorithms/kx.c             |    2 +-
 lib/algorithms/mac.c            |    2 +-
 lib/algorithms/protocols.c      |    2 +-
 lib/algorithms/publickey.c      |    2 +-
 lib/algorithms/secparams.c      |    2 +-
 lib/algorithms/sign.c           |    2 +-
 lib/auth/cert.c                 |    6 +-
 lib/auth/psk.c                  |    4 +-
 lib/auth/rsa_export.c           |    2 +-
 lib/crypto-api.c                |   26 ++--
 lib/crypto-backend.c            |   18 +-
 lib/ext/max_record.c            |    4 +-
 lib/ext/safe_renegotiation.c    |    2 +-
 lib/ext/server_name.c           |   12 +-
 lib/ext/session_ticket.c        |    2 +-
 lib/gcrypt/mpi.c                |    4 +-
 lib/gnutls_alert.c              |  100 +++++++-----
 lib/gnutls_anon_cred.c          |    2 +-
 lib/gnutls_auth.c               |    4 +-
 lib/gnutls_buffers.c            |    2 +-
 lib/gnutls_cert.c               |    4 +-
 lib/gnutls_dh_primes.c          |   28 ++--
 lib/gnutls_dtls.c               |    6 +-
 lib/gnutls_errors.c             |   12 +-
 lib/gnutls_global.c             |    6 +-
 lib/gnutls_handshake.c          |    6 +-
 lib/gnutls_mpi.c                |    4 +-
 lib/gnutls_pcert.c              |    8 +-
 lib/gnutls_priority.c           |    8 +-
 lib/gnutls_privkey.c            |   20 +-
 lib/gnutls_psk.c                |    2 +-
 lib/gnutls_pubkey.c             |   42 +++---
 lib/gnutls_record.c             |    6 -
 lib/gnutls_sig.c                |    2 +-
 lib/gnutls_srp.c                |    4 +-
 lib/gnutls_state.c              |    4 +-
 lib/gnutls_str.c                |    2 +-
 lib/gnutls_ui.c                 |   12 +-
 lib/gnutls_x509.c               |   57 +++----
 lib/includes/gnutls/gnutls.h.in |    1 +
 lib/includes/gnutls/pkcs11.h    |    4 +-
 lib/libgnutls.map               |    1 +
 lib/minitasn1/decoding.c        |    2 +-
 lib/minitasn1/errors.c          |    4 +-
 lib/nettle/ecc_verify_hash.c    |    2 +-
 lib/opencdk/kbnode.c            |    4 +-
 lib/opencdk/sig-check.c         |    6 +-
 lib/openpgp/extras.c            |    2 +-
 lib/openpgp/gnutls_openpgp.c    |   16 +-
 lib/openpgp/output.c            |    4 +-
 lib/openpgp/pgp.c               |   28 ++--
 lib/openpgp/privkey.c           |   28 ++--
 lib/pkcs11.c                    |  352 ++++++++++++++++++++++++++++-----------
 lib/pkcs11_int.h                |    4 +-
 lib/pkcs11_privkey.c            |   16 +-
 lib/pkcs11_secret.c             |    2 +-
 lib/pkcs11_write.c              |   10 +-
 lib/random.c                    |    2 +-
 lib/x509/common.c               |    4 +-
 lib/x509/crl.c                  |   68 ++++----
 lib/x509/crl_write.c            |   20 +-
 lib/x509/crq.c                  |  120 +++++++-------
 lib/x509/dn.c                   |   24 ++--
 lib/x509/extensions.c           |    2 +-
 lib/x509/output.c               |   12 +-
 lib/x509/pkcs12.c               |   16 +-
 lib/x509/pkcs12_bag.c           |   30 ++--
 lib/x509/pkcs12_encr.c          |    2 +-
 lib/x509/pkcs7.c                |   26 ++--
 lib/x509/privkey.c              |   40 +++---
 lib/x509/privkey_pkcs8.c        |    4 +-
 lib/x509/rfc2818_hostname.c     |    2 +-
 lib/x509/sign.c                 |    2 +-
 lib/x509/verify-high.c          |   16 +-
 lib/x509/verify.c               |   22 +--
 lib/x509/x509.c                 |  140 ++++++++--------
 lib/x509/x509_write.c           |   66 ++++----
 102 files changed, 1713 insertions(+), 1260 deletions(-)
 create mode 100644 doc/alert-printlist.c
 create mode 100755 doc/scripts/split.pl

diff --git a/configure.ac b/configure.ac
index 14d15fb..15cc5db 100644
--- a/configure.ac
+++ b/configure.ac
@@ -126,7 +126,7 @@ AC_ARG_WITH(p11-kit,
                [Build without p11-kit and PKCS#11 support]))
 AM_CONDITIONAL(ENABLE_PKCS11, test "$with_p11_kit" != "no")
 if test "$with_p11_kit" != "no"; then
-       PKG_CHECK_MODULES(P11_KIT, [p11-kit-1])
+       PKG_CHECK_MODULES(P11_KIT, [p11-kit-1 >= 0.2])
        AC_DEFINE(ENABLE_PKCS11, 1, [Build PKCS#11 support])
        CFLAGS="$CFLAGS $P11_KIT_CFLAGS"
        LIBS="$LIBS $P11_KIT_LIBS"
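
Review bot: the new floor in PKG_CHECK_MODULES(P11_KIT, [p11-kit-1 >= 0.2]) is not explained anywhere in this hunk. Add a short configure.ac comment naming the p11-kit API that needs 0.2 (the same push starts using p11_kit_pin_xxx(), per its commit message), so the requirement can be re-checked later and a configure failure against an older p11-kit is easy to diagnose.
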
diff --git a/doc/.gitignore b/doc/.gitignore
index 0ea0de1..915c30a 100644
--- a/doc/.gitignore
+++ b/doc/.gitignore
@@ -26,3 +26,7 @@ guile.toc
 guile.tp
 guile.vr
 guile.vrs
+alerts.texi
+alert-printlist
+latex/alerts.tex
+latex/functions
diff --git a/doc/Makefile.am b/doc/Makefile.am
index e54e5a3..f3f91de 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -148,12 +148,12 @@ extra-api.texi: $(srcdir)/../libextra/gnutls_extra.c
 
 # Generated texinfos.
 
-gnutls_TEXINFOS += error_codes.texi algorithms.texi
+gnutls_TEXINFOS += error_codes.texi algorithms.texi alerts.texi
 MAINTAINERCLEANFILES += error_codes.texi algorithms.texi
 
 AM_CPPFLAGS = -I$(top_srcdir)/lib/includes -I$(top_builddir)/lib/includes
 
-noinst_PROGRAMS = errcodes printlist
+noinst_PROGRAMS = errcodes printlist alert-printlist
 
 errcodes_SOURCES = errcodes.c
 errcodes_LDADD = ../lib/libgnutls.la ../gl/libgnu.la
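
Review bot: alerts.texi is added to gnutls_TEXINFOS, but the unchanged line right below it, "MAINTAINERCLEANFILES += error_codes.texi algorithms.texi", still omits it, so "make maintainer-clean" will leave the newly generated file behind. Add alerts.texi to MAINTAINERCLEANFILES in the same change.
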
@@ -161,16 +161,22 @@ errcodes_LDADD = ../lib/libgnutls.la ../gl/libgnu.la
 printlist_SOURCES = printlist.c
 printlist_LDADD = ../lib/libgnutls.la ../gl/libgnu.la
 
+alert_printlist_SOURCES = alert-printlist.c
+alert_printlist_LDADD = ../lib/libgnutls.la ../gl/libgnu.la
+
 error_codes.texi: $(top_srcdir)/lib/gnutls_errors.c $(srcdir)/errcodes.c
        make $(builddir)/errcodes
        $(builddir)/errcodes > address@hidden
        mv -f address@hidden $@
 
-algorithms.texi: $(srcdir)/printlist.c
-       make $(builddir)/printlist
+algorithms.texi: printlist
        $(builddir)/printlist > address@hidden
        mv -f address@hidden $@
 
+alerts.texi: alert-printlist
+       $(builddir)/alert-printlist > address@hidden
+       mv -f address@hidden $@
+
 # Guile texinfos.
 
 guile_texi = core.c.texi extra.c.texi
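
Review bot: the new prerequisites in "algorithms.texi: printlist" and "alerts.texi: alert-printlist" name the helper programs without $(EXEEXT), while automake builds them as printlist$(EXEEXT) and alert-printlist$(EXEEXT); on a platform with an executable suffix the prerequisite will not match the built program. Suggest "printlist$(EXEEXT)" and "alert-printlist$(EXEEXT)" as the prerequisites, and the same suffix on the $(builddir)/ invocations in the recipes.
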
diff --git a/doc/alert-printlist.c b/doc/alert-printlist.c
new file mode 100644
index 0000000..5c38666
--- /dev/null
+++ b/doc/alert-printlist.c
@@ -0,0 +1,140 @@
+/*
+ * Copyright (C) 2008, 2009, 2010 Free Software Foundation, Inc.
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+#include <gnutls/openpgp.h>
+
+static void main_texinfo (void);
+static void main_latex(void);
+
+int
+main (int argc, char *argv[])
+{
+  if (argc > 1)
+    main_latex();
+  else
+    main_texinfo();
+    
+  return 0;
+}
+
+static void main_texinfo (void)
+{
+  {
+    size_t i;
+    const char *name;
+    gnutls_kx_algorithm_t kx;
+    gnutls_cipher_algorithm_t cipher;
+    gnutls_mac_algorithm_t mac;
+    gnutls_protocol_t version;
+
+    printf ("Available alert messages:\n");
+    
+    printf ("@multitable @columnfractions .55 .10 address@hidden:alerts}\n");
+    for (i = 0; i<256;i++)
+      {
+        if (gnutls_alert_get_strname(i)==NULL) continue;
+        printf ("@item address@hidden address@hidden %s\n",
+                gnutls_alert_get_strname(i),
+                (unsigned int) i, gnutls_alert_get_name (i));
+      }
+    printf ("@end multitable\n");
+
+  }
+}
+
+static const char headers[] = "\\tablefirsthead{%\n"
+       "\\hline\n"
+       "Alert & ID & Description\\\\\n"
+       "\\hline}\n"
+       "\\tablehead{%\n"
+       "\\hline\n"
+       "\\multicolumn{3}{|l|}{\\small\\sl continued from previous page}\\\\\n"
+       "\\hline\n"
+       "Alert & ID & Description\\\\\n"
+       "\\hline}\n"
+       "\\tabletail{%\n"
+       "\\hline\n"
+       "\\multicolumn{3}{|r|}{\\small\\sl continued on next page}\\\\\n"
+       "\\hline}\n"
+       "\\tablelasttail{\\hline}\n"
+       "\\bottomcaption{The TLS alert table}\n\n";
+
+static char* escape_string( const char* str)
+{
+static char buffer[500];
+int i = 0, j = 0;
+
+
+while( str[i] != 0 && j < sizeof(buffer) - 1) {
+   if (str[i]=='_') {
+      buffer[j++] = '\\';
+      buffer[j++] = '_';
+   } else {
+      buffer[j++] = str[i];
+   }
+   i++;
+};
+
+buffer[j] = 0;
+
+return buffer;
+
+}
+
+static void main_latex(void)
+{
+int i, j;
+const char* desc;
+const char* _name;
+
+puts( headers);
+
+printf("\\begin{supertabular}{|l|p{1cm}|p{3.5cm}|}\n\\label{tab:alerts}\n");
+
+  {
+    size_t i;
+    const char *name;
+    gnutls_kx_algorithm_t kx;
+    gnutls_cipher_algorithm_t cipher;
+    gnutls_mac_algorithm_t mac;
+    gnutls_protocol_t version;
+
+    for (i = 0; i<256;i++)
+      {
+        if (gnutls_alert_get_strname(i)==NULL) continue;
+        printf ("{\\small{%s}} & \\code{%d} & %s",
+                escape_string(gnutls_alert_get_strname(i)),
+                (unsigned int) i, gnutls_alert_get_name (i));
+        printf( "\\\\\n");
+      }
+
+    printf("\\end{supertabular}\n\n");
+
+  }
+
+return;
+
+}
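
Review bot: escape_string() can write one byte past the end of its 500-byte static buffer. The loop guard is "j < sizeof(buffer) - 1", but the '_' branch stores two bytes per iteration, so entering it with j == 498 leaves j == 500 and the following "buffer[j] = 0" lands at index 500. The input here comes from the library's own alert names, so it is not reachable today, but the guard should leave room for the escape pair, for example by looping while "j < sizeof(buffer) - 2". Two smaller points in the same file: main_texinfo() and main_latex() declare locals that are never used (name, kx, cipher, mac, version, and in main_latex also j, desc and _name, plus an outer "int i" shadowed by the inner "size_t i"), and the LaTeX printf passes "(unsigned int) i" to a "%d" conversion where "%u" is the matching one.
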
diff --git a/doc/cha-auth.texi b/doc/cha-auth.texi
index 9f85e2f..1006493 100644
--- a/doc/cha-auth.texi
+++ b/doc/cha-auth.texi
@@ -1,5 +1,5 @@
 @node Authentication methods
address@hidden Authentication Methods
address@hidden Authentication methods
 
 The @acronym{TLS} protocol provides confidentiality and encryption,
 but also offers authentication, which is a prerequisite for a secure
@@ -18,6 +18,14 @@ are:
 
 @end itemize
 
+The rule for each method is to allocate a credentials
+structure containing data required for authentication and
+associate that structure with the session using
address@hidden In the next paragraphs
+we elaborate on supported authentication methods.
+
address@hidden
+
 @menu
 * Certificate authentication::
 * Anonymous authentication::
@@ -28,9 +36,9 @@ are:
 @end menu
 
 @node Certificate authentication
address@hidden Certificate Authentication
address@hidden Certificate authentication
 
address@hidden Authentication Using @acronym{X.509} Certificates
address@hidden Authentication using @acronym{X.509} certificates
 @cindex @acronym{X.509} certificates
 
 @acronym{X.509} certificates contain the public parameters, of a
@@ -38,8 +46,8 @@ public key algorithm, and an authority's signature, which 
proves the
 authenticity of the parameters.  See @ref{The X.509 trust model}, for
 more information on @acronym{X.509} protocols.
 
address@hidden Authentication Using @acronym{OpenPGP} Keys
address@hidden @acronym{OpenPGP} Keys
address@hidden Authentication using @acronym{OpenPGP} keys
address@hidden @acronym{OpenPGP} keys
 
 @acronym{OpenPGP} keys also contain public parameters of a public key
 algorithm, and signatures from several other parties. Depending on
@@ -50,7 +58,7 @@ based on the @xcite{TLSPGP} proposal.
 More information on the @acronym{OpenPGP} trusted model is provided in 
@ref{The OpenPGP trust model}.
 For a more detailed introduction to @acronym{OpenPGP} and @acronym{GnuPG} see 
@xcite{GPGH}.
 
address@hidden Using Certificate Authentication
address@hidden Using certificate authentication
 
 In @acronym{GnuTLS} both the @acronym{OpenPGP} and @acronym{X.509}
 certificates are part of the certificate authentication and thus are
@@ -70,35 +78,37 @@ certificate certifies the one before it. The trusted 
authority's
 certificate need not to be included, since the peer should possess it
 already.
 
-As an alternative, a callback may be used so the server or the client
-specify the certificate and the key at the handshake time.  That
-callback can be set using the functions:
-
address@hidden
-
address@hidden @funcref{gnutls_certificate_server_set_retrieve_function}
address@hidden,gnutls_certificate_set_x509_key_mem,gnutls_certificate_set_openpgp_key,gnutls_certificate_set_openpgp_key_file,gnutls_certificate_set_openpgp_key_mem}
 
address@hidden @funcref{gnutls_certificate_client_set_retrieve_function}
address@hidden
 
address@hidden itemize
address@hidden
 
-Clients and servers that will select certificates using callback
-functions should select a certificate according the peer's signature
+As an alternative, a callback may be used so the server or the client
+specifies the certificate and the key at the handshake time
+using @funcref{gnutls_certificate_set_retrieve_function}. 
+In that case a certificate should be selected according the peer's signature
 algorithm preferences. To get those preferences use
 @funcref{gnutls_sign_algorithm_get_requested}.
 
address@hidden
+
+
 Certificate verification is possible by loading the trusted
 authorities into the credentials structure by using
 @funcref{gnutls_certificate_set_x509_trust_file} or
 @funcref{gnutls_certificate_set_openpgp_keyring_file} for openpgp
 keys. Note however that the peer's certificate is not automatically
 verified, you should call @funcref{gnutls_certificate_verify_peers2},
-after a successful handshake, to verify the signatures of the
-certificate.  An alternative way, which reports a more detailed
+after a successful handshake or during if 
@funcref{gnutls_certificate_set_verify_function}
+has been used, to verify the certificate's signature.
+An alternative way, which reports a more detailed
 verification output, is to use @funcref{gnutls_certificate_get_peers} to
 obtain the raw certificate of the peer and verify it using the
 functions discussed in @ref{The X.509 trust model}.
 
address@hidden
+
 In a handshake, the negotiated cipher suite depends on the
 certificate's parameters, so not all key exchange methods will be
 available with some certificates. @acronym{GnuTLS} will disable
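
Review bot: the rewritten verification sentence, "after a successful handshake or during if @funcref{gnutls_certificate_set_verify_function} has been used", is hard to parse at exactly the place where the manual tells readers that the peer's certificate is not verified automatically. Suggest spelling out both cases, for example "either after a successful handshake, or during it from the callback set with @funcref{gnutls_certificate_set_verify_function}". In the same hunk, the added line "In that case a certificate should be selected according the peer's signature" is missing "to" after "according".
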
@@ -112,6 +122,8 @@ and a different key for the plain RSA ciphersuites, which 
use
 encryption.  All the key exchange methods shown below are available in
 certificate authentication.
 
address@hidden
+
 Note that the DHE key exchange methods are generally
 address@hidden really depends on the group used.  Primes with
 lesser bits are always faster, but also easier to break.  See @ref{Selecting 
cryptographic key sizes}
@@ -168,7 +180,7 @@ algorithm.
 @end float
 
 @node Anonymous authentication
address@hidden Anonymous Authentication
address@hidden Anonymous authentication
 @cindex Anonymous authentication
 
 The anonymous key exchange performs encryption but there is no
@@ -250,7 +262,9 @@ Alternatively 
@funcref{gnutls_srp_set_client_credentials_function}
 may be used to specify a callback function.
 The callback will be called once during the @acronym{TLS} handshake.
 
-In server side the default behaviour of @acronym{GnuTLS} is to read
address@hidden,gnutls_srp_set_client_credentials_function}
+
+In server side the default behavior of @acronym{GnuTLS} is to read
 the usernames and @acronym{SRP} verifiers from password files. These
 password files are the ones used by the @emph{Stanford srp libraries}
 and @funcref{gnutls_srp_set_server_credentials_file} can be used to
@@ -259,23 +273,19 @@ password file format is to be used, then
 @funcref{gnutls_srp_set_server_credentials_function} should be called,
 to set an appropriate callback.
 
-Some helper functions such as
-
address@hidden
address@hidden
 
address@hidden @funcref{gnutls_srp_verifier}
address@hidden
 
address@hidden @funcref{gnutls_srp_base64_encode}
-
address@hidden @funcref{gnutls_srp_base64_decode}
-
address@hidden itemize
-
-are included in @acronym{GnuTLS}, and can be used to generate and
+Helper functions are included in @acronym{GnuTLS}, and can be used to generate 
and
 maintain @acronym{SRP} verifiers and password files.  A program to
 manipulate the required parameters for @acronym{SRP} authentication is
 also included.  See @ref{srptool}, for more information.
 
address@hidden
+
address@hidden,gnutls_srp_base64_decode}
+
 
 @node Authentication using PSK
 @section Authentication using @acronym{PSK}
@@ -298,6 +308,10 @@ Authentication using the @acronym{PSK} protocol.
 Authentication using the @acronym{PSK} protocol and Diffie-Hellman key
 exchange.  This method offers perfect forward secrecy.
 
address@hidden ECDHE-PSK:
+Authentication using the @acronym{PSK} protocol and Elliptic curve 
Diffie-Hellman key
+exchange.  This method offers perfect forward secrecy.
+
 @end table
 
 Clients supporting @acronym{PSK} should supply the username and key
@@ -308,7 +322,9 @@ specify a callback function. This has the
 advantage that the callback will be called only if @acronym{PSK} has
 been negotiated.
 
-In server side the default behaviour of @acronym{GnuTLS} is to read
address@hidden,gnutls_psk_set_client_credentials_function}
+
+In server side the default behavior of @acronym{GnuTLS} is to read
 the usernames and @acronym{PSK} keys from a password file. The
 password file should contain usernames and keys in hexadecimal
 format. The name of the password file can be stored to the credentials
@@ -324,22 +340,20 @@ A server, may specify the hint by calling
 the hint, for example in the callback function, using
 @funcref{gnutls_psk_client_get_hint}.
 
-Some helper functions such as:
-
address@hidden
address@hidden
 
address@hidden @funcref{gnutls_hex_encode}
address@hidden,gnutls_psk_set_server_credentials_hint,gnutls_psk_client_get_hint}
 
address@hidden @funcref{gnutls_hex_decode}
+Helper functions are included in @acronym{GnuTLS}, and may be used to generate 
and
+maintain @acronym{PSK} keys.
 
address@hidden itemize
address@hidden
 
-are included in @acronym{GnuTLS}, and may be used to generate and
-maintain @acronym{PSK} keys.
address@hidden
 
 
 @node Authentication and credentials
address@hidden Authentication and Credentials
address@hidden Authentication and credentials
 
 In @acronym{GnuTLS} every key exchange method is associated with a
 credentials type. So in order to enable to enable a specific method,
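
Review bot: the context line directly under the renamed "Authentication and credentials" heading reads "So in order to enable to enable a specific method"; since this hunk already edits the surrounding text, drop the duplicated "to enable" in the same change.
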
@@ -383,7 +397,7 @@ the corresponding credentials type should be initialized 
and set using
 @end float
 
 @node Parameters stored in credentials
address@hidden Parameters Stored in Credentials
address@hidden Parameters stored in credentials
 
 Several parameters such as the ones used for Diffie-Hellman
 authentication are stored within the credentials structures, so all
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi
index 26ca9fd..ae2df5d 100644
--- a/doc/cha-cert-auth.texi
+++ b/doc/cha-cert-auth.texi
@@ -1,5 +1,5 @@
 @node More on certificate authentication
address@hidden More on Certificate Authentication
address@hidden More on certificate authentication
 @cindex Certificate authentication
 
 @menu
@@ -11,7 +11,7 @@
 @end menu
 
 @node The X.509 trust model
address@hidden The @acronym{X.509} Trust Model
address@hidden The @acronym{X.509} trust model
 @cindex @acronym{X.509} certificates
 
 The @acronym{X.509} protocols rely on a hierarchical trust model. In
@@ -38,7 +38,7 @@ Detailed examples involving X.509 certificates are listed 
below.
 @end menu
 
 @node X.509 certificates
address@hidden @acronym{X.509} Certificates
address@hidden @acronym{X.509} certificates
 
 An @acronym{X.509} certificate usually contains information about the
 certificate holder, the signer, a unique serial number, expiration
@@ -136,10 +136,10 @@ private keys with the @code{gnutls_x509_privkey_t} type.  
All the
 available functions for @acronym{X.509} certificate handling have
 their prototypes in @file{gnutls/x509.h}. An example program to
 demonstrate the @acronym{X.509} parsing capabilities can be found at
-section @ref{ex:x509-info}.
address@hidden:x509-info}.
 
 @node Verifying X.509 certificate paths
address@hidden Verifying @acronym{X.509} Certificate Paths
address@hidden Verifying @acronym{X.509} certificate paths
 @cindex Verifying certificate paths
 @tindex gnutls_certificate_verify_flags
 
@@ -147,47 +147,22 @@ Verifying certificate paths is important in 
@acronym{X.509}
 authentication. For this purpose the following functions are
 provided.
 
address@hidden @code
-
address@hidden @funcref{gnutls_x509_trust_list_init}:
-A function to initialize a list that will hold trusted
-certificate authorities and certificate revocation lists.
-
address@hidden @funcref{gnutls_x509_trust_list_deinit}:
-Deinitializes the list.
-
address@hidden @funcref{gnutls_x509_trust_list_add_cas}:
-Adds certificate authorities to the list.
-
address@hidden @funcref{gnutls_x509_trust_list_add_named_crt}:
-Adds trusted certificates for an entity identified
-by a name.
-
address@hidden @funcref{gnutls_x509_trust_list_add_crls}:
-Adds certificate revocation lists.
-
address@hidden @funcref{gnutls_x509_trust_list_verify_crt}:
-Verifies a certificate chain using the previously setup trusted
-list. A callback can be specified that will provide information
-about the verification procedure (and detailed reasons of failure).
-
address@hidden @funcref{gnutls_x509_trust_list_verify_named_crt}:
-Does verification of the certificate by looking for a matching one
-in the named certificates. A callback can be specified that will provide 
information
-about the verification procedure (and detailed reasons of failure).
-
address@hidden table
address@hidden
address@hidden
address@hidden
address@hidden
address@hidden
address@hidden
address@hidden
 
 The verification function will verify a given certificate chain against a list 
of certificate
 authorities and certificate revocation lists, and output
-a bitwise OR of elements of the @code{gnutls_certificate_status_t} 
+a bit-wise OR of elements of the @code{gnutls_certificate_status_t} 
 enumeration. It is also possible to have a set of certificates that
 are trusted for a particular server but not to authorize other certificates.
 This purpose is served by the functions 
@funcref{gnutls_x509_trust_list_add_named_crt} and 
@funcref{gnutls_x509_trust_list_verify_named_crt}.
 A detailed description of these elements can be found 
-in figure below. An example of these functions in use can be found
-in @ref{ex:verify2}.
-
+in @ref{tab:cert-verify}. An example of certificate verification is shown in 
@ref{ex:verify2}.
 
 When operating in the context of a TLS session, the trusted certificate
 authority list has been set via the
@@ -195,8 +170,7 @@ authority list has been set via the
 thus it is not required to setup a trusted list as above.
 Convenience functions such as @funcref{gnutls_certificate_verify_peers2} 
 are equivalent and will verify the peer's certificate chain
-in a TLS session. The certificate verification functions output
-codes as in @ref{tab:cert-verify}.
+in a TLS session. 
 
 @float Table,tab:cert-verify
 @multitable @columnfractions .55 .45
@@ -241,7 +215,7 @@ flags are part of the enumeration
 @headitem Flag @tab Description
 @item GNUTLS_VERIFY_\-DISABLE_CA_SIGN @tab
 If set a signer does not have to be a certificate authority. This
-flag should normaly be disabled, unless you know what this means.
+flag should normally be disabled, unless you know what this means.
 
 @item GNUTLS_VERIFY_\-ALLOW_X509_V1_CA_CRT @tab
 Allow only trusted CA certificates that have version 1.  This is
@@ -288,7 +262,7 @@ certificate's owner is the one you expect. For more 
information
 consult @xcite{RFC2818} and section @ref{ex:verify} for an example.
 
 @node Certificate requests
address@hidden @acronym{PKCS} #10 Certificate Requests
address@hidden @acronym{PKCS} #10 certificate requests
 @cindex Certificate requests
 @cindex @acronym{PKCS} #10
 
@@ -299,12 +273,15 @@ password. @acronym{GnuTLS} supports the requests defined 
in
 @acronym{PKCS} #10 @xcite{RFC2986}. Other certificate request's format
 are not currently supported.
 
-In @acronym{GnuTLS} the @acronym{PKCS} #10 structures are handled
-using the @code{gnutls_x509_crq_t} type.  An example of a certificate
-request generation can be found at section @ref{ex:crq}.
+The following example is about generating a certificate request, and a
+private key. A certificate request can be later be processed by a CA,
+which should return a signed certificate.
+
address@hidden:crq}
address@hidden examples/ex-crq.c
 
 @node PKCS 12 structures
address@hidden @acronym{PKCS} #12 Structures
address@hidden @acronym{PKCS} #12 structures
 @cindex @acronym{PKCS} #12
 
 A @acronym{PKCS} #12 structure @xcite{PKCS12} usually contains a user's
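
Review bot: the added sentence "A certificate request can be later be processed by a CA" has a duplicated "be" and should read "can later be processed by a CA". The rewrite also removes the sentence stating that PKCS #10 structures are handled using the gnutls_x509_crq_t type; keep that one line ahead of the example so the section still names the type a reader has to use.
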
@@ -319,16 +296,18 @@ keys or encrypted data.  An Bag of type encrypted should 
be decrypted
 in order for its data to be accessed.
 
 An example of a @acronym{PKCS} #12 structure generation can be found
-at section @ref{ex:pkcs12}.
+below.
+
address@hidden examples/ex-pkcs12.c
 
 @node The OpenPGP trust model
address@hidden The @acronym{OpenPGP} Trust Model
address@hidden @acronym{OpenPGP} Keys
address@hidden The @acronym{OpenPGP} trust model
address@hidden @acronym{OpenPGP} keys
 
 The @acronym{OpenPGP} key authentication relies on a distributed trust
 model, called the ``web of trust''. The ``web of trust'' uses a
 decentralized system of trusted introducers, which are the same as a
-CA. @acronym{OpenPGP} allows anyone to sign anyone's else public
+CA. @acronym{OpenPGP} allows anyone to sign anyone else's public
 key. When Alice signs Bob's key, she is introducing Bob's key to
 anyone who trusts Alice. If someone trusts Alice to introduce keys,
 then Alice is a trusted introducer in the mind of that observer.
@@ -353,7 +332,7 @@ only Kevin, for some reason. A reason could be that Bob is 
lazy
 enough, and signs other people's keys without being sure that they
 belong to the actual owner.
 
address@hidden @acronym{OpenPGP} Keys
address@hidden @acronym{OpenPGP} keys
 
 In @acronym{GnuTLS} the @acronym{OpenPGP} key structures
 @xcite{RFC2440} are handled using the @code{gnutls_openpgp_crt_t} type
@@ -361,13 +340,13 @@ and the corresponding private keys with the
 @code{gnutls_openpgp_privkey_t} type. All the prototypes for the key
 handling functions can be found at @file{gnutls/openpgp.h}.
 
address@hidden Verifying an @acronym{OpenPGP} Key
address@hidden Verifying an @acronym{OpenPGP} key
 
 The verification functions of @acronym{OpenPGP} keys, included in
 @acronym{GnuTLS}, are simple ones, and do not use the features of the
 ``web of trust''.  For that reason, if the verification needs are
 complex, the assistance of external tools like @acronym{GnuPG} and
-GPGME (@url{http://www.gnupg.org/related_software/gpgme/}) is
address@hidden@url{http://www.gnupg.org/related_software/gpgme/}} is
 recommended.
 
 There is one verification function in @acronym{GnuTLS}, the
@@ -419,44 +398,36 @@ Moreover it can be used to allow all applications in the 
same operating system t
 shared cryptographic keys and certificates in a uniform way, as in 
@ref{fig:pkcs11-vision}.
 
 @float Figure,fig:pkcs11-vision
address@hidden,8cm}
address@hidden,9cm}
 @caption{PKCS #11 module usage.}
 @end float
 
 @subsection Initialization
 To allow all the  @acronym{GnuTLS} applications to access @acronym{PKCS} #11 
tokens
-it is adviceable to use @code{/etc/pkcs11/modules/mymodule.conf}. This file 
has the following
+it is advisable to use @code{/etc/pkcs11/modules/mymodule.conf}. This file has 
the following
 format:
 
address@hidden
address@hidden
 module: /usr/lib/opensc-pkcs11.so
address@hidden verbatim
address@hidden smallexample
 
 If you use this file, then there is no need for other initialization in
 @acronym{GnuTLS}, except for the PIN and token functions. Those allow 
retrieving a PIN
 when accessing a protected object, such as a private key, as well as probe
 the user to insert the token. All the initialization functions are below.
 
address@hidden
-
address@hidden @funcref{gnutls_pkcs11_init}: Global initialization
-
address@hidden @funcref{gnutls_pkcs11_deinit}: Global deinitialization
-
address@hidden @funcref{gnutls_pkcs11_set_token_function}: Sets the token 
insertion function
-
address@hidden @funcref{gnutls_pkcs11_set_pin_function}: Sets the PIN request 
function
-
address@hidden @funcref{gnutls_pkcs11_add_provider}: Adds an additional 
@acronym{PKCS} #11 provider
-
address@hidden itemize
address@hidden
address@hidden
address@hidden
address@hidden
address@hidden
 
 Note that due to limitations of @acronym{PKCS} #11 there are issues when 
multiple libraries 
 are sharing a module. To avoid this problem GnuTLS uses 
address@hidden@url{http://p11-glue.freedesktop.org/}}
 that provides a middleware to control access to resources over the
 multiple users.
 
address@hidden Reading Objects
address@hidden Reading objects
 
 All @acronym{PKCS} #11 objects are referenced by @acronym{GnuTLS} functions by
 URLs as described in @code{draft-pechanec-pkcs11uri-03}. For example a public
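Review bot: The Initialization paragraph still says "as well as probe the user to insert the token" in the context lines; this should be "prompt the user", and since the hunk already corrects "adviceable" in the same paragraph it is the natural place to fix it. The removed @itemize also gave each initialization function a one-line purpose ("Global initialization", "Sets the PIN request function", "Adds an additional PKCS #11 provider"), so check that the replacement entries still render a description, because "All the initialization functions are below" now depends on them entirely.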
@@ -474,48 +445,31 @@ 
pkcs11:token=Nikos;serial=307521161601031;model=PKCS%2315;manufacturer=EnterSafe
 @end example
 
 
-Objects can be accessed with the following functions
address@hidden
-
address@hidden @funcref{gnutls_pkcs11_obj_init}: Initializes an object
-
address@hidden @funcref{gnutls_pkcs11_obj_import_url}: To import an object from 
a url
-
address@hidden @funcref{gnutls_pkcs11_obj_export_url}: To export the URL of the 
object
-
address@hidden @funcref{gnutls_pkcs11_obj_deinit}: To deinitialize an object
-
address@hidden @funcref{gnutls_pkcs11_obj_export}: To export data associated 
with object
-
address@hidden @funcref{gnutls_pkcs11_obj_get_info}: To obtain information 
about an object
address@hidden #11 objects can be accessed with the functions shown below.
 
address@hidden @funcref{gnutls_pkcs11_obj_list_import_url}: To mass load of 
objects
address@hidden,gnutls_pkcs11_obj_deinit}
 
address@hidden @funcref{gnutls_x509_crt_import_pkcs11}: Import a certificate 
object
address@hidden
 
address@hidden @funcref{gnutls_x509_crt_import_pkcs11_url}: Helper function to 
directly import a URL into a certificate
-
address@hidden @funcref{gnutls_x509_crt_list_import_pkcs11}: Mass import of 
certificates
-
address@hidden itemize
-
-
-Functions that relate to token handling are shown below
address@hidden
address@hidden
 
address@hidden @funcref{gnutls_pkcs11_token_init}: Initializes a token
address@hidden
 
address@hidden @funcref{gnutls_pkcs11_token_set_pin}: Sets the token user's PIN
address@hidden
 
address@hidden @funcref{gnutls_pkcs11_token_get_url}: Returns the URL of a token
address@hidden
 
address@hidden @funcref{gnutls_pkcs11_token_get_info}: Obtain information about 
a token
address@hidden,gnutls_x509_crt_import_pkcs11_url,gnutls_x509_crt_list_import_pkcs11}
 
address@hidden @funcref{gnutls_pkcs11_token_get_flags}: Returns flags about a 
token (i.e. hardware or software)
+Functions that relate to token handling are shown below.
 
address@hidden itemize
address@hidden
address@hidden
address@hidden
address@hidden
address@hidden
 
-The following example will list all tokens.
+The following example will list all available PKCS #11 tokens in a system.
 @example
 int i;
 char* url;
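Review bot: The new sentence "The following example will list all available PKCS #11 tokens in a system." writes PKCS as plain text, while the rest of this section uses the markup form (for example "All @acronym{PKCS} #11 objects are referenced"). Use @acronym{PKCS} #11 here too so the term renders consistently throughout the chapter.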
@@ -538,24 +492,18 @@ gnutls_global_deinit();
 @end example
 
 
-The next one will list all certificates in a token, that have a corresponding
-private key:
+That example will only list all certificates in a token that have a 
corresponding
+private key.
 @verbatiminclude examples/ex-pkcs11-list.c
 
address@hidden Writing Objects
address@hidden Writing objects
 
 With @acronym{GnuTLS} you can copy existing private keys and certificates
 to a token. This can be achieved with the following functions
 
address@hidden
-
address@hidden @funcref{gnutls_pkcs11_delete_url}: To delete an object
-
address@hidden @funcref{gnutls_pkcs11_copy_x509_privkey}: To copy a private key 
to a token
-
address@hidden @funcref{gnutls_pkcs11_copy_x509_crt}: To copy a certificate to 
a token
-
address@hidden itemize
address@hidden
address@hidden
address@hidden
 
 
 @subsection Using a @acronym{PKCS} #11 token with TLS
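Review bot: "That example will only list all certificates in a token that have a corresponding private key." points backwards, but the code it describes is the @verbatiminclude of examples/ex-pkcs11-list.c that follows it, so a reader will attach the sentence to the token-listing example above. The removed wording ("The next one will list ...") had the direction right; something like "The next example lists only the certificates in a token that have a corresponding private key." keeps the new emphasis without the ambiguity. In the same hunk, "This can be achieved with the following functions" is left without a full stop, unlike "Functions that relate to token handling are shown below." fixed earlier in this patch.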
@@ -565,13 +513,7 @@ session, as shown in @ref{ex:pkcs11-client}. In addition
 the following functions can be used to load PKCS #11 key and
 certificates.
 
address@hidden
-
address@hidden @funcref{gnutls_certificate_set_x509_trust_file}: If given a 
PKCS #11 URL will load the trusted certificates from it.
-
address@hidden @funcref{gnutls_certificate_set_x509_key_file}: Will also load 
PKCS #11 URLs for keys and certificates.
-
address@hidden itemize
address@hidden,gnutls_certificate_set_x509_key_file}
 
 
 @node Abstract key types
@@ -614,7 +556,7 @@ gnutls_privkey_t abs_key;
 
 
 @node Digital signatures
address@hidden Digital Signatures
address@hidden Digital signatures
 @cindex Digital signatures
 
 In this section we will provide some information about digital
@@ -678,7 +620,7 @@ sometime in the future, SHA-1 will be disabled as well.  
The collision
 attacks on SHA-1 may also get better, given the new interest in tools
 for creating them.
 
address@hidden Trading Security for Interoperability
address@hidden Trading security for interoperability
 
 If you connect to a server and use GnuTLS' functions to verify the
 certificate chain, and get a @code{GNUTLS_CERT_INSECURE_ALGORITHM}
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index c30d2be..1b5e47b 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -1,5 +1,5 @@
 @node How to use GnuTLS in applications
address@hidden How To Use @acronym{GnuTLS} in Applications
address@hidden How to use @acronym{GnuTLS} in applications
 @anchor{examples}
 @cindex Example programs
 
@@ -50,18 +50,18 @@ done by calling @funcref{gnutls_global_deinit}.
 The extra functionality of the @acronym{GnuTLS-extra} library is
 available after calling @funcref{gnutls_global_init_extra}.
 
-In order to take advantage of the internationalisation features in
+In order to take advantage of the internationalization features in
 GnuTLS, such as translated error messages, the application must set
 the current locale using @code{setlocale} before initializing GnuTLS.
 
 @node Version check
address@hidden Version Check
address@hidden Version check
 
 It is often desirable to check that the version of `gnutls' used is
 indeed one which fits all requirements.  Even with binary
 compatibility new features may have been introduced but due to problem
 with the dynamic linker an old version is actually used.  So you may
-want to check that the version is okay right after program startup.
+want to check that the version is okay right after program start-up.
 See the function @funcref{gnutls_check_version}.
 
 @node Debugging and auditing
@@ -83,7 +83,7 @@ TLS session. The session information might be used to derive 
IP addresses
 or other information about the peer involved.
 
 @node Building the source
address@hidden Building the Source
address@hidden Building the source
 
 If you want to compile a source file including the
 @file{gnutls/gnutls.h} header file, you must make sure that the
@@ -114,7 +114,7 @@ the path to the library files has to be added to the 
library search
 path (via the @option{-L} option).  For this, the option
 @option{--libs} to @command{pkg-config gnutls} can be used.  For
 convenience, this option also outputs all other options that are
-required to link the program with the libarary (for instance, the
+required to link the program with the library (for instance, the
 @samp{-ltasn1} option).  The example shows how to link @file{foo.o}
 with the library to a program @command{foo}.
 
@@ -131,7 +131,7 @@ gcc -o foo foo.c `pkg-config gnutls --cflags --libs`
 
 
 @node Client examples
address@hidden Client Examples
address@hidden Client examples
 
 This section contains examples of @acronym{TLS} and @acronym{SSL}
 clients, using @acronym{GnuTLS}.  Note that these examples contain
@@ -154,7 +154,7 @@ implemented by another example.
 @end menu
 
 @node Simple client example with anonymous authentication
address@hidden Simple Client Example with Anonymous Authentication
address@hidden Simple client example with anonymous authentication
 
 The simplest client using TLS is the one that doesn't do any
 authentication.  This means no external certificates or passwords are
@@ -165,7 +165,7 @@ However, the data is integrity and privacy protected.
 @verbatiminclude examples/ex-client1.c
 
 @node Simple client example with X.509 certificate support
address@hidden Simple Client Example with @acronym{X.509} Certificate Support
address@hidden Simple client example with @acronym{X.509} certificate support
 
 Let's assume now that we want to create a TCP client which
 communicates with servers that use @acronym{X.509} or
@@ -178,7 +178,7 @@ redefining them.
 @verbatiminclude examples/ex-client2.c
 
 @node Simple Datagram TLS client example
address@hidden Simple Datagram @acronym{TLS} client example
address@hidden Simple datagram @acronym{TLS} client example
 
 This is a client that uses @acronym{UDP} to connect to a
 server. This is the @acronym{DTLS} equivalent to 
@@ -187,7 +187,7 @@ server. This is the @acronym{DTLS} equivalent to
 @verbatiminclude examples/ex-client-udp.c
 
 @node Obtaining session information
address@hidden Obtaining Session Information
address@hidden Obtaining session information
 
 Most of the times it is desirable to know the security properties of
 the current established session.  This includes the underlying ciphers
@@ -198,7 +198,7 @@ if called after a successful @funcref{gnutls_handshake}.
 @verbatiminclude examples/ex-session-info.c
 
 @node Verifying peer's certificate
address@hidden Verifying Peer's Certificate
address@hidden Verifying peer's certificate
 @anchor{ex:verify}
 
 A @acronym{TLS} session is not secure just after the handshake
@@ -211,7 +211,7 @@ treat the connection as being a secure one.
 @verbatiminclude examples/ex-rfc2818.c
 
 @node Using a callback to select the certificate to use
address@hidden Using a Callback to Select the Certificate to Use
address@hidden Using a callback to select the certificate to use
 
 There are cases where a client holds several certificate and key
 pairs, and may not want to load all of them in the credentials
@@ -221,7 +221,7 @@ certificate selection callback.
 @verbatiminclude examples/ex-cert-select.c
 
 @node Verifying a certificate
address@hidden Verifying a Certificate
address@hidden Verifying a certificate
 @anchor{ex:verify2}
 
 An example is listed below which uses the high level verification
@@ -230,7 +230,7 @@ functions to verify a given certificate list.
 @verbatiminclude examples/ex-verify.c
 
 @node Client using a PKCS 11 token with TLS
address@hidden Using a @acronym{PKCS #11} token with TLS
address@hidden Using a @acronym{PKCS} #11 token with TLS
 @anchor{ex:pkcs11-client}
 
 This example will demonstrate how to load keys and certificates
@@ -240,7 +240,7 @@ from a @acronym{PKCS} #11 token, and use it with a TLS 
connection.
 
 
 @node Client with Resume capability example
address@hidden Client with Resume Capability Example
address@hidden Client with resume capability example
 @anchor{ex:resume-client}
 
 This is a modification of the simple client example. Here we
@@ -252,7 +252,7 @@ establish a new connection using the previously negotiated 
data.
 
 
 @node Simple client example with SRP authentication
address@hidden Simple Client Example with @acronym{SRP} Authentication
address@hidden Simple client example with @acronym{SRP} authentication
 
 The following client is a very simple @acronym{SRP} @acronym{TLS}
 client which connects to a server and authenticates using a
@@ -262,7 +262,7 @@ itself using a certificate, and in that case it has to be 
verified.
 @verbatiminclude examples/ex-client-srp.c
 
 @node Simple client example in C++
address@hidden Simple Client Example using the C++ API
address@hidden Simple client example using the C++ API
 
 The following client is a simple example of a client client utilizing
 the GnuTLS C++ API.
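Review bot: The context line directly under the retitled heading still reads "a simple example of a client client utilizing"; the duplicated word should be dropped while this node is being touched.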
@@ -270,7 +270,7 @@ the GnuTLS C++ API.
 @verbatiminclude examples/ex-cxx.cpp
 
 @node Helper function for TCP connections
address@hidden Helper Function for TCP Connections
address@hidden Helper function for TCP connections
 
 This helper function abstracts away TCP connection handling from the
 other examples.  It is required to build some examples.
@@ -278,7 +278,7 @@ other examples.  It is required to build some examples.
 @verbatiminclude examples/tcp.c
 
 @node Server examples
address@hidden Server Examples
address@hidden Server examples
 
 This section contains examples of @acronym{TLS} and @acronym{SSL}
 servers, using @acronym{GnuTLS}.
@@ -291,7 +291,7 @@ servers, using @acronym{GnuTLS}.
 @end menu
 
 @node Echo Server with X.509 authentication
address@hidden Echo Server with @acronym{X.509} Authentication
address@hidden Echo server with @acronym{X.509} authentication
 
 This example is a very simple echo server which supports
 @acronym{X.509} authentication, using the RSA ciphersuites.
@@ -299,8 +299,8 @@ This example is a very simple echo server which supports
 @verbatiminclude examples/ex-serv1.c
 
 @node Echo Server with OpenPGP authentication
address@hidden Echo Server with @acronym{OpenPGP} Authentication
address@hidden @acronym{OpenPGP} Server
address@hidden Echo server with @acronym{OpenPGP} authentication
address@hidden @acronym{OpenPGP} server
 
 The following example is an echo server which supports
 @acronym{OpenPGP} key authentication. You can easily combine
@@ -311,7 +311,7 @@ them to keep these examples as simple as possible.
 @verbatiminclude examples/ex-serv-pgp.c
 
 @node Echo Server with SRP authentication
address@hidden Echo Server with @acronym{SRP} Authentication
address@hidden Echo server with @acronym{SRP} authentication
 
 This is a server which supports @acronym{SRP} authentication. It is
 also possible to combine this functionality with a certificate
@@ -320,7 +320,7 @@ server. Here it is separate for simplicity.
 @verbatiminclude examples/ex-serv-srp.c
 
 @node Echo Server with anonymous authentication
address@hidden Echo Server with Anonymous Authentication
address@hidden Echo Server with anonymous authentication
 
 This example server support anonymous authentication, and could be
 used to serve the example client for anonymous authentication.
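Review bot: The new heading here still reads "Echo Server with anonymous authentication" with a capital S, while the sibling headings changed in this patch use "Echo server with @acronym{SRP} authentication" and "Echo server with @acronym{X.509} authentication". Lower-case it for consistency with the rest of the sentence-case conversion. The context line "This example server support anonymous authentication" also needs "supports".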
@@ -328,17 +328,15 @@ used to serve the example client for anonymous 
authentication.
 @verbatiminclude examples/ex-serv-anon.c
 
 @node Miscellaneous examples
address@hidden Miscellaneous Examples
address@hidden Miscellaneous examples
 
 @menu
 * Checking for an alert::
 * X.509 certificate parsing example::
-* Certificate request generation::
-* PKCS 12 structure generation::
 @end menu
 
 @node Checking for an alert
address@hidden Checking for an Alert
address@hidden Checking for an alert
 
 This is a function that checks if an alert has been received in the
 current session.
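Review bot: The menu entries "Certificate request generation" and "PKCS 12 structure generation" are removed here and the corresponding nodes, with their anchors and the includes of examples/ex-crq.c and examples/ex-pkcs12.c, are deleted in the next hunk, but nothing in the visible diff shows where that material went. Please state in the commit message whether the two examples were moved to another chapter, and check that no remaining @ref to the removed anchors is left dangling.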
@@ -346,7 +344,7 @@ current session.
 @verbatiminclude examples/ex-alert.c
 
 @node X.509 certificate parsing example
address@hidden @acronym{X.509} Certificate Parsing Example
address@hidden @acronym{X.509} certificate parsing example
 @anchor{ex:x509-info}
 
 To demonstrate the @acronym{X.509} parsing capabilities an example program is
@@ -355,25 +353,6 @@ information about it.
 
 @verbatiminclude examples/ex-x509-info.c
 
address@hidden Certificate request generation
address@hidden Certificate Request Generation
address@hidden:crq}
-
-The following example is about generating a certificate request, and a
-private key. A certificate request can be later be processed by a CA,
-which should return a signed certificate.
-
address@hidden examples/ex-crq.c
-
address@hidden PKCS 12 structure generation
address@hidden @acronym{PKCS} #12 Structure Generation
address@hidden:pkcs12}
-
-The following example is about generating a @acronym{PKCS} #12
-structure.
-
address@hidden examples/ex-pkcs12.c
-
 @node Advanced and other topics
 @section Advanced and other topics
 
@@ -387,8 +366,8 @@ structure.
 
 @node Parameter generation
 @subsection Parameter generation
address@hidden parameter generation
address@hidden generating parameters
address@hidden Parameter generation
address@hidden Generating parameters
 
 Several TLS ciphersuites require additional parameters that
 need to be generated or provided by the application. The
@@ -400,12 +379,14 @@ The parameters can be used in a session by calling
 @funcref{gnutls_certificate_set_dh_params} or
 @funcref{gnutls_anon_set_server_dh_params} for anonymous sessions.
 
address@hidden,gnutls_dh_params_import_pkcs3,gnutls_certificate_set_dh_params,gnutls_anon_set_server_dh_params}
+
 Due to the time-consuming calculations required for the generation
 of Diffie-Hellman parameters we suggest against performing generation
 of them within an application. The @code{certtool} tool can be used to 
 generate or export known safe values that can be stored in code
 or in a configuration file to provide the ability to replace. We also
-recommend the usage of @funcref{gnutls_sec_param_to_pk_bits} to determine
+recommend the usage of @funcref{gnutls_sec_param_to_pk_bits} (see 
@ref{Selecting cryptographic key sizes}) to determine
 the bit size of the parameters to be generated.
 
 The ciphersuites that involve the RSA-EXPORT key exchange require
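Review bot: The context sentence "stored in code or in a configuration file to provide the ability to replace" is missing its object, and it sits immediately before the sentence this hunk rewrites. Since the paragraph is the manual's guidance on handling Diffie-Hellman parameters, finish the thought, for example "so that they can be replaced later", in the same change.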
@@ -416,23 +397,13 @@ requires 512-bit RSA keys to be generated. It is 
recommended those
 parameters to be refreshed (regenerated) in short intervals. The
 following functions can be used for these parameters.
 
address@hidden
-
address@hidden @funcref{gnutls_rsa_params_generate2}
-
address@hidden @funcref{gnutls_certificate_set_rsa_export_params}
-
address@hidden @funcref{gnutls_rsa_params_import_pkcs1}
-
address@hidden @funcref{gnutls_rsa_params_export_pkcs1}
-
address@hidden itemize
address@hidden,gnutls_certificate_set_rsa_export_params,gnutls_rsa_params_import_pkcs1,gnutls_rsa_params_export_pkcs1}
 
 
 @node Keying Material Exporters
address@hidden Keying Material Exporters
address@hidden Keying Material Exporters
address@hidden Exporting Keying Material
address@hidden Keying material exporters
address@hidden Keying material exporters
address@hidden Exporting keying material
 
 The TLS PRF can be used by other protocols to derive data.  The API to
 use is @funcref{gnutls_prf}.  The function needs to be provided with the
@@ -456,8 +427,8 @@ If you don't want to mix in the client/server random, there 
is a more
 low-level TLS PRF interface called @funcref{gnutls_prf_raw}.
 
 @node Channel Bindings
address@hidden Channel Bindings
address@hidden Channel Bindings
address@hidden Channel bindings
address@hidden Channel bindings
 
 In user authentication protocols (e.g., EAP or SASL mechanisms) it is
 useful to have a unique string that identifies the secure channel that
@@ -498,13 +469,13 @@ Note that it must be run after a successful TLS handshake.
 @end smallexample
 
 @node Compatibility with the OpenSSL library
address@hidden Compatibility with the OpenSSL Library
address@hidden Compatibility with the OpenSSL library
 @cindex OpenSSL
 
 To ease @acronym{GnuTLS}' integration with existing applications, a
 compatibility layer with the widely used OpenSSL library is included
 in the @code{gnutls-openssl} library. This compatibility layer is not
-complete and it is not intended to completely reimplement the OpenSSL
+complete and it is not intended to completely re-implement the OpenSSL
 API with @acronym{GnuTLS}.  It only provides limited source-level
 compatibility. There is currently no attempt to make it
 binary-compatible with OpenSSL.
diff --git a/doc/cha-intro-tls.texi b/doc/cha-intro-tls.texi
index 8a2cf55..4cb90cd 100644
--- a/doc/cha-intro-tls.texi
+++ b/doc/cha-intro-tls.texi
@@ -33,20 +33,20 @@ noted otherwise.
 @end menu
 
 @node TLS layers
address@hidden TLS Layers
address@hidden TLS Layers
address@hidden TLS layers
address@hidden TLS layers
 
address@hidden is a layered protocol, and consists of the Record
-Protocol, the Handshake Protocol and the Alert Protocol. The Record
-Protocol is to serve all other protocols and is above the transport
-layer.  The Record protocol offers symmetric encryption, data
address@hidden is a layered protocol, and consists of the record
+protocol, the handshake protocol and the alert protocol. The record
+protocol is to serve all other protocols and is above the transport
+layer.  The record protocol offers symmetric encryption, data
 authenticity, and optionally compression.
-The Alert protocol offers some signaling to the other protocols. It
+The alert protocol offers some signaling to the other protocols. It
 can help informing the peer for the cause of failures and other error
 conditions.  @xref{The Alert Protocol}, for more information.  The
 alert protocol is above the record protocol.
 
-The Handshake protocol is responsible for the security parameters'
+The handshake protocol is responsible for the security parameters'
 negotiation, the initial key exchange and authentication.  
 @xref{The Handshake Protocol}, for more information about the handshake
 protocol.  The protocol layering in TLS is shown in @ref{fig:tls-layers}.
@@ -57,33 +57,32 @@ protocol.  The protocol layering in TLS is shown in 
@ref{fig:tls-layers}.
 @end float
 
 @node The transport layer
address@hidden The Transport Layer
address@hidden The transport layer
 @cindex Transport protocol
address@hidden Transport layer
 
address@hidden is not limited to one transport layer, it can be used
-above any transport layer, as long as it is a reliable one.  A set of
-functions is provided and their purpose is to load to @acronym{GnuTLS} the
address@hidden is not limited to any transport layer and can be used
+above any transport layer, as long as it is a reliable one.  @acronym{DTLS}
+can be used over reliable and unreliable transport layers.
+A set of functions is provided and their purpose is to load to 
@acronym{GnuTLS} the
 required callbacks to access the transport layer.
 
address@hidden
address@hidden @funcref{gnutls_transport_set_push_function}
address@hidden @funcref{gnutls_transport_set_vec_push_function}
address@hidden @funcref{gnutls_transport_set_pull_timeout_function} (for 
@acronym{DTLS} only)
address@hidden @funcref{gnutls_transport_set_pull_function}
address@hidden @funcref{gnutls_transport_set_ptr}
address@hidden @funcref{gnutls_transport_set_errno}
address@hidden itemize
address@hidden,gnutls_transport_set_vec_push_function,gnutls_transport_set_pull_timeout_function,gnutls_transport_set_pull_function,gnutls_transport_set_ptr}
 
-These functions accept a callback function as a parameter.  The
+The function @funcref{gnutls_transport_set_pull_timeout_function} is only 
applicable
+to @acronym{DTLS} sessions.
+All those functions accept a callback function as a parameter.  The
 callback functions should return the number of bytes written, or -1 on
 error and should set @code{errno} appropriately.
 
 In some environments, setting @code{errno} is unreliable, for example
 Windows have several errno variables in different CRTs, or it may be
 that errno is not a thread-local variable.  If this is a concern to
-you, call @code{gnutls_transport_set_errno} with the intended errno
+you, call @funcref{gnutls_transport_set_errno} with the intended errno
 value instead of setting @code{errno} directly.
 
address@hidden
+
 @acronym{GnuTLS} currently only interprets the EINTR and EAGAIN errno
 values and returns the corresponding @acronym{GnuTLS} error codes:
 @itemize
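Review bot: "All those functions accept a callback function as a parameter." is not accurate for the list that now precedes it, because gnutls_transport_set_ptr is in that list and takes a transport pointer, not a callback. The following sentence also describes only the push side ("should return the number of bytes written"), which does not fit the pull and pull-timeout callbacks. Suggest restricting the sentence to the push and pull setters and describing the return value as bytes written or read. Separately, "is not limited to any transport layer and can be used above any transport layer, as long as it is a reliable one" repeats itself; "can be used above any reliable transport layer" says the same thing.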
@@ -102,35 +101,21 @@ timers and waiting for peer's messages during the 
handshake process,
 blocking operation of @acronym{GnuTLS} during @acronym{DTLS} handshake
 can be changed using the appropriate flags in @funcref{gnutls_init}.
 
address@hidden
+
 By default, if the transport functions are not set, @acronym{GnuTLS}
-will use the Berkeley Sockets functions. 
+will use the Berkeley sockets. 
 
 @node The TLS record protocol
address@hidden The TLS Record Protocol
address@hidden The TLS record protocol
 @cindex Record protocol
 
-The Record protocol is the secure communications provider. Its purpose
+The record protocol is the secure communications provider. Its purpose
 is to encrypt, authenticate and ---optionally--- compress packets.
-The following functions are available:
-
address@hidden @asis
-
address@hidden @funcref{gnutls_record_send}:
-To send a record packet with application data.
-
address@hidden @funcref{gnutls_record_recv}:
-To receive a record packet with application data.
 
address@hidden @funcref{gnutls_record_recv_seq}:
-To receive a record packet with application data as well
-as the sequence number of that. This is useful in @acronym{DTLS}
-where packets might be lost or received out of order.
address@hidden
 
address@hidden @funcref{gnutls_record_get_direction}:
-To get the direction of the last interrupted function call.
address@hidden table
-
-In @acronym{TLS} those functions can be called at any time after
+The record layer functions can be called at any time after
 the handshake process is finished, when there is need to receive
 or send data. In @acronym{DTLS} however, due to re-transmission
 timers used in the handshake out-of-order handshake data might
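Review bot: Rewriting "In @acronym{TLS} those functions can be called at any time after" as "The record layer functions can be called at any time after" drops the qualifier that the next sentence depends on, since it continues "In @acronym{DTLS} however". As written the paragraph first makes an unconditional statement and then contradicts it for DTLS. Keep "In @acronym{TLS}" at the start of the new sentence.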
@@ -140,15 +125,20 @@ should call @funcref{gnutls_record_recv} or 
@funcref{gnutls_record_recv_seq}
 for every packet received by the peer, even if no data were
 expected. 
 
-As you may have already noticed, the functions which access the Record
+As you may have already noticed, the functions which access the record
 protocol, are quite limited, given the importance of this protocol in
address@hidden  This is because the Record protocol's parameters are
-all set by the Handshake protocol.
address@hidden  This is because the record protocol's parameters are
+all set by the handshake protocol.
 
-The Record protocol initially starts with NULL parameters, which means
+The record protocol initially starts with NULL parameters, which means
 no encryption, and no MAC is used. Encryption and authentication begin
 just after the handshake protocol has finished.
 
address@hidden
address@hidden
address@hidden
address@hidden @showfuncdesc{gnutls_record_get_direction}
+
 @menu
 * Encryption algorithms used in the record layer::
 * Compression algorithms used in the record layer::
@@ -157,7 +147,7 @@ just after the handshake protocol has finished.
 @end menu
 
 @node Encryption algorithms used in the record layer
address@hidden Encryption Algorithms Used in the Record Layer
address@hidden Encryption algorithms used in the record layer
 @cindex Symmetric encryption algorithms
 
 Confidentiality in the record layer is achieved by using symmetric
@@ -198,7 +188,7 @@ This mode combines message authentication and encryption 
and can
 be extremely fast on CPUs that support hardware acceleration.
 
 @item CAMELLIA_CBC @tab
-This is an 128-bit block cipher developed by Mitsubish and NTT. It
+This is an 128-bit block cipher developed by Mitsubishi and NTT. It
 is one of the approved ciphers of the European NESSIE and Japanese
 CRYPTREC projects.
 
@@ -232,13 +222,13 @@ GCM, is in use.
 
 
 @node Compression algorithms used in the record layer
address@hidden Compression Algorithms Used in the Record Layer
address@hidden Compression algorithms used in the record layer
 @cindex Compression algorithms
 
 The TLS record layer also supports compression.  The algorithms
 implemented in @acronym{GnuTLS} can be found in the table below.
 The included algorithms perform really good when text, or other
-compressible data are to be transfered, but offer nothing on already
+compressible data are to be transferred, but offer nothing on already
 compressed data, such as compressed images, zipped archives etc.
 These compression algorithms, may be useful in high bandwidth TLS
 tunnels, and in cases where network usage has to be minimized. It
@@ -257,9 +247,9 @@ No compression.
 @end table
 
 @node Weaknesses and countermeasures
address@hidden Weaknesses and Countermeasures
address@hidden Weaknesses and countermeasures
 
-Some weaknesses that may affect the security of the Record layer have
+Some weaknesses that may affect the security of the record layer have
 been found in @acronym{TLS} 1.0 protocol. These weaknesses can be
 exploited by active attackers, and exploit the facts that
 
@@ -284,12 +274,12 @@ which is implemented in @acronym{GnuTLS}. For a detailed 
discussion
 see the archives of the TLS Working Group mailing list and @xcite{CBCATT}.
 
 @node On Record Padding
address@hidden On Record Padding
address@hidden On record padding
 @cindex Record padding
 @cindex Bad record MAC
 
-The TLS protocol allows for random padding of records, to make it more
-difficult to perform analysis on the length of exchanged messages (see 
@xcite{RFC5246} section 6.2.3.2).  
+The TLS protocol allows for random padding of records, to prevent
+statistical analysis based on the length of exchanged messages (see 
@xcite{RFC5246} section 6.2.3.2).  
 GnuTLS appears to be one of few implementation that take advantage of this 
text, 
 and pad records by a random length.
 
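Review bot: Changing "to make it more difficult to perform analysis on the length of exchanged messages" to "to prevent statistical analysis based on the length of exchanged messages" overstates what random record padding provides. Padding by a random length obscures individual message lengths but does not rule out length-based analysis, and a manual should not promise a guarantee the mechanism does not give. Suggest "to make statistical analysis based on the length of exchanged messages more difficult". The context line "one of few implementation that take advantage" also needs "implementations".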
@@ -305,7 +295,7 @@ record MAC', or both, on the GnuTLS server side.
 GnuTLS implements a work around for this problem.  However, it has to
 be enabled specifically.  It can be enabled by using
 @funcref{gnutls_record_disable_padding}, or @funcref{gnutls_priority_set} with
-the @code{%COMPAT} priority string.
+the @code{%COMPAT} priority string (see @ref{Priority Strings}).
 
 If you implement an application that have a configuration file, we
 recommend that you make it possible for users or administrators to
@@ -314,17 +304,13 @@ application via @funcref{gnutls_priority_set}.  To allow 
the best
 flexibility, make it possible to have a different priority string for
 different incoming IP addresses.
 
-To enable the workaround in the @command{gnutls-cli} client or the
address@hidden server, for testing of other implementations, use
-the parameter: @option{--priority "NORMAL:%COMPAT"}.
-
 
 @node The TLS Alert Protocol
address@hidden The TLS Alert Protocol
address@hidden The TLS alert protocol
 @anchor{The Alert Protocol}
 @cindex Alert protocol
 
-The Alert protocol is there to allow signals to be sent between peers.
+The alert protocol is there to allow signals to be sent between peers.
 These signals are mostly used to inform the peer about the cause of a
 protocol failure. Some of these signals are used internally by the
 protocol and the application protocol does not have to cope with them
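Review bot: The removed paragraph with @option{--priority "NORMAL:%COMPAT"} was the only concrete invocation in this node for testing the padding workaround against other implementations with @command{gnutls-cli}. The previous hunk now sends readers to @ref{Priority Strings} for %COMPAT, so please confirm that node, or the tool documentation, carries an equivalent command-line example before deleting it here.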
@@ -332,75 +318,52 @@ protocol and the application protocol does not have to 
cope with them
 application protocol solely (e.g. @code{GNUTLS_A_USER_CANCELLED}).  An
 alert signal includes a level indication which may be either fatal or
 warning. Fatal alerts always terminate the current connection, and
-prevent future renegotiations using the current session ID.
+prevent future re-negotiations using the current session ID. All alert
+messages are summarized in @ref{tab:alerts}.
+
 
 The alert messages are protected by the record protocol, thus the
 information that is included does not leak. You must take extreme care
 for the alert information not to leak to a possible attacker, via
-public log files etc.
+public log files etc. The available functions to control the alert
+protocol are shown below.
 
address@hidden @asis
address@hidden @funcref{gnutls_alert_send}:
-To send an alert signal.
address@hidden
 
address@hidden @funcref{gnutls_error_to_alert}:
-To map a gnutls error number to an alert signal.
address@hidden
 
address@hidden @funcref{gnutls_alert_get}:
-Returns the last received alert.
address@hidden,gnutls_alert_get_name}
 
address@hidden @funcref{gnutls_alert_get_name}:
-Returns the name, in a character array, of the given alert.
address@hidden alerts.texi
 
address@hidden table
 
 @node The TLS Handshake Protocol
address@hidden The TLS Handshake Protocol
address@hidden The TLS handshake protocol
 @anchor{The Handshake Protocol}
 @cindex Handshake protocol
 
-The Handshake protocol is responsible for the ciphersuite negotiation,
+The handshake protocol is responsible for the ciphersuite negotiation,
 the initial key exchange, and the authentication of the two peers.
 This is fully controlled by the application layer, thus your program
-has to set up the required parameters. Available functions to control
-the handshake protocol include:
+has to set up the required parameters. The main handshake function
+is @funcref{gnutls_handshake}. In the next paragraphs we elaborate on 
+controlling of the handshake protocol, i.e., the ciphersuite negotiation.
 
address@hidden @asis
address@hidden @funcref{gnutls_priority_init}:
-To initialize a priority set of ciphers.
-
address@hidden @funcref{gnutls_priority_deinit}:
-To deinitialize a priority set of ciphers.
-
address@hidden @funcref{gnutls_priority_set}:
-To associate a priority set with a @acronym{TLS} session.
-
address@hidden @funcref{gnutls_priority_set_direct}:
-To directly associate a session with a given priority string.
address@hidden
 
address@hidden @funcref{gnutls_credentials_set}:
-To set the appropriate credentials structures.
-
address@hidden @funcref{gnutls_certificate_server_set_request}:
-To set whether client certificate is required or not.
-
address@hidden @funcref{gnutls_handshake}:
-To initiate the handshake.
address@hidden table
 
 @menu
 * TLS Cipher Suites::           TLS session parameters.
 * Priority Strings::            Defining how parameters are negotiated.
 * Client Authentication::       Requesting a certificate from the client.
 * Resuming Sessions::           Reusing previously established keys.
-* Resuming Internals::          More information on reusing previously 
established keys.
 * Interoperability::            About interoperability with other 
implementations.
 @end menu
 
 @node TLS Cipher Suites
address@hidden TLS Cipher Suites
address@hidden TLS ciphersuites
 
-The Handshake Protocol of @acronym{TLS} negotiates cipher suites of
+The handshake protocol of @acronym{TLS} negotiates cipher suites of
 a special form illustrated by the @code{TLS_DHE_RSA_WITH_3DES_CBC_SHA} cipher 
suite name.  A typical cipher
 suite contains these parameters:
 
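Review bot: The added alert-section line spells it "re-negotiations", while the rest of the chapter, including the new "Safe renegotiation" heading and the `%SAFE_RENEGOTIATION` description, uses "renegotiation"; pick one spelling. In the handshake section, "we elaborate on controlling of the handshake protocol, i.e., the ciphersuite negotiation" is awkward and narrower than the menu that follows, which also covers client authentication and session resumption; "the following sections describe how to control the handshake" would match it.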
@@ -418,21 +381,25 @@ suite contains these parameters:
 @end itemize
 
 The cipher suite negotiated in the handshake protocol will affect the
-Record Protocol, by enabling encryption and data authentication.  Note
+record protocol, by enabling encryption and data authentication.  Note
 that you should not over rely on @acronym{TLS} to negotiate the
 strongest available cipher suite. Do not enable ciphers and algorithms
 that you consider weak.
 
-All the supported ciphersuites are shown in @ref{ciphersuites}.
+All the supported ciphersuites are listed in @ref{ciphersuites}.
 
 @node Priority Strings
address@hidden Priority Strings
address@hidden Priority strings
 
-In order to specify cipher suite preferences, the
+In order to specify cipher suite preferences on client or server side, the
 previously shown priority functions accept a string
-that specifies the algorithms to be enabled in a TLS handshake.
+that specifies the enable for the handshake algorithms.
 That string may contain some high level keyword such as
-the keywords in @ref{tab:prio-keywords}.
+the keywords in @ref{tab:prio-keywords}
+or it might contain special keywords, to be explained
+later on.
+
address@hidden,gnutls_priority_init,gnutls_priority_deinit,gnutls_priority_set}
 
 @float Table,tab:prio-keywords
 @multitable @columnfractions .30 .70
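Review bot: The replacement line "that specifies the enable for the handshake algorithms" in the Priority strings introduction is not grammatical and loses the meaning of the line it replaces ("that specifies the algorithms to be enabled in a TLS handshake"). Keep the old wording and add only the "on client or server side" part. The relocated "or it might contain special keywords, to be explained later on" could reference @ref{tab:prio-special} directly instead of "later on".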
@@ -476,9 +443,6 @@ algorithms to be enabled.
 @caption{Supported priority string keywords.}
 @end float
 
-or it might contain special keywords, that will be explained
-later on.
-
 Unless the first keyword is "NONE" the defaults (in preference
 order) are for TLS protocols TLS 1.2, TLS1.1, TLS1.0, SSL3.0; for
 compression NULL; for certificate types X.509, OpenPGP.
@@ -488,26 +452,20 @@ protocols.  In all cases all the supported key exchange 
algorithms
  are enabled (except for the RSA-EXPORT which is only enabled in
 EXPORT level).
 
-The NONE keyword is followed by the algorithms to be enabled,
-and is used to provide the exact list of requested address@hidden
-To avoid collisions in order to specify a compression algorithm in
+The NONE keyword must followed by the algorithms to be enabled,
+and is used to provide the exact list of requested address@hidden avoid 
collisions in order to specify a compression algorithm in
 this string you have to prefix it with "COMP-", protocol versions
 with "VERS-", signature algorithms with "SIGN-" and certificate types with 
"CTYPE-". All other
 algorithms don't need a prefix.}. The order with which every algorithm
 is specified is significant. Similar algorithms specified before others
 will take precedence. The individual algorithms are shown in 
@ref{tab:prio-algorithms}
 and special keywords are in @ref{tab:prio-special}.
-
-
-Keywords prepended to individual algorithms:
+The prefixes for individual algorithms are:
 @table @asis
-
 @item '!' or '-' 
 appended with an algorithm will remove this algorithm.
-
 @item "+" 
 appended with an algorithm will add this algorithm.
-
 @end table
 
 
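Review bot: "The NONE keyword must followed by" is missing "be". In the same hunk the new lead-in calls '!', '-' and '+' "prefixes", while the items under it still say "appended with an algorithm"; since exact syntax and order matter in a priority string, change the items to "prepended to an algorithm" so the two agree.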
@@ -567,7 +525,7 @@ completely.  Do not use unless you know what you are doing.
 Testing purposes only.
 
 @item %UNSAFE_RENEGOTIATION @tab
-will allow handshakes and rehandshakes
+will allow handshakes and re-handshakes
 without the safe renegotiation extension.  Note that for clients
 this mode is insecure (you may be under attack), and for servers it
 will allow insecure clients to connect (which could be fooled by an
@@ -576,7 +534,7 @@ maximum compatibility.
 
 @item %PARTIAL_RENEGOTIATION @tab
 will allow initial handshakes to proceed,
-but not rehandshakes.  This leaves the client vulnerable to attack,
+but not re-handshakes.  This leaves the client vulnerable to attack,
 and servers will be compatible with non-upgraded clients for
 initial handshakes.  This is currently the default for clients and
 servers, for compatibility reasons.
@@ -584,7 +542,7 @@ servers, for compatibility reasons.
 @item %SAFE_RENEGOTIATION @tab
 will enforce safe renegotiation.  Clients and
 servers will refuse to talk to an insecure peer.  Currently this
-causes operability problems, but is required for full protection.
+causes interoperability problems, but is required for full protection.
 
 @item %SSL3_RECORD_VERSION @tab
 will use SSL3.0 record version in client hello.
@@ -604,86 +562,80 @@ will allow V1 CAs in chains.
 @end float
 
 @node Client Authentication
address@hidden Client Authentication
address@hidden Client authentication
 @cindex Client Certificate authentication
 
 In the case of ciphersuites that use certificate authentication, the
 authentication of the client is optional in @acronym{TLS}.  A server
-may request a certificate from the client --- using the
+may request a certificate from the client using the
 @funcref{gnutls_certificate_server_set_request} function. If a certificate
 is to be requested from the client during the handshake, the server
 will send a certificate request message that contains a list of
 acceptable certificate signers. In @acronym{GnuTLS} the certificate
 signers list is constructed using the trusted Certificate Authorities
-by the server. That is the ones set using
address@hidden
address@hidden @funcref{gnutls_certificate_set_x509_trust_file}
address@hidden @funcref{gnutls_certificate_set_x509_trust_mem}
address@hidden itemize
+by the server. That is the ones set using the following functions.
+
address@hidden,gnutls_certificate_set_x509_trust_mem}
 
-Sending of the names of the certificate authorities can be controlled using 
the function
address@hidden The client, then, may
-send a certificate, signed by one of the server's acceptable signers.
address@hidden
+
+In cases where the server supports a large number of certificate authorities
+it makes sense not to advertise all of the names to save bandwidth. That can
+be controlled using the function 
@funcref{gnutls_certificate_send_x509_rdn_sequence}. 
+This however will have the side-effect of not restricting the client to 
certificates
+signed by server's acceptable signers.
+
address@hidden
 
 @node Resuming Sessions
address@hidden Resuming Sessions
address@hidden Resuming sessions
 @anchor{resume}
 @cindex Resuming sessions
 
 The @funcref{gnutls_handshake} function, is expensive since a lot of
 calculations are performed. In order to support many fast connections
-to the same server a client may use session resuming. @strong{Session
-resuming} is a feature of the @acronym{TLS} protocol which allows a
+to the same server a client may use session resuming. Session
+resuming is a feature of the @acronym{TLS} protocol which allows a
 client to connect to a server, after a successful handshake, without
-the expensive calculations.  This is achieved by using the previously
+the expensive calculations.  This is achieved by re-using the previously
 established keys. @acronym{GnuTLS} supports this feature, and the
 example in @ref{ex:resume-client} illustrates a typical use of it.
 
-Keep in mind that sessions are expired after some time, for security
-reasons, thus it may be normal for a server not to resume a session
-even if you requested that.  Also note that you must enable, using the
+Keep in mind that sessions might be expired after some time, 
+thus it may be normal for a server not to resume a session
+even if you requested that.  That is to prevent temporal session keys
+from becoming long-term keys. Also note that as a client you must enable, 
using the
 priority functions, at least the algorithms used in the last session.
 
address@hidden Resuming Internals
address@hidden Resuming Internals
-
 The resuming capability, mostly in the server side, is one of the
 problems of a thread-safe TLS implementations. The problem is that all
 threads must share information in order to be able to resume
 sessions. The gnutls approach is, in case of a client, to leave all
 the burden of resuming to the client. That is, copy and keep the
-necessary parameters. See the functions:
+necessary parameters. The relevant functions are listed below.
 
address@hidden
address@hidden
 
address@hidden @funcref{gnutls_session_get_data}
address@hidden
 
address@hidden @funcref{gnutls_session_get_id}
address@hidden
 
address@hidden @funcref{gnutls_session_set_data}
-
address@hidden itemize
-
-The server side is different. A server has to specify some callback
+Server side is different. A server needs to specify callback
 functions which store, retrieve and delete session data. These can be
-registered with:
+registered with the functions shown below.
 
address@hidden
address@hidden
 
address@hidden @funcref{gnutls_db_set_remove_function}
address@hidden
 
address@hidden @funcref{gnutls_db_set_store_function}
-
address@hidden @funcref{gnutls_db_set_retrieve_function}
-
address@hidden @funcref{gnutls_db_set_ptr}
-
address@hidden itemize
address@hidden,gnutls_db_set_remove_function}
 
 It might also be useful to be able to check for expired sessions in
 order to remove them, and save space. The function
 @funcref{gnutls_db_check_entry} is provided for that reason.
 
address@hidden
+
 @node Interoperability
 @subsection Interoperability
 
@@ -709,11 +661,12 @@ NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT
 This priority string will only enable SSL 3.0 and TLS 1.0 as protocols and
 will disable, via the @code{%COMPAT} keyword, several @acronym{TLS} protocol
 options that are known to cause compatibility problems.
-We suggest however only to use this mode if compatibility issues occur.
+We suggest however only to use this mode if compatibility is preferred over
+security.
 
 @node TLS Extensions
address@hidden TLS Extensions
address@hidden TLS Extensions
address@hidden TLS extensions
address@hidden TLS extensions
 
 A number of extensions to the @acronym{TLS} protocol have been
 proposed mainly in @xcite{TLSEXT}. The extensions supported
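Review bot: "if compatibility is preferred over security" now tells the reader that `%COMPAT` costs security, but the paragraph only describes it as disabling options "that are known to cause compatibility problems". Name what is given up, for example by pointing back to the record padding text, which says `%COMPAT` enables the same workaround as gnutls_record_disable_padding, so that an administrator can judge the trade-off.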
@@ -728,21 +681,22 @@ in @acronym{GnuTLS} are:
 
 and they will be discussed in the subsections that follow.
 
address@hidden Maximum Fragment Length Negotiation
address@hidden TLS Extensions
address@hidden Maximum fragment length negotiation
address@hidden TLS extensions
 @cindex Maximum fragment length
 
 This extension allows a @acronym{TLS} implementation to negotiate a
 smaller value for record packet maximum length. This extension may be
-useful to clients with constrained capabilities. See the functions:
address@hidden
address@hidden @funcref{gnutls_record_set_max_size}
address@hidden @funcref{gnutls_record_get_max_size}
address@hidden itemize
+useful to clients with constrained capabilities. The functions shown
+below can be used to control this extension.
 
address@hidden Server Name Indication
address@hidden
+
address@hidden
+
address@hidden Server name indication
 @anchor{serverind}
address@hidden TLS Extensions
address@hidden TLS extensions
 @cindex Server name indication
 
 A common problem in @acronym{HTTPS} servers is the fact that the
@@ -757,9 +711,13 @@ begins within the first handshake packet.  The functions
 used to enable this extension, or to retrieve the name sent by a
 client.
 
address@hidden Session Tickets
address@hidden TLS Extensions
address@hidden Session Tickets
address@hidden
+
address@hidden
+
address@hidden Session tickets
address@hidden TLS extensions
address@hidden Session tickets
 @cindex Ticket
 
 To resume a TLS session the server normally store some state.  This
@@ -775,13 +733,19 @@ Clients can enable support for TLS tickets with
 Clients resume sessions using the ticket using the normal session
 resume functions, @ref{resume}.
 
address@hidden Safe Renegotiation
address@hidden
+
address@hidden
+
address@hidden
+
address@hidden Safe renegotiation
 @cindex renegotiation
 
 TLS gives the option to two communicating parties to renegotiate
 and update their security parameters. One useful example of this feature
 was for a client to initially connect using anonymous negotiation to a
-server, and the renegotiate using some authenticated ciphersuite. This occured
+server, and the renegotiate using some authenticated ciphersuite. This occurred
 to avoid having the client sending its credentials in the clear.
 
 However this renegotiation, as initially designed would not ensure that
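Review bot: The spelling fix to "occurred" leaves the typo on the context line directly above it, "and the renegotiate using some authenticated ciphersuite", which should read "and then renegotiate". "This occurred to avoid" is also unclear; "This was done to avoid having the client send its credentials in the clear" says what is meant.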
@@ -831,14 +795,14 @@ negotiated.
 
 Note that permitting clients to connect to servers when the safe
 renegotiation extension is not enabled, is open up for attacks.
-Changing this default behaviour would prevent interoperability against
+Changing this default behavior would prevent interoperability against
 the majority of deployed servers out there.  We will reconsider this
-default behaviour in the future when more servers have been upgraded.
+default behavior in the future when more servers have been upgraded.
 Note that it is easy to configure clients to always require the safe
 renegotiation extension from servers (see below on the
 @code{%SAFE_RENEGOTIATION} priority string).
 
-To modify the default behaviour, we have introduced some new priority
+To modify the default behavior, we have introduced some new priority
 strings.  The priority strings can be used by applications
 (@funcref{gnutls_priority_set}) and end users (e.g., @code{--priority}
 parameter to @code{gnutls-cli} and @code{gnutls-serv}).
@@ -848,7 +812,7 @@ The @code{%UNSAFE_RENEGOTIATION} priority string permits
 negotiated. The default behavior is @code{%PARTIAL_RENEGOTIATION} that will
 prevent renegotiation with clients and servers not supporting the
 extension. This is secure for servers but leaves clients vulnerable
-to some attacks, but this is a tradeoff between security and compatibility
+to some attacks, but this is a trade-off between security and compatibility
 with old servers. The @code{%SAFE_RENEGOTIATION} priority string makes
 clients and servers require the extension for every handshake. The latter
 is the most secure option for clients, at the cost of not being able
@@ -877,19 +841,19 @@ used to check if the extension has been negotiated on a 
session, and
 can be used both by clients and servers.
 
 @node Selecting cryptographic key sizes
address@hidden Selecting Cryptographic Key Sizes
address@hidden Selecting cryptographic key sizes
 @cindex key sizes
 
 In TLS, since a lot of algorithms are involved, it is not easy to set
 a consistent security level.  For this reason in @ref{tab:key-sizes} we
-present some correspondance between key sizes of symmetric algorithms
+present some correspondence between key sizes of symmetric algorithms
 and public key algorithms based on @xcite{ECRYPT}. 
 Those can be used to generate certificates with
 appropriate key sizes as well as select parameters for Diffie-Hellman and SRP
 authentication.
 
 @float Table,tab:key-sizes
address@hidden @columnfractions .10 .15 .10 .20 .35
address@hidden @columnfractions .10 .12 .10 .20 .32
 
 @headitem Security bits @tab RSA, DH and SRP parameter size @tab ECC key size 
@tab Security parameter @tab Description
 
@@ -937,33 +901,30 @@ A mapping to @code{gnutls_sec_param_t} value is given for 
each security paramete
 the next column, and finally a brief description of the level.
 
 Note however that the values suggested here are nothing more than an
-educated guess that is valid today. There are no guarrantees that an
+educated guess that is valid today. There are no guarantees that an
 algorithm will remain unbreakable or that these values will remain
 constant in time. There could be scientific breakthroughs that cannot
 be predicted or total failure of the current public key systems by
 quantum computers. On the other hand though the cryptosystems used in
 TLS are selected in a conservative way and such catastrophic
 breakthroughs or failures are believed to be unlikely.
-
-NIST publication SP 800-57 @xcite{NISTSP80057} contains a similar
+The NIST publication SP 800-57 @xcite{NISTSP80057} contains a similar
 table.
 
 When using @acronym{GnuTLS} and a decision on bit sizes for a public
 key algorithm is required, use of the following functions is  
 recommended:
address@hidden
 
address@hidden @funcref{gnutls_pk_bits_to_sec_param}
address@hidden
 
address@hidden @funcref{gnutls_sec_param_to_pk_bits}
address@hidden
 
address@hidden itemize
 Those functions will convert a human understandable security parameter
 of @code{gnutls_sec_param_t} type, to a number of bits suitable for a public 
 key algorithm.
 
 @node On SSL 2 and older protocols
address@hidden On SSL 2 and Older Protocols
address@hidden On SSL 2 and older protocols
 @cindex SSL 2
 
 One of the initial decisions in the @acronym{GnuTLS} development was
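Review bot: The context sentence after the two function references says "Those functions will convert a human understandable security parameter ... to a number of bits", which describes gnutls_sec_param_to_pk_bits only; gnutls_pk_bits_to_sec_param, going by its name, maps in the other direction. Since the paragraph is being touched, describe both directions. Dropping the blank line before "The NIST publication SP 800-57" also merges a pointer about the table into the paragraph on breakthroughs and quantum computers; keep it as its own paragraph.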
diff --git a/doc/cha-library.texi b/doc/cha-library.texi
index 7486523..98448c4 100644
--- a/doc/cha-library.texi
+++ b/doc/cha-library.texi
@@ -35,30 +35,30 @@ include:
 
 @acronym{GnuTLS} consists of three independent parts, namely the ``TLS
 protocol part'', the ``Certificate part'', and the ``Cryptographic
-backend'' part.  The `TLS protocol part' is the actual protocol
+back-end'' part.  The `TLS protocol part' is the actual protocol
 implementation, and is entirely implemented within the
 @acronym{GnuTLS} library.  The `Certificate part' consists of the
 certificate parsing, and verification functions which is partially
 implemented in the @acronym{GnuTLS} library.  The
address@hidden@url{ftp://ftp.gnupg.org/gcrypt/alpha/gnutls/libtasn1/}},
address@hidden@url{http://www.gnu.org/software/libtasn1/}},
 a library which offers @acronym{ASN.1} parsing capabilities, is used
 for the @acronym{X.509} certificate parsing functions.  
-The ``Cryptographic backend'' is provided by 
address@hidden@url{http://www.lysator.liu.se/~nisse/nettle/}}
+The ``Cryptographic back-end'' is provided by 
address@hidden@url{http://www.lysator.liu.se/~nisse/nettle/}}
 library.
 In order to ease integration in embedded systems, parts of the
 @acronym{GnuTLS} library can be disabled at compile time. That way a
 smaller library, with the required features, can be generated.
 
 @menu
-* General Idea::
+* General idea::
 * Error handling::
 * Memory handling::
 * Thread safety::
 * Callback functions::
 @end menu
 
address@hidden General Idea
address@hidden General Idea
address@hidden General idea
address@hidden General idea
 
 A brief description of how @acronym{GnuTLS} works internally is shown
 at @ref{fig:gnutls-design}. This section may be easier to understand after
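Review bot: The menu entry changes from "* General Idea::" to "* General idea::", which renames the node and not only its title, whereas other chapters in this patch leave node names alone (for example "@node The TLS Alert Protocol" stays as context while only its heading is lowercased). Check that no @ref or @xref elsewhere in the manual still points at "General Idea", or keep the node name and change only the section title.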
@@ -96,9 +96,9 @@ to the transport layer functions, in order to communicate 
with the
 peer.  Every session has a unique session ID shared with the peer.
 
 Since TLS sessions can be resumed, servers would probably need a
-database backend to hold the session's parameters.  Every
+database back-end to hold the session's parameters.  Every
 @acronym{GnuTLS} session after a successful handshake calls the
-appropriate backend function (see @ref{resume}, for information on
+appropriate back-end function (see @ref{resume}, for information on
 initialization) to store the newly negotiated session. The session
 database is examined by the server just after having received the
 client address@hidden first message in a @acronym{TLS} handshake},
@@ -107,7 +107,7 @@ the stored session will be retrieved, and the new session 
will be a
 resumed one, and will share the same session ID with the previous one.
 
 @node Error handling
address@hidden Error Handling
address@hidden Error handling
 
 In @acronym{GnuTLS} most functions return an integer type as a result.
 In almost all cases a zero or a positive number means success, and a
@@ -131,7 +131,7 @@ reference.  See @ref{Error codes}, for a description of the 
available
 error codes.
 
 @node Memory handling
address@hidden Memory Handling
address@hidden Memory handling
 
 @acronym{GnuTLS} internally handles heap allocated objects
 differently, depending on the sensitivity of the data they
@@ -142,41 +142,38 @@ behavior the @funcref{gnutls_global_set_mem_functions} 
function is
 available which can be used to set other memory handlers than the
 defaults.
 
-The @acronym{Libgcrypt} library on which @acronym{GnuTLS} depends, has
-such secure memory allocation functions available. These should be
-used in cases where even the system's swap memory is not considered
-secure. See the documentation of @acronym{Libgcrypt} for more
-information.
-
 @node Thread safety
 @section Thread safety
 
 Although the @acronym{GnuTLS} library is thread safe by design, some
-parts of the cryptographic backend, such as the random generator, are not.
+parts of the cryptographic back-end, such as the random generator, are not.
 Applications can either call @funcref{gnutls_global_init} which will use the 
default
 operating system provided locks (i.e. @code{pthreads} on GNU/Linux and
address@hidden on Windows), or specify manualy the locking system using 
address@hidden on Windows), or specify manually the locking system using 
 the function @funcref{gnutls_global_set_mutex} before calling 
@funcref{gnutls_global_init}. 
 Setting manually mutexes is recommended
 only to applications that have full control of the underlying libraries. If 
this
-is not the case, the use of the operating system defaults is suggested.
-
+is not the case, the use of the operating system defaults is recommended. 
Examples
+are shown below.
 
-There are helper macros to help you properly initialize the libraries.
-Examples are shown in the following paragraphs.
 
address@hidden Native threads
 @example
 #include <gnutls.h>
 
+/* Native threads
+ */
+
 int main()
 @{
    gnutls_global_init();
 @}
 @end example
 
address@hidden Other thread packages
 @example
+#include <gnutls.h>
+
+/* Other thread packages
+ */
 
 int main()
 @{
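Review bot: The second example gains "#include <gnutls.h>", matching the first, but the header GnuTLS installs is <gnutls/gnutls.h>, so neither example compiles as written; fix both includes while here. Both examples also discard the return value of gnutls_global_init(), although the Error handling section of this chapter explains that functions report their result through an integer return; checking it in the manual's own examples would set the right pattern. Separately, the Libgcrypt paragraph is removed with no replacement, so the Memory handling section no longer says anything about keeping sensitive data out of swap; if the new back-end offers no equivalent, say so.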
@@ -187,7 +184,7 @@ int main()
 @end example
 
 @node Callback functions
address@hidden Callback Functions
address@hidden Callback functions
 @cindex Callback functions
 
 There are several cases where @acronym{GnuTLS} may need some out of
@@ -198,23 +195,12 @@ An example of this type of functions are the push and 
pull callbacks
 which are used to specify the functions that will retrieve and send
 data to the transport layer.
 
address@hidden
-
address@hidden @funcref{gnutls_transport_set_push_function}
-
address@hidden @funcref{gnutls_transport_set_pull_function}
-
address@hidden itemize
address@hidden,gnutls_transport_set_pull_function}
 
 Other callback functions may require more complicated input and data
 to be allocated. Such an example is 
 @funcref{gnutls_srp_set_server_credentials_function}.
 All callbacks should allocate and free memory using the functions shown below.
 
address@hidden
address@hidden,gnutls_free}
 
address@hidden @funcref{gnutls_malloc}
-
address@hidden @funcref{gnutls_free}
-
address@hidden itemize
diff --git a/doc/cha-preface.texi b/doc/cha-preface.texi
index 20ea7f8..9e78177 100644
--- a/doc/cha-preface.texi
+++ b/doc/cha-preface.texi
@@ -9,18 +9,17 @@ Even if @acronym{GnuTLS} is a typical library software, it 
operates
 over several security and cryptographic protocols which require the
 programmer to make careful and correct usage of them. Otherwise it
 is likely to only obtain a false sense of security.
-The terms of Security and 
-network security terms are very general even if restricted to computer
-software, and cannot be offered by a single cryptographic
+The term of security is very broad even if restricted to computer
+software, and cannot be confined to a single cryptographic
 library.  For that reason, do not consider any program secure just
 because it uses @acronym{GnuTLS}; there are several ways to compromise
 a program or a communication line and @acronym{GnuTLS} only helps with
 some of them.
 
 Although this document tries to be self contained, basic network
-programming and PKI knowlegde is assumed in most of it. A good
-introduction to networking can be found in @xcite{STEVENS} and for
-Public Key Infrastructure in @xcite{GUTPKI}.
+programming and public key infrastructure (PKI) knowledge is assumed 
+in most of it. A good introduction to networking can be found 
+in @xcite{STEVENS} and for public key infrastructure in @xcite{GUTPKI}.
 
 Updated versions of the @acronym{GnuTLS} software and this document
 will be available from @url{http://www.gnutls.org/} and
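Review bot: "The term of security is very broad" is not idiomatic; "The term security is very broad" or "Security is a very broad term" reads correctly. "cannot be confined to a single cryptographic library" also shifts the meaning away from the old "cannot be offered by": the next sentence ("do not consider any program secure just because it uses GnuTLS") argues that a library cannot provide security on its own, which "offered by" or "provided by" expresses better.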
diff --git a/doc/cha-programs.texi b/doc/cha-programs.texi
index bbdfade..531f0ee 100644
--- a/doc/cha-programs.texi
+++ b/doc/cha-programs.texi
@@ -1,5 +1,5 @@
 @node Included programs
address@hidden Included Programs
address@hidden Included programs
 
 Included with @acronym{GnuTLS} are also a few command line tools that
 let you use the library for common tasks without writing an
@@ -217,7 +217,7 @@ $ certtool --generate-proxy --load-ca-privkey key.pem \
   --outfile proxy-cert.pem
 @end smallexample
 
address@hidden Certificate Revocation List generation
address@hidden Certificate revocation list generation
 To create an empty Certificate Revocation List (CRL) do:
 
 @smallexample
@@ -578,7 +578,7 @@ Usage: gnutls-serv [options]
      -v, --version            prints the program's version number
 @end example
 
address@hidden Setting Up a Test HTTPS Server
address@hidden Setting up a test HTTPS server
 @cindex HTTPS server
 @cindex debug server
 
diff --git a/doc/cha-support.texi b/doc/cha-support.texi
index 273c30e..604f85f 100644
--- a/doc/cha-support.texi
+++ b/doc/cha-support.texi
@@ -72,14 +72,9 @@ development release.  For example, GnuTLS 1.6.3 denote a 
stable
 release since 6 is even, and GnuTLS 1.7.11 denote a development
 release since 7 is odd.
 
-GnuTLS depends on Libgcrypt,
-and you will need to install Libgcrypt
-before installing GnuTLS.  Libgcrypt is available from
address@hidden://ftp.gnupg.org/gcrypt/libgcrypt}.  Libgcrypt needs another
-library, libgpg-error, and you need to install libgpg-error before
-installing Libgcrypt.  Libgpg-error is available from
address@hidden://ftp.gnupg.org/gcrypt/libgpg-error}.
-
+GnuTLS depends on Libnettle, and you will need to install it
+before installing GnuTLS.  Libnettle is available from
address@hidden://www.lysator.liu.se/~nisse/nettle/}.  
 Don't forget to verify the cryptographic signature after downloading
 source code packages.
 
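Review bot: The new Libnettle paragraph runs straight into "Don't forget to verify the cryptographic signature after downloading source code packages", but the text does not say where the signature or the signing key for the Libnettle download can be found. Add that, or make clear that the sentence refers to the GnuTLS packages only.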
@@ -98,8 +93,6 @@ called libtasn1.  A copy of libtasn1 is included in GnuTLS.  
If you
 want to install it separately (e.g., to make it possibly to use
 libtasn1 in other programs), you can get it from
 @url{http://www.gnu.org/software/gnutls/download.html}.
-The OpenPGP part of GnuTLS uses a stripped down version of OpenCDK for
-parsing OpenPGP packets.
 
 A few @code{configure} options may be relevant, summarized below.
 They disable or enable particular features. 
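Review bot: The context line still sends readers to @url{http://www.gnu.org/software/gnutls/download.html} for a separately installed libtasn1, while the cha-library.texi hunk in this same patch switches the libtasn1 link to http://www.gnu.org/software/libtasn1/; use one location in both places. "to make it possibly to use" on the line above should be "possible".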
diff --git a/doc/cha-tls-app.texi b/doc/cha-tls-app.texi
index dbfad72..9344522 100644
--- a/doc/cha-tls-app.texi
+++ b/doc/cha-tls-app.texi
@@ -1,5 +1,5 @@
 @node How to use TLS in application protocols
address@hidden How To Use @acronym{TLS} in Application Protocols
address@hidden How to use @acronym{TLS} in application protocols
 
 This chapter is intended to provide some hints on how to use the
 @acronym{TLS} over simple custom made application protocols.  The
@@ -12,7 +12,7 @@ but may be extended to other ones too.
 @end menu
 
 @node Separate ports
address@hidden Separate Ports
address@hidden Separate ports
 
 Traditionally @acronym{SSL} was used in application protocols by
 assigning a new port number for the secure services. That way two
@@ -39,19 +39,16 @@ is a limitation on the available privileged ports, this 
approach was
 soon obsoleted.
 
 @node Upward negotiation
address@hidden Upward Negotiation
address@hidden Upward negotiation
 
 Other application address@hidden LDAP, IMAP etc.}  use a
 different approach to enable the secure layer.  They use something
 called the ``TLS upgrade'' method. This method is quite tricky but it
 is more flexible. The idea is to extend the application protocol to
 have a ``STARTTLS'' request, whose purpose it to start the TLS
-protocols just after the client requests it.  This is a really neat
-idea and does not require an extra port.
-
-This method is used by almost all modern protocols and there is even
-the @xcite{RFC2817} paper which proposes extensions to HTTP to support
-it.
+protocols just after the client requests it.  This approach
+does not require an extra port and is used by almost all modern protocols.
+There is even an extension to HTTP protocol to support that method 
@xcite{RFC2817}.
 
 The tricky part, in this method, is that the ``STARTTLS'' request is
 sent in the clear, thus is vulnerable to modifications.  A typical
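Review bot: "There is even an extension to HTTP protocol to support that method" needs an article ("to the HTTP protocol"), and the context line above still has "whose purpose it to start the TLS protocols" where "is" is meant; fix both while rewording this paragraph.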
diff --git a/doc/gnutls.texi b/doc/gnutls.texi
index 66368dd..a534184 100644
--- a/doc/gnutls.texi
+++ b/doc/gnutls.texi
@@ -71,6 +71,63 @@ Documentation License''.
 @ref{\ref\}
 @end macro
 
address@hidden showfuncA{ref}
address@hidden
address@hidden @ref{\ref\}
address@hidden itemize
address@hidden macro
+
address@hidden showfuncB{ref1,ref2}
address@hidden
address@hidden @ref{\ref1\}
address@hidden @ref{\ref2\}
address@hidden itemize
address@hidden macro
+
address@hidden showfuncC{ref1,ref2,ref3}
address@hidden
address@hidden @ref{\ref1\}
address@hidden @ref{\ref2\}
address@hidden @ref{\ref3\}
address@hidden itemize
address@hidden macro
+
address@hidden showfuncD{ref1,ref2,ref3,ref4}
address@hidden
address@hidden @ref{\ref1\}
address@hidden @ref{\ref2\}
address@hidden @ref{\ref3\}
address@hidden @ref{\ref4\}
address@hidden itemize
address@hidden macro
+
address@hidden showfuncE{ref1,ref2,ref3,ref4,ref5}
address@hidden
address@hidden @ref{\ref1\}
address@hidden @ref{\ref2\}
address@hidden @ref{\ref3\}
address@hidden @ref{\ref4\}
address@hidden @ref{\ref5\}
address@hidden itemize
address@hidden macro
+
address@hidden showfuncF{ref1,ref2,ref3,ref4,ref5,ref6}
address@hidden
address@hidden @ref{\ref1\}
address@hidden @ref{\ref2\}
address@hidden @ref{\ref3\}
address@hidden @ref{\ref4\}
address@hidden @ref{\ref5\}
address@hidden @ref{\ref6\}
address@hidden itemize
address@hidden macro
+
address@hidden showfuncdesc{ref}
address@hidden
address@hidden @ref{\ref\}
address@hidden itemize
address@hidden macro
+
 @contents
 
 @ifnottex
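Review bot: The seven macros added before @contents differ only in how many @ref items they emit, and showfuncdesc{ref} has exactly the same body as showfuncA{ref}, so in the Texinfo output a full description and a one-function summary render identically as a one-item list. A short comment above the block should say that these are placeholders which doc/scripts/mytexi2latex rewrites for the LaTeX build, and that the letter suffix has to match the number of arguments.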
diff --git a/doc/latex/Makefile.am b/doc/latex/Makefile.am
index 1e86cf3..2c01e88 100644
--- a/doc/latex/Makefile.am
+++ b/doc/latex/Makefile.am
@@ -3,7 +3,7 @@ TEX_OBJECTS = gnutls.tex macros.tex fdl.tex cover.tex gnutls.bib
 GEN_TEX_OBJECTS = cha-preface.tex cha-library.tex cha-intro-tls.tex 
cha-auth.tex \
   cha-cert-auth.tex cha-gtls-app.tex cha-tls-app.tex cha-programs.tex 
cha-support.tex \
   cha-functions.tex error_codes.tex cha-ciphersuites.tex algorithms.tex \
-  cha-errors.tex
+  cha-errors.tex alerts.tex
 
 cha-preface.tex: ../cha-preface.texi
        ../scripts/mytexi2latex $< > $@
@@ -45,10 +45,14 @@ error_codes.tex: $(top_srcdir)/lib/gnutls_errors.c 
$(srcdir)/../errcodes
        $(builddir)/../errcodes --latex > address@hidden
        mv -f address@hidden $@
 
-algorithms.tex: $(srcdir)/../printlist.c $(builddir)/../printlist
+algorithms.tex: ../printlist
        $(builddir)/../printlist --latex > address@hidden
        mv -f address@hidden $@
 
+alerts.tex: ../alert-printlist
+       $(builddir)/../alert-printlist --latex > address@hidden
+       mv -f address@hidden $@
+
 gnutls-api.tex: $(srcdir)/../../lib/*.c $(srcdir)/../../lib/ext/*.c 
$(srcdir)/../../lib/auth/*.c $(srcdir)/../../lib/algorithms/*.c
        echo "" > address@hidden
        for i in $^; do \
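Review bot: In the algorithms.tex and alerts.tex rules the prerequisite is written as ../printlist and ../alert-printlist while the recipe runs $(builddir)/../printlist and $(builddir)/../alert-printlist. Spell the prerequisite the same way as the command so the dependency and the invoked binary cannot diverge, and state why the $(srcdir)/../printlist.c prerequisite was dropped from algorithms.tex.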
@@ -57,6 +61,7 @@ gnutls-api.tex: $(srcdir)/../../lib/*.c 
$(srcdir)/../../lib/ext/*.c $(srcdir)/..
                echo "ok"; \
        done
        $(srcdir)/../scripts/sort1.pl < address@hidden > address@hidden
+       $(srcdir)/../scripts/split.pl functions < address@hidden 
        rm -f address@hidden
        mv -f address@hidden $@
 
@@ -68,6 +73,7 @@ x509-api.tex: $(srcdir)/../../lib/x509/*.c
                echo "ok"; \
        done
        $(srcdir)/../scripts/sort1.pl < address@hidden > address@hidden
+       $(srcdir)/../scripts/split.pl functions < address@hidden 
        rm -f address@hidden
        mv -f address@hidden $@
 
@@ -79,6 +85,7 @@ pgp-api.tex: $(srcdir)/../../lib/openpgp/*.c
                echo "ok"; \
        done
        $(srcdir)/../scripts/sort1.pl < address@hidden > address@hidden
+       $(srcdir)/../scripts/split.pl functions < address@hidden 
        rm -f address@hidden
        mv -f address@hidden $@
 
@@ -90,6 +97,7 @@ extra-api.tex: $(srcdir)/../../libextra/gnutls_extra.c
                echo "ok"; \
        done
        $(srcdir)/../scripts/sort1.pl < address@hidden > address@hidden
+       $(srcdir)/../scripts/split.pl functions < address@hidden 
        rm -f address@hidden
        mv -f address@hidden $@
 
@@ -103,3 +111,5 @@ gnutls.pdf: $(TEX_OBJECTS) $(GEN_TEX_OBJECTS) 
$(SOURCE_GEN_FILES)
 
 clean-am:
        rm -f $(GEN_TEX_OBJECTS) $(SOURCE_GEN_FILES) gnutls.aux gnutls.bbl 
gnutls.blg gnutls.idx gnutls.ilg gnutls.ind gnutls.log gnutls.out gnutls.toc
+       rm -rf functions
+
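Review bot: The functions directory removed here by rm -rf functions is produced only as a side effect of the split.pl lines added to the gnutls-api.tex, x509-api.tex, pgp-api.tex and extra-api.tex recipes, so make has no target for it: if the directory is deleted while those .tex files are still up to date, nothing regenerates it. Consider a stamp file, or make the directory contents depend on the *-api.tex targets. The hunk also adds an empty line at the end of the file, which can be dropped.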
diff --git a/doc/latex/gnutls.bib b/doc/latex/gnutls.bib
index 121c221..b909e45 100644
--- a/doc/latex/gnutls.bib
+++ b/doc/latex/gnutls.bib
@@ -3,7 +3,7 @@
        title = "{The TLS Protocol Version 1.0}",
        month = "January",
        year = "1999",
-       note = "Available from http://www.ietf.org/rfc/rfc2246.txt";,
+       note = "Available from \url{http://www.ietf.org/rfc/rfc2246.txt}";,
        url = "http://www.ietf.org/rfc/rfc2246.txt";
 }
 
@@ -12,7 +12,7 @@
   title="Internet {X.509} Public Key Infrastructure {(PKI)} Proxy Certificate 
Profile", 
   month="June",
   year=2004, 
-  note = "Available from @url{http://www.ietf.org/rfc/rfc3820}";,
+  note = "Available from \url{http://www.ietf.org/rfc/rfc3820}";,
   url = "http://www.ietf.org/rfc/rfc3820";
 }
 
@@ -21,7 +21,7 @@
   title = "Transport Layer Security {(TLS)} Renegotiation Indication 
Extension", 
   month ="February",
   year=2010,
-  note = "Available from @url{http://www.ietf.org/rfc/rfc5746}";,
+  note = "Available from \url{http://www.ietf.org/rfc/rfc5746}";,
   url = "http://www.ietf.org/rfc/rfc5746";
 }
 
@@ -30,7 +30,7 @@
   title = "Transport Layer Security {(TLS)} Session Resumption without 
Server-Side State",
   month="January"
   year="2008"
-  note = "Available from @url{http://www.ietf.org/rfc/rfc5077}";,
+  note = "Available from \url{http://www.ietf.org/rfc/rfc5077}";,
   url = "http://www.ietf.org/rfc/rfc5077";
 }
 
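Review bot: The entry touched here has month="January" and year="2008" without trailing commas in the unchanged lines directly above the edited note field, so BibTeX cannot separate the fields. Since the note line is being edited anyway, add the commas to both lines.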
@@ -61,7 +61,7 @@
        title = "{The TLS Protocol Version 1.2}",
        month = "August",
        year = "2008",
-       note = "Available from http://www.ietf.org/rfc/rfc5246.txt";,
+       note = "Available from \url{http://www.ietf.org/rfc/rfc5246.txt}";,
        url = "http://www.ietf.org/rfc/rfc5246.txt";
 }
 
@@ -70,7 +70,8 @@
        title = "{Colliding X.509 Certificates}",
        publisher = "Cryptology ePrint Archive, Report 2005/067",
        year = "2005",
-       note = "Available from http://eprint.iacr.org/";,
+       note = "Available from \url{http://eprint.iacr.org/2005/067}";,
+       url = "http://eprint.iacr.org/2005/067";
 }
 
 @Misc{ RFC3749,
@@ -78,7 +79,7 @@
        title = "Transport Layer Security Protocol Compression Methods",
        month = "May",
        year = "2004",
-       note = "Available from http://www.ietf.org/rfc/rfc3749.txt";,
+       note = "Available from \url{http://www.ietf.org/rfc/rfc3749.txt}";,
        url = "http://www.ietf.org/rfc/rfc3749.txt";
 }
 
@@ -87,7 +88,7 @@
        title = "Datagram Transport Layer Security",
        month = "April",
        year = "2006",
-       note = "Available from http://www.ietf.org/rfc/rfc4347.txt";,
+       note = "Available from \url{http://www.ietf.org/rfc/rfc4347.txt}";,
        url = "http://www.ietf.org/rfc/rfc4347.txt";
 }
 
@@ -96,17 +97,17 @@
        title = "The {TLS} Protocol Version 1.1",
        month = "April",
        year = "2006",
-       note = "Available from http://www.ietf.org/rfc/rfc4346.txt";,
+       note = "Available from \url{http://www.ietf.org/rfc/rfc4346.txt}";,
        url = "http://www.ietf.org/rfc/rfc4346.txt";
 }
 
 @Misc{ RFC2440,
-       author = "Jon Callas and Lutz Donnerhacke and Hal Finney and Rodney 
Thayer",
+       author = "Jon Callas and Lutz Donnerhacke and Hal Finney and David Shaw 
and Rodney Thayer",
        title = "{OpenPGP} Message Format",
        month = "November",
-       year = "1998",
-       note = "Available from http://www.ietf.org/rfc/rfc2440.txt";,
-       url = "http://www.ietf.org/rfc/rfc2440.txt";
+       year = "2007",
+       note = "Available from \url{http://www.ietf.org/rfc/rfc4880.txt}";,
+       url = "http://www.ietf.org/rfc/rfc4880.txt";
 }
 
 @Misc{ RFC2511,
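Review bot: After this change the entry still carries the key RFC2440, but its author list, year and both URLs now describe RFC 4880. Either rename the key (and the citations that use it) to RFC4880 or keep a separate entry, so the citation label in the manual matches the document it links to. The unchanged month = "November" next to the new year = "2007" should also be checked against the publication date of the document now referenced.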
@@ -114,7 +115,7 @@
        title = "Internet {X.509} Certificate Request Message Format",
        month = "March",
        year = "1999",
-       note = "Available from http://www.ietf.org/rfc/rfc2511.txt";,
+       note = "Available from \url{http://www.ietf.org/rfc/rfc2511.txt}";,
        url = "http://www.ietf.org/rfc/rfc2511.txt";
 }
 
@@ -123,7 +124,7 @@
        title = "Upgrading to {TLS} Within {HTTP/1.1}",
        month = "May",
        year = "2000",
-       note = "Available from http://www.ietf.org/rfc/rfc2817.txt";,
+       note = "Available from \url{http://www.ietf.org/rfc/rfc2817.txt}";,
        url = "http://www.ietf.org/rfc/rfc2817.txt";
 }
 
@@ -132,7 +133,7 @@
        title = "{HTTP over TLS}",
        month = "May",
        year = "2000",
-       note = "Available from http://www.ietf.org/rfc/rfc2818.txt";,
+       note = "Available from \url{http://www.ietf.org/rfc/rfc2818.txt}";,
        url = "http://www.ietf.org/rfc/rfc2818.txt";
 }
 
@@ -141,7 +142,7 @@
        title = "The {SRP} Authentication and Key Exchange System",
        month = "September",
        year = "2000",
-       note = "Available from http://www.ietf.org/rfc/rfc2945.txt";,
+       note = "Available from \url{http://www.ietf.org/rfc/rfc2945.txt}";,
        url = "http://www.ietf.org/rfc/rfc2945.txt";
 }
 
@@ -150,7 +151,7 @@
        title = "{PKCS 10 v1.7:} Certification Request Syntax Specification",
        month = "November",
        year = "2000",
-       note = "Available from http://www.ietf.org/rfc/rfc2986.txt";,
+       note = "Available from \url{http://www.ietf.org/rfc/rfc2986.txt}";,
        url = "http://www.ietf.org/rfc/rfc2986.txt";
 }
 
@@ -159,7 +160,7 @@
        title = "Internet {X.509} Public Key Infrastructure Certificate and 
Certificate Revocation List {(CRL)} Profile",
        month = "April",
        year = "2002",
-       note = "Available from http://www.ietf.org/rfc/rfc3280.txt";,
+       note = "Available from \url{http://www.ietf.org/rfc/rfc3280.txt}";,
        url = "http://www.ietf.org/rfc/rfc3280.txt";
 }
 
@@ -167,9 +168,9 @@
        author = "Alan Freier and Philip Karlton and Paul Kocher",
        title = "The {SSL} Protocol Version 3.0",
        month = "November",
-       year = "1996",
-       note = "Available from http://wp.netscape.com/eng/ssl3/draft302.txt";,
-       url = "http://wp.netscape.com/eng/ssl3/draft302.txt";
+       year = "2011",
+       note = "Available from 
\url{http://tools.ietf.org/html/draft-mavrogiannopoulos-ssl-version3-06}";,
+       url = 
"http://tools.ietf.org/html/draft-mavrogiannopoulos-ssl-version3-06";
 }
 
 @Misc{ PKCS12,
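Review bot: Only year was updated to "2011" in the "The {SSL} Protocol Version 3.0" entry; the unchanged month = "November" is left over from the 1996 reference and now yields "November 2011". Set the month to match the referenced draft or remove the field.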
@@ -190,16 +191,16 @@
        title = "Transport Layer Security {(TLS)} Extensions",
        month = "June",
        year = "2003",
-       note = "Available from http://www.ietf.org/rfc/rfc3546.txt";,
+       note = "Available from \url{http://www.ietf.org/rfc/rfc3546.txt}";,
        url = "http://www.ietf.org/rfc/rfc3546.txt";
 }
 
 @Misc{ TLSSRP,
-       author = "David Taylor and Trevor Perrin and Tom Wu and Nikos 
Mavroyanopoulos",
+       author = "David Taylor and Trevor Perrin and Tom Wu and Nikos 
Mavrogiannopoulos",
        title = "Using {SRP for TLS} Authentication",
        month = "November",
        year = "2007",
-       note = "Available from http://www.ietf.org/rfc/rfc5054.txt";,
+       note = "Available from \url{http://www.ietf.org/rfc/rfc5054.txt}";,
        url = "http://www.ietf.org/rfc/rfc5054.txt";
 }
 
@@ -208,7 +209,7 @@
        title = "On the Use of Channel Bindings to Secure Channels",
        month = "November",
        year = "2007",
-       note = "Available from http://www.ietf.org/rfc/rfc5056.txt";,
+       note = "Available from \url{http://www.ietf.org/rfc/rfc5056.txt}";,
        url = "http://www.ietf.org/rfc/rfc5056.txt";
 }
 
@@ -217,7 +218,7 @@
        title = "Channel Bindings for {TLS}",
        month = "July",
        year = "2010",
-       note = "Available from http://www.ietf.org/rfc/rfc5929.txt";,
+       note = "Available from \url{http://www.ietf.org/rfc/rfc5929.txt}";,
        url = "http://www.ietf.org/rfc/rfc5929.txt";
 }
 
@@ -231,20 +232,20 @@
 }
 
 @Misc{ TLSPGP,
-       author = "Nikos Mavroyanopoulos",
-       title = "Using {OpenPGP keys for TLS} authentication",
-       month = "April",
-       year = "2004",
-       note = "Internet draft, work in progress. Available from 
http://www.normos.org/ietf/draft/draft-ietf-tls-openpgp-keys-05.txt";,
-       url = 
"http://www.normos.org/ietf/draft/draft-ietf-tls-openpgp-keys-05.txt";
+       author = "Nikos Mavrogiannopoulos and Daniel Gillmor",
+       title = "{Using OpenPGP Keys for Transport Layer Security (TLS) 
Authentication}",
+       month = "February",
+       year = "2011",
+       note = "Available from \url{http://tools.ietf.org/html/rfc6091}";,
+       url = "http://tools.ietf.org/html/rfc6091";
 }
 
 @Misc{ TLSCOMP,
        author = "Scott Hollenbeck",
        title = "Transport Layer Security Protocol Compression Methods",
-       month = "January",
+       month = "May",
        year = "2004",
-       note = "Internet draft, work in progress. Available from 
http://www.ietf.org/rfc/rfc3749.txt";,
+       note = "Available from \url{http://www.ietf.org/rfc/rfc3749.txt}";,
        url = "http://www.ietf.org/rfc/rfc3749.txt";
 }
 
@@ -252,7 +253,7 @@
        author = "Bodo Moeller",
        title = "Security of {CBC} Ciphersuites in {SSL/TLS}: Problems and 
Countermeasures",
        year = "2002",
-       note = "Available from http://www.openssl.org/\~\ bodo/tls-cbc.txt",
+       note = "Available from \url{http://www.openssl.org/\~bodo/tls-cbc.txt}";,
        url = "http://www.openssl.org/~bodo/tls-cbc.txt";
 }
 
@@ -260,7 +261,7 @@
        author = "Peter Gutmann",
        title = "Everything you never wanted to know about {PKI} but were 
forced to find out",
        year = "2002",
-       note = "Available from http://www.cs.auckland.ac.nz/\~\ 
pgut001/pubs/pkitutorial.pdf",
+       note = "Available from 
\url{http://www.cs.auckland.ac.nz/\~pgut001/pubs/pkitutorial.pdf}";,
        url = "http://www.cs.auckland.ac.nz/~pgut001/pubs/pkitutorial.pdf";
 }
 
@@ -268,19 +269,19 @@
        author = "Mike Ashley",
        title = "The {GNU} Privacy Handbook",
        year = "2002",
-       note = "Available from http://www.gnupg.org/gph/en/manual.pdf";,
+       note = "Available from \url{http://www.gnupg.org/gph/en/manual.pdf}";,
        url = "http://www.gnupg.org/gph/en/manual.pdf";
 }
 
 @Misc{ TOMSRP,
        author = "Tom Wu",
        title = "The Stanford {SRP} Authentication Project",
-       note = "Available at http://srp.stanford.edu/";,
+       note = "Available from \url{http://srp.stanford.edu/}";,
        url = "http://srp.stanford.edu/";
 }
 
 @Book{ STEVENS,
-       title = "{UNIX} Network Programming, Volume 1 0-13-490012-X",
+       title = "{UNIX} Network Programming, Volume 1",
        author = "W. Richard Stevens",
        publisher = "Prentice Hall",
        year = "1998",
diff --git a/doc/latex/gnutls.tex b/doc/latex/gnutls.tex
index 973eb54..44a008f 100644
--- a/doc/latex/gnutls.tex
+++ b/doc/latex/gnutls.tex
@@ -1,17 +1,21 @@
-\documentclass{book}
+\documentclass[letterpaper,10pt]{book}
 \bibliographystyle{plain}
 
-\usepackage{html}
 \usepackage{fancyhdr}
 \usepackage{graphicx}
 \usepackage{makeidx}
 \usepackage{supertabular}
 \usepackage{color}
-\usepackage{colortbl}
 \usepackage{fancyvrb}
 \usepackage{eurosans}
 \usepackage{parskip}
 \usepackage{hyperref}
+\usepackage{framed}
+\usepackage{verbatim}
+\usepackage{listings}
+\usepackage{xcolor}
+\usepackage[greek,english]{babel}%for euro sign
+
 
 \hypersetup{
     colorlinks,%
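Review bot: \usepackage{xcolor} is added while the existing \usepackage{color} line is kept, and the five new packages are loaded after hyperref. xcolor supersedes color, so the older line can be removed, and moving the new \usepackage lines above hyperref keeps hyperref loaded late, as is usually recommended. The comment on the babel line ("for euro sign") would be clearer if it named the \textgreek{\euro} output of mytexi2latex that it supports.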
diff --git a/doc/latex/macros.tex b/doc/latex/macros.tex
index 26df479..f6ea4a3 100644
--- a/doc/latex/macros.tex
+++ b/doc/latex/macros.tex
@@ -43,3 +43,145 @@
        %\hyperref[#2]{#1()}%
        \code{#1}%
 }
+
+\newcommand{\showfunc}[1]{%
+ \let\Oldfd\functionDescription
+ \let\Oldendfd\endfunctionDescription
+ \let\functionDescription=\comment
+ \let\endfunctionDescription=\endcomment 
+ \let\Oldfr\functionReturns
+ \let\Oldendfr\endfunctionReturns
+ \let\functionReturns=\comment
+ \let\endfunctionReturns=\endcomment 
+\texttt{
+ \input{functions/#1}
+}
+ \let\functionDescription=\Oldfd
+ \let\endfunctionDescription=\Oldendfd
+ \let\functionReturns=\Oldfr
+ \let\endfunctionReturns=\Oldendfr
+}
+
+\newcommand{\showfuncdesc}[1]{%
+%\fcolorbox{black}{light-gray}{
+ \begin{minipage}[l]{\linewidth}
+ \begin{framed}
+  \texttt{
+   \input{functions/#1}
+  }
+% }
+ \end{framed}
+ \vspace{0.15cm}
+ \end{minipage}
+}
+
+\newcommand{\showfuncA}[1]{%
+% \fcolorbox{black}{light-gray}{
+ \begin{samepage}
+ \begin{framed}
+  \texttt{
+   \showfunc{#1}
+  }
+% }
+ \end{framed}
+ \end{samepage}
+}
+
+\newcommand{\showfuncB}[2]{%
+% \fcolorbox{black}{light-gray}{
+ \begin{samepage}
+ \begin{framed}
+  \texttt{
+    \showfunc{#1}
+    \showfunc{#2}
+  }
+% }
+ \end{framed}
+ \end{samepage}
+}
+
+\newcommand{\showfuncC}[3]{%
+% \fcolorbox{black}{light-gray}{
+ \begin{samepage}
+ \begin{framed}
+  \texttt{
+  \showfunc{#1}
+  \showfunc{#2}
+  \showfunc{#3}
+  }
+% }
+ \end{framed}
+ \end{samepage}
+}
+
+\newcommand{\showfuncD}[4]{%
+% \fcolorbox{black}{light-gray}{
+ \begin{samepage}
+ \begin{framed}
+  \texttt{
+  \showfunc{#1}
+  \showfunc{#2}
+  \showfunc{#3}
+  \showfunc{#4}
+  }
+% }
+ \end{framed}
+ \end{samepage}
+}
+
+\newcommand{\showfuncE}[5]{%
+% \fcolorbox{black}{light-gray}{
+ \begin{samepage}
+ \begin{framed}
+  \texttt{
+  \showfunc{#1}
+  \showfunc{#2}
+  \showfunc{#3}
+  \showfunc{#4}
+  \showfunc{#5}
+  }
+% }
+ \end{framed}
+ \end{samepage}
+}
+
+\newcommand{\showfuncF}[6]{%
+% \fcolorbox{black}{light-gray}{
+ \begin{samepage}
+ \begin{framed}
+  \texttt{
+  \showfunc{#1}
+  \showfunc{#2}
+  \showfunc{#3}
+  \showfunc{#4}
+  \showfunc{#5}
+  \showfunc{#6}
+  }
+% }
+ \end{framed}
+ \end{samepage}
+}
+
+\newenvironment{function}%
+ {\begin{minipage}[l]{1\linewidth}}%
+ {\end{minipage}}
+
+\let\functionArguments=\comment
+\let\endfunctionArguments=\endcomment 
+
+\let\functionExamples=\comment
+\let\endfunctionExamples=\endcomment 
+
+\newenvironment{functionDescription}%
+{\vspace{0.5cm}{\bf Description:}\footnotesize}
+{}
+
+\newcommand{\functionTitle}[1]{}
+
+\newenvironment{functionReturns}%
+{\vspace{0.5cm}{\bf Returns:}\footnotesize}
+{}
+
+\let\functionSince=\comment
+\let\endfunctionSince=\endcomment 
+
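Review bot: \showfunc saves and restores \functionDescription, \functionReturns and their \end counterparts by hand with eight \let lines; wrapping the body in \begingroup ... \endgroup would make the redefinitions local and remove the restore block. In the same hunk, \showfuncdesc puts the framed box inside a minipage, which cannot break across pages, so a long function description has nowhere to go at a page boundary. \showfuncA through \showfuncF repeat the same frame with only the argument count changing, and the commented-out \fcolorbox lines can be deleted.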
diff --git a/doc/scripts/gdoc b/doc/scripts/gdoc
index afd0802..49868db 100755
--- a/doc/scripts/gdoc
+++ b/doc/scripts/gdoc
@@ -428,7 +428,8 @@ sub output_tex {
 
     $func =~ s/_/\\_/g;
 
-    print "\n\n\\subsection{". $func . "}\n\\label{" . $args{'function'} . 
"}\n";
+    print "\n\n\\begin{function}\n";
+    print "\\functionTitle{". $func . "}\n";
 
     $type = $args{'functiontype'};
     $type =~ s/_/\\_/g;
@@ -451,9 +452,8 @@ sub output_tex {
     }
     print ")\n";
 
-    print "\n{\\large{Arguments}}\n";
+    print "\n\\begin{functionArguments}\n";
 
-    print "\\begin{itemize}\n";
     $check=0;
     foreach $parameter (@{$args{'parameterlist'}}) {
         $param1 = $args{'parametertypes'}{$parameter};
@@ -462,11 +462,12 @@ sub output_tex {
        $param2 =~ s/_/\\_/g;
 
        $check = 1;
-       print "\\item {\\it ".$param1."} {\\bf ".$param2."}: \n";
+       print "\\functionArgument {\\it ".$param1."} {\\bf ".$param2."}: \n";
 #      print "\n";
 
        $param3 = $args{'parameters'}{$parameter};
-       $param3 =~ s/#([a-zA-Z\_]+)/{\\it \1}/g;
+       $param3 =~ s/\#([a-zA-Z\_]+)/{\\it $1}/g;
+       $param3 =~ s/\%([a-zA-Z\_]+)/{\\bf $1}/g;
 
        $out = just_highlight($param3);
        $out =~ s/_/\\_/g;
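Review bot: The argument lines now start with \functionArgument, but the macros.tex changes in this commit define no such command; the output compiles only because functionArguments is aliased to \comment and its body is discarded. The void fallback a few lines below still prints \item void although the surrounding \begin{itemize} was removed. Define \functionArgument in macros.tex and use it for the void case as well, so the argument list can be re-enabled later without errors.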
@@ -475,29 +476,30 @@ sub output_tex {
     if ($check==0) {
        print "\\item void\n";
     }
-    print "\\end{itemize}\n";
+    print "\\end{functionArguments}\n";
 
     foreach $section (@{$args{'sectionlist'}}) {
        $sec = $section;
        $sec =~ s/_/\\_/g;
        $sec =~ s/#([a-zA-Z\_]+)/{\\it \1}/g;
 
-       print "\n{\\large{$sec}}\\\\\n";
-       print "\\begin{rmfamily}\n";
+       print "\n\\begin{function$sec}\n";
+       $out = $args{'sections'}{$section};
 
-       $sec = $args{'sections'}{$section};
-       $sec =~ s/\\:/:/g;
-       $sec =~ s/#([a-zA-Z\_]+)/{\\it \1}/g;
-       $sec =~ s/->/\$\\rightarrow\$/g;
-       $sec =~ s/([0-9]+)\^([0-9]+)/\$\{\1\}\^\{\2\}\$/g;
-
-       $out = just_highlight($sec);
+       $out =~ s/\#([a-zA-Z\_]+)/{\\it $1}/g;
+       $out =~ s/\%([a-zA-Z\_]+)/{\\bf $1}/g;
+       $out =~ s/\@([a-zA-Z\_]+)/{\\bf $1}/g;
        $out =~ s/_/\\_/g;
+       $out =~ s/#/\\#/g;
+       $out =~ s/\n\n/\n/g;
+       $out =~ s/\\:/:/g;
+       $out =~ s/\-\>/\$\\rightarrow\$/g;
+       $out =~ s/([0-9]+)\^([0-9]+)/\$\{\1\}\^\{\2\}\$/g;
 
        print $out;
-       print "\\end{rmfamily}\n";
+       print "\\end{function$sec}\n";
     }
-    print "\n";
+    print "\\end{function}\n\n";
 }
 
 
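Review bot: print "\n\\begin{function$sec}\n" builds the environment name from the free-form section title, and macros.tex in this commit provides only functionDescription, functionReturns, functionExamples and functionSince, so any other section heading in a source comment produces an undefined environment (and $sec has already had _ rewritten to \_ at that point). Map the known titles explicitly and fall back to a generic environment for the rest. The new substitution on ([0-9]+)\^([0-9]+) still uses \1 and \2 in the replacement while the lines above it were switched to $1, and the call to just_highlight() is dropped for section text; confirm that is intended.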
diff --git a/doc/scripts/mytexi2latex b/doc/scripts/mytexi2latex
index fe7ea2d..7d842df 100755
--- a/doc/scripts/mytexi2latex
+++ b/doc/scripts/mytexi2latex
@@ -27,11 +27,30 @@ sub funcref()
 my $prefix = $_[0];
 my $suffix=$_[0];
        $suffix =~ s/\\//g;
+       $prefix =~ s/\\_/\\_\\-/g;
        return "\\funcref\{$prefix\}\{$suffix\}";
 }
 
+sub showfunc()
+{
+my $prefix = $_[0];
+my $suffix = $_[1];
+       $suffix =~ s/\\//g;
+       $suffix =~ s/\,/\}\{/g;
+       return "\\showfunc$prefix\{$suffix\}";
+}
+
+sub showfuncdesc()
+{
+my $suffix = $_[0];
+       $suffix =~ s/\\//g;
+       return "\\showfuncdesc\{$suffix\}";
+}
+
 my $punescape = \&unescape;
 my $pfuncref = \&funcref;
+my $pshowfunc = \&showfunc;
+my $pshowfuncdesc = \&showfuncdesc;
 my $mode;
 my $num_args = $#ARGV + 1;
 
@@ -45,7 +64,7 @@ my $match = "[\\w\\d-\\.\\/address@hidden:\_\\\\\#]";
 my $spacematch = "[\\s\\w\\d-\\.\\/address@hidden:]";
 my $mathmatch = "[\\s\\w\\d-\\.\\/\\:\\(\\)\\+\\/\\^\\'\\=\{\}\\\\\\,]";
 my $underscorematch = "[\\s\\w\\d-\\.\\/address@hidden:\\~]";
-my $codematch = "[\\s\\w\\d-\\.\\/address@hidden:\\-\\\"\+\\%]";
+my $codematch = "[\\s\\w\\d-\\.\\/address@hidden:\\-\\\"\+\\%\\,]";
 my ($line, $prev_mode);
 my ($verbatim, $label);
 my @stack = ();
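Review bot: Adding \\, to $codematch widens every rule that uses it, not only the new showfunc ones: the \code{}, \command{} and funcref substitutions further down are built on the same class and will now also match arguments containing commas. If only the showfunc macros need commas, give them their own character class.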
@@ -292,7 +311,8 @@ multitable:
                $line =~ s/address@hidden (.+)/\\index{$1}/g;
                $line =~ s/address@hidden($underscorematch+)\}/\\url{$1}/g;
                #$line =~ s/address@hidden/\\euro/g;
-               $line =~ s/address@hidden/euro/g;
+               $line =~ s/address@hidden/\~\\textgreek\{\\euro\}/g;
+               $line =~ s/address@hidden/\\newpage/g;
                $line =~ s/address@hidden($spacematch+)\}/\\file{$1}/g;
                $line =~ s/address@hidden($codematch+)\}/\\code{$1}/g;
                $line =~ s/address@hidden($codematch+)\}/\\command{$1}/g;
@@ -301,6 +321,8 @@ multitable:
                $line =~ s/address@hidden($spacematch+)\}/\\emph{$1}/g;
                $line =~ s/address@hidden/\\myref\{/g;
                $line =~ s/address@hidden($codematch+)\}/$pfuncref->($1)/ge;
+               $line =~ 
s/address@hidden([A-Z])\{($codematch+)\}/$pshowfunc->($1,$2)/ge;
+               $line =~ 
s/address@hidden($codematch+)\}/$pshowfuncdesc->($1)/ge;
                $line =~ s/address@hidden/\\myref\{/g;
                $line =~ s/address@hidden 
(.*)/\\begin{center}\n$1\n\\end{center}/g;
                if ($line =~ m/address@hidden/) {
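Review bot: The new showfunc pattern accepts any suffix ([A-Z]) although only \showfuncA to \showfuncF exist in macros.tex, and nothing checks that the letter matches the number of comma-separated names, so a mismatch surfaces only as a LaTeX error. showfunc() also turns each comma into }{ without trimming spaces, so a list written as "a, b" yields { b}. Restrict the class to [A-F], strip whitespace around the commas, and warn when the count disagrees with the letter.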
diff --git a/doc/scripts/sort1.pl b/doc/scripts/sort1.pl
index 9d31ed4..504394d 100755
--- a/doc/scripts/sort1.pl
+++ b/doc/scripts/sort1.pl
@@ -9,12 +9,12 @@ sub key_of_record {
   my ($i) = 1;
   my ($key) = $lines[$i]; 
 
-  while( !($key =~ m/^\\label(.*)/) && ($i < 5)) { $i=$i+1; $key = $lines[$i]; 
}
+  while( !($key =~ m/^\\functionTitle\{(.*)\}/) && ($i < 5)) { $i=$i+1; $key = 
$lines[$i]; }
 
   return $key;
 }
 
-$/="\n\n\n";          # Records are separated by blank lines.
+$/="\n\\end{function}";          # Records are separated by blank lines.
 @records = <>;  # Read in whole file, one record per array element.
 
 @records = sort { key_of_record($a) cmp key_of_record($b) } @records;
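Review bot: The record separator is now "\n\\end{function}" but the trailing comment still says "Records are separated by blank lines."; update it. With this separator the text after the last \end{function} becomes a record of its own with no \functionTitle line, and key_of_record returns the whole matching line rather than the captured name, so consider returning $1 and skipping records that have no title.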
diff --git a/doc/scripts/split.pl b/doc/scripts/split.pl
new file mode 100755
index 0000000..ca7d785
--- /dev/null
+++ b/doc/scripts/split.pl
@@ -0,0 +1,39 @@
+#!/usr/bin/perl
+
+$dir = shift;
+
+sub key_of_record {
+  local($record) = @_;
+
+  # Split record into lines:
+  my @lines = split /\n/, $record;
+
+  my ($i) = 1;
+  my ($key) = $lines[$i]; 
+
+  while( !($key =~ m/^\\functionTitle\{(.*)\}/) && ($i < 5)) { $i=$i+1; $key = 
$lines[$i]; }
+
+  return $key;
+}
+
+$/="\n\\end{function}";          # Records are separated by blank lines.
address@hidden = <>;  # Read in whole file, one record per array element.
+
+mkdir $dir;
+
address@hidden = sort { key_of_record($a) cmp key_of_record($b) } @records;
+foreach (@records) {
+  $key = $_;
+  $key =~  m/\\functionTitle\{(.*)\}/;
+
+  $key = $1;
+  $key =~ s/\\_/_/g;
+
+  if (defined $key && $key ne "") {
+    open FILE, "> $dir/$key\n" or die $!;
+    print FILE $_ . "\n";
+    close FILE;
+  }
+} 
+
+#print @records;
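Review bot: open FILE, "> $dir/$key\n" is a two-argument open on a name taken from the \functionTitle{...} text of the generated input, so the mode and the path are parsed out of one interpolated string. Use the three-argument form with a lexical handle, for example open(my $fh, '>', "$dir/$key") or die "$dir/$key: $!", and reject keys containing / before writing. The match m/\\functionTitle\{(.*)\}/ is not checked before $1 is read, mkdir $dir has no error check, the script has no use strict, and key_of_record plus the sort are copied from sort1.pl although splitting does not need an ordering.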
diff --git a/lib/algorithms/cert_types.c b/lib/algorithms/cert_types.c
index b0f2a88..12b8151 100644
--- a/lib/algorithms/cert_types.c
+++ b/lib/algorithms/cert_types.c
@@ -84,7 +84,7 @@ static const gnutls_certificate_type_t 
supported_certificate_types[] = {
  * OpenPGP certificates, you must link to libgnutls-extra and call
  * gnutls_global_init_extra().
  *
- * Returns: a zero-terminated list of #gnutls_certificate_type_t
+ * Returns: a (0)-terminated list of #gnutls_certificate_type_t
  *   integers indicating the available certificate types.
  **/
 const gnutls_certificate_type_t *
diff --git a/lib/algorithms/ciphers.c b/lib/algorithms/ciphers.c
index 7b845f9..9bcd4d9 100644
--- a/lib/algorithms/ciphers.c
+++ b/lib/algorithms/ciphers.c
@@ -237,7 +237,7 @@ gnutls_cipher_get_id (const char *name)
  *
  * This function is not thread safe.
  *
- * Returns: a zero-terminated list of #gnutls_cipher_algorithm_t
+ * Returns: a (0)-terminated list of #gnutls_cipher_algorithm_t
  *   integers indicating the available ciphers.
  *
  **/
diff --git a/lib/algorithms/ecc.c b/lib/algorithms/ecc.c
index 53a8920..4360aef 100644
--- a/lib/algorithms/ecc.c
+++ b/lib/algorithms/ecc.c
@@ -279,7 +279,7 @@ _gnutls_ecc_curve_get_params (gnutls_ecc_curve_t curve)
  *
  * Returns the size in bytes of the curve.
  *
- * Returns: a the size or zero.
+ * Returns: a the size or (0).
  **/
 int gnutls_ecc_curve_get_size (gnutls_ecc_curve_t curve)
 {
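Review bot: The edited line still reads "Returns: a the size or (0)."; drop the stray "a" while touching it, for example "Returns: the size or (0)."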
diff --git a/lib/algorithms/kx.c b/lib/algorithms/kx.c
index f3e2196..23a7152 100644
--- a/lib/algorithms/kx.c
+++ b/lib/algorithms/kx.c
@@ -203,7 +203,7 @@ gnutls_kx_get_id (const char *name)
  *
  * This function is not thread safe.
  *
- * Returns: a zero-terminated list of #gnutls_kx_algorithm_t integers
+ * Returns: a (0)-terminated list of #gnutls_kx_algorithm_t integers
  * indicating the available key exchange algorithms.
  **/
 const gnutls_kx_algorithm_t *
diff --git a/lib/algorithms/mac.c b/lib/algorithms/mac.c
index 9390d13..6725d88 100644
--- a/lib/algorithms/mac.c
+++ b/lib/algorithms/mac.c
@@ -147,7 +147,7 @@ gnutls_mac_get_key_size (gnutls_mac_algorithm_t algorithm)
  *
  * This function is not thread safe.
  *
- * Returns: Return a zero-terminated list of #gnutls_mac_algorithm_t
+ * Returns: Return a (0)-terminated list of #gnutls_mac_algorithm_t
  *   integers indicating the available MACs.
  **/
 const gnutls_mac_algorithm_t *
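Review bot: The edited line reads "Returns: Return a (0)-terminated list", repeating the verb after the label. The sibling files changed in this commit use "Returns: a (0)-terminated list"; use the same wording here.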
diff --git a/lib/algorithms/protocols.c b/lib/algorithms/protocols.c
index 3322976..26b5e1a 100644
--- a/lib/algorithms/protocols.c
+++ b/lib/algorithms/protocols.c
@@ -162,7 +162,7 @@ gnutls_protocol_get_id (const char *name)
  *
  * This function is not threat safe.
  *
- * Returns: a zero-terminated list of #gnutls_protocol_t integers
+ * Returns: a (0)-terminated list of #gnutls_protocol_t integers
  * indicating the available protocols.
  *
  **/
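Review bot: The unchanged line two above the edit says "This function is not threat safe." while the other algorithm files in this commit say "thread safe". Fix the typo in the same change, since this comment block feeds the generated manual.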
diff --git a/lib/algorithms/publickey.c b/lib/algorithms/publickey.c
index 5018f77..05e0ba1 100644
--- a/lib/algorithms/publickey.c
+++ b/lib/algorithms/publickey.c
@@ -140,7 +140,7 @@ gnutls_pk_algorithm_get_name (gnutls_pk_algorithm_t 
algorithm)
  *
  * This function is not thread safe.
  *
- * Returns: a zero-terminated list of #gnutls_pk_algorithm_t integers
+ * Returns: a (0)-terminated list of #gnutls_pk_algorithm_t integers
  *   indicating the available ciphers.
  *
  * Since: 2.6.0
diff --git a/lib/algorithms/secparams.c b/lib/algorithms/secparams.c
index b9bb0e3..c3acfe5 100644
--- a/lib/algorithms/secparams.c
+++ b/lib/algorithms/secparams.c
@@ -64,7 +64,7 @@ static const gnutls_sec_params_entry sec_params[] = {
  * will convert a human understandable security parameter to an
  * appropriate size for the specific algorithm.
  *
- * Returns: The number of bits, or zero.
+ * Returns: The number of bits, or (0).
  *
  **/
 unsigned int
diff --git a/lib/algorithms/sign.c b/lib/algorithms/sign.c
index 414df76..9af8a53 100644
--- a/lib/algorithms/sign.c
+++ b/lib/algorithms/sign.c
@@ -113,7 +113,7 @@ gnutls_sign_get_name (gnutls_sign_algorithm_t sign)
  *
  * Get a list of supported public key signature algorithms.
  *
- * Returns: a zero-terminated list of #gnutls_sign_algorithm_t
+ * Returns: a (0)-terminated list of #gnutls_sign_algorithm_t
  *   integers indicating the available ciphers.
  *
  **/
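Review bot: The unchanged continuation line still says "integers indicating the available ciphers", although the description two lines up is "Get a list of supported public key signature algorithms". Correct it to "the available signature algorithms" while the Returns line is being edited; the publickey.c hunk carries the same copied wording.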
diff --git a/lib/auth/cert.c b/lib/auth/cert.c
index 11e2099..207f003 100644
--- a/lib/auth/cert.c
+++ b/lib/auth/cert.c
@@ -662,7 +662,7 @@ cleanup:
 
 /* Finds the appropriate certificate depending on the cA Distinguished name
  * advertized by the server. If none matches then returns 0 and -1 as index.
- * In case of an error a negative value, is returned.
+ * In case of an error a negative error code, is returned.
  *
  * 20020128: added ability to select a certificate depending on the SIGN
  * algorithm (only in automatic mode).
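Review bot: The reworded sentence keeps the misplaced comma: "In case of an error a negative error code, is returned." Suggest "In case of an error, a negative error code is returned."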
@@ -1811,7 +1811,7 @@ _gnutls_gen_cert_server_cert_req (gnutls_session_t 
session,
 
 /* This function will return the appropriate certificate to use. 
  * Fills in the apr_cert_list, apr_cert_list_length and apr_pkey.
- * The return value is a negative value on error.
+ * The return value is a negative error code on error.
  *
  * It is normal to return 0 with no certificates in client side.
  *
@@ -2080,7 +2080,7 @@ _gnutls_selected_certs_set (gnutls_session_t session,
  * requested_algo holds the parameters required by the peer (RSA, DSA
  * or -1 for any).
  *
- * Returns 0 on success and a negative value on error. The
+ * Returns 0 on success and a negative error code on error. The
  * selected certificate will be in session->internals.selected_*.
  *
  */
diff --git a/lib/auth/psk.c b/lib/auth/psk.c
index a7d7663..358dac1 100644
--- a/lib/auth/psk.c
+++ b/lib/auth/psk.c
@@ -88,7 +88,7 @@ _gnutls_set_psk_session_key (gnutls_session_t session,
 
   /* format of the premaster secret:
    * (uint16_t) psk_size
-   * psk_size bytes of zeros
+   * psk_size bytes of (0)s
    * (uint16_t) psk_size
    * the psk
    */
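Review bot: "psk_size bytes of (0)s" reads worse than the original "zeros", and this is an ordinary /* */ comment describing the premaster secret layout rather than a "Returns:" line in a documentation block, so the replacement looks like an over-broad search and replace. Keep "zeros" in this line.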
@@ -107,7 +107,7 @@ error:
 }
 
 /* returns the username and they key for the PSK session.
- * Free is non zero if they have to be freed.
+ * Free is non (0) if they have to be freed.
  */
 int _gnutls_find_psk_key( gnutls_session_t session, 
gnutls_psk_client_credentials_t cred, 
   gnutls_datum_t * username, gnutls_datum_t* key, int* free)
diff --git a/lib/auth/rsa_export.c b/lib/auth/rsa_export.c
index 6d258f3..9e5d56f 100644
--- a/lib/auth/rsa_export.c
+++ b/lib/auth/rsa_export.c
@@ -327,7 +327,7 @@ gen_rsa_export_server_kx (gnutls_session_t session, 
gnutls_buffer_st* data)
   return data->length;
 }
 
-/* if the peer's certificate is of 512 bits or less, returns non zero.
+/* if the peer's certificate is of 512 bits or less, returns non (0).
  */
 int
 _gnutls_peers_cert_less_512 (gnutls_session_t session)
diff --git a/lib/crypto-api.c b/lib/crypto-api.c
index a5ee858..5f79ad0 100644
--- a/lib/crypto-api.c
+++ b/lib/crypto-api.c
@@ -41,7 +41,7 @@
  * current crypto backend in use by gnutls or the cryptographic
  * accelerator in use.
  *
- * Returns: Zero or a negative value on error.
+ * Returns: Zero or a negative error code on error.
  *
  * Since: 2.10.0
  **/
@@ -70,7 +70,7 @@ gnutls_cipher_init (gnutls_cipher_hd_t * handle,
  * associated data (AEAD) ciphers and will return the
  * output tag.
  *
- * Returns: Zero or a negative value on error.
+ * Returns: Zero or a negative error code on error.
  *
  * Since: 2.99.0
  **/
@@ -96,7 +96,7 @@ gnutls_cipher_tag (gnutls_cipher_hd_t handle, void *tag, 
size_t tag_size)
  * input data. This function can only be called once
  * and before any encryption operations.
  *
- * Returns: Zero or a negative value on error.
+ * Returns: Zero or a negative error code on error.
  *
  * Since: 2.99.0
  **/
@@ -137,7 +137,7 @@ gnutls_cipher_set_iv (gnutls_cipher_hd_t handle, void *iv, 
size_t ivlen)
  * This function will encrypt the given data using the algorithm
  * specified by the context.
  *
- * Returns: Zero or a negative value on error.
+ * Returns: Zero or a negative error code on error.
  *
  * Since: 2.10.0
  **/
@@ -156,7 +156,7 @@ gnutls_cipher_encrypt (gnutls_cipher_hd_t handle, void 
*text, size_t textlen)
  * This function will decrypt the given data using the algorithm
  * specified by the context.
  *
- * Returns: Zero or a negative value on error.
+ * Returns: Zero or a negative error code on error.
  *
  * Since: 2.10.0
  **/
@@ -179,7 +179,7 @@ gnutls_cipher_decrypt (gnutls_cipher_hd_t handle, void 
*ciphertext,
  * This function will encrypt the given data using the algorithm
  * specified by the context.
  *
- * Returns: Zero or a negative value on error.
+ * Returns: Zero or a negative error code on error.
  *
  * Since: 2.10.0
  **/
@@ -202,7 +202,7 @@ gnutls_cipher_encrypt2 (gnutls_cipher_hd_t handle, const 
void *text, size_t text
  * This function will decrypt the given data using the algorithm
  * specified by the context.
  *
- * Returns: Zero or a negative value on error.
+ * Returns: Zero or a negative error code on error.
  *
  * Since: 2.10.0
  **/
@@ -245,7 +245,7 @@ gnutls_cipher_deinit (gnutls_cipher_hd_t handle)
  * effectively use the current crypto backend in use by gnutls or the
  * cryptographic accelerator in use.
  *
- * Returns: Zero or a negative value on error.
+ * Returns: Zero or a negative error code on error.
  *
  * Since: 2.10.0
  **/
@@ -273,7 +273,7 @@ gnutls_hmac_init (gnutls_hmac_hd_t * dig,
  * This function will hash the given data using the algorithm
  * specified by the context.
  *
- * Returns: Zero or a negative value on error.
+ * Returns: Zero or a negative error code on error.
  *
  * Since: 2.10.0
  **/
@@ -344,7 +344,7 @@ gnutls_hmac_get_len (gnutls_mac_algorithm_t algorithm)
  * This convenience function will hash the given data and return output
  * on a single call.
  *
- * Returns: Zero or a negative value on error.
+ * Returns: Zero or a negative error code on error.
  *
  * Since: 2.10.0
  **/
@@ -368,7 +368,7 @@ gnutls_hmac_fast (gnutls_mac_algorithm_t algorithm,
  * current crypto backend in use by gnutls or the cryptographic
  * accelerator in use.
  *
- * Returns: Zero or a negative value on error.
+ * Returns: Zero or a negative error code on error.
  *
  * Since: 2.10.0
  **/
@@ -394,7 +394,7 @@ gnutls_hash_init (gnutls_hash_hd_t * dig, 
gnutls_digest_algorithm_t algorithm)
  * This function will hash the given data using the algorithm
  * specified by the context.
  *
- * Returns: Zero or a negative value on error.
+ * Returns: Zero or a negative error code on error.
  *
  * Since: 2.10.0
  **/
@@ -463,7 +463,7 @@ gnutls_hash_get_len (gnutls_digest_algorithm_t algorithm)
  * This convenience function will hash the given data and return output
  * on a single call.
  *
- * Returns: Zero or a negative value on error.
+ * Returns: Zero or a negative error code on error.
  *
  * Since: 2.10.0
  **/
diff --git a/lib/crypto-backend.c b/lib/crypto-backend.c
index 1cfebf8..daac563 100644
--- a/lib/crypto-backend.c
+++ b/lib/crypto-backend.c
@@ -162,7 +162,7 @@ _gnutls_crypto_deregister (void)
  * For simplicity you can use the convenience
  * gnutls_crypto_single_cipher_register() macro.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
  *
  * Since: 2.6.0
  -*/
@@ -196,7 +196,7 @@ _gnutls_get_crypto_cipher (gnutls_cipher_algorithm_t algo)
  * For simplicity you can use the convenience
  * gnutls_crypto_rnd_register() macro.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
  *
  * Since: 2.6.0
  -*/
@@ -231,7 +231,7 @@ gnutls_crypto_rnd_register (int priority,
  * For simplicity you can use the convenience
  * gnutls_crypto_single_mac_register() macro.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
  *
  * Since: 2.6.0
  -*/
@@ -266,7 +266,7 @@ _gnutls_get_crypto_mac (gnutls_mac_algorithm_t algo)
  * For simplicity you can use the convenience
  * gnutls_crypto_single_digest_register() macro.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
  *
  * Since: 2.6.0
  -*/
@@ -303,7 +303,7 @@ _gnutls_get_crypto_digest (gnutls_digest_algorithm_t algo)
  * For simplicity you can use the convenience gnutls_crypto_bigint_register()
  * macro.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
  *
  * Since: 2.6.0
  -*/
@@ -340,7 +340,7 @@ gnutls_crypto_bigint_register (int priority,
  * For simplicity you can use the convenience gnutls_crypto_pk_register()
  * macro.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
  *
  * Since: 2.6.0
  -*/
@@ -374,7 +374,7 @@ gnutls_crypto_pk_register (int priority,
  * For simplicity you can use the convenience
  * gnutls_crypto_cipher_register() macro.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
  *
  * Since: 2.6.0
  -*/
@@ -408,7 +408,7 @@ gnutls_crypto_cipher_register (int priority,
  * For simplicity you can use the convenience
  * gnutls_crypto_digest_register() macro.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
  *
  * Since: 2.6.0
  -*/
@@ -442,7 +442,7 @@ gnutls_crypto_mac_register (int priority,
  * For simplicity you can use the convenience
  * gnutls_crypto_digest_register() macro.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
  *
  * Since: 2.6.0
  -*/
diff --git a/lib/ext/max_record.c b/lib/ext/max_record.c
index b362983..67fcf38 100644
--- a/lib/ext/max_record.c
+++ b/lib/ext/max_record.c
@@ -298,8 +298,8 @@ gnutls_record_get_max_size (gnutls_session_t session)
  * This function uses a TLS extension called 'max record size'.  Not
  * all TLS implementations use or even understand this extension.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS (zero) is returned,
- *   otherwise an error code is returned.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
+ *   otherwise a negative error code is returned.
  **/
 ssize_t
 gnutls_record_set_max_size (gnutls_session_t session, size_t size)
diff --git a/lib/ext/safe_renegotiation.c b/lib/ext/safe_renegotiation.c
index 4373e37..4f5d3ae 100644
--- a/lib/ext/safe_renegotiation.c
+++ b/lib/ext/safe_renegotiation.c
@@ -446,7 +446,7 @@ _gnutls_sr_deinit_data (extension_priv_data_t priv)
  * Can be used to check whether safe renegotiation is being used
  * in the current session.
  *
- * Returns: 0 when safe renegotiation is not used and non zero when
+ * Returns: 0 when safe renegotiation is not used and non (0) when
  *   safe renegotiation is used.
  *
  * Since: 2.10.0
diff --git a/lib/ext/server_name.c b/lib/ext/server_name.c
index ea3e10e..eb96501 100644
--- a/lib/ext/server_name.c
+++ b/lib/ext/server_name.c
@@ -107,7 +107,7 @@ _gnutls_server_name_recv_params (gnutls_session_t session,
             }
           else
             _gnutls_handshake_log
-              ("HSK[%p]: Received zero size server name (under attack?)\n",
+              ("HSK[%p]: Received (0) size server name (under attack?)\n",
                session);
 
         }
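Review bot: the format string in this else branch is a runtime handshake log message, not documentation, so rewriting "zero size" to "(0) size" changes what operators and log-matching rules see when a peer sends an empty server name. Keep the original "Received zero size server name (under attack?)" wording here; the zero-to-(0) substitution only makes sense in the API doc comments.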
@@ -274,8 +274,8 @@ _gnutls_server_name_send_params (gnutls_session_t session,
  * and so on.  If no name with the given index exists
  * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS (zero) is returned,
- *   otherwise an error code is returned.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
+ *   otherwise a negative error code is returned.
  **/
 int
 gnutls_server_name_get (gnutls_session_t session, void *data,
@@ -343,12 +343,12 @@ gnutls_server_name_get (gnutls_session_t session, void 
*data,
  * virtual hosting.
  *
  * The value of @name depends on the @type type.  In case of
- * %GNUTLS_NAME_DNS, an ASCII zero-terminated domain name string,
+ * %GNUTLS_NAME_DNS, an ASCII (0)-terminated domain name string,
  * without the trailing dot, is expected.  IPv4 or IPv6 addresses are
  * not permitted.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS (zero) is returned,
- *   otherwise an error code is returned.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
+ *   otherwise a negative error code is returned.
  **/
 int
 gnutls_server_name_set (gnutls_session_t session,
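Review bot: in the gnutls_server_name_set() description, "an ASCII (0)-terminated domain name string" is another casualty of the blanket substitution and no longer reads as a string terminator. Write "NUL-terminated" or restore "zero-terminated"; the Returns: change in the same hunk is fine as it stands.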
diff --git a/lib/ext/session_ticket.c b/lib/ext/session_ticket.c
index 5d0b0c0..7955396 100644
--- a/lib/ext/session_ticket.c
+++ b/lib/ext/session_ticket.c
@@ -350,7 +350,7 @@ session_ticket_recv_params (gnutls_session_t session,
   return 0;
 }
 
-/* returns a positive number if we send the extension data, zero if we
+/* returns a positive number if we send the extension data, (0) if we
    do not want to send it, and a negative number on failure.
  */
 static int
diff --git a/lib/gcrypt/mpi.c b/lib/gcrypt/mpi.c
index c3bdd61..f71a230 100644
--- a/lib/gcrypt/mpi.c
+++ b/lib/gcrypt/mpi.c
@@ -47,7 +47,7 @@ _format_conv (gnutls_bigint_format_t format)
     return GCRYMPI_FMT_PGP;
 }
 
-/* returns zero on success
+/* returns (0) on success
  */
 static bigint_t
 wrap_gcry_mpi_scan (const void *buffer, size_t nbytes,
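Review bot: the comment above wrap_gcry_mpi_scan() still claims the function returns 0 on success, but the context line shows it returns bigint_t, so the comment is wrong whether it says "zero" or "(0)". Since the line is being edited anyway, replace it with a statement of what the function actually returns on success and on failure.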
@@ -82,7 +82,7 @@ wrap_gcry_mpi_print (const bigint_t a, void *buffer, size_t * 
nbytes,
         {
 
           /* in STD format we may want to include
-           * an extra byte for zero. Sometimes the gcry_
+           * an extra byte for (0). Sometimes the gcry_
            * function doesn't add it.
            */
           if (format == GNUTLS_MPI_FORMAT_STD)
diff --git a/lib/gnutls_alert.c b/lib/gnutls_alert.c
index 1245148..b32c34e 100644
--- a/lib/gnutls_alert.c
+++ b/lib/gnutls_alert.c
@@ -34,47 +34,51 @@
 typedef struct
 {
   gnutls_alert_description_t alert;
+  const char *name;
   const char *desc;
 } gnutls_alert_entry;
 
+#define ALERT_ENTRY(x,y) \
+  {x, #x, y}
+
 static const gnutls_alert_entry sup_alerts[] = {
-  {GNUTLS_A_CLOSE_NOTIFY, N_("Close notify")},
-  {GNUTLS_A_UNEXPECTED_MESSAGE, N_("Unexpected message")},
-  {GNUTLS_A_BAD_RECORD_MAC, N_("Bad record MAC")},
-  {GNUTLS_A_DECRYPTION_FAILED, N_("Decryption failed")},
-  {GNUTLS_A_RECORD_OVERFLOW, N_("Record overflow")},
-  {GNUTLS_A_DECOMPRESSION_FAILURE, N_("Decompression failed")},
-  {GNUTLS_A_HANDSHAKE_FAILURE, N_("Handshake failed")},
-  {GNUTLS_A_BAD_CERTIFICATE, N_("Certificate is bad")},
-  {GNUTLS_A_UNSUPPORTED_CERTIFICATE, N_("Certificate is not supported")},
-  {GNUTLS_A_CERTIFICATE_REVOKED, N_("Certificate was revoked")},
-  {GNUTLS_A_CERTIFICATE_EXPIRED, N_("Certificate is expired")},
-  {GNUTLS_A_CERTIFICATE_UNKNOWN, N_("Unknown certificate")},
-  {GNUTLS_A_ILLEGAL_PARAMETER, N_("Illegal parameter")},
-  {GNUTLS_A_UNKNOWN_CA, N_("CA is unknown")},
-  {GNUTLS_A_ACCESS_DENIED, N_("Access was denied")},
-  {GNUTLS_A_DECODE_ERROR, N_("Decode error")},
-  {GNUTLS_A_DECRYPT_ERROR, N_("Decrypt error")},
-  {GNUTLS_A_EXPORT_RESTRICTION, N_("Export restriction")},
-  {GNUTLS_A_PROTOCOL_VERSION, N_("Error in protocol version")},
-  {GNUTLS_A_INSUFFICIENT_SECURITY, N_("Insufficient security")},
-  {GNUTLS_A_USER_CANCELED, N_("User canceled")},
-  {GNUTLS_A_SSL3_NO_CERTIFICATE, N_("No certificate (SSL 3.0)")},
-  {GNUTLS_A_INTERNAL_ERROR, N_("Internal error")},
-  {GNUTLS_A_NO_RENEGOTIATION, N_("No renegotiation is allowed")},
-  {GNUTLS_A_CERTIFICATE_UNOBTAINABLE,
-   N_("Could not retrieve the specified certificate")},
-  {GNUTLS_A_UNSUPPORTED_EXTENSION, N_("An unsupported extension was sent")},
-  {GNUTLS_A_UNRECOGNIZED_NAME,
-   N_("The server name sent was not recognized")},
-  {GNUTLS_A_UNKNOWN_PSK_IDENTITY,
-   N_("The SRP/PSK username is missing or not known")},
-  {0, NULL}
+  ALERT_ENTRY(GNUTLS_A_CLOSE_NOTIFY, N_("Close notify")),
+  ALERT_ENTRY(GNUTLS_A_UNEXPECTED_MESSAGE, N_("Unexpected message")),
+  ALERT_ENTRY(GNUTLS_A_BAD_RECORD_MAC, N_("Bad record MAC")),
+  ALERT_ENTRY(GNUTLS_A_DECRYPTION_FAILED, N_("Decryption failed")),
+  ALERT_ENTRY(GNUTLS_A_RECORD_OVERFLOW, N_("Record overflow")),
+  ALERT_ENTRY(GNUTLS_A_DECOMPRESSION_FAILURE, N_("Decompression failed")),
+  ALERT_ENTRY(GNUTLS_A_HANDSHAKE_FAILURE, N_("Handshake failed")),
+  ALERT_ENTRY(GNUTLS_A_BAD_CERTIFICATE, N_("Certificate is bad")),
+  ALERT_ENTRY(GNUTLS_A_UNSUPPORTED_CERTIFICATE, N_("Certificate is not 
supported")),
+  ALERT_ENTRY(GNUTLS_A_CERTIFICATE_REVOKED, N_("Certificate was revoked")),
+  ALERT_ENTRY(GNUTLS_A_CERTIFICATE_EXPIRED, N_("Certificate is expired")),
+  ALERT_ENTRY(GNUTLS_A_CERTIFICATE_UNKNOWN, N_("Unknown certificate")),
+  ALERT_ENTRY(GNUTLS_A_ILLEGAL_PARAMETER, N_("Illegal parameter")),
+  ALERT_ENTRY(GNUTLS_A_UNKNOWN_CA, N_("CA is unknown")),
+  ALERT_ENTRY(GNUTLS_A_ACCESS_DENIED, N_("Access was denied")),
+  ALERT_ENTRY(GNUTLS_A_DECODE_ERROR, N_("Decode error")),
+  ALERT_ENTRY(GNUTLS_A_DECRYPT_ERROR, N_("Decrypt error")),
+  ALERT_ENTRY(GNUTLS_A_EXPORT_RESTRICTION, N_("Export restriction")),
+  ALERT_ENTRY(GNUTLS_A_PROTOCOL_VERSION, N_("Error in protocol version")),
+  ALERT_ENTRY(GNUTLS_A_INSUFFICIENT_SECURITY, N_("Insufficient security")),
+  ALERT_ENTRY(GNUTLS_A_USER_CANCELED, N_("User canceled")),
+  ALERT_ENTRY(GNUTLS_A_SSL3_NO_CERTIFICATE, N_("No certificate (SSL 3.0)")),
+  ALERT_ENTRY(GNUTLS_A_INTERNAL_ERROR, N_("Internal error")),
+  ALERT_ENTRY(GNUTLS_A_NO_RENEGOTIATION, N_("No renegotiation is allowed")),
+  ALERT_ENTRY(GNUTLS_A_CERTIFICATE_UNOBTAINABLE,
+   N_("Could not retrieve the specified certificate")),
+  ALERT_ENTRY(GNUTLS_A_UNSUPPORTED_EXTENSION, N_("An unsupported extension was 
sent")),
+  ALERT_ENTRY(GNUTLS_A_UNRECOGNIZED_NAME,
+   N_("The server name sent was not recognized")),
+  ALERT_ENTRY(GNUTLS_A_UNKNOWN_PSK_IDENTITY,
+   N_("The SRP/PSK username is missing or not known")),
+  {0, NULL, NULL}
 };
 
 /**
  * gnutls_alert_get_name:
- * @alert: is an alert number #gnutls_session_t structure.
+ * @alert: is an alert number.
  *
  * This function will return a string that describes the given alert
  * number, or %NULL.  See gnutls_alert_get().
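Review bot: ALERT_ENTRY stringifies its first argument with #x, so the string stored in the new name field is the C identifier itself (for example "GNUTLS_A_CLOSE_NOTIFY"), and renaming an enum constant silently changes that string. Say so in a comment next to the macro. The table terminator is now {0, NULL, NULL}, so every loop over sup_alerts has to stop on a NULL name or desc pointer rather than on the alert field being 0; check that the existing gnutls_alert_get_name() loop does.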
@@ -94,6 +98,26 @@ gnutls_alert_get_name (gnutls_alert_description_t alert)
 }
 
 /**
+ * gnutls_alert_get_strname:
+ * @alert: is an alert number.
+ *
+ * This function will return a string of the name of the alert.
+ *
+ * Returns: string corresponding to #gnutls_alert_description_t value.
+ **/
+const char *
+gnutls_alert_get_strname (gnutls_alert_description_t alert)
+{
+  const gnutls_alert_entry *p;
+
+  for (p = sup_alerts; p->name != NULL; p++)
+    if (p->alert == alert)
+      return p->name;
+
+  return NULL;
+}
+
+/**
  * gnutls_alert_send:
  * @session: is a #gnutls_session_t structure.
  * @level: is the level of the alert
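Review bot: the doc comment for the new gnutls_alert_get_strname() does not say that the function returns NULL when the alert is not found in sup_alerts, although the code ends with "return NULL;". Add that to the Returns: line so callers know to check the result before passing it to a %s format, and add a Since: tag as the other public functions documented in this patch have.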
@@ -303,14 +327,12 @@ gnutls_alert_send_appropriate (gnutls_session_t session, 
int err)
  * @session: is a #gnutls_session_t structure.
  *
  * This function will return the last alert number received.  This
- * function should be called if %GNUTLS_E_WARNING_ALERT_RECEIVED or
- * %GNUTLS_E_FATAL_ALERT_RECEIVED has been returned by a gnutls
- * function.  The peer may send alerts if he thinks some things were
- * not right. Check gnutls.h for the available alert descriptions.
- *
+ * function should be called when %GNUTLS_E_WARNING_ALERT_RECEIVED or
+ * %GNUTLS_E_FATAL_ALERT_RECEIVED errors are returned by a gnutls
+ * function.  The peer may send alerts if he encounters an error.
  * If no alert has been received the returned value is undefined.
  *
- * Returns: returns the last alert received, a
+ * Returns: the last alert received, a
  *   #gnutls_alert_description_t value.
  **/
 gnutls_alert_description_t
diff --git a/lib/gnutls_anon_cred.c b/lib/gnutls_anon_cred.c
index 93dbb81..b427a8d 100644
--- a/lib/gnutls_anon_cred.c
+++ b/lib/gnutls_anon_cred.c
@@ -125,7 +125,7 @@ gnutls_anon_set_server_dh_params 
(gnutls_anon_server_credentials_t res,
  *
  * This function will set a callback in order for the server to get
  * the Diffie-Hellman parameters for anonymous authentication.  The
- * callback should return zero on success.
+ * callback should return %GNUTLS_E_SUCCESS (0) on success.
  **/
 void
 gnutls_anon_set_server_params_function (gnutls_anon_server_credentials_t res,
diff --git a/lib/gnutls_auth.c b/lib/gnutls_auth.c
index 7a79053..7306725 100644
--- a/lib/gnutls_auth.c
+++ b/lib/gnutls_auth.c
@@ -90,8 +90,8 @@ gnutls_credentials_clear (gnutls_session_t session)
  * For %GNUTLS_CRD_CERTIFICATE, @cred should be
  * #gnutls_certificate_credentials_t.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS (zero) is returned,
- *   otherwise an error code is returned.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
+ *   otherwise a negative error code is returned.
  **/
 int
 gnutls_credentials_set (gnutls_session_t session,
diff --git a/lib/gnutls_buffers.c b/lib/gnutls_buffers.c
index e9b95c4..198a495 100644
--- a/lib/gnutls_buffers.c
+++ b/lib/gnutls_buffers.c
@@ -595,7 +595,7 @@ _gnutls_io_write_flush (gnutls_session_t session)
  * a timeframe.
  *
  * Returns 0 if data were received, GNUTLS_E_TIMEDOUT
- * on timeout and a negative value on error.
+ * on timeout and a negative error code on error.
  */
 int
 _gnutls_io_check_recv (gnutls_session_t session, unsigned int ms)
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index cbc627a..403ac91 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -108,7 +108,7 @@ gnutls_certificate_free_cas 
(gnutls_certificate_credentials_t sc)
  *
  * This function will return the issuer of a given certificate.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -642,7 +642,7 @@ _gnutls_openpgp_crt_verify_peers (gnutls_session_t session,
  * This function uses gnutls_x509_crt_list_verify() with the CAs in
  * the credentials as trusted CAs.
  *
- * Returns: a negative error code on error and zero on success.
+ * Returns: a negative error code on error and %GNUTLS_E_SUCCESS (0) on 
success.
  **/
 int
 gnutls_certificate_verify_peers2 (gnutls_session_t session,
diff --git a/lib/gnutls_dh_primes.c b/lib/gnutls_dh_primes.c
index 511a235..4e7fa03 100644
--- a/lib/gnutls_dh_primes.c
+++ b/lib/gnutls_dh_primes.c
@@ -58,8 +58,8 @@ _gnutls_dh_params_to_mpi (gnutls_dh_params_t dh_primes)
  * in the Diffie-Hellman key exchange.  The new parameters should be
  * stored in the appropriate gnutls_datum.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS (zero) is returned,
- *   otherwise an error code is returned.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
+ *   otherwise a negative error code is returned.
  **/
 int
 gnutls_dh_params_import_raw (gnutls_dh_params_t dh_params,
@@ -99,8 +99,8 @@ gnutls_dh_params_import_raw (gnutls_dh_params_t dh_params,
  *
  * This function will initialize the DH parameters structure.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS (zero) is returned,
- *   otherwise an error code is returned.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
+ *   otherwise a negative error code is returned.
  **/
 int
 gnutls_dh_params_init (gnutls_dh_params_t * dh_params)
@@ -144,8 +144,8 @@ gnutls_dh_params_deinit (gnutls_dh_params_t dh_params)
  * This function will copy the DH parameters structure from source
  * to destination.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS (zero) is returned,
- *   otherwise an error code is returned.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
+ *   otherwise a negative error code is returned.
  **/
 int
 gnutls_dh_params_cpy (gnutls_dh_params_t dst, gnutls_dh_params_t src)
@@ -179,8 +179,8 @@ gnutls_dh_params_cpy (gnutls_dh_params_t dst, 
gnutls_dh_params_t src)
  * Since clients use the parameters sent by the server, it's of
  * no use to call this in client side.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS (zero) is returned,
- *   otherwise an error code is returned.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
+ *   otherwise a negative error code is returned.
  **/
 int
 gnutls_dh_params_generate2 (gnutls_dh_params_t params, unsigned int bits)
@@ -213,8 +213,8 @@ gnutls_dh_params_generate2 (gnutls_dh_params_t params, 
unsigned int bits)
  * If the structure is PEM encoded, it should have a header
  * of "BEGIN DH PARAMETERS".
  *
- * Returns: On success, %GNUTLS_E_SUCCESS (zero) is returned,
- *   otherwise an error code is returned.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
+ *   otherwise a negative error code is returned.
  **/
 int
 gnutls_dh_params_import_pkcs3 (gnutls_dh_params_t params,
@@ -325,8 +325,8 @@ gnutls_dh_params_import_pkcs3 (gnutls_dh_params_t params,
  * If the structure is PEM encoded, it will have a header
  * of "BEGIN DH PARAMETERS".
  *
- * Returns: On success, %GNUTLS_E_SUCCESS (zero) is returned,
- *   otherwise an error code is returned.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
+ *   otherwise a negative error code is returned.
  **/
 int
 gnutls_dh_params_export_pkcs3 (gnutls_dh_params_t params,
@@ -499,8 +499,8 @@ gnutls_dh_params_export_pkcs3 (gnutls_dh_params_t params,
  * allocated using gnutls_malloc() and will be stored in the
  * appropriate datum.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS (zero) is returned,
- *   otherwise an error code is returned.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
+ *   otherwise a negative error code is returned.
  **/
 int
 gnutls_dh_params_export_raw (gnutls_dh_params_t params,
diff --git a/lib/gnutls_dtls.c b/lib/gnutls_dtls.c
index 8bfbd2e..b46f832 100644
--- a/lib/gnutls_dtls.c
+++ b/lib/gnutls_dtls.c
@@ -315,7 +315,7 @@ static void rot_window(gnutls_session_t session, int places)
 
 #define MOVE_SIZE 20
 /* Checks if a sequence number is not replayed. If replayed
- * returns a negative value, otherwise zero.
+ * returns a negative error code, otherwise zero.
  */
 int _dtls_record_check(gnutls_session_t session, uint64 * _seq)
 {
@@ -608,7 +608,7 @@ uint8_t digest[C_HASH_SIZE];
  * it should be associated with the session using
  * gnutls_dtls_prestate_set();
  *
- * Returns: zero on success, or a negative error code.  
+ * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.  
  *
  **/
 int gnutls_dtls_cookie_verify(gnutls_datum_t* key, 
@@ -677,7 +677,7 @@ uint8_t digest[C_HASH_SIZE];
  * the cookie authentication with the client, with the newly 
  * established session.
  *
- * Returns: zero on success, or a negative error code.  
+ * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.  
  *
  **/
 void gnutls_dtls_prestate_set(gnutls_session_t session, 
gnutls_dtls_prestate_st* prestate)
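Review bot: the Returns: line edited in this hunk documents gnutls_dtls_prestate_set(), which the context line below shows is declared void, so there is no value to return. Drop the Returns: paragraph from this comment instead of rewording it.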
diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c
index 8e9ade0..fa70609 100644
--- a/lib/gnutls_errors.c
+++ b/lib/gnutls_errors.c
@@ -209,7 +209,7 @@ static const gnutls_error_entry error_algorithms[] = {
   ERROR_ENTRY (N_
                ("The GnuTLS library version does not match the GnuTLS-extra 
library version."),
                GNUTLS_E_LIBRARY_VERSION_MISMATCH, 1),
-  ERROR_ENTRY (N_("The gcrypt library version is too old."),
+  ERROR_ENTRY (N_("The crypto library version is too old."),
                GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY, 1),
 
   ERROR_ENTRY (N_("The tasn1 library version is too old."),
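Review bot: the message for GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY is wrapped in N_(), so changing "gcrypt" to "crypto" alters a translatable string and the text users see, not just a comment. If the wording is meant to become backend-neutral, say so in the commit message and refresh the translation catalogs; the error constant itself still says GCRYPT, which deserves a short comment explaining the mismatch.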
@@ -336,9 +336,9 @@ static const gnutls_error_entry error_algorithms[] = {
 
 /**
  * gnutls_error_is_fatal:
- * @error: is a GnuTLS error code, a negative value
+ * @error: is a GnuTLS error code, a negative error code
  *
- * If a GnuTLS function returns a negative value you may feed that
+ * If a GnuTLS function returns a negative error code you may feed that
  * value to this function to see if the error condition is fatal.
  *
  * Note that you may want to check the error code manually, since some
@@ -375,7 +375,7 @@ gnutls_error_is_fatal (int error)
 
 /**
  * gnutls_perror:
- * @error: is a GnuTLS error code, a negative value
+ * @error: is a GnuTLS error code, a negative error code
  *
  * This function is like perror(). The only difference is that it
  * accepts an error number returned by a gnutls function.
@@ -389,13 +389,13 @@ gnutls_perror (int error)
 
 /**
  * gnutls_strerror:
- * @error: is a GnuTLS error code, a negative value
+ * @error: is a GnuTLS error code, a negative error code
  *
  * This function is similar to strerror.  The difference is that it
  * accepts an error number returned by a gnutls function; In case of
  * an unknown error a descriptive string is sent instead of %NULL.
  *
- * Error codes are always a negative value.
+ * Error codes are always a negative error code.
  *
  * Returns: A string explaining the GnuTLS error message.
  **/
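Review bot: in the gnutls_strerror() comment the blanket replacement produced "Error codes are always a negative error code.", which is circular; the @error lines in this file have the same problem ("a GnuTLS error code, a negative error code"). Keep "Error codes are always negative values." here and "a negative value" on the @error lines, or drop the redundant half.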
diff --git a/lib/gnutls_global.c b/lib/gnutls_global.c
index 92cb0a7..2c57717 100644
--- a/lib/gnutls_global.c
+++ b/lib/gnutls_global.c
@@ -197,8 +197,8 @@ static int _gnutls_init = 0;
  * function after aquiring a thread mutex.  To ignore the potential
  * memory leak is also an option.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS (zero) is returned,
- *   otherwise an error code is returned.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
+ *   otherwise a negative error code is returned.
  **/
 int
 gnutls_global_init (void)
@@ -318,7 +318,7 @@ gnutls_global_deinit (void)
  *
  * See %GNUTLS_VERSION for a suitable @req_version string.
  *
- * Return value: Check that the version of the library is at
+ * Returns: Check that the version of the library is at
  *   minimum the one given as a string in @req_version and return the
  *   actual version string of the library; return %NULL if the
  *   condition is not met.  If %NULL is passed to this function no
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index 9c1bd2a..0b2e16e 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -334,7 +334,7 @@ _gnutls_tls_create_random (opaque * dst)
   return 0;
 }
 
-/* returns the 0 on success or a negative value.
+/* returns the 0 on success or a negative error code.
  */
 int
 _gnutls_negotiate_version (gnutls_session_t session,
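Review bot: the reworded comment above _gnutls_negotiate_version() still reads "returns the 0 on success". Since the line is being touched anyway, drop the stray "the" so it matches the other comments in this patch: "returns 0 on success or a negative error code."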
@@ -2162,7 +2162,7 @@ _gnutls_recv_hello_verify_request (gnutls_session_t 
session,
  * %GNUTLS_A_NO_RENEGOTIATION.  A client may also choose to ignore
  * this message.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
  **/
 int
 gnutls_rehandshake (gnutls_session_t session)
@@ -2297,7 +2297,7 @@ cleanup:
  * in the case of %GNUTLS_E_GOT_APPLICATION_DATA it might also mean that
  * some data were pending.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
  **/
 int
 gnutls_handshake (gnutls_session_t session)
diff --git a/lib/gnutls_mpi.c b/lib/gnutls_mpi.c
index 693de3e..fddb87e 100644
--- a/lib/gnutls_mpi.c
+++ b/lib/gnutls_mpi.c
@@ -124,7 +124,7 @@ _gnutls_mpi_release (bigint_t * x)
   *x = NULL;
 }
 
-/* returns zero on success
+/* returns %GNUTLS_E_SUCCESS (0) on success
  */
 int
 _gnutls_mpi_scan (bigint_t * ret_mpi, const void *buffer, size_t nbytes)
@@ -140,7 +140,7 @@ _gnutls_mpi_scan (bigint_t * ret_mpi, const void *buffer, 
size_t nbytes)
   return 0;
 }
 
-/* returns zero on success. Fails if the number is zero.
+/* returns %GNUTLS_E_SUCCESS (0) on success. Fails if the number is zero.
  */
 int
 _gnutls_mpi_scan_nz (bigint_t * ret_mpi, const void *buffer, size_t nbytes)
diff --git a/lib/gnutls_pcert.c b/lib/gnutls_pcert.c
index 70f4f9f..ef360a1 100644
--- a/lib/gnutls_pcert.c
+++ b/lib/gnutls_pcert.c
@@ -39,7 +39,7 @@
  * #gnutls_pcert_st structure. The structure must be deinitialized
  * afterwards using gnutls_pcert_deinit();
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int gnutls_pcert_import_x509 (gnutls_pcert_st* pcert,
@@ -110,7 +110,7 @@ cleanup:
  * #gnutls_pcert_st structure. The structure must be deinitialized
  * afterwards using gnutls_pcert_deinit();
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int gnutls_pcert_import_x509_raw (gnutls_pcert_st *pcert,
@@ -158,7 +158,7 @@ cleanup:
  * #gnutls_pcert_st structure. The structure must be deinitialized
  * afterwards using gnutls_pcert_deinit();
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int gnutls_pcert_import_openpgp (gnutls_pcert_st* pcert,
@@ -230,7 +230,7 @@ cleanup:
  * #gnutls_pcert_st structure. The structure must be deinitialized
  * afterwards using gnutls_pcert_deinit();
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int gnutls_pcert_import_openpgp_raw (gnutls_pcert_st *pcert,
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index f0affa1..bc26339 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -45,7 +45,7 @@ break_comma_list (char *etag,
  * set on the client. The server does not use the algorithm's
  * priority except for disabling algorithms that were not specified.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
+ * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
  **/
 int
 gnutls_cipher_set_priority (gnutls_session_t session, const int *list)
@@ -585,8 +585,7 @@ gnutls_priority_set (gnutls_session_t session, 
gnutls_priority_t priority)
  *
  * The #priorities option allows you to specify a colon
  * separated list of the cipher priorities to enable.
- *
- * Common keywords: Some keywords are defined to provide quick access
+ * Some keywords are defined to provide quick access
  * to common preferences.
  *
  * "PERFORMANCE" means all the "secure" ciphersuites are enabled,
@@ -615,9 +614,8 @@ gnutls_priority_set (gnutls_session_t session, 
gnutls_priority_t priority)
  * "NONE" means nothing is enabled.  This disables even protocols and
  * compression methods.
  *
- * Special keywords:
+ * Special keywords are "!", "-" and "+".
  * "!" or "-" appended with an algorithm will remove this algorithm.
- *
  * "+" appended with an algorithm will add this algorithm.
  *
  * Check the GnuTLS manual section "Priority strings" for detailed
diff --git a/lib/gnutls_privkey.c b/lib/gnutls_privkey.c
index 6bd9736..3a29212 100644
--- a/lib/gnutls_privkey.c
+++ b/lib/gnutls_privkey.c
@@ -60,7 +60,7 @@ struct gnutls_privkey_st
  * actually the type of the subsystem used to set this private key.
  *
  * Returns: a member of the #gnutls_privkey_type_t enumeration on
- *   success, or a negative value on error.
+ *   success, or a negative error code on error.
  **/
 gnutls_privkey_type_t
 gnutls_privkey_get_type (gnutls_privkey_t key)
@@ -78,7 +78,7 @@ gnutls_privkey_get_type (gnutls_privkey_t key)
  * the security parameter of the key.
  *
  * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
- *   success, or a negative value on error.
+ *   success, or a negative error code on error.
  **/
 int
 gnutls_privkey_get_pk_algorithm (gnutls_privkey_t key, unsigned int *bits)
@@ -244,7 +244,7 @@ _gnutls_privkey_get_public_mpis (gnutls_privkey_t key,
  *
  * This function will initialize an private key structure.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
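Review bot: the continuation line of this Returns block still says "negative error value" while the other hunks in this patch settle on "negative error code", so the same commit leaves two wordings for the same contract. Since the first line is being touched anyway, change the second line too, here and in the identical hunks below. The context line "initialize an private key structure" could be fixed to "a private key" in the same pass.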
@@ -313,7 +313,7 @@ static int check_if_clean(gnutls_privkey_t key)
  * The #gnutls_pkcs11_privkey_t object must not be deallocated
  * during the lifetime of this structure.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -351,7 +351,7 @@ int ret;
  * The #gnutls_x509_privkey_t object must not be deallocated
  * during the lifetime of this structure.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -389,7 +389,7 @@ int ret;
  * during the lifetime of this structure. The subkey set as
  * preferred will be used, or the master key otherwise.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -447,7 +447,7 @@ uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
  * Use gnutls_pubkey_get_preferred_hash_algorithm() to determine
  * the hash algorithm.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  * negative error value.
  *
  * Since: 2.12.0
@@ -508,7 +508,7 @@ cleanup:
  * Use gnutls_pubkey_get_preferred_hash_algorithm() to determine
  * the hash algorithm.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  *
  * Since: 2.12.0
@@ -562,7 +562,7 @@ cleanup:
  * This function will sign the given data using a signature algorithm
  * supported by the private key.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  * negative error value.
  -*/
 int
@@ -602,7 +602,7 @@ _gnutls_privkey_sign_hash (gnutls_privkey_t key,
  * This function will decrypt the given data using the algorithm
  * supported by the private key.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  * negative error value.
  **/
 int
diff --git a/lib/gnutls_psk.c b/lib/gnutls_psk.c
index 31f7779..1315c71 100644
--- a/lib/gnutls_psk.c
+++ b/lib/gnutls_psk.c
@@ -443,7 +443,7 @@ gnutls_psk_set_server_dh_params 
(gnutls_psk_server_credentials_t res,
  *
  * This function will set a callback in order for the server to get
  * the Diffie-Hellman parameters for PSK authentication.  The callback
- * should return zero on success.
+ * should return %GNUTLS_E_SUCCESS (0) on success.
  **/
 void
 gnutls_psk_set_server_params_function (gnutls_psk_server_credentials_t res,
diff --git a/lib/gnutls_pubkey.c b/lib/gnutls_pubkey.c
index 52fb837..08b6895 100644
--- a/lib/gnutls_pubkey.c
+++ b/lib/gnutls_pubkey.c
@@ -87,7 +87,7 @@ int pubkey_to_bits(gnutls_pk_algorithm_t pk, 
gnutls_pk_params_st* params)
  * the security parameter of the key.
  *
  * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
- *   success, or a negative value on error.
+ *   success, or a negative error code on error.
  **/
 int
 gnutls_pubkey_get_pk_algorithm (gnutls_pubkey_t key, unsigned int *bits)
@@ -105,7 +105,7 @@ gnutls_pubkey_get_pk_algorithm (gnutls_pubkey_t key, 
unsigned int *bits)
  *
  * This function will return the key usage of the public key.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -123,7 +123,7 @@ gnutls_pubkey_get_key_usage (gnutls_pubkey_t key, unsigned 
int *usage)
  *
  * This function will initialize an public key structure.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -161,7 +161,7 @@ gnutls_pubkey_deinit (gnutls_pubkey_t key)
  * This function will import the given public key to the abstract
  * #gnutls_pubkey_t structure.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -196,7 +196,7 @@ gnutls_pubkey_import_x509 (gnutls_pubkey_t key, 
gnutls_x509_crt_t crt,
  * This function will import the given public key to the abstract
  * #gnutls_pubkey_t structure.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  *
  * Since: 2.12.0
@@ -222,7 +222,7 @@ gnutls_pubkey_import_privkey (gnutls_pubkey_t key, 
gnutls_privkey_t pkey,
  * algorithm to use for signing with this certificate. Some certificates (i.e.
  * DSA might not be able to sign without the preferred algorithm).
  *
- * Returns: the 0 if the hash algorithm is found. A negative value is
+ * Returns: the 0 if the hash algorithm is found. A negative error code is
  * returned on error.
  *
  * Since: 2.11.0
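Review bot: the rewritten Returns line keeps "the 0 if the hash algorithm is found", which is ungrammatical and does not use the `%GNUTLS_E_SUCCESS (0)` form that this patch introduces everywhere else. Suggest "Returns: %GNUTLS_E_SUCCESS (0) if the hash algorithm is found, otherwise a negative error code." so callers get one consistent success test across the pubkey API.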
@@ -258,7 +258,7 @@ gnutls_pubkey_get_preferred_hash_algorithm (gnutls_pubkey_t 
key,
  * This function will import the given public key to the abstract
  * #gnutls_pubkey_t structure.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -314,7 +314,7 @@ gnutls_pubkey_import_pkcs11 (gnutls_pubkey_t key,
  * #gnutls_pubkey_t structure. The subkey set as preferred will be
  * imported or the master key otherwise.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -394,7 +394,7 @@ gnutls_pubkey_import_openpgp (gnutls_pubkey_t key,
  * be returned.  The output will normally be a SHA-1 hash output,
  * which is 20 bytes.
  *
- * Return value: In case of failure a negative value will be
+ * Returns: In case of failure a negative error code will be
  *   returned, and 0 on success.
  **/
 int
@@ -449,7 +449,7 @@ gnutls_pubkey_get_openpgp_key_id (gnutls_pubkey_t key, 
unsigned int flags,
  * If the structure is PEM encoded, it will have a header
  * of "BEGIN CERTIFICATE".
  *
- * Return value: In case of failure a negative value will be
+ * Returns: In case of failure a negative error code will be
  *   returned, and 0 on success.
  **/
 int
@@ -519,7 +519,7 @@ cleanup:
  * be returned.  The output will normally be a SHA-1 hash output,
  * which is 20 bytes.
  *
- * Return value: In case of failure a negative value will be
+ * Returns: In case of failure a negative error code will be
  *   returned, and 0 on success.
  **/
 int
@@ -557,7 +557,7 @@ gnutls_pubkey_get_key_id (gnutls_pubkey_t key, unsigned int 
flags,
  * the given structure.  The new parameters will be allocated using
  * gnutls_malloc() and will be stored in the appropriate datum.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
  **/
 int
 gnutls_pubkey_get_pk_rsa_raw (gnutls_pubkey_t key,
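Review bot: this Returns line is changed to "%GNUTLS_E_SUCCESS on success" without the "(0)" that the neighbouring hunks add, and the dsa_raw and ecc_raw hunks below repeat the omission. If the point of the commit is to make the numeric success value explicit, these three should read `%GNUTLS_E_SUCCESS (0) on success, otherwise a negative error code.` as well.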
@@ -607,7 +607,7 @@ gnutls_pubkey_get_pk_rsa_raw (gnutls_pubkey_t key,
  * the given certificate.  The new parameters will be allocated using
  * gnutls_malloc() and will be stored in the appropriate datum.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
  **/
 int
 gnutls_pubkey_get_pk_dsa_raw (gnutls_pubkey_t key,
@@ -682,7 +682,7 @@ gnutls_pubkey_get_pk_dsa_raw (gnutls_pubkey_t key,
  * the given certificate.  The new parameters will be allocated using
  * gnutls_malloc() and will be stored in the appropriate datum.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
  **/
 int
 gnutls_pubkey_get_pk_ecc_raw (gnutls_pubkey_t key, gnutls_ecc_curve_t *curve,
@@ -734,7 +734,7 @@ gnutls_pubkey_get_pk_ecc_raw (gnutls_pubkey_t key, 
gnutls_ecc_curve_t *curve,
  * to the native gnutls_pubkey_t format.The output will be stored * in @ key. 
  * If the Certificate is PEM encoded it should have a header of "PUBLIC KEY". 
  * 
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  * negative error value.
  **/
 int
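Review bot: the two context lines directly above the changed Returns line are visibly damaged ("format.The output will be stored * in @ key." has a missing space, a stray " * " from an earlier reflow, and "@ key" will not be picked up as a parameter reference). A documentation cleanup that edits the very next line should repair them: "format. The output will be stored in @key." The continuation "negative error value" also differs from the "error code" wording used elsewhere in the patch.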
@@ -827,7 +827,7 @@ cleanup:
  * This function will set the public parameters from the given public
  * key to the request.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -866,7 +866,7 @@ gnutls_x509_crt_set_pubkey (gnutls_x509_crt_t crt, 
gnutls_pubkey_t key)
  * This function will set the public parameters from the given public
  * key to the request.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -906,7 +906,7 @@ gnutls_x509_crq_set_pubkey (gnutls_x509_crq_t crq, 
gnutls_pubkey_t key)
  * is only useful if the key is to be exported to a certificate or
  * certificate request.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -928,7 +928,7 @@ gnutls_pubkey_set_key_usage (gnutls_pubkey_t key, unsigned 
int usage)
  * This function will import a PKCS 11 certificate to a #gnutls_pubkey_t
  * structure.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 
@@ -1031,7 +1031,7 @@ gnutls_pubkey_import_rsa_raw (gnutls_pubkey_t key,
  * native #gnutls_pubkey_t format.  The output will be stored
  * in @key.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -1217,7 +1217,7 @@ gnutls_pubkey_verify_hash (gnutls_pubkey_t key, unsigned 
int flags,
  * This function will read the certifcate and the signed data to
  * determine the hash algorithm used to generate the signature.
  *
- * Returns: the 0 if the hash algorithm is found. A negative value is
+ * Returns: the 0 if the hash algorithm is found. A negative error code is
  * returned on error.
  **/
 int
diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c
index a109d30..cfafc7b 100644
--- a/lib/gnutls_record.c
+++ b/lib/gnutls_record.c
@@ -1188,13 +1188,11 @@ _gnutls_recv_int (gnutls_session_t session, 
content_type_t type,
  * This function has the similar semantics with send().  The only
  * difference is that it accepts a GnuTLS session, and uses different
  * error codes.
- *
  * Note that if the send buffer is full, send() will block this
  * function.  See the send() documentation for full information.  You
  * can replace the default push function by using
  * gnutls_transport_set_ptr2() with a call to send() with a
  * MSG_DONTWAIT flag if blocking is a problem.
- *
  * If the EINTR is returned by the internal push function (the
  * default is send()) then %GNUTLS_E_INTERRUPTED will be returned. If
  * %GNUTLS_E_INTERRUPTED or %GNUTLS_E_AGAIN is returned, you must
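Review bot: removing the two blank ` *` separator lines fuses the description, the blocking note and the EINTR/retry rule into a single paragraph in the generated documentation. The last of these is the part callers most need to find, because mishandling %GNUTLS_E_INTERRUPTED or %GNUTLS_E_AGAIN leads to lost or duplicated writes. Unless the doc tool requires a single paragraph here, keep the separators, or say in the commit message why they have to go.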
@@ -1225,19 +1223,16 @@ gnutls_record_send (gnutls_session_t session, const 
void *data,
  * This function has the similar semantics with recv().  The only
  * difference is that it accepts a GnuTLS session, and uses different
  * error codes.
- *
  * In the special case that a server requests a renegotiation, the
  * client may receive an error code of %GNUTLS_E_REHANDSHAKE.  This
  * message may be simply ignored, replied with an alert
  * %GNUTLS_A_NO_RENEGOTIATION, or replied with a new handshake,
  * depending on the client's will.
- *
  * If %EINTR is returned by the internal push function (the default
  * is recv()) then %GNUTLS_E_INTERRUPTED will be returned.  If
  * %GNUTLS_E_INTERRUPTED or %GNUTLS_E_AGAIN is returned, you must
  * call this function again to get the data.  See also
  * gnutls_record_get_direction().
- *
  * A server may also receive %GNUTLS_E_REHANDSHAKE when a client has
  * initiated a handshake. In that case the server can only initiate a
  * handshake or terminate the connection.
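Review bot: in this gnutls_record_recv() block the context line "If %EINTR is returned by the internal push function (the default is recv())" names the wrong callback; recv() is the pull side, and the sentence looks copied from the gnutls_record_send() comment in the previous hunk. Since the paragraph is being reflowed anyway, change it to "pull function". Dropping the four blank ` *` lines also merges the client-side and server-side %GNUTLS_E_REHANDSHAKE rules into one block, which makes the two cases harder to tell apart.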
@@ -1264,7 +1259,6 @@ gnutls_record_recv (gnutls_session_t session, void *data, 
size_t data_size)
  * it returns in addition to data, the sequence number of the data.
  * This is useful in DTLS where record packets might be received
  * out-of-order.
- *
  * In DTLS the least significant 48-bits are a unique sequence
  * number, per handshake. If your application is using TLS re-handshakes
  * then the full 64-bits should be used as a unique sequence.
diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
index 73f533c..9954892 100644
--- a/lib/gnutls_sig.c
+++ b/lib/gnutls_sig.c
@@ -608,7 +608,7 @@ _gnutls_handshake_sign_cert_vrfy12 (gnutls_session_t 
session,
  * 20091031: works for TLS 1.2 too!
  *
  * For TLS1.x, x<2 returns negative for failure and zero or unspecified for 
success.
- * For TLS1.2 returns the signature algorithm used on success, or a negative 
value;
+ * For TLS1.2 returns the signature algorithm used on success, or a negative 
error code;
  */
 int
 _gnutls_handshake_sign_cert_vrfy (gnutls_session_t session,
diff --git a/lib/gnutls_srp.c b/lib/gnutls_srp.c
index bbfd793..95c2c82 100644
--- a/lib/gnutls_srp.c
+++ b/lib/gnutls_srp.c
@@ -674,9 +674,7 @@ gnutls_srp_server_get_username (gnutls_session_t session)
  *
  * This function will create an SRP verifier, as specified in
  * RFC2945.  The @prime and @generator should be one of the static
- * parameters defined in gnutls/extra.h or may be generated using the
- * libgcrypt functions gcry_prime_generate() and
- * gcry_prime_group_generator().
+ * parameters defined in gnutls/extra.h or may be generated.
  *
  * The verifier will be allocated with @gnutls_malloc() and will be stored in
  * @res using binary format.
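Review bot: "or may be generated." now ends the sentence with no indication of how or with what properties, after the reference to the libgcrypt generator functions is removed. For SRP group parameters that is the part a reader must not guess at. Either name the replacement procedure, or shorten the sentence to recommend only the static parameters from gnutls/extra.h.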
diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c
index e144f16..5b285f9 100644
--- a/lib/gnutls_state.c
+++ b/lib/gnutls_state.c
@@ -286,7 +286,7 @@ _gnutls_handshake_internal_state_clear (gnutls_session_t 
session)
  * This function initializes the current session to null. Every
  * session must be initialized before use, so internal structures can
  * be allocated.  This function allocates structures which can only
- * be free'd by calling gnutls_deinit().  Returns zero on success.
+ * be free'd by calling gnutls_deinit().  Returns %GNUTLS_E_SUCCESS (0) on 
success.
  *
  * @flags can be one of %GNUTLS_CLIENT and %GNUTLS_SERVER. For a DTLS
  * entity, the flags %GNUTLS_DATAGRAM and  %GNUTLS_NONBLOCK are
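Review bot: the return value is still documented inline in the description ("Returns %GNUTLS_E_SUCCESS (0) on success.") rather than in a "Returns:" section like every other function touched by this patch, and nothing is said about the failure case. Suggest moving it to a proper "Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code." line at the end of the block.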
@@ -1343,7 +1343,7 @@ gnutls_session_channel_binding (gnutls_session_t session,
 /* returns overhead imposed by the record layer (encryption/compression)
  * etc. It does include the record layer headers.
  *
- * It may return a negative value on error.
+ * It may return a negative error code on error.
  */
 int _gnutls_record_overhead_rt(gnutls_session_t session)
 {
diff --git a/lib/gnutls_str.c b/lib/gnutls_str.c
index 71a07f4..f22c490 100644
--- a/lib/gnutls_str.c
+++ b/lib/gnutls_str.c
@@ -471,7 +471,7 @@ _gnutls_bin2hex (const void *_old, size_t oldlen,
  *
  * Convert a buffer with hex data to binary data.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
  *
  * Since: 2.4.0
  **/
diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c
index a4cdd16..e953eee 100644
--- a/lib/gnutls_ui.c
+++ b/lib/gnutls_ui.c
@@ -373,7 +373,7 @@ gnutls_dh_get_prime_bits (gnutls_session_t session)
  * Get the export RSA parameter's modulus size.
  *
  * Returns: the bits used in the last RSA-EXPORT key exchange with the
- *   peer, or a negative value in case of error.
+ *   peer, or a negative error code in case of error.
  **/
 int
 gnutls_rsa_export_get_modulus_bits (gnutls_session_t session)
@@ -395,7 +395,7 @@ gnutls_rsa_export_get_modulus_bits (gnutls_session_t 
session)
  * anonymous and ephemeral Diffie-Hellman.
  *
  * Returns: the public key bit size used in the last Diffie-Hellman
- *   key exchange with the peer, or a negative value in case of error.
+ *   key exchange with the peer, or a negative error code in case of error.
  **/
 int
 gnutls_dh_get_peers_public_bits (gnutls_session_t session)
@@ -522,7 +522,7 @@ gnutls_certificate_get_peers (gnutls_session_t
  * Get whether client certificate is requested or not.
  *
  * Returns: 0 if the peer (server) did not request client
- *   authentication or 1 otherwise, or a negative value in case of
+ *   authentication or 1 otherwise, or a negative error code in case of
  *   error.
  **/
 int
@@ -611,7 +611,7 @@ gnutls_certificate_set_dh_params 
(gnutls_certificate_credentials_t res,
  *
  * This function will set a callback in order for the server to get
  * the Diffie-Hellman or RSA parameters for certificate
- * authentication.  The callback should return zero on success.
+ * authentication.  The callback should return %GNUTLS_E_SUCCESS (0) on 
success.
  **/
 void
 gnutls_certificate_set_params_function (gnutls_certificate_credentials_t res,
@@ -681,7 +681,7 @@ gnutls_certificate_set_rsa_export_params 
(gnutls_certificate_credentials_t
  *
  * This function will set a callback in order for the server to get
  * the Diffie-Hellman or RSA parameters for PSK authentication.  The
- * callback should return zero on success.
+ * callback should return %GNUTLS_E_SUCCESS (0) on success.
  **/
 void
 gnutls_psk_set_params_function (gnutls_psk_server_credentials_t res,
@@ -697,7 +697,7 @@ gnutls_psk_set_params_function 
(gnutls_psk_server_credentials_t res,
  *
  * This function will set a callback in order for the server to get
  * the Diffie-Hellman or RSA parameters for anonymous authentication.
- * The callback should return zero on success.
+ * The callback should return %GNUTLS_E_SUCCESS (0) on success.
  **/
 void
 gnutls_anon_set_params_function (gnutls_anon_server_credentials_t res,
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index 0791109..37ba539 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -749,14 +749,8 @@ read_key_file (gnutls_certificate_credentials_t res,
  *
  * This function sets a certificate/private key pair in the
  * gnutls_certificate_credentials_t structure. This function may be called
- * more than once (in case multiple keys/certificates exist for the
- * server).
- *
- * Currently are supported: RSA PKCS-1 encoded private keys,
- * DSA private keys.
- *
- * DSA private keys are encoded the OpenSSL way, which is an ASN.1
- * DER sequence of 6 INTEGERs - version, p, q, g, pub, priv.
+ * more than once, in case multiple keys/certificates exist for the
+ * server.
  *
  * Note that the keyUsage (2.5.29.15) PKIX extension in X.509 certificates
  * is supported. This means that certificates intended for signing cannot
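Review bot: this hunk deletes the only statement of which private key encodings gnutls_certificate_set_x509_key_mem() accepts (PKCS-1 RSA, and DSA as a DER sequence of 6 INTEGERs) and puts nothing in its place. If the list was simply out of date, replace it with the current one or point to the manual section that has it; as written, a caller cannot tell from the API documentation what to pass in @key. The commit message should also say why the text was dropped.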
@@ -768,7 +762,7 @@ read_key_file (gnutls_certificate_credentials_t res,
  * The @key may be %NULL if you are using a sign callback, see
  * gnutls_sign_callback_set().
  *
- * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
+ * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
  **/
 int
 gnutls_certificate_set_x509_key_mem (gnutls_certificate_credentials_t res,
@@ -854,14 +848,14 @@ certificate_credentials_append_pkey 
(gnutls_certificate_credentials_t res,
  *
  * This function sets a certificate/private key pair in the
  * gnutls_certificate_credentials_t structure.  This function may be
- * called more than once (in case multiple keys/certificates exist for
- * the server).  For clients that wants to send more than its own end
+ * called more than once, in case multiple keys/certificates exist for
+ * the server.  For clients that wants to send more than its own end
  * entity certificate (e.g., also an intermediate CA cert) then put
  * the certificate chain in @cert_list.
  *
  * 
  *
- * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
+ * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
  *
  * Since: 2.4.0
  **/
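Review bot: the rewritten line "the server.  For clients that wants to send more than its own end" keeps the agreement errors of the original ("clients that wants", "its own"). Since the line is being edited, use "For clients that want to send more than their own end entity certificate". The empty ` * ` line with trailing whitespace in the context just below could be removed in the same change.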
@@ -944,18 +938,15 @@ gnutls_certificate_set_x509_key 
(gnutls_certificate_credentials_t res,
  *
  * This function sets a certificate/private key pair in the
  * gnutls_certificate_credentials_t structure.  This function may be
- * called more than once (in case multiple keys/certificates exist for
- * the server).  For clients that wants to send more than its own end
- * entity certificate (e.g., also an intermediate CA cert) then put
- * the certificate chain in @certfile.
+ * called more than once, in case multiple keys/certificates exist for
+ * the server.  For clients that need to send more than its own end
+ * entity certificate, e.g., also an intermediate CA cert, then the
+ * @certfile must contain the ordered certificate chain.
  *
- * Currently only PKCS-1 encoded RSA and DSA private keys are accepted by
- * this function.
+ * This function can also accept PKCS #11 URLs at @keyfile and @certfile. In 
that case it
+ * will import the private key and certificate indicated by the URLs.
  *
- * This function can also accept PKCS #11 URLs. In that case it
- * will import the private key and certificate indicated by the urls.
- *
- * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
+ * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
  **/
 int
 gnutls_certificate_set_x509_key_file (gnutls_certificate_credentials_t res,
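Review bot: the new PKCS #11 sentence says URLs are accepted "at @keyfile and @certfile" but does not say how a URL is told apart from a file name, and the deleted sentence about accepted key encodings leaves the plain-file case undocumented. Both matter to anyone passing externally supplied paths to this function. Please state the rule for recognising a URL and restore or update the format note. The added line is also well over 80 columns, and "clients that need to send more than its own" should be "their own".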
@@ -1199,7 +1190,7 @@ cleanup:
  * a certificate request is sent. This can be disabled using
  * gnutls_certificate_send_x509_rdn_sequence().
  *
- * Returns: the number of certificates processed or a negative value
+ * Returns: the number of certificates processed or a negative error code
  * on error.
  **/
 int
@@ -1235,7 +1226,7 @@ gnutls_certificate_set_x509_trust_mem 
(gnutls_certificate_credentials_t res,
  * a certificate request is sent. This can be disabled using
  * gnutls_certificate_send_x509_rdn_sequence().
  *
- * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
+ * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
  *
  * Since: 2.4.0
  **/
@@ -1306,7 +1297,7 @@ cleanup:
  * This function can also accept PKCS #11 URLs. In that case it
  * will import all certificates that are marked as trusted.
  *
- * Returns: number of certificates processed, or a negative value on
+ * Returns: number of certificates processed, or a negative error code on
  * error.
  **/
 int
@@ -1459,7 +1450,7 @@ read_crl_mem (gnutls_certificate_credentials_t res, const 
void *crl,
  * gnutls_certificate_verify_peers2().  This function may be called
  * multiple times.
  *
- * Returns: number of CRLs processed, or a negative value on error.
+ * Returns: number of CRLs processed, or a negative error code on error.
  **/
 int
 gnutls_certificate_set_x509_crl_mem (gnutls_certificate_credentials_t res,
@@ -1481,7 +1472,7 @@ gnutls_certificate_set_x509_crl_mem 
(gnutls_certificate_credentials_t res,
  * gnutls_certificate_verify_peers2().  This function may be called
  * multiple times.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
+ * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
  *
  * Since: 2.4.0
  **/
@@ -1538,7 +1529,7 @@ cleanup:
  * gnutls_certificate_verify_peers2().
  * This function may be called multiple times.
  *
- * Returns: number of CRLs processed or a negative value on error.
+ * Returns: number of CRLs processed or a negative error code on error.
  **/
 int
 gnutls_certificate_set_x509_crl_file (gnutls_certificate_credentials_t res,
@@ -1891,9 +1882,6 @@ done:
  * only password based security, and the same password for all
  * operations, are supported.
  *
- * The private keys may be RSA PKCS#1 or DSA private keys encoded in
- * the OpenSSL way.
- *
  * PKCS#12 file may contain many keys and/or certificates, and there
  * is no way to identify which key/certificate pair you want.  You
  * should make sure the PKCS#12 file only contain one key/certificate
@@ -1904,7 +1892,7 @@ done:
  * complexity that would make it harder to use this functionality at
  * all.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
+ * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
  **/
 int
   gnutls_certificate_set_x509_simple_pkcs12_file
@@ -1948,9 +1936,6 @@ int
  * only password based security, and the same password for all
  * operations, are supported.
  *
- * The private keys may be RSA PKCS#1 or DSA private keys encoded in
- * the OpenSSL way.
- *
  * PKCS#12 file may contain many keys and/or certificates, and there
  * is no way to identify which key/certificate pair you want.  You
  * should make sure the PKCS#12 file only contain one key/certificate
@@ -1961,7 +1946,7 @@ int
  * complexity that would make it harder to use this functionality at
  * all.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
+ * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
  *
  * Since: 2.8.0
  **/
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index af159f5..1d6b5e1 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -739,6 +739,7 @@ typedef enum
                          gnutls_alert_description_t desc);
   int gnutls_alert_send_appropriate (gnutls_session_t session, int err);
   const char *gnutls_alert_get_name (gnutls_alert_description_t alert);
+  const char * gnutls_alert_get_strname (gnutls_alert_description_t alert);
 
   gnutls_sec_param_t gnutls_pk_bits_to_sec_param (gnutls_pk_algorithm_t algo,
                                                   unsigned int bits);
diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h
index edcea28..647b241 100644
--- a/lib/includes/gnutls/pkcs11.h
+++ b/lib/includes/gnutls/pkcs11.h
@@ -23,6 +23,7 @@ typedef int (*gnutls_pkcs11_token_callback_t) (void *const 
global_data,
    * gnutls_pkcs11_pin_flag_t:
    * @GNUTLS_PKCS11_PIN_USER: The PIN for the user.
    * @GNUTLS_PKCS11_PIN_SO: The PIN for the security officer.
+   * @GNUTLS_PKCS11_PIN_CONTEXT_SPECIFIC: The PIN is for a specific action and 
key like signing.
    * @GNUTLS_PKCS11_PIN_FINAL_TRY: This is the final try before blocking.
    * @GNUTLS_PKCS11_PIN_COUNT_LOW: Few tries remain before token blocks.
    *
@@ -32,8 +33,9 @@ typedef enum
 {
   GNUTLS_PKCS11_PIN_USER = (1 << 0),
   GNUTLS_PKCS11_PIN_SO = (1 << 1),
+  GNUTLS_PKCS11_PIN_CONTEXT_SPECIFIC = (1 << 4),
   GNUTLS_PKCS11_PIN_FINAL_TRY = (1 << 2),
-  GNUTLS_PKCS11_PIN_COUNT_LOW = (1 << 3)
+  GNUTLS_PKCS11_PIN_COUNT_LOW = (1 << 3),
 } gnutls_pkcs11_pin_flag_t;
 
 typedef int (*gnutls_pkcs11_pin_callback_t) (void *userdata, int attempt,
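Review bot: two points on the enum. `GNUTLS_PKCS11_PIN_CONTEXT_SPECIFIC = (1 << 4)` is inserted between `(1 << 1)` and `(1 << 2)`, so the list is no longer in bit order; placing it last makes the next free bit obvious. The change to `GNUTLS_PKCS11_PIN_COUNT_LOW = (1 << 3),` also leaves a trailing comma after the final enumerator, which C89 and pre-C++11 compilers reject or warn about in pedantic mode. This is an installed public header, so I would drop the comma.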
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index bd3a4db..b26c065 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -713,6 +713,7 @@ GNUTLS_3_0_0 {
        gnutls_pubkey_verify_data2;
        gnutls_x509_trust_list_verify_named_crt;
        gnutls_x509_trust_list_add_named_crt;
+       gnutls_alert_get_strname;
 } GNUTLS_2_12;
 
 GNUTLS_PRIVATE {
diff --git a/lib/minitasn1/decoding.c b/lib/minitasn1/decoding.c
index 8c8b01f..ae32c98 100644
--- a/lib/minitasn1/decoding.c
+++ b/lib/minitasn1/decoding.c
@@ -168,7 +168,7 @@ asn1_get_tag_der (const unsigned char *der, int der_len,
  * asn1_get_length_der() is that this function will return a length
  * even if the value has indefinite encoding.
  *
- * Returns: Return the decoded length value, or negative value when
+ * Returns: Return the decoded length value, or negative error code when
  *   the value was too big.
  *
  * Since: 2.0
diff --git a/lib/minitasn1/errors.c b/lib/minitasn1/errors.c
index 052c64f..271158d 100644
--- a/lib/minitasn1/errors.c
+++ b/lib/minitasn1/errors.c
@@ -85,7 +85,7 @@ asn1_perror (asn1_retCode error)
  *
  * This function replaces libtasn1_strerror() in older libtasn1.
  *
- * Returns: Pointer to static zero-terminated string describing error
+ * Returns: Pointer to static (0)-terminated string describing error
  *   code.
  *
  * Since: 1.6
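Review bot: "Pointer to static (0)-terminated string" looks like the result of a blanket replacement of "zero" with "(0)". "zero-terminated" was correct and is the usual term; the new wording is harder to read and has nothing to do with return codes. Please revert this line and the identical one in the next hunk. These files sit under lib/minitasn1, the bundled copy of libtasn1, so cosmetic edits here also create needless divergence from the library they come from.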
@@ -130,7 +130,7 @@ libtasn1_perror (asn1_retCode error)
  * similar to strerror.  The only difference is that it accepts an
  * error (number) returned by a libtasn1 function.
  *
- * Returns: Pointer to static zero-terminated string describing error
+ * Returns: Pointer to static (0)-terminated string describing error
  *   code.
  *
  * Deprecated: Use asn1_strerror() instead.
diff --git a/lib/nettle/ecc_verify_hash.c b/lib/nettle/ecc_verify_hash.c
index 54d98f3..4f4ddbb 100644
--- a/lib/nettle/ecc_verify_hash.c
+++ b/lib/nettle/ecc_verify_hash.c
@@ -80,7 +80,7 @@ ecc_verify_hash (struct dsa_signature *signature,
       goto error;
     }
 
-  /* check for zero */
+  /* check for (0) */
   if (mpz_cmp_ui (signature->r, 0) == 0 || mpz_cmp_ui (signature->s, 0) == 0
       || mpz_cmp (signature->r, key->order) >= 0
       || mpz_cmp (signature->s, key->order) >= 0)
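Review bot: `/* check for (0) */` is less clear than the comment it replaces and still describes only half of the condition below it, which also rejects r or s greater than or equal to key->order. This is the range check that guards signature verification, so the comment should say so, for example "reject r or s outside [1, order-1]". At minimum restore "zero".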
diff --git a/lib/opencdk/kbnode.c b/lib/opencdk/kbnode.c
index cfad127..c713cfa 100644
--- a/lib/opencdk/kbnode.c
+++ b/lib/opencdk/kbnode.c
@@ -496,7 +496,7 @@ cdk_kbnode_write_to_mem_alloc (cdk_kbnode_t node,
  * @r_nbytes: the new length of the buffer.
  *
  * Tries to write the contents of the key node to the buffer @buf and
- * return the length of it in @r_nbytes. If buf is zero, only the
+ * return the length of it in @r_nbytes. If buf is (0), only the
  * length of the node is calculated and returned in @r_nbytes.
  * Whenever it is possible, the cdk_kbnode_write_to_mem_alloc should be used.
  **/
@@ -568,7 +568,7 @@ cdk_kbnode_write_to_mem (cdk_kbnode_t node, byte * buf, 
size_t * r_nbytes)
  * @node: the key node
  * @hashctx: opaque pointer to the hash context
  * @is_v4: OpenPGP signature (yes=1, no=0)
- * @pkttype: packet type to hash (if zero use the packet type from the node)
+ * @pkttype: packet type to hash (if (0) use the packet type from the node)
  * @flags: flags which depend on the operation
  *
  * Hashes the key node contents. Two modes are supported. If the packet
diff --git a/lib/opencdk/sig-check.c b/lib/opencdk/sig-check.c
index 90723d0..79dac5f 100644
--- a/lib/opencdk/sig-check.c
+++ b/lib/opencdk/sig-check.c
@@ -455,9 +455,9 @@ uid_list_free (struct verify_uid *list)
     }
 }
 
-/* returns non zero if all UIDs in the list have at least one
+/* returns non (0) if all UIDs in the list have at least one
  * signature. If the list is empty or no signatures are present
- * a zero value is returned.
+ * a (0) value is returned.
  */
 static int
 uid_list_all_signed (struct verify_uid *list)
@@ -487,7 +487,7 @@ uid_list_all_signed (struct verify_uid *list)
  *
  * Check all signatures. When no key is available for checking, the
  * sigstat is marked as 'NOKEY'. The @r_status contains the key flags
- * which are or-ed or zero when there are no flags.
+ * which are or-ed or (0) when there are no flags.
  **/
 cdk_error_t
 cdk_pk_check_sigs (cdk_kbnode_t key, cdk_keydb_hd_t keydb, int *r_status)
diff --git a/lib/openpgp/extras.c b/lib/openpgp/extras.c
index 3810fb4..fc40c87 100644
--- a/lib/openpgp/extras.c
+++ b/lib/openpgp/extras.c
@@ -214,7 +214,7 @@ error:
  * This function will return the number of OpenPGP certificates
  * present in the given keyring.
  *
- * Returns: the number of subkeys, or a negative value on error.
+ * Returns: the number of subkeys, or a negative error code on error.
  **/
 int
 gnutls_openpgp_keyring_get_crt_count (gnutls_openpgp_keyring_t ring)
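Review bot: The Returns line for gnutls_openpgp_keyring_get_crt_count still says "the number of subkeys", while the description two lines above says the function returns the number of OpenPGP certificates in the keyring. Since this line is being touched anyway, change it to "the number of certificates, or a negative error code on error".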
diff --git a/lib/openpgp/gnutls_openpgp.c b/lib/openpgp/gnutls_openpgp.c
index 2a827ba..433a352 100644
--- a/lib/openpgp/gnutls_openpgp.c
+++ b/lib/openpgp/gnutls_openpgp.c
@@ -79,8 +79,8 @@ _gnutls_map_cdk_rc (int rc)
  * been set and be used. See gnutls_openpgp_crt_set_preferred_key_id().
  * Otherwise the master key will be used.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS (zero) is returned,
- *   otherwise an error code is returned.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
+ *   otherwise a negative error code is returned.
  **/
 int
 gnutls_certificate_set_openpgp_key (gnutls_certificate_credentials_t res,
@@ -231,7 +231,7 @@ leave:
  * This funtion is used to load OpenPGP keys into the GnuTLS credential 
  * structure. The datum should contain at least one valid non encrypted subkey.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -254,7 +254,7 @@ gnutls_certificate_set_openpgp_key_mem 
(gnutls_certificate_credentials_t res,
  * This funtion is used to load OpenPGP keys into the GnuTLS
  * credentials structure. The file should contain at least one valid non 
encrypted subkey.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -303,7 +303,7 @@ get_keyid (gnutls_openpgp_keyid_t keyid, const char *str)
  * case the gnutls_openpgp_crt_get_auth_subkey() will be used to
  * retrieve the subkey.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  *
  * Since: 2.4.0
@@ -400,7 +400,7 @@ gnutls_certificate_set_openpgp_key_mem2 
(gnutls_certificate_credentials_t res,
  * case the gnutls_openpgp_crt_get_auth_subkey() will be used to
  * retrieve the subkey.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  *
  * Since: 2.4.0
@@ -508,7 +508,7 @@ gnutls_openpgp_count_key_names (const gnutls_datum_t * cert)
  * is needed for an operations. The keyring will also be used at the
  * verification functions.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -555,7 +555,7 @@ gnutls_certificate_set_openpgp_keyring_file 
(gnutls_certificate_credentials_t
  * is needed for an operations. The keyring will also be used at the
  * verification functions.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
diff --git a/lib/openpgp/output.c b/lib/openpgp/output.c
index c4a7bf8..74b0b8c 100644
--- a/lib/openpgp/output.c
+++ b/lib/openpgp/output.c
@@ -499,12 +499,12 @@ print_oneline (gnutls_buffer_st * str, 
gnutls_openpgp_crt_t cert)
  * gnutls_openpgp_crt_print:
  * @cert: The structure to be printed
  * @format: Indicate the format to use
- * @out: Newly allocated datum with zero terminated string.
+ * @out: Newly allocated datum with (0) terminated string.
  *
  * This function will pretty print an OpenPGP certificate, suitable
  * for display to a human.
  *
- * The format should be zero for future compatibility.
+ * The format should be (0) for future compatibility.
  *
  * The output @out needs to be deallocate using gnutls_free().
  *
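Review bot: "@out: Newly allocated datum with (0) terminated string" is a casualty of the mechanical zero-to-(0) replacement in the gnutls_openpgp_crt_print comment. Suggest "null-terminated string" here; "The format should be (0)" is fine because it refers to an integer argument.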
diff --git a/lib/openpgp/pgp.c b/lib/openpgp/pgp.c
index e4028c8..506081c 100644
--- a/lib/openpgp/pgp.c
+++ b/lib/openpgp/pgp.c
@@ -420,7 +420,7 @@ gnutls_openpgp_crt_get_pk_algorithm (gnutls_openpgp_crt_t 
key,
  *
  * Extract the version of the OpenPGP key.
  *
- * Returns: the version number is returned, or a negative value on errors.
+ * Returns: the version number is returned, or a negative error code on errors.
  **/
 int
 gnutls_openpgp_crt_get_version (gnutls_openpgp_crt_t key)
@@ -590,7 +590,7 @@ gnutls_openpgp_crt_check_hostname (gnutls_openpgp_crt_t key,
       if (ret == 0)
         {
           /* Length returned by gnutls_openpgp_crt_get_name includes
-             the terminating zero. */
+             the terminating (0). */
           dnsnamesize--;
 
           if (_gnutls_hostname_compare (dnsname, dnsnamesize, hostname, 0))
@@ -660,7 +660,7 @@ gnutls_openpgp_crt_get_key_usage (gnutls_openpgp_crt_t key,
  * This function will return the number of subkeys present in the
  * given OpenPGP certificate.
  *
- * Returns: the number of subkeys, or a negative value on error.
+ * Returns: the number of subkeys, or a negative error code on error.
  *
  * Since: 2.4.0
  **/
@@ -806,7 +806,7 @@ _gnutls_openpgp_find_subkey_idx (cdk_kbnode_t knode, 
uint32_t keyid[2],
  * @key: the structure that contains the OpenPGP public key.
  * @idx: is the subkey index
  *
- * Get subkey revocation status.  A negative value indicates an error.
+ * Get subkey revocation status.  A negative error code indicates an error.
  *
  * Returns: true (1) if the key has been revoked, or false (0) if it
  *   has not.
@@ -1066,7 +1066,7 @@ gnutls_openpgp_crt_get_subkey_idx (gnutls_openpgp_crt_t 
key,
  * key algorithm.  The key usage value will ORed values of
  * %GNUTLS_KEY_DIGITAL_SIGNATURE or %GNUTLS_KEY_KEY_ENCIPHERMENT.
  *
- * A negative value may be returned in case of parsing error.
+ * A negative error code may be returned in case of parsing error.
  *
  * Returns: key usage value.
  *
@@ -1403,7 +1403,7 @@ cleanup:
  * the given structure.  The new parameters will be allocated using
  * gnutls_malloc() and will be stored in the appropriate datum.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
  *
  * Since: 2.4.0
  **/
@@ -1436,7 +1436,7 @@ gnutls_openpgp_crt_get_pk_rsa_raw (gnutls_openpgp_crt_t 
crt,
  * the given certificate.  The new parameters will be allocated using
  * gnutls_malloc() and will be stored in the appropriate datum.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
  *
  * Since: 2.4.0
  **/
@@ -1469,7 +1469,7 @@ gnutls_openpgp_crt_get_pk_dsa_raw (gnutls_openpgp_crt_t 
crt,
  * the given structure.  The new parameters will be allocated using
  * gnutls_malloc() and will be stored in the appropriate datum.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
  *
  * Since: 2.4.0
  **/
@@ -1505,7 +1505,7 @@ gnutls_openpgp_crt_get_subkey_pk_rsa_raw 
(gnutls_openpgp_crt_t crt,
  * the given certificate.  The new parameters will be allocated using
  * gnutls_malloc() and will be stored in the appropriate datum.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
  *
  * Since: 2.4.0
  **/
@@ -1566,8 +1566,8 @@ gnutls_openpgp_crt_get_preferred_key_id 
(gnutls_openpgp_crt_t key,
  * This allows setting a preferred key id for the given certificate.
  * This key will be used by functions that involve key handling.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS (zero) is returned,
- *   otherwise an error code is returned.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
+ *   otherwise a negative error code is returned.
  **/
 int
 gnutls_openpgp_crt_set_preferred_key_id (gnutls_openpgp_crt_t key,
@@ -1600,14 +1600,14 @@ gnutls_openpgp_crt_set_preferred_key_id 
(gnutls_openpgp_crt_t key,
  * gnutls_openpgp_crt_get_auth_subkey:
  * @crt: the structure that contains the OpenPGP public key.
  * @keyid: the struct to save the keyid.
- * @flag: Non zero indicates that a valid subkey is always returned.
+ * @flag: Non (0) indicates that a valid subkey is always returned.
  *
  * Returns the 64-bit keyID of the first valid OpenPGP subkey marked
- * for authentication.  If flag is non zero and no authentication
+ * for authentication.  If flag is non (0) and no authentication
  * subkey exists, then a valid subkey will be returned even if it is
  * not marked for authentication.
  * Returns the 64-bit keyID of the first valid OpenPGP subkey marked
- * for authentication.  If flag is non zero and no authentication
+ * for authentication.  If flag is non (0) and no authentication
  * subkey exists, then a valid subkey will be returned even if it is
  * not marked for authentication.
  *
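Review bot: The gnutls_openpgp_crt_get_auth_subkey comment contains the same paragraph twice ("Returns the 64-bit keyID of the first valid OpenPGP subkey marked for authentication. ..."), and this hunk edits both copies instead of removing one. Drop the second copy, and consider "non-zero" rather than "non (0)" for the @flag wording.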
diff --git a/lib/openpgp/privkey.c b/lib/openpgp/privkey.c
index 28926a4..ae4a04a 100644
--- a/lib/openpgp/privkey.c
+++ b/lib/openpgp/privkey.c
@@ -107,7 +107,7 @@ gnutls_openpgp_privkey_sec_param (gnutls_openpgp_privkey_t 
key)
  * @data: The RAW or BASE64 encoded key.
  * @format: One of #gnutls_openpgp_crt_fmt_t elements.
  * @password: not used for now
- * @flags: should be zero
+ * @flags: should be (0)
  *
  * This function will convert the given RAW or Base64 encoded key to
  * the native gnutls_openpgp_privkey_t format.  The output will be
@@ -190,7 +190,7 @@ gnutls_openpgp_privkey_import (gnutls_openpgp_privkey_t key,
  * @key: Holds the key.
  * @format: One of gnutls_openpgp_crt_fmt_t elements.
  * @password: the password that will be used to encrypt the key. (unused for 
now)
- * @flags: zero for future compatibility
+ * @flags: (0) for future compatibility
  * @output_data: will contain the key base64 encoded or raw
  * @output_data_size: holds the size of output_data (and will be
  *   replaced by the actual size of parameters)
@@ -228,7 +228,7 @@ gnutls_openpgp_privkey_export (gnutls_openpgp_privkey_t key,
  * For DSA the bits returned are of the public exponent.
  *
  * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
- *   success, or a negative value on error.
+ *   success, or a negative error code on error.
  *
  * Since: 2.4.0
  **/
@@ -282,7 +282,7 @@ _gnutls_openpgp_get_algo (int cdk_algo)
  * Get revocation status of key.
  *
  * Returns: true (1) if the key has been revoked, or false (0) if it
- *   has not, or a negative value indicates an error.
+ *   has not, or a negative error code indicates an error.
  *
  * Since: 2.4.0
  **/
@@ -395,7 +395,7 @@ gnutls_openpgp_privkey_get_key_id (gnutls_openpgp_privkey_t 
key,
  * This function will return the number of subkeys present in the
  * given OpenPGP certificate.
  *
- * Returns: the number of subkeys, or a negative value on error.
+ * Returns: the number of subkeys, or a negative error code on error.
  *
  * Since: 2.4.0
  **/
@@ -452,7 +452,7 @@ _get_secret_subkey (gnutls_openpgp_privkey_t key, unsigned 
int indx)
  * Get revocation status of key.
  *
  * Returns: true (1) if the key has been revoked, or false (0) if it
- *   has not, or a negative value indicates an error.
+ *   has not, or a negative error code indicates an error.
  *
  * Since: 2.4.0
  **/
@@ -491,7 +491,7 @@ gnutls_openpgp_privkey_get_subkey_revoked_status 
(gnutls_openpgp_privkey_t
  * For DSA the bits returned are of the public exponent.
  *
  * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
- *   success, or a negative value on error.
+ *   success, or a negative error code on error.
  *
  * Since: 2.4.0
  **/
@@ -999,7 +999,7 @@ cleanup:
  * the given structure.  The new parameters will be allocated using
  * gnutls_malloc() and will be stored in the appropriate datum.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
  *
  * Since: 2.4.0
  **/
@@ -1035,7 +1035,7 @@ gnutls_openpgp_privkey_export_rsa_raw 
(gnutls_openpgp_privkey_t pkey,
  * the given certificate.  The new parameters will be allocated using
  * gnutls_malloc() and will be stored in the appropriate datum.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
  *
  * Since: 2.4.0
  **/
@@ -1073,7 +1073,7 @@ gnutls_openpgp_privkey_export_dsa_raw 
(gnutls_openpgp_privkey_t pkey,
  * the given structure.  The new parameters will be allocated using
  * gnutls_malloc() and will be stored in the appropriate datum.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
  *
  * Since: 2.4.0
  **/
@@ -1114,7 +1114,7 @@ gnutls_openpgp_privkey_export_subkey_rsa_raw 
(gnutls_openpgp_privkey_t pkey,
  * in the given certificate.  The new parameters will be allocated
  * using gnutls_malloc() and will be stored in the appropriate datum.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
  *
  * Since: 2.4.0
  **/
@@ -1216,7 +1216,7 @@ gnutls_openpgp_privkey_set_preferred_key_id 
(gnutls_openpgp_privkey_t key,
  * should use gnutls_openpgp_privkey_set_preferred_key_id() before
  * calling this function to set the subkey to use.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  *
  * Deprecated: Use gnutls_privkey_sign_hash() instead.
@@ -1281,7 +1281,7 @@ gnutls_openpgp_privkey_sign_hash 
(gnutls_openpgp_privkey_t key,
 /*-
  * _gnutls_openpgp_privkey_decrypt_data:
  * @key: Holds the key
- * @flags: zero for now
+ * @flags: (0) for now
  * @ciphertext: holds the data to be decrypted
  * @plaintext: will contain newly allocated plaintext
  *
@@ -1289,7 +1289,7 @@ gnutls_openpgp_privkey_sign_hash 
(gnutls_openpgp_privkey_t key,
  * should use gnutls_openpgp_privkey_set_preferred_key_id() before
  * calling this function to set the subkey to use.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  -*/
 int
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index cadc1f6..85ea789 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -31,6 +31,7 @@
 #include <gnutls_datum.h>
 #include <pkcs11_int.h>
 #include <p11-kit/p11-kit.h>
+#include <p11-kit/pin.h>
 
 #define MAX_PROVIDERS 16
 
@@ -239,7 +240,7 @@ fail:
  * list used in gnutls. After this function is called the module will
  * be used for PKCS 11 operations.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -285,7 +286,7 @@ gnutls_pkcs11_add_provider (const char *name, const char 
*params)
  * output is text it returns null terminated string although %output_size 
contains
  * the size of the actual data only.
  *
- * Returns: zero on success or a negative value on error.
+ * Returns: %GNUTLS_E_SUCCESS (0) on success or a negative error code on error.
  **/
 int
 gnutls_pkcs11_obj_get_info (gnutls_pkcs11_obj_t crt,
@@ -414,6 +415,50 @@ pkcs11_get_info (struct p11_kit_uri *info,
 
 static int init = 0;
 
+/* tries to load modules from /etc/gnutls/pkcs11.conf if it exists
+ */
+static void _pkcs11_compat_init(void)
+{
+FILE *fp;
+int ret;
+char line[512];
+const char *library;
+const char* configfile = "/etc/gnutls/pkcs11.conf";
+
+  fp = fopen (configfile, "r");
+  if (fp == NULL)
+    {
+       gnutls_assert ();
+       return;
+    }
+ 
+  while (fgets (line, sizeof (line), fp) != NULL)
+    {
+      if (strncmp (line, "load", sizeof ("load") - 1) == 0)
+        {
+          char *p;
+          p = strchr (line, '=');
+          if (p == NULL)
+            continue;
+
+          library = ++p;
+          p = strchr (line, '\n');
+          if (p != NULL)
+            *p = 0;
+
+          ret = gnutls_pkcs11_add_provider (library, NULL);
+          if (ret < 0)
+            {
+              gnutls_assert ();
+              _gnutls_debug_log ("Cannot load provider: %s\n", library);
+              continue;
+            }
+        }
+    }
+  fclose(fp);
+
+  return;
+}
 
 /**
  * gnutls_pkcs11_init:
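Review bot: The parser in _pkcs11_compat_init does no validation of the line before handing the value to gnutls_pkcs11_add_provider, which loads it as a provider module. The strncmp on "load" is a prefix match, so any key that merely starts with "load" is accepted; the value is taken verbatim after '=', so leading spaces or a trailing '\r' become part of the library path; and a line longer than sizeof (line) - 1 is split by fgets, with the tail parsed as if it were a new line. Suggest matching the key exactly, trimming whitespace around the value, and skipping over-long lines. Also, gnutls_assert () fires when /etc/gnutls/pkcs11.conf is absent, which the comment says is a normal case ("if it exists"), and the comment should state that the file is expected to be writable only by the administrator since it controls which modules are loaded into the process.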
@@ -429,7 +474,7 @@ static int init = 0;
  * by gnutls_global_init() using the %GNUTLS_PKCS11_FLAG_AUTO. If other option
  * is required then it must be called before it.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -449,7 +494,7 @@ gnutls_pkcs11_init (unsigned int flags, const char 
*configfile)
 
   if (flags == GNUTLS_PKCS11_FLAG_MANUAL)
     return 0;
-  else
+  else if (flags == GNUTLS_PKCS11_FLAG_AUTO)
     {
       rv = p11_kit_initialize_registered ();
       if (rv != CKR_OK)
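Review bot: Changing the bare else to "else if (flags == GNUTLS_PKCS11_FLAG_AUTO)" means any flags value other than MANUAL or AUTO now falls through to the final return 0 with no providers initialized and no error. Either keep the else so unknown values default to automatic loading, or add a final else that returns an error for unrecognized flags, and document which behaviour is intended in the gnutls_pkcs11_init comment.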
@@ -474,6 +519,8 @@ gnutls_pkcs11_init (unsigned int flags, const char 
*configfile)
             }
         }
       free (modules);
+
+      _pkcs11_compat_init();
     }
 
   return 0;
@@ -536,7 +583,7 @@ gnutls_pkcs11_deinit (void)
  * first such invocation, the 'attempt' counter will have value zero;
  * it will increase by one for each subsequent attempt.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 void
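Review bot: The Returns line being updated here documents %GNUTLS_E_SUCCESS (0) and a negative error value, but the function that follows is declared void (gnutls_pkcs11_set_pin_function per the next hunk header). Remove the Returns paragraph rather than refining it; the following hunk, for the token callback setter, has the same mismatch.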
@@ -555,7 +602,7 @@ gnutls_pkcs11_set_pin_function 
(gnutls_pkcs11_pin_callback_t fn,
  * This function will set a callback function to be used when a token
  * needs to be inserted to continue PKCS 11 operations.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 void
@@ -636,7 +683,7 @@ pkcs11_info_to_url (struct p11_kit_uri *info,
  *
  * This function will initialize a pkcs11 certificate structure.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -692,8 +739,8 @@ gnutls_pkcs11_obj_deinit (gnutls_pkcs11_obj_t obj)
  * If the structure is PEM encoded, it will have a header
  * of "BEGIN CERTIFICATE".
  *
- * Return value: In case of failure a negative value will be
- *   returned, and 0 on success.
+ * Returns: In case of failure a negative error code will be
+ *   returned, and %GNUTLS_E_SUCCESS (0) on success.
  **/
 int
 gnutls_pkcs11_obj_export (gnutls_pkcs11_obj_t obj,
@@ -845,7 +892,7 @@ pkcs11_open_session (struct ck_function_list ** _module, 
ck_session_handle_t * _
 
   if (flags & SESSION_LOGIN)
     {
-      ret = pkcs11_login (module, pks, &tinfo, (flags & SESSION_SO) ? 1 : 0);
+      ret = pkcs11_login (module, pks, &tinfo, info, (flags & SESSION_SO) ? 1 
: 0);
       if (ret < 0)
         {
           gnutls_assert ();
@@ -863,7 +910,7 @@ pkcs11_open_session (struct ck_function_list ** _module, 
ck_session_handle_t * _
 
 int
 _pkcs11_traverse_tokens (find_func_t find_func, void *input,
-                         unsigned int flags)
+                         struct p11_kit_uri *info, unsigned int flags)
 {
   ck_rv_t rv;
   int found = 0, x, z, ret;
@@ -875,20 +922,20 @@ _pkcs11_traverse_tokens (find_func_t find_func, void 
*input,
       module = providers[x].module;
       for (z = 0; z < providers[x].nslots; z++)
         {
-          struct token_info info;
+          struct token_info tinfo;
 
           ret = GNUTLS_E_PKCS11_ERROR;
 
           if (pkcs11_get_token_info (module, providers[x].slots[z],
-               &info.tinfo) != CKR_OK)
+               &tinfo.tinfo) != CKR_OK)
             {
               continue;
             }
-          info.sid = providers[x].slots[z];
-          info.prov = &providers[x];
+          tinfo.sid = providers[x].slots[z];
+          tinfo.prov = &providers[x];
 
           if (pkcs11_get_slot_info (module, providers[x].slots[z],
-               &info.sinfo) != CKR_OK)
+               &tinfo.sinfo) != CKR_OK)
             {
               continue;
             }
@@ -904,7 +951,7 @@ _pkcs11_traverse_tokens (find_func_t find_func, void *input,
 
           if (flags & SESSION_LOGIN)
             {
-              ret = pkcs11_login (module, pks, &info, (flags & SESSION_SO) ? 1 
: 0);
+              ret = pkcs11_login (module, pks, &tinfo, info, (flags & 
SESSION_SO) ? 1 : 0);
               if (ret < 0)
                 {
                   gnutls_assert ();
@@ -912,7 +959,7 @@ _pkcs11_traverse_tokens (find_func_t find_func, void *input,
                 }
             }
 
-          ret = find_func (module, pks, &info, &providers[x].info, input);
+          ret = find_func (module, pks, &tinfo, &providers[x].info, input);
 
           if (ret == 0)
             {
@@ -1411,7 +1458,7 @@ pkcs11_obj_flags_to_int (unsigned int flags)
  * parsing (such as X.509 or OpenPGP) since the #gnutls_pkcs11_obj_t is
  * format agnostic. Only data are transferred.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -1432,7 +1479,7 @@ gnutls_pkcs11_obj_import_url (gnutls_pkcs11_obj_t cert, 
const char *url,
     }
 
   ret =
-    _pkcs11_traverse_tokens (find_obj_url, &find_data,
+    _pkcs11_traverse_tokens (find_obj_url, &find_data, cert->info,
                              pkcs11_obj_flags_to_int (flags));
 
   if (ret < 0)
@@ -1488,7 +1535,7 @@ find_token_num (struct ck_function_list *module,
  * This function will return the URL for each token available
  * in system. The url has to be released using gnutls_free()
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, 
%GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, 
%GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
  * if the sequence number exceeds the available tokens, otherwise a negative 
error value.
  **/
 
@@ -1503,7 +1550,7 @@ gnutls_pkcs11_token_get_url (unsigned int seq,
   tn.seq = seq;
   tn.info = p11_kit_uri_new ();
 
-  ret = _pkcs11_traverse_tokens (find_token_num, &tn, 0);
+  ret = _pkcs11_traverse_tokens (find_token_num, &tn, NULL, 0);
   if (ret < 0)
     {
       p11_kit_uri_free (tn.info);
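Review bot: Passing NULL as the new info argument in gnutls_pkcs11_token_get_url is only safe because flags is 0 here, so the SESSION_LOGIN branch of _pkcs11_traverse_tokens is never taken. retrieve_pin calls p11_kit_uri_get_pinfile (info) with no NULL check of its own in this patch, so a later caller that passes NULL together with SESSION_LOGIN would hand a NULL URI to that call. Suggest guarding with "if (info != NULL)" in retrieve_pin before the pinfile lookup, and noting in the _pkcs11_traverse_tokens comment that info may be NULL.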
@@ -1534,7 +1581,7 @@ gnutls_pkcs11_token_get_url (unsigned int seq,
  * This function will return information about the PKCS 11 token such
  * as the label, id as well as token information where the key is stored.
  *
- * Returns: zero on success or a negative value on error.
+ * Returns: %GNUTLS_E_SUCCESS (0) on success or a negative error code on error.
  **/
 int
 gnutls_pkcs11_token_get_info (const char *url,
@@ -1603,7 +1650,7 @@ gnutls_pkcs11_token_get_info (const char *url,
  *
  * This function will export a URL identifying the given certificate.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -1643,39 +1690,193 @@ struct pkey_list
   size_t key_ids_size;
 };
 
-int
-pkcs11_login (struct ck_function_list * module, ck_session_handle_t pks,
-              const struct token_info *info, int so)
+
+static int
+retrieve_pin_for_pinfile (const char *pinfile, struct ck_token_info 
*token_info,
+                          int attempts, ck_user_type_t user_type, struct 
p11_kit_pin **pin)
 {
-  int attempt = 0, ret;
-  ck_rv_t rv;
-  char *token_url;
-  int pin_len;
-  struct p11_kit_uri *uinfo;
+  unsigned int flags = 0;
+  struct p11_kit_uri *token_uri;
+  struct p11_kit_pin *result;
   char *label;
 
-  if (so == 0 && (info->tinfo.flags & CKF_LOGIN_REQUIRED) == 0)
+  label = p11_kit_space_strdup (token_info->label, sizeof (token_info->label));
+  if (label == NULL)
     {
       gnutls_assert ();
-      _gnutls_debug_log ("pk11: No login required.\n");
-      return 0;
+      return GNUTLS_E_MEMORY_ERROR;
+    }
+
+  token_uri = p11_kit_uri_new ();
+  if (token_uri == NULL)
+    {
+      free (label);
+      gnutls_assert ();
+      return GNUTLS_E_MEMORY_ERROR;
+    }
+
+  memcpy (p11_kit_uri_get_token_info (token_uri), token_info,
+          sizeof (struct ck_token_info));
+
+  if (attempts)
+    flags |= P11_KIT_PIN_FLAGS_RETRY;
+  if (user_type == CKU_USER)
+    {
+      flags |= P11_KIT_PIN_FLAGS_USER_LOGIN;
+      if (token_info->flags & CKF_USER_PIN_COUNT_LOW)
+        flags |= P11_KIT_PIN_FLAGS_MANY_TRIES;
+      if (token_info->flags & CKF_USER_PIN_FINAL_TRY)
+        flags |= P11_KIT_PIN_FLAGS_FINAL_TRY;
+    }
+  else if (user_type == CKU_SO)
+    {
+      flags |= P11_KIT_PIN_FLAGS_SO_LOGIN;
+      if (token_info->flags & CKF_SO_PIN_COUNT_LOW)
+        flags |= P11_KIT_PIN_FLAGS_MANY_TRIES;
+      if (token_info->flags & CKF_SO_PIN_FINAL_TRY)
+        flags |= P11_KIT_PIN_FLAGS_FINAL_TRY;
+    }
+  else if (user_type == CKU_CONTEXT_SPECIFIC)
+    {
+      flags |= P11_KIT_PIN_FLAGS_CONTEXT_LOGIN;
     }
 
-  uinfo = p11_kit_uri_new ();
-  memcpy (p11_kit_uri_get_token_info (uinfo), &info->tinfo, sizeof (struct 
ck_token_info));
-  ret = pkcs11_info_to_url (uinfo, 1, &token_url);
-  p11_kit_uri_free (uinfo);
+  result = p11_kit_pin_request (pinfile, token_uri, label, flags);
+  p11_kit_uri_free (token_uri);
+  free (label);
+
+  if (result == NULL)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_PKCS11_PIN_ERROR;
+    }
+
+  *pin = result;
+  return 0;
+}
+
+static int
+retrieve_pin_for_callback (struct ck_token_info *token_info, int attempts,
+                           ck_user_type_t user_type, struct p11_kit_pin **pin)
+{
+  char pin_value[GNUTLS_PKCS11_MAX_PIN_LEN];
+  unsigned int flags = 0;
+  char *token_str;
+  char *label;
+  struct p11_kit_uri *token_uri;
+  int ret = 0;
+
+  label = p11_kit_space_strdup (token_info->label, sizeof (token_info->label));
+  if (label == NULL)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_MEMORY_ERROR;
+    }
+
+  token_uri = p11_kit_uri_new ();
+  if (token_uri == NULL)
+    {
+      free (label);
+      gnutls_assert ();
+      return GNUTLS_E_MEMORY_ERROR;
+    }
+
+  memcpy (p11_kit_uri_get_token_info (token_uri), token_info,
+          sizeof (struct ck_token_info));
+  ret = pkcs11_info_to_url (token_uri, 1, &token_str);
+  p11_kit_uri_free (token_uri);
 
   if (ret < 0)
     {
+      free (label);
       gnutls_assert ();
-      return ret;
+      return GNUTLS_E_MEMORY_ERROR;
+    }
+
+  if (user_type == CKU_USER)
+    {
+      flags |= GNUTLS_PKCS11_PIN_USER;
+      if (token_info->flags & CKF_USER_PIN_COUNT_LOW)
+        flags |= GNUTLS_PKCS11_PIN_COUNT_LOW;
+      if (token_info->flags & CKF_USER_PIN_FINAL_TRY)
+        flags |= GNUTLS_PKCS11_PIN_FINAL_TRY;
+    }
+  else if (user_type == CKU_SO)
+    {
+      flags |= GNUTLS_PKCS11_PIN_SO;
+      if (token_info->flags & CKF_SO_PIN_COUNT_LOW)
+        flags |= GNUTLS_PKCS11_PIN_COUNT_LOW;
+      if (token_info->flags & CKF_SO_PIN_FINAL_TRY)
+        flags |= GNUTLS_PKCS11_PIN_FINAL_TRY;
+    }
+
+  ret = pin_func (pin_data, attempts, (char*)token_str, label,
+                  flags, pin_value, GNUTLS_PKCS11_MAX_PIN_LEN);
+  free (token_str);
+  free (label);
+
+  if (ret < 0)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_PKCS11_PIN_ERROR;
+    }
+
+  *pin = p11_kit_pin_new_for_string (pin_value);
+
+  /* Try to scrub the pin off the stack.  Clever compilers will
+   * probably optimize this away, oh well. */
+  memset (pin, 0, sizeof pin);
+
+  return 0;
+}
+
+static int
+retrieve_pin (struct p11_kit_uri *info, struct ck_token_info *token_info,
+              int attempts, ck_user_type_t user_type, struct p11_kit_pin **pin)
+{
+  const char *pinfile;
+
+  *pin = NULL;
+
+  /* Check if a pinfile is specified, and use that if possible */
+  pinfile = p11_kit_uri_get_pinfile (info);
+  if (pinfile != NULL)
+    return retrieve_pin_for_pinfile (pinfile, token_info, attempts, user_type, 
pin);
+
+  /* The global gnutls pin callback */
+  else if (pin_func)
+    return retrieve_pin_for_callback (token_info, attempts, user_type, pin);
+
+  /* Otherwise, PIN entry is necessary for login, so fail if there's
+   * no callback. */
+  else
+    {
+      gnutls_assert ();
+      _gnutls_debug_log ("pk11: No pin callback but login required.\n");
+      return GNUTLS_E_PKCS11_ERROR;
+    }
+}
+
+int
+pkcs11_login (struct ck_function_list * module, ck_session_handle_t pks,
+              const struct token_info *tokinfo, struct p11_kit_uri *info, int 
so)
+{
+  int attempt = 0, ret;
+  ck_user_type_t user_type;
+  ck_rv_t rv;
+
+  user_type = (so == 0) ? CKU_USER : CKU_SO;
+  if (so == 0 && (tokinfo->tinfo.flags & CKF_LOGIN_REQUIRED) == 0)
+    {
+      gnutls_assert ();
+      _gnutls_debug_log ("pk11: No login required.\n");
+      return 0;
     }
 
   /* For a token with a "protected" (out-of-band) authentication
    * path, calling login with a NULL username is all that is
    * required. */
-  if (info->tinfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
+  if (tokinfo->tinfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
     {
       rv = (module)->C_Login (pks, (so == 0) ? CKU_USER : CKU_SO, NULL, 0);
       if (rv == CKR_OK || rv == CKR_USER_ALREADY_LOGGED_IN)
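Review bot: In retrieve_pin_for_callback, "memset (pin, 0, sizeof pin);" scrubs the wrong object. pin is now the struct p11_kit_pin ** output parameter, so this writes pointer-sized zeros over *pin, discarding the object just returned by p11_kit_pin_new_for_string (the function then returns 0 with *pin cleared), while the actual secret in pin_value stays on the stack. It should be "memset (pin_value, 0, sizeof pin_value);", ideally through a routine the compiler cannot elide, given the comment's own caveat. The result of p11_kit_pin_new_for_string should also be checked for NULL before returning success, and a failure of pkcs11_info_to_url is reported as GNUTLS_E_MEMORY_ERROR instead of propagating ret.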
@@ -1691,30 +1892,19 @@ pkcs11_login (struct ck_function_list * module, 
ck_session_handle_t pks,
         }
     }
 
-  /* Otherwise, PIN entry is necessary for login, so fail if there's
-   * no callback. */
-  if (!pin_func)
-    {
-      gnutls_assert ();
-      _gnutls_debug_log ("pk11: No pin callback but login required.\n");
-      ret = GNUTLS_E_PKCS11_ERROR;
-      goto cleanup;
-    }
-
   do
     {
+      struct p11_kit_pin *pin;
       struct ck_token_info tinfo;
-      char pin[GNUTLS_PKCS11_MAX_PIN_LEN];
-      unsigned int flags;
 
-      memcpy(&tinfo, &info->tinfo, sizeof(tinfo));
+      memcpy (&tinfo, &tokinfo->tinfo, sizeof(tinfo));
 
       /* If login has been attempted once already, check the token
        * status again, the flags might change. */
       if (attempt)
         {
           if (pkcs11_get_token_info
-              (info->prov->module, info->sid, &tinfo) != CKR_OK)
+              (tokinfo->prov->module, tokinfo->sid, &tinfo) != CKR_OK)
             {
               gnutls_assert ();
               _gnutls_debug_log ("pk11: GetTokenInfo failed\n");
@@ -1723,43 +1913,18 @@ pkcs11_login (struct ck_function_list * module, 
ck_session_handle_t pks,
             }
         }
 
-      flags = 0;
-      if (so == 0)
-        {
-          flags |= GNUTLS_PKCS11_PIN_USER;
-          if (tinfo.flags & CKF_USER_PIN_COUNT_LOW)
-            flags |= GNUTLS_PKCS11_PIN_COUNT_LOW;
-          if (tinfo.flags & CKF_USER_PIN_FINAL_TRY)
-            flags |= GNUTLS_PKCS11_PIN_FINAL_TRY;
-        }
-      else
-        {
-          flags |= GNUTLS_PKCS11_PIN_SO;
-          if (tinfo.flags & CKF_SO_PIN_COUNT_LOW)
-            flags |= GNUTLS_PKCS11_PIN_COUNT_LOW;
-          if (tinfo.flags & CKF_SO_PIN_FINAL_TRY)
-            flags |= GNUTLS_PKCS11_PIN_FINAL_TRY;
-        }
-
-      label = p11_kit_space_strdup (info->tinfo.label, sizeof 
(info->tinfo.label));
-      ret = pin_func (pin_data, attempt++,
-                      (char *) token_url, label, flags, pin, sizeof (pin));
-      free (label);
-
+      ret = retrieve_pin (info, &tinfo, attempt, user_type, &pin);
       if (ret < 0)
         {
           gnutls_assert ();
-          ret = GNUTLS_E_PKCS11_PIN_ERROR;
           goto cleanup;
         }
-      pin_len = strlen (pin);
 
-      rv = (module)->C_Login (pks, (so == 0) ? CKU_USER : CKU_SO,
-                           (unsigned char *) pin, pin_len);
+      rv = (module)->C_Login (pks, user_type,
+                              (unsigned char *)p11_kit_pin_get_value (pin, 
NULL),
+                              p11_kit_pin_get_length (pin));
 
-      /* Try to scrub the pin off the stack.  Clever compilers will
-       * probably optimize this away, oh well. */
-      memset (pin, 0, sizeof pin);
+      p11_kit_pin_unref (pin);
     }
   while (rv == CKR_PIN_INCORRECT);
 
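Review bot: the old call passed attempt++ to pin_func, but the new call "retrieve_pin (info, &tinfo, attempt, user_type, &pin)" passes attempt by value and nothing visible in the loop increments it. If that is the case, the "if (attempt)" refresh of the token flags never runs after a CKR_PIN_INCORRECT and the PIN provider always sees attempt 0; pass attempt++ or increment it after the call. Separately, the explicit memset of the PIN buffer is gone, so a short comment saying that p11_kit_pin_unref is expected to release (and scrub) the value would help, as would a note that callers now receive whatever retrieve_pin returns instead of GNUTLS_E_PKCS11_PIN_ERROR.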
@@ -1770,7 +1935,6 @@ pkcs11_login (struct ck_function_list * module, 
ck_session_handle_t pks,
          || rv == CKR_USER_ALREADY_LOGGED_IN) ? 0 : pkcs11_rv_to_err (rv);
 
 cleanup:
-  gnutls_free (token_url);
   return ret;
 }
 
@@ -2191,7 +2355,7 @@ fail:
  * This function will initialize and set values to an object list
  * by using all objects identified by a PKCS 11 URL.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -2225,7 +2389,7 @@ gnutls_pkcs11_obj_list_import_url (gnutls_pkcs11_obj_t * 
p_list,
     }
 
   ret =
-    _pkcs11_traverse_tokens (find_objs, &find_data,
+    _pkcs11_traverse_tokens (find_objs, &find_data, find_data.info,
                              pkcs11_obj_flags_to_int (flags));
   p11_kit_uri_free (find_data.info);
 
@@ -2248,7 +2412,7 @@ gnutls_pkcs11_obj_list_import_url (gnutls_pkcs11_obj_t * 
p_list,
  * without involving the #gnutls_pkcs11_obj_t structure. This function will
  * fail if the certificate stored is not of X.509 type.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -2296,7 +2460,7 @@ cleanup:
  * This function will import a PKCS 11 certificate to a #gnutls_x509_crt_t
  * structure.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -2316,7 +2480,7 @@ gnutls_x509_crt_import_pkcs11 (gnutls_x509_crt_t crt,
  * This function will import a PKCS 11 certificate list to a list of 
  * #gnutls_x509_crt_t structure. These must not be initialized.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -2391,7 +2555,7 @@ find_flags (struct ck_function_list * module, 
ck_session_handle_t pks,
  *
  * This function will return information about the PKCS 11 token flags.
  *
- * Returns: zero on success or a negative value on error.
+ * Returns: %GNUTLS_E_SUCCESS (0) on success or a negative error code on error.
  **/
 int
 gnutls_pkcs11_token_get_flags (const char *url, unsigned int *flags)
@@ -2407,7 +2571,7 @@ gnutls_pkcs11_token_get_flags (const char *url, unsigned 
int *flags)
       return ret;
     }
 
-  ret = _pkcs11_traverse_tokens (find_flags, &find_data, 0);
+  ret = _pkcs11_traverse_tokens (find_flags, &find_data, find_data.info, 0);
   p11_kit_uri_free (find_data.info);
 
   if (ret < 0)
@@ -2435,7 +2599,7 @@ gnutls_pkcs11_token_get_flags (const char *url, unsigned 
int *flags)
  * by the token. It should be called with an increasing index until
  * it return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE.
  *
- * Returns: zero on success or a negative value on error.
+ * Returns: %GNUTLS_E_SUCCESS (0) on success or a negative error code on error.
  **/
 int
 gnutls_pkcs11_token_get_mechanism (const char *url, int idx,
diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h
index 7ff7869..cd62904 100644
--- a/lib/pkcs11_int.h
+++ b/lib/pkcs11_int.h
@@ -53,7 +53,7 @@ int pkcs11_get_info (struct p11_kit_uri *info,
                      gnutls_pkcs11_obj_info_t itype, void *output,
                      size_t * output_size);
 int pkcs11_login (struct ck_function_list * module, ck_session_handle_t pks,
-                  const struct token_info *info, int admin);
+                  const struct token_info *tinfo, struct p11_kit_uri *info, 
int admin);
 
 int pkcs11_call_token_func (struct p11_kit_uri *info, const unsigned retry);
 
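Review bot: the prototype names the struct token_info parameter tinfo, while the pkcs11_login hunks in lib/pkcs11.c use tokinfo for it and keep tinfo for the local struct ck_token_info. The name info also changes meaning here, from the token_info to the p11_kit_uri. Please use tokinfo in the header as well so the declaration and definition match.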
@@ -70,7 +70,7 @@ int pkcs11_info_to_url (struct p11_kit_uri *info,
 int pkcs11_open_session (struct ck_function_list **_module, 
ck_session_handle_t * _pks,
                          struct p11_kit_uri *info, unsigned int flags);
 int _pkcs11_traverse_tokens (find_func_t find_func, void *input,
-                             unsigned int flags);
+                             struct p11_kit_uri *info, unsigned int flags);
 ck_object_class_t pkcs11_strtype_to_class (const char *type);
 
 int pkcs11_token_matches_info (struct p11_kit_uri *info,
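Review bot: _pkcs11_traverse_tokens gains a struct p11_kit_uri *info argument without any comment on what it is used for or whether NULL is accepted. Every caller shown in this diff passes find_data.info, so a one-line description of the parameter in the header would make the contract clear for future callers.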
diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
index ab2672d..e1eea0f 100644
--- a/lib/pkcs11_privkey.c
+++ b/lib/pkcs11_privkey.c
@@ -33,6 +33,8 @@ struct gnutls_pkcs11_privkey_st
   gnutls_pk_algorithm_t pk_algorithm;
   unsigned int flags;
   struct p11_kit_uri *info;
+  gnutls_pkcs11_pin_callback_t pin_func;
+  void *pin_data;
 };
 
 /**
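Review bot: pin_func and pin_data are added to struct gnutls_pkcs11_privkey_st, but the remaining hunks for lib/pkcs11_privkey.c shown here are documentation-only and none of them sets or reads the new fields. Either include the setter and the code that uses them in the same change, or leave the fields out until they are wired up, and document who owns pin_data.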
@@ -41,7 +43,7 @@ struct gnutls_pkcs11_privkey_st
  *
  * This function will initialize an private key structure.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -87,7 +89,7 @@ gnutls_pkcs11_privkey_deinit (gnutls_pkcs11_privkey_t key)
  * key.
  *
  * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
- *   success, or a negative value on error.
+ *   success, or a negative error code on error.
  **/
 int
 gnutls_pkcs11_privkey_get_pk_algorithm (gnutls_pkcs11_privkey_t key,
@@ -110,7 +112,7 @@ gnutls_pkcs11_privkey_get_pk_algorithm 
(gnutls_pkcs11_privkey_t key,
  * output is text it returns null terminated string although #output_size 
contains
  * the size of the actual data only.
  *
- * Returns: zero on success or a negative value on error.
+ * Returns: %GNUTLS_E_SUCCESS (0) on success or a negative error code on error.
  **/
 int
 gnutls_pkcs11_privkey_get_info (gnutls_pkcs11_privkey_t pkey,
@@ -148,7 +150,7 @@ gnutls_pkcs11_privkey_get_info (gnutls_pkcs11_privkey_t 
pkey,
  * supported by the private key. It is assumed that the given data
  * are the output of a hash function.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  -*/
 int
@@ -223,7 +225,7 @@ cleanup:
  * in most cases keys cannot be exported, the private key structure
  * is being associated with the available operations on the token.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -302,7 +304,7 @@ cleanup:
  * This function will decrypt the given data using the public key algorithm
  * supported by the private key. 
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  -*/
 int
@@ -377,7 +379,7 @@ cleanup:
  *
  * This function will export a URL identifying the given key.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
diff --git a/lib/pkcs11_secret.c b/lib/pkcs11_secret.c
index 44fc281..63afa53 100644
--- a/lib/pkcs11_secret.c
+++ b/lib/pkcs11_secret.c
@@ -38,7 +38,7 @@
  * This function will copy a raw secret (symmetric) key into a PKCS #11 
  * token specified by a URL. The key can be marked as sensitive or not.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c
index ea555ca..3665454 100644
--- a/lib/pkcs11_write.c
+++ b/lib/pkcs11_write.c
@@ -39,7 +39,7 @@ static const ck_bool_t fval = 0;
  * This function will copy a certificate into a PKCS #11 token specified by
  * a URL. The certificate can be marked as trusted or not.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -214,7 +214,7 @@ cleanup:
  * a URL. It is highly recommended flags to contain 
%GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE
  * unless there is a strong reason not to.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -626,7 +626,7 @@ gnutls_pkcs11_delete_url (const char *object_url, unsigned 
int flags)
     }
 
   ret =
-    _pkcs11_traverse_tokens (delete_obj_url, &find_data,
+    _pkcs11_traverse_tokens (delete_obj_url, &find_data, find_data.info,
                              SESSION_WRITE | pkcs11_obj_flags_to_int (flags));
   p11_kit_uri_free (find_data.info);
 
@@ -650,7 +650,7 @@ gnutls_pkcs11_delete_url (const char *object_url, unsigned 
int flags)
  * at a factory defaults state the security officer's PIN given will be
  * set to be the default. Otherwise it should match the officer's PIN.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -710,7 +710,7 @@ gnutls_pkcs11_token_init (const char *token_url,
  * If it is called to set a user pin for first time the oldpin must
  * be NULL.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
diff --git a/lib/random.c b/lib/random.c
index 1e4af0e..0486732 100644
--- a/lib/random.c
+++ b/lib/random.c
@@ -64,7 +64,7 @@ _gnutls_rnd_deinit (void)
  * This function will generate random data and store it
  * to output buffer.
  *
- * Returns: Zero or a negative value on error.
+ * Returns: Zero or a negative error code on error.
  *
  **/
 
diff --git a/lib/x509/common.c b/lib/x509/common.c
index 55543be..52b7436 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -1092,7 +1092,7 @@ _gnutls_x509_der_encode_and_copy (ASN1_TYPE src, const 
char *src_name,
 }
 
 /* Writes the value of the datum in the given ASN1_TYPE. If str is non
- * zero it encodes it as OCTET STRING.
+ * (0) it encodes it as OCTET STRING.
  */
 int
 _gnutls_x509_write_value (ASN1_TYPE c, const char *root,
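Review bot: "If str is non (0) it encodes it as OCTET STRING" reads worse than the original "non zero"; the mechanical zero to (0) substitution should skip this comment or reword it as "If str is not zero". The same "non (0)" wording shows up in the @raw_flag and @critical descriptions in lib/x509/crl.c and lib/x509/crq.c.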
@@ -1348,7 +1348,7 @@ cleanup:
  * enumeration that is the signature algorithm that has been used to
  * sign this certificate.
  *
- * Returns: a #gnutls_sign_algorithm_t value, or a negative value on
+ * Returns: a #gnutls_sign_algorithm_t value, or a negative error code on
  *   error.
  -*/
 int
diff --git a/lib/x509/crl.c b/lib/x509/crl.c
index 761551c..57decfc 100644
--- a/lib/x509/crl.c
+++ b/lib/x509/crl.c
@@ -44,7 +44,7 @@
  * Authority. The revocation lists are always signed with the
  * authority's private key.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -97,7 +97,7 @@ gnutls_x509_crl_deinit (gnutls_x509_crl_t crl)
  *
  * If the CRL is PEM encoded it should have a header of "X509 CRL".
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -197,8 +197,8 @@ gnutls_x509_crl_get_issuer_dn (const gnutls_x509_crl_t crl, 
char *buf,
  * gnutls_x509_crl_get_issuer_dn_by_oid:
  * @crl: should contain a gnutls_x509_crl_t structure
  * @oid: holds an Object Identified in null terminated string
- * @indx: In case multiple same OIDs exist in the RDN, this specifies which to 
send. Use zero to get the first one.
- * @raw_flag: If non zero returns the raw DER data of the DN part.
+ * @indx: In case multiple same OIDs exist in the RDN, this specifies which to 
send. Use (0) to get the first one.
+ * @raw_flag: If non (0) returns the raw DER data of the DN part.
  * @buf: a pointer to a structure to hold the peer's name (may be null)
  * @sizeof_buf: initially holds the size of @buf
  *
@@ -208,7 +208,7 @@ gnutls_x509_crl_get_issuer_dn (const gnutls_x509_crl_t crl, 
char *buf,
  * depending on the certificate data.
  *
  * Some helper macros with popular OIDs can be found in gnutls/x509.h
- * If raw flag is zero, this function will only return known OIDs as
+ * If raw flag is (0), this function will only return known OIDs as
  * text. Other OIDs will be DER encoded, as described in RFC2253 -- in
  * hex format with a '\#' prefix.  You can check about known OIDs
  * using gnutls_x509_dn_oid_known().
@@ -239,7 +239,7 @@ gnutls_x509_crl_get_issuer_dn_by_oid (gnutls_x509_crl_t crl,
 /**
  * gnutls_x509_crl_get_dn_oid:
  * @crl: should contain a gnutls_x509_crl_t structure
- * @indx: Specifies which DN OID to send. Use zero to get the first one.
+ * @indx: Specifies which DN OID to send. Use (0) to get the first one.
  * @oid: a pointer to a structure to hold the name (may be null)
  * @sizeof_oid: initially holds the size of 'oid'
  *
@@ -275,7 +275,7 @@ gnutls_x509_crl_get_dn_oid (gnutls_x509_crl_t crl,
  * This function will return a value of the #gnutls_sign_algorithm_t
  * enumeration that is the signature algorithm.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -319,8 +319,8 @@ gnutls_x509_crl_get_signature_algorithm (gnutls_x509_crl_t 
crl)
  *
  * This function will extract the signature field of a CRL.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
- *   negative error value. and a negative value on error.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error value. and a negative error code on error.
  **/
 int
 gnutls_x509_crl_get_signature (gnutls_x509_crl_t crl,
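Review bot: the Returns text keeps the leftover fragment and now reads "negative error value. and a negative error code on error."; since the line is being edited anyway, drop everything after "negative error value." The same fragment is carried over in the gnutls_x509_crl_get_crt_serial and gnutls_x509_crl_export hunks further down in this file.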
@@ -374,7 +374,7 @@ gnutls_x509_crl_get_signature (gnutls_x509_crl_t crl,
  *
  * This function will return the version of the specified CRL.
  *
- * Returns: The version number, or a negative value on error.
+ * Returns: The version number, or a negative error code on error.
  **/
 int
 gnutls_x509_crl_get_version (gnutls_x509_crl_t crl)
@@ -449,7 +449,7 @@ gnutls_x509_crl_get_next_update (gnutls_x509_crl_t crl)
  * This function will return the number of revoked certificates in the
  * given CRL.
  *
- * Returns: number of certificates, a negative value on failure.
+ * Returns: number of certificates, a negative error code on failure.
  **/
 int
 gnutls_x509_crl_get_crt_count (gnutls_x509_crl_t crl)
@@ -487,8 +487,8 @@ gnutls_x509_crl_get_crt_count (gnutls_x509_crl_t crl)
  * This function will retrieve the serial number of the specified, by
  * the index, revoked certificate.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
- *   negative error value. and a negative value on error.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error value. and a negative error code on error.
  **/
 int
 gnutls_x509_crl_get_crt_serial (gnutls_x509_crl_t crl, int indx,
@@ -539,7 +539,7 @@ gnutls_x509_crl_get_crt_serial (gnutls_x509_crl_t crl, int 
indx,
  * This function will return a pointer to the DER encoded DN structure
  * and the length.
  *
- * Returns: a negative value on error, and zero on success.
+ * Returns: a negative error code on error, and (0) on success.
  *
  * Since: 2.12.0
  **/
@@ -627,8 +627,8 @@ cleanup:
  * If the structure is PEM encoded, it will have a header
  * of "BEGIN X509 CRL".
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
- *   negative error value. and a negative value on failure.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error value. and a negative error code on failure.
  **/
 int
 gnutls_x509_crl_export (gnutls_x509_crl_t crl,
@@ -652,7 +652,7 @@ gnutls_x509_crl_export (gnutls_x509_crl_t crl,
  *
  * This function will copy an X.509 certificate structure.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  -*/
 int
@@ -706,7 +706,7 @@ _gnutls_x509_crl_cpy (gnutls_x509_crl_t dest, 
gnutls_x509_crl_t src)
  * @crl: should contain a #gnutls_x509_crl_t structure
  * @ret: The place where the identifier will be copied
  * @ret_size: Holds the size of the result field.
- * @critical: will be non zero if the extension is marked as critical
+ * @critical: will be non (0) if the extension is marked as critical
  *   (may be null)
  *
  * This function will return the CRL authority's key identifier.  This
@@ -714,8 +714,8 @@ _gnutls_x509_crl_cpy (gnutls_x509_crl_t dest, 
gnutls_x509_crl_t src)
  * (2.5.29.35).  Note that this function only returns the
  * keyIdentifier field of the extension.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
- *   negative value in case of an error.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error code in case of an error.
  *
  * Since: 2.8.0
  **/
@@ -797,14 +797,14 @@ gnutls_x509_crl_get_authority_key_id (gnutls_x509_crl_t 
crl, void *ret,
  * @crl: should contain a #gnutls_x509_crl_t structure
  * @ret: The place where the number will be copied
  * @ret_size: Holds the size of the result field.
- * @critical: will be non zero if the extension is marked as critical
+ * @critical: will be non (0) if the extension is marked as critical
  *   (may be null)
  *
  * This function will return the CRL number extension.  This is
  * obtained by the CRL Number extension field (2.5.29.20).
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
- *   negative value in case of an error.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error code in case of an error.
  *
  * Since: 2.8.0
  **/
@@ -856,7 +856,7 @@ gnutls_x509_crl_get_number (gnutls_x509_crl_t crl, void 
*ret,
 /**
  * gnutls_x509_crl_get_extension_oid:
  * @crl: should contain a #gnutls_x509_crl_t structure
- * @indx: Specifies which extension OID to send, use zero to get the first one.
+ * @indx: Specifies which extension OID to send, use (0) to get the first one.
  * @oid: a pointer to a structure to hold the OID (may be null)
  * @sizeof_oid: initially holds the size of @oid
  *
@@ -864,8 +864,8 @@ gnutls_x509_crl_get_number (gnutls_x509_crl_t crl, void 
*ret,
  * The extension OID will be stored as a string in the provided
  * buffer.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
- *   negative value in case of an error.  If your have reached the
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error code in case of an error.  If your have reached the
  *   last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
  *   will be returned.
  *
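Review bot: the rewritten Returns line carries over the typo "If your have reached"; it should read "If you have reached". The gnutls_x509_crl_get_extension_info and gnutls_x509_crl_get_extension_data hunks below have the same line.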
@@ -896,7 +896,7 @@ gnutls_x509_crl_get_extension_oid (gnutls_x509_crl_t crl, 
int indx,
 /**
  * gnutls_x509_crl_get_extension_info:
  * @crl: should contain a #gnutls_x509_crl_t structure
- * @indx: Specifies which extension OID to send, use zero to get the first one.
+ * @indx: Specifies which extension OID to send, use (0) to get the first one.
  * @oid: a pointer to a structure to hold the OID
  * @sizeof_oid: initially holds the maximum size of @oid, on return
  *   holds actual size of @oid.
@@ -911,8 +911,8 @@ gnutls_x509_crl_get_extension_oid (gnutls_x509_crl_t crl, 
int indx,
  * address@hidden is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will be
  * returned.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
- *   negative value in case of an error.  If your have reached the
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error code in case of an error.  If your have reached the
  *   last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
  *   will be returned.
  *
@@ -974,7 +974,7 @@ gnutls_x509_crl_get_extension_info (gnutls_x509_crl_t crl, 
int indx,
 /**
  * gnutls_x509_crl_get_extension_data:
  * @crl: should contain a #gnutls_x509_crl_t structure
- * @indx: Specifies which extension OID to send. Use zero to get the first one.
+ * @indx: Specifies which extension OID to send. Use (0) to get the first one.
  * @data: a pointer to a structure to hold the data (may be null)
  * @sizeof_data: initially holds the size of @oid
  *
@@ -987,8 +987,8 @@ gnutls_x509_crl_get_extension_info (gnutls_x509_crl_t crl, 
int indx,
  * if you want to get data indexed by the extension OID rather than
  * sequence.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
- *   negative value in case of an error.  If your have reached the
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error code in case of an error.  If your have reached the
  *   last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
  *   will be returned.
  *
@@ -1031,7 +1031,7 @@ gnutls_x509_crl_get_extension_data (gnutls_x509_crl_t 
crl, int indx,
  * @size: It will contain the size of the list.
  * @data: The PEM encoded CRL.
  * @format: One of DER or PEM.
- * @flags: must be zero or an OR'd sequence of gnutls_certificate_import_flags.
+ * @flags: must be (0) or an OR'd sequence of gnutls_certificate_import_flags.
  *
  * This function will convert the given PEM encoded CRL list
  * to the native gnutls_x509_crl_t format. The output will be stored
@@ -1088,7 +1088,7 @@ int ret;
  * @crl_max: Initially must hold the maximum number of crls. It will be 
updated with the number of crls available.
  * @data: The PEM encoded CRLs
  * @format: One of DER or PEM.
- * @flags: must be zero or an OR'd sequence of gnutls_certificate_import_flags.
+ * @flags: must be (0) or an OR'd sequence of gnutls_certificate_import_flags.
  *
  * This function will convert the given PEM encoded CRL list
  * to the native gnutls_x509_crl_t format. The output will be stored
diff --git a/lib/x509/crl_write.c b/lib/x509/crl_write.c
index 76b9046..055459b 100644
--- a/lib/x509/crl_write.c
+++ b/lib/x509/crl_write.c
@@ -48,7 +48,7 @@ static void disable_optional_stuff (gnutls_x509_crl_t crl);
  * must be one for CRL version 1, and so on. The CRLs generated
  * by gnutls should have a version number of 2.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -90,7 +90,7 @@ gnutls_x509_crl_set_version (gnutls_x509_crl_t crl, unsigned 
int version)
  * This must be the last step in a certificate CRL since all
  * the previously set parameters are now signed.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  *
  * Deprecated: Use gnutls_x509_crl_privkey_sign() instead.
@@ -147,7 +147,7 @@ fail:
  * This function is the same a gnutls_x509_crl_sign2() with no flags, and
  * SHA1 as the hash algorithm.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  *
  * Deprecated: Use gnutls_x509_crl_privkey_sign().
@@ -166,7 +166,7 @@ gnutls_x509_crl_sign (gnutls_x509_crl_t crl, 
gnutls_x509_crt_t issuer,
  *
  * This function will set the time this CRL was issued.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -188,7 +188,7 @@ gnutls_x509_crl_set_this_update (gnutls_x509_crl_t crl, 
time_t act_time)
  *
  * This function will set the time this CRL will be updated.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -211,7 +211,7 @@ gnutls_x509_crl_set_next_update (gnutls_x509_crl_t crl, 
time_t exp_time)
  *
  * This function will set a revoked certificate's serial number to the CRL.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -276,7 +276,7 @@ gnutls_x509_crl_set_crt_serial (gnutls_x509_crl_t crl,
  *
  * This function will set a revoked certificate's serial number to the CRL.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -338,7 +338,7 @@ disable_optional_stuff (gnutls_x509_crl_t crl)
  * This function will set the CRL's authority key ID extension.  Only
  * the keyIdentifier field can be set with this function.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  *
  * Since: 2.8.0
@@ -402,7 +402,7 @@ gnutls_x509_crl_set_authority_key_id (gnutls_x509_crl_t crl,
  *
  * This function will set the CRL's number extension.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  *
  * Since: 2.8.0
@@ -472,7 +472,7 @@ gnutls_x509_crl_set_number (gnutls_x509_crl_t crl,
  * This must be the last step in a certificate CRL since all
  * the previously set parameters are now signed.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
diff --git a/lib/x509/crq.c b/lib/x509/crq.c
index 31ee862..ce6ec5a 100644
--- a/lib/x509/crq.c
+++ b/lib/x509/crq.c
@@ -45,7 +45,7 @@
  * This function will initialize a PKCS#10 certificate request
  * structure.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -105,7 +105,7 @@ gnutls_x509_crq_deinit (gnutls_x509_crq_t crq)
  * If the Certificate is PEM encoded it should have a header of "NEW
  * CERTIFICATE REQUEST".
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -205,8 +205,8 @@ gnutls_x509_crq_get_dn (gnutls_x509_crq_t crq, char *buf, 
size_t * sizeof_buf)
  * @crq: should contain a gnutls_x509_crq_t structure
  * @oid: holds an Object Identified in null terminated string
  * @indx: In case multiple same OIDs exist in the RDN, this specifies
- *   which to send. Use zero to get the first one.
- * @raw_flag: If non zero returns the raw DER data of the DN part.
+ *   which to send. Use (0) to get the first one.
+ * @raw_flag: If non (0) returns the raw DER data of the DN part.
  * @buf: a pointer to a structure to hold the name (may be %NULL)
  * @sizeof_buf: initially holds the size of @buf
  *
@@ -216,7 +216,7 @@ gnutls_x509_crq_get_dn (gnutls_x509_crq_t crq, char *buf, 
size_t * sizeof_buf)
  * or UTF-8 encoded, depending on the certificate data.
  *
  * Some helper macros with popular OIDs can be found in gnutls/x509.h
- * If raw flag is zero, this function will only return known OIDs as
+ * If raw flag is (0), this function will only return known OIDs as
  * text. Other OIDs will be DER encoded, as described in RFC2253 --
  * in hex format with a '\#' prefix.  You can check about known OIDs
  * using gnutls_x509_dn_oid_known().
@@ -245,7 +245,7 @@ gnutls_x509_crq_get_dn_by_oid (gnutls_x509_crq_t crq, const 
char *oid,
 /**
  * gnutls_x509_crq_get_dn_oid:
  * @crq: should contain a gnutls_x509_crq_t structure
- * @indx: Specifies which DN OID to send. Use zero to get the first one.
+ * @indx: Specifies which DN OID to send. Use (0) to get the first one.
  * @oid: a pointer to a structure to hold the name (may be %NULL)
  * @sizeof_oid: initially holds the size of @oid
  *
@@ -409,14 +409,14 @@ cleanup:
 /**
  * gnutls_x509_crq_get_challenge_password:
  * @crq: should contain a #gnutls_x509_crq_t structure
- * @pass: will hold a zero-terminated password string
+ * @pass: will hold a (0)-terminated password string
  * @sizeof_pass: Initially holds the size of @pass.
  *
  * This function will return the challenge password in the request.
  * The challenge password is intended to be used for requesting a
  * revocation of the certificate.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
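Review bot: the zero to (0) substitution has caught "zero-terminated" in the @pass description, which now reads "a (0)-terminated password string". Keep "zero-terminated" or use "null terminated" as the @oid description of gnutls_x509_crq_get_dn_by_oid in this file does. The @oid descriptions in the gnutls_x509_crq_set_attribute_by_oid, gnutls_x509_crq_get_attribute_by_oid and gnutls_x509_crq_set_dn_by_oid hunks below have the same problem.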
@@ -593,7 +593,7 @@ set_attribute (ASN1_TYPE asn, const char *root,
 /**
  * gnutls_x509_crq_set_attribute_by_oid:
  * @crq: should contain a #gnutls_x509_crq_t structure
- * @oid: holds an Object Identified in zero-terminated string
+ * @oid: holds an Object Identified in (0)-terminated string
  * @buf: a pointer to a structure that holds the attribute data
  * @sizeof_buf: holds the size of @buf
  *
@@ -601,7 +601,7 @@ set_attribute (ASN1_TYPE asn, const char *root,
  * specified by the given Object ID.  The attribute must be be DER
  * encoded.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -627,9 +627,9 @@ gnutls_x509_crq_set_attribute_by_oid (gnutls_x509_crq_t crq,
 /**
  * gnutls_x509_crq_get_attribute_by_oid:
  * @crq: should contain a #gnutls_x509_crq_t structure
- * @oid: holds an Object Identified in zero-terminated string
+ * @oid: holds an Object Identified in (0)-terminated string
  * @indx: In case multiple same OIDs exist in the attribute list, this
- *   specifies which to send, use zero to get the first one
+ *   specifies which to send, use (0) to get the first one
  * @buf: a pointer to a structure to hold the attribute data (may be %NULL)
  * @sizeof_buf: initially holds the size of @buf
  *
@@ -637,7 +637,7 @@ gnutls_x509_crq_set_attribute_by_oid (gnutls_x509_crq_t crq,
  * specified by the given Object ID.  The attribute will be DER
  * encoded.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -658,7 +658,7 @@ gnutls_x509_crq_get_attribute_by_oid (gnutls_x509_crq_t crq,
 /**
  * gnutls_x509_crq_set_dn_by_oid:
  * @crq: should contain a #gnutls_x509_crq_t structure
- * @oid: holds an Object Identifier in a zero-terminated string
+ * @oid: holds an Object Identifier in a (0)-terminated string
  * @raw_flag: must be 0, or 1 if the data are DER encoded
  * @data: a pointer to the input data
  * @sizeof_data: holds the size of @data
@@ -673,7 +673,7 @@ gnutls_x509_crq_get_attribute_by_oid (gnutls_x509_crq_t crq,
  * not known (by gnutls) you should properly DER encode your data, and
  * call this function with raw_flag set.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -699,7 +699,7 @@ gnutls_x509_crq_set_dn_by_oid (gnutls_x509_crq_t crq, const 
char *oid,
  * This function will set the version of the certificate request.  For
  * version 1 requests this must be one.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -735,7 +735,7 @@ gnutls_x509_crq_set_version (gnutls_x509_crq_t crq, 
unsigned int version)
  * This function will return the version of the specified Certificate
  * request.
  *
- * Returns: version of certificate request, or a negative value on
+ * Returns: version of certificate request, or a negative error code on
  *   error.
  **/
 int
@@ -773,7 +773,7 @@ gnutls_x509_crq_get_version (gnutls_x509_crq_t crq)
  * This function will set the public parameters from the given private
  * key to the request.  Only RSA keys are currently supported.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -811,7 +811,7 @@ gnutls_x509_crq_set_key (gnutls_x509_crq_t crq, 
gnutls_x509_privkey_t key)
  * the given structure.  The new parameters will be allocated using
  * gnutls_malloc() and will be stored in the appropriate datum.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  *
  * Since: 2.8.0
@@ -876,7 +876,7 @@ cleanup:
  * This function will set the public parameters from the given private
  * key to the request. Only RSA keys are currently supported.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  *
  * Since: 2.6.0
@@ -940,12 +940,12 @@ error:
 /**
  * gnutls_x509_crq_set_challenge_password:
  * @crq: should contain a #gnutls_x509_crq_t structure
- * @pass: holds a zero-terminated password
+ * @pass: holds a (0)-terminated password
  *
  * This function will set a challenge password to be used when
  * revoking the request.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -997,7 +997,7 @@ gnutls_x509_crq_set_challenge_password (gnutls_x509_crq_t 
crq,
  * This must be the last step in a certificate request generation
  * since all the previously set parameters are now signed.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
  *   %GNUTLS_E_ASN1_VALUE_NOT_FOUND is returned if you didn't set all
  *   information in the certificate request (e.g., the version using
  *   gnutls_x509_crq_set_version()).
@@ -1054,7 +1054,7 @@ fail:
  * This function is the same a gnutls_x509_crq_sign2() with no flags,
  * and SHA1 as the hash algorithm.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  *
  * Deprecated: Use gnutls_x509_crq_privkey_sign() instead.
@@ -1083,7 +1083,7 @@ gnutls_x509_crq_sign (gnutls_x509_crq_t crq, 
gnutls_x509_privkey_t key)
  * If the structure is PEM encoded, it will have a header of "BEGIN
  * NEW CERTIFICATE REQUEST".
  *
- * Return value: In case of failure a negative value will be
+ * Return value: In case of failure a negative error code will be
  *   returned, and 0 on success.
  **/
 int
@@ -1114,7 +1114,7 @@ gnutls_x509_crq_export (gnutls_x509_crq_t crq,
  * For DSA the bits returned are of the public exponent.
  *
  * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
- *   success, or a negative value on error.
+ *   success, or a negative error code on error.
  **/
 int
 gnutls_x509_crq_get_pk_algorithm (gnutls_x509_crq_t crq, unsigned int *bits)
@@ -1140,7 +1140,7 @@ gnutls_x509_crq_get_pk_algorithm (gnutls_x509_crq_t crq, 
unsigned int *bits)
 /**
  * gnutls_x509_crq_get_attribute_info:
  * @crq: should contain a #gnutls_x509_crq_t structure
- * @indx: Specifies which attribute OID to send. Use zero to get the first one.
+ * @indx: Specifies which attribute OID to send. Use (0) to get the first one.
  * @oid: a pointer to a structure to hold the OID
  * @sizeof_oid: initially holds the maximum size of @oid, on return
  *   holds actual size of @oid.
@@ -1154,8 +1154,8 @@ gnutls_x509_crq_get_pk_algorithm (gnutls_x509_crq_t crq, 
unsigned int *bits)
  * address@hidden is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will be
  * returned.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
- *   negative value in case of an error.  If your have reached the
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error code in case of an error.  If your have reached the
  *   last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
  *   will be returned.
  *
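Review bot: the second rewritten Returns line keeps the typo "If your have reached the", which should be "If you have reached the"; it is worth fixing while the line is being modified. The sentence also speaks of the "last extension available" although the preceding hunk documents gnutls_x509_crq_get_attribute_info, so check whether "attribute" is the intended word here.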
@@ -1197,7 +1197,7 @@ gnutls_x509_crq_get_attribute_info (gnutls_x509_crq_t 
crq, int indx,
 /**
  * gnutls_x509_crq_get_attribute_data:
  * @crq: should contain a #gnutls_x509_crq_t structure
- * @indx: Specifies which attribute OID to send. Use zero to get the first one.
+ * @indx: Specifies which attribute OID to send. Use (0) to get the first one.
  * @data: a pointer to a structure to hold the data (may be null)
  * @sizeof_data: initially holds the size of @oid
  *
@@ -1210,8 +1210,8 @@ gnutls_x509_crq_get_attribute_info (gnutls_x509_crq_t 
crq, int indx,
  * if you want to get data indexed by the attribute OID rather than
  * sequence.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
- *   negative value in case of an error.  If your have reached the
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error code in case of an error.  If your have reached the
  *   last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
  *   will be returned.
  *
@@ -1251,7 +1251,7 @@ gnutls_x509_crq_get_attribute_data (gnutls_x509_crq_t 
crq, int indx,
 /**
  * gnutls_x509_crq_get_extension_info:
  * @crq: should contain a #gnutls_x509_crq_t structure
- * @indx: Specifies which extension OID to send. Use zero to get the first one.
+ * @indx: Specifies which extension OID to send. Use (0) to get the first one.
  * @oid: a pointer to a structure to hold the OID
  * @sizeof_oid: initially holds the maximum size of @oid, on return
  *   holds actual size of @oid.
@@ -1266,8 +1266,8 @@ gnutls_x509_crq_get_attribute_data (gnutls_x509_crq_t 
crq, int indx,
  * address@hidden is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will be
  * returned.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
- *   negative value in case of an error.  If your have reached the
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error code in case of an error.  If your have reached the
  *   last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
  *   will be returned.
  *
@@ -1383,7 +1383,7 @@ out:
 /**
  * gnutls_x509_crq_get_extension_data:
  * @crq: should contain a #gnutls_x509_crq_t structure
- * @indx: Specifies which extension OID to send. Use zero to get the first one.
+ * @indx: Specifies which extension OID to send. Use (0) to get the first one.
  * @data: a pointer to a structure to hold the data (may be null)
  * @sizeof_data: initially holds the size of @oid
  *
@@ -1396,8 +1396,8 @@ out:
  * if you want to get data indexed by the extension OID rather than
  * sequence.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
- *   negative value in case of an error.  If your have reached the
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error code in case of an error.  If your have reached the
  *   last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
  *   will be returned.
  *
@@ -1486,7 +1486,7 @@ gnutls_x509_crq_get_extension_data (gnutls_x509_crq_t 
crq, int indx,
  * gnutls_x509_crq_get_key_usage:
  * @crq: should contain a #gnutls_x509_crq_t structure
  * @key_usage: where the key usage bits will be stored
- * @critical: will be non zero if the extension is marked as critical
+ * @critical: will be non (0) if the extension is marked as critical
  *
  * This function will return certificate's key usage, by reading the
  * keyUsage X.509 extension (2.5.29.15).  The key usage value will
@@ -1496,7 +1496,7 @@ gnutls_x509_crq_get_extension_data (gnutls_x509_crq_t 
crq, int indx,
  * %GNUTLS_KEY_KEY_CERT_SIGN, %GNUTLS_KEY_CRL_SIGN,
  * %GNUTLS_KEY_ENCIPHER_ONLY, %GNUTLS_KEY_DECIPHER_ONLY.
  *
- * Returns: the certificate key usage, or a negative value in case of
+ * Returns: the certificate key usage, or a negative error code in case of
  *   parsing error.  If the certificate does not contain the keyUsage
  *   extension %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be
  *   returned.
@@ -1543,11 +1543,11 @@ gnutls_x509_crq_get_key_usage (gnutls_x509_crq_t crq,
 /**
  * gnutls_x509_crq_get_basic_constraints:
  * @crq: should contain a #gnutls_x509_crq_t structure
- * @critical: will be non zero if the extension is marked as critical
+ * @critical: will be non (0) if the extension is marked as critical
  * @ca: pointer to output integer indicating CA status, may be NULL,
  *   value is 1 if the certificate CA flag is set, 0 otherwise.
  * @pathlen: pointer to output integer indicating path length (may be
- *   NULL), non-negative values indicate a present pathLenConstraint
+ *   NULL), non-negative error codes indicate a present pathLenConstraint
  *   field and the actual value, -1 indicate that the field is absent.
  *
  * This function will read the certificate's basic constraints, and
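Review bot: in the @pathlen description, "non-negative error codes indicate a present pathLenConstraint" is incorrect: the value written to this output integer is a path length (or -1 for absent), not an error code. This looks like the blanket "negative value" to "negative error code" substitution catching a line it should not; keep "non-negative values" here. On the @critical line, "non (0)" would read better as "non-zero".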
@@ -1555,8 +1555,8 @@ gnutls_x509_crq_get_key_usage (gnutls_x509_crq_t crq,
  * X.509 extension (2.5.29.19).
  *
  * Return value: If the certificate is a CA a positive value will be
- *   returned, or zero if the certificate does not have CA flag set.
- *   A negative value may be returned in case of errors.  If the
+ *   returned, or (0) if the certificate does not have CA flag set.
+ *   A negative error code may be returned in case of errors.  If the
  *   certificate does not contain the basicConstraints extension
  *   %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
  *
@@ -1691,7 +1691,7 @@ get_subject_alt_name (gnutls_x509_crq_t crq,
  * @ret: is the place where the alternative name will be copied to
  * @ret_size: holds the size of ret.
  * @ret_type: holds the #gnutls_x509_subject_alt_name_t name type
- * @critical: will be non zero if the extension is marked as critical
+ * @critical: will be non (0) if the extension is marked as critical
  *   (may be null)
  *
  * This function will return the alternative names, contained in the
@@ -1763,17 +1763,17 @@ gnutls_x509_crq_get_subject_alt_othername_oid 
(gnutls_x509_crq_t crq,
  * @crq: should contain a #gnutls_x509_crq_t structure
  * @oid: holds an Object Identified in null terminated string
  * @indx: In case multiple same OIDs exist in the extensions, this
- *   specifies which to send. Use zero to get the first one.
+ *   specifies which to send. Use (0) to get the first one.
  * @buf: a pointer to a structure to hold the name (may be null)
  * @sizeof_buf: initially holds the size of @buf
- * @critical: will be non zero if the extension is marked as critical
+ * @critical: will be non (0) if the extension is marked as critical
  *
  * This function will return the extension specified by the OID in
  * the certificate.  The extensions will be returned as binary data
  * DER encoded, in the provided buffer.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
- *   negative value in case of an error.  If the certificate does not
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error code in case of an error.  If the certificate does not
  *   contain the specified extension
  *   %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
  *
@@ -1839,7 +1839,7 @@ gnutls_x509_crq_get_extension_by_oid (gnutls_x509_crq_t 
crq,
  *
  * Other values can be set as binary values with the proper DER encoding.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  *
  * Since: 2.8.0
@@ -1936,13 +1936,13 @@ finish:
  * gnutls_x509_crq_set_basic_constraints:
  * @crq: a certificate request of type #gnutls_x509_crq_t
  * @ca: true(1) or false(0) depending on the Certificate authority status.
- * @pathLenConstraint: non-negative values indicate maximum length of path,
- *   and negative values indicate that the pathLenConstraints field should
+ * @pathLenConstraint: non-negative error codes indicate maximum length of 
path,
+ *   and negative error codes indicate that the pathLenConstraints field should
  *   not be present.
  *
  * This function will set the basicConstraints certificate extension.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  *
  * Since: 2.8.0
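Review bot: the @pathLenConstraint text now says "non-negative error codes indicate maximum length of path, and negative error codes indicate that the pathLenConstraints field should not be present", but this is an input parameter carrying a path length or a "not present" sentinel, never an error code. Revert both occurrences to "values"; only the Returns line change belongs in this hunk.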
@@ -1990,7 +1990,7 @@ gnutls_x509_crq_set_basic_constraints (gnutls_x509_crq_t 
crq,
  *
  * This function will set the keyUsage certificate extension.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  *
  * Since: 2.8.0
@@ -2032,7 +2032,7 @@ gnutls_x509_crq_set_key_usage (gnutls_x509_crq_t crq, 
unsigned int usage)
 /**
  * gnutls_x509_crq_get_key_purpose_oid:
  * @crq: should contain a #gnutls_x509_crq_t structure
- * @indx: This specifies which OID to return, use zero to get the first one
+ * @indx: This specifies which OID to return, use (0) to get the first one
  * @oid: a pointer to a buffer to hold the OID (may be %NULL)
  * @sizeof_oid: initially holds the size of @oid
  * @critical: output variable with critical flag, may be %NULL.
@@ -2140,7 +2140,7 @@ gnutls_x509_crq_get_key_purpose_oid (gnutls_x509_crq_t 
crq,
 /**
  * gnutls_x509_crq_set_key_purpose_oid:
  * @crq: a certificate of type #gnutls_x509_crq_t
- * @oid: a pointer to a zero-terminated string that holds the OID
+ * @oid: a pointer to a (0)-terminated string that holds the OID
  * @critical: Whether this extension will be critical or not
  *
  * This function will set the key purpose OIDs of the Certificate.
@@ -2149,7 +2149,7 @@ gnutls_x509_crq_get_key_purpose_oid (gnutls_x509_crq_t 
crq,
  *
  * Subsequent calls to this function will append OIDs to the OID list.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  *
  * Since: 2.8.0
@@ -2331,7 +2331,7 @@ cleanup:
  * be returned.  The output will normally be a SHA-1 hash output,
  * which is 20 bytes.
  *
- * Return value: In case of failure a negative value will be
+ * Return value: In case of failure a negative error code will be
  *   returned, and 0 on success.
  *
  * Since: 2.8.0
@@ -2423,7 +2423,7 @@ gnutls_x509_crq_get_key_id (gnutls_x509_crq_t crq, 
unsigned int flags,
  * This must be the last step in a certificate request generation
  * since all the previously set parameters are now signed.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
  *   %GNUTLS_E_ASN1_VALUE_NOT_FOUND is returned if you didn't set all
  *   information in the certificate request (e.g., the version using
  *   gnutls_x509_crq_set_version()).
@@ -2511,7 +2511,7 @@ gnutls_x509_crq_privkey_sign (gnutls_x509_crq_t crq, 
gnutls_privkey_t key,
  * This function will verify self signature in the certificate
  * request and return its status.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, 
%GNUTLS_E_PK_SIG_VERIFY_FAILED
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, 
%GNUTLS_E_PK_SIG_VERIFY_FAILED
  * if verification failed, otherwise a negative error value.
  **/
 int
diff --git a/lib/x509/dn.c b/lib/x509/dn.c
index 948d6f0..c197931 100644
--- a/lib/x509/dn.c
+++ b/lib/x509/dn.c
@@ -635,7 +635,7 @@ cleanup:
 }
 
 /* This will encode and write the AttributeTypeAndValue field.
- * 'multi' must be zero if writing an AttributeTypeAndValue, and 1 if 
Attribute.
+ * 'multi' must be (0) if writing an AttributeTypeAndValue, and 1 if Attribute.
  * In all cases only one value is written.
  */
 int
@@ -764,7 +764,7 @@ error:
 }
 
 /* This will write the AttributeTypeAndValue field. The data must be already 
DER encoded.
- * 'multi' must be zero if writing an AttributeTypeAndValue, and 1 if 
Attribute.
+ * 'multi' must be (0) if writing an AttributeTypeAndValue, and 1 if Attribute.
  * In all cases only one value is written.
  */
 static int
@@ -807,7 +807,7 @@ _gnutls_x509_write_attribute (const char *given_oid,
 /* Decodes an X.509 Attribute (if multi==1) or an AttributeTypeAndValue
  * otherwise.
  *
- * octet_string should be non zero if we are to decode octet strings after
+ * octet_string should be non (0) if we are to decode octet strings after
  * decoding.
  *
  * The output is allocated and stored in value.
@@ -949,7 +949,7 @@ _gnutls_x509_set_dn_oid (ASN1_TYPE asn1_struct,
  * The object returned must be deallocated using
  * gnutls_x509_dn_deinit().
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  *
  * Since: 2.4.0
@@ -983,7 +983,7 @@ gnutls_x509_dn_init (gnutls_x509_dn_t * dn)
  * with gnutls_x509_dn_init(). You may use gnutls_x509_dn_get_rdn_ava() to
  * decode the DN.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  *
  * Since: 2.4.0
@@ -1032,7 +1032,7 @@ gnutls_x509_dn_deinit (gnutls_x509_dn_t dn)
  * name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in
  * RFC2253.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, or
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, or
  * %GNUTLS_E_SHORT_MEMORY_BUFFER is returned and address@hidden is
  * updated if the provided buffer is not long enough, otherwise a
  * negative error value.
@@ -1084,7 +1084,7 @@ gnutls_x509_rdn_get (const gnutls_datum_t * idn,
  * @oid: an Object Identifier
  * @indx: In case multiple same OIDs exist in the RDN indicates which
  *   to send. Use 0 for the first one.
- * @raw_flag: If non zero then the raw DER data are returned.
+ * @raw_flag: If non (0) then the raw DER data are returned.
  * @buf: a pointer to a structure to hold the peer's name
  * @sizeof_buf: holds the size of @buf
  *
@@ -1092,7 +1092,7 @@ gnutls_x509_rdn_get (const gnutls_datum_t * idn,
  * of the RDN sequence.  The name will be encoded using the rules
  * from RFC2253.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, or
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, or
  * %GNUTLS_E_SHORT_MEMORY_BUFFER is returned and address@hidden is
  * updated if the provided buffer is not long enough, otherwise a
  * negative error value.
@@ -1146,7 +1146,7 @@ gnutls_x509_rdn_get_by_oid (const gnutls_datum_t * idn, 
const char *oid,
  * This function will return the specified Object identifier, of the
  * RDN sequence.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, or
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, or
  * %GNUTLS_E_SHORT_MEMORY_BUFFER is returned and address@hidden is
  * updated if the provided buffer is not long enough, otherwise a
  * negative error value.
@@ -1194,8 +1194,8 @@ gnutls_x509_rdn_get_oid (const gnutls_datum_t * idn,
  *
  * FIXME: use a real DN comparison algorithm.
  *
- * Returns 1 if the DN's match and zero if they don't match. Otherwise
- * a negative value is returned to indicate error.
+ * Returns 1 if the DN's match and (0) if they don't match. Otherwise
+ * a negative error code is returned to indicate error.
  */
 int
 _gnutls_x509_compare_raw_dn (const gnutls_datum_t * dn1,
@@ -1232,7 +1232,7 @@ _gnutls_x509_compare_raw_dn (const gnutls_datum_t * dn1,
  * If the structure is PEM encoded, it will have a header
  * of "BEGIN NAME".
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
diff --git a/lib/x509/extensions.c b/lib/x509/extensions.c
index 43f8671..a0cd3d9 100644
--- a/lib/x509/extensions.c
+++ b/lib/x509/extensions.c
@@ -714,7 +714,7 @@ _gnutls_x509_ext_extract_basicConstraints (int *CA,
 
 /* generate the basicConstraints in a DER encoded extension
  * Use 0 or 1 (TRUE) for CA.
- * Use negative values for pathLenConstraint to indicate that the field
+ * Use negative error codes for pathLenConstraint to indicate that the field
  * should not be present, >= 0 to indicate set values.
  */
 int
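Review bot: "Use negative error codes for pathLenConstraint" describes a caller-supplied argument, so "error codes" is the wrong term; a caller reading this could conclude that a GNUTLS_E_* constant is expected. Keep the original "negative values", which also matches the ">= 0 to indicate set values" wording on the next line.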
diff --git a/lib/x509/output.c b/lib/x509/output.c
index e32fa9a..387c0e0 100644
--- a/lib/x509/output.c
+++ b/lib/x509/output.c
@@ -1549,7 +1549,7 @@ print_oneline (gnutls_buffer_st * str, gnutls_x509_crt_t 
cert)
  * gnutls_x509_crt_print:
  * @cert: The structure to be printed
  * @format: Indicate the format to use
- * @out: Newly allocated datum with zero terminated string.
+ * @out: Newly allocated datum with (0) terminated string.
  *
  * This function will pretty print a X.509 certificate, suitable for
  * display to a human.
@@ -1561,7 +1561,7 @@ print_oneline (gnutls_buffer_st * str, gnutls_x509_crt_t 
cert)
  *
  * The output @out needs to be deallocate using gnutls_free().
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -1910,14 +1910,14 @@ print_crl (gnutls_buffer_st * str, gnutls_x509_crl_t 
crl, int notsigned)
  * gnutls_x509_crl_print:
  * @crl: The structure to be printed
  * @format: Indicate the format to use
- * @out: Newly allocated datum with zero terminated string.
+ * @out: Newly allocated datum with (0) terminated string.
  *
  * This function will pretty print a X.509 certificate revocation
  * list, suitable for display to a human.
  *
  * The output @out needs to be deallocate using gnutls_free().
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -2222,14 +2222,14 @@ print_crq_other (gnutls_buffer_st * str, 
gnutls_x509_crq_t crq)
  * gnutls_x509_crq_print:
  * @crq: The structure to be printed
  * @format: Indicate the format to use
- * @out: Newly allocated datum with zero terminated string.
+ * @out: Newly allocated datum with (0) terminated string.
  *
  * This function will pretty print a certificate request, suitable for
  * display to a human.
  *
  * The output @out needs to be deallocate using gnutls_free().
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  *
  * Since: 2.8.0
diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c
index 23253a3..d5ef3dd 100644
--- a/lib/x509/pkcs12.c
+++ b/lib/x509/pkcs12.c
@@ -131,7 +131,7 @@ cleanup:
  * usually contain lists of X.509 Certificates and X.509 Certificate
  * revocation lists.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -185,7 +185,7 @@ gnutls_pkcs12_deinit (gnutls_pkcs12_t pkcs12)
  *
  * If the PKCS12 is PEM encoded it should have a header of "PKCS12".
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -268,7 +268,7 @@ cleanup:
  * If the structure is PEM encoded, it will have a header
  * of "BEGIN PKCS12".
  *
- * Return value: In case of failure a negative value will be
+ * Return value: In case of failure a negative error code will be
  *   returned, and 0 on success.
  **/
 int
@@ -580,7 +580,7 @@ cleanup:
  * After the last Bag has been read
  * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -725,7 +725,7 @@ cleanup:
  *
  * This function will insert a Bag into the PKCS12 structure.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -857,7 +857,7 @@ cleanup:
  *
  * This function will generate a MAC for the PKCS12 structure.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -990,7 +990,7 @@ cleanup:
  *
  * This function will verify the MAC for the PKCS12 structure.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -1206,7 +1206,7 @@ write_attributes (gnutls_pkcs12_bag_t bag, int elem,
 
 
 /* Encodes the bag into a SafeContents structure, and puts the output in
- * the given datum. Enc is set to non zero if the data are encrypted;
+ * the given datum. Enc is set to non (0) if the data are encrypted;
  */
 int
 _pkcs12_encode_safe_contents (gnutls_pkcs12_bag_t bag, ASN1_TYPE * contents,
diff --git a/lib/x509/pkcs12_bag.c b/lib/x509/pkcs12_bag.c
index a894733..7741a26 100644
--- a/lib/x509/pkcs12_bag.c
+++ b/lib/x509/pkcs12_bag.c
@@ -42,7 +42,7 @@
  * usually contain private keys, lists of X.509 Certificates and X.509
  * Certificate revocation lists.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -145,7 +145,7 @@ gnutls_pkcs12_bag_get_count (gnutls_pkcs12_bag_t bag)
  * that is stored into the bag.  Should not be accessed after the bag
  * is deleted.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -497,7 +497,7 @@ gnutls_pkcs12_bag_set_crt (gnutls_pkcs12_bag_t bag, 
gnutls_x509_crt_t crt)
  * This function will insert the given CRL into the
  * bag. This is just a wrapper over gnutls_pkcs12_bag_set_data().
  *
- * Returns: the index of the added bag on success, or a negative value
+ * Returns: the index of the added bag on success, or a negative error code
  * on failure.
  **/
 int
@@ -538,8 +538,8 @@ gnutls_pkcs12_bag_set_crl (gnutls_pkcs12_bag_t bag, 
gnutls_x509_crl_t crl)
  * identifier' bag attribute, which is usually used to distinguish
  * the local private key and the certificate pair.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
- *   negative error value. or a negative value on error.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error value. or a negative error code on error.
  **/
 int
 gnutls_pkcs12_bag_set_key_id (gnutls_pkcs12_bag_t bag, int indx,
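Review bot: the Returns text ends up as "negative error value. or a negative error code on error.", which states the failure case twice and leaves a stray sentence fragment. Drop the trailing "or a negative error code on error." so the comment reads "otherwise a negative error value." as in the other functions. The same duplicated clause is carried through the following hunks in this file.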
@@ -582,8 +582,8 @@ gnutls_pkcs12_bag_set_key_id (gnutls_pkcs12_bag_t bag, int 
indx,
  * The key ID is usually used to distinguish the local private key and
  * the certificate pair.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
- *   negative error value. or a negative value on error.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error value. or a negative error code on error.
  **/
 int
 gnutls_pkcs12_bag_get_key_id (gnutls_pkcs12_bag_t bag, int indx,
@@ -617,8 +617,8 @@ gnutls_pkcs12_bag_get_key_id (gnutls_pkcs12_bag_t bag, int 
indx,
  * element.  The key ID is usually used to distinguish the local
  * private key and the certificate pair.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
- *   negative error value. or a negative value on error.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error value. or a negative error code on error.
  **/
 int
 gnutls_pkcs12_bag_get_friendly_name (gnutls_pkcs12_bag_t bag, int indx,
@@ -653,8 +653,8 @@ gnutls_pkcs12_bag_get_friendly_name (gnutls_pkcs12_bag_t 
bag, int indx,
  * a 'Friendly name' bag attribute, which is usually used to set a
  * user name to the local private key and the certificate pair.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
- *   negative error value. or a negative value on error.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error value. or a negative error code on error.
  **/
 int
 gnutls_pkcs12_bag_set_friendly_name (gnutls_pkcs12_bag_t bag, int indx,
@@ -692,8 +692,8 @@ gnutls_pkcs12_bag_set_friendly_name (gnutls_pkcs12_bag_t 
bag, int indx,
  * This function will decrypt the given encrypted bag and return 0 on
  * success.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS (zero) is returned,
- *   otherwise an error code is returned.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
+ *   otherwise a negative error code is returned.
  **/
 int
 gnutls_pkcs12_bag_decrypt (gnutls_pkcs12_bag_t bag, const char *pass)
@@ -748,8 +748,8 @@ gnutls_pkcs12_bag_decrypt (gnutls_pkcs12_bag_t bag, const 
char *pass)
  *
  * This function will encrypt the given bag.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS (zero) is returned,
- *   otherwise an error code is returned.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
+ *   otherwise a negative error code is returned.
  **/
 int
 gnutls_pkcs12_bag_encrypt (gnutls_pkcs12_bag_t bag, const char *pass,
diff --git a/lib/x509/pkcs12_encr.c b/lib/x509/pkcs12_encr.c
index 6ce5407..4743cfd 100644
--- a/lib/x509/pkcs12_encr.c
+++ b/lib/x509/pkcs12_encr.c
@@ -112,7 +112,7 @@ _gnutls_pkcs12_string_to_key (unsigned int id, const opaque 
* salt,
         {
           *p++ = 0;
           *p++ = pw[j];
-          if (++j > pwlen)      /* Note, that we include the trailing zero */
+          if (++j > pwlen)      /* Note, that we include the trailing (0) */
             j = 0;
         }
     }
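Review bot: this is an inline code comment, not API documentation, and "the trailing (0)" is less clear than the original about what is being included. The comment explains that the loop deliberately runs to j == pwlen so the password's terminating byte is fed into the buffer; say "trailing NUL" or keep "trailing zero" so that intent stays obvious to anyone auditing the key derivation.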
diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c
index aa0ea44..d125443 100644
--- a/lib/x509/pkcs7.c
+++ b/lib/x509/pkcs7.c
@@ -144,7 +144,7 @@ cleanup:
  * usually contain lists of X.509 Certificates and X.509 Certificate
  * revocation lists.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -198,7 +198,7 @@ gnutls_pkcs7_deinit (gnutls_pkcs7_t pkcs7)
  *
  * If the PKCS7 is PEM encoded it should have a header of "PKCS7".
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -271,7 +271,7 @@ cleanup:
  * After the last certificate has been read
  * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.  If the provided buffer is not long enough,
  *   then @certificate_size is updated and
  *   %GNUTLS_E_SHORT_MEMORY_BUFFER is returned.
@@ -373,7 +373,7 @@ cleanup:
  * This function will return the number of certifcates in the PKCS7
  * or RFC2630 certificate set.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
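Review bot: the Returns line conflicts with the description directly above it, which says the function "will return the number of certifcates" in the set. A caller reading "On success, %GNUTLS_E_SUCCESS (0) is returned" would treat any positive count as unexpected. Since this line is being edited anyway, change it to say the count is returned on success and a negative error code on failure, and fix the "certifcates" typo while there.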
@@ -427,7 +427,7 @@ gnutls_pkcs7_get_crt_count (gnutls_pkcs7_t pkcs7)
  * If the structure is PEM encoded, it will have a header
  * of "BEGIN PKCS7".
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
   **/
 int
@@ -529,7 +529,7 @@ cleanup:
  * This function will add a certificate to the PKCS7 or RFC2630
  * certificate set.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -624,7 +624,7 @@ cleanup:
  * RFC2630 certificate set.  This is a wrapper function over
  * gnutls_pkcs7_set_crt_raw() .
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -665,7 +665,7 @@ gnutls_pkcs7_set_crt (gnutls_pkcs7_t pkcs7, 
gnutls_x509_crt_t crt)
  * This function will delete a certificate from a PKCS7 or RFC2630
  * certificate set.  Index starts from 0. Returns 0 on success.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -732,7 +732,7 @@ cleanup:
  *
  * This function will return a crl of the PKCS7 or RFC2630 crl set.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.  If the provided buffer is not long enough,
  *   then @crl_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER is
  *   returned.  After the last crl has been read
@@ -807,7 +807,7 @@ cleanup:
  * This function will return the number of certifcates in the PKCS7
  * or RFC2630 crl set.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -851,7 +851,7 @@ gnutls_pkcs7_get_crl_count (gnutls_pkcs7_t pkcs7)
  *
  * This function will add a crl to the PKCS7 or RFC2630 crl set.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -935,7 +935,7 @@ cleanup:
  * This function will add a parsed CRL to the PKCS7 or RFC2630 crl
  * set.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -975,7 +975,7 @@ gnutls_pkcs7_set_crl (gnutls_pkcs7_t pkcs7, 
gnutls_x509_crl_t crl)
  * This function will delete a crl from a PKCS7 or RFC2630 crl set.
  * Index starts from 0. Returns 0 on success.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c
index 085d1b0..7982bdc 100644
--- a/lib/x509/privkey.c
+++ b/lib/x509/privkey.c
@@ -41,7 +41,7 @@
  *
  * This function will initialize an private key structure.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -84,7 +84,7 @@ gnutls_x509_privkey_deinit (gnutls_x509_privkey_t key)
  * This function will copy a private key from source to destination
  * key. Destination has to be initialized.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -429,7 +429,7 @@ error:
  * If the key is PEM encoded it should have a header of "RSA PRIVATE
  * KEY", or "DSA PRIVATE KEY".
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -578,7 +578,7 @@ failover:
  * native #gnutls_x509_privkey_t format.  The output will be stored in
  * @key.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -610,7 +610,7 @@ gnutls_x509_privkey_import_rsa_raw (gnutls_x509_privkey_t 
key,
  * native #gnutls_x509_privkey_t format.  The output will be stored in
  * @key.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -751,7 +751,7 @@ cleanup:
  * native #gnutls_x509_privkey_t format.  The output will be stored
  * in @key.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -844,7 +844,7 @@ cleanup:
  * native #gnutls_x509_privkey_t format.  The output will be stored
  * in @key.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -911,7 +911,7 @@ cleanup:
  * key.
  *
  * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
- *   success, or a negative value on error.
+ *   success, or a negative error code on error.
  **/
 int
 gnutls_x509_privkey_get_pk_algorithm (gnutls_x509_privkey_t key)
@@ -944,7 +944,7 @@ gnutls_x509_privkey_get_pk_algorithm (gnutls_x509_privkey_t 
key)
  * If the structure is PEM encoded, it will have a header
  * of "BEGIN RSA PRIVATE KEY".
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -1018,7 +1018,7 @@ gnutls_x509_privkey_sec_param (gnutls_x509_privkey_t key)
  * in the given structure. The new parameters will be allocated using
  * gnutls_malloc() and will be stored in the appropriate datum.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int gnutls_x509_privkey_export_ecc_raw (gnutls_x509_privkey_t key, 
@@ -1082,7 +1082,7 @@ int gnutls_x509_privkey_export_ecc_raw 
(gnutls_x509_privkey_t key,
  * in the given structure. The new parameters will be allocated using
  * gnutls_malloc() and will be stored in the appropriate datum.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -1112,7 +1112,7 @@ gnutls_x509_privkey_export_rsa_raw (gnutls_x509_privkey_t 
key,
  * in the given structure. The new parameters will be allocated using
  * gnutls_malloc() and will be stored in the appropriate datum.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -1247,7 +1247,7 @@ error:
  * in the given structure. The new parameters will be allocated using
  * gnutls_malloc() and will be stored in the appropriate datum.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -1333,7 +1333,7 @@ gnutls_x509_privkey_export_dsa_raw (gnutls_x509_privkey_t 
key,
  *
  * Do not set the number of bits directly, use gnutls_sec_param_to_pk_bits().
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -1398,7 +1398,7 @@ cleanup:
  * be returned.  The output will normally be a SHA-1 hash output,
  * which is 20 bytes.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -1459,7 +1459,7 @@ cleanup:
  * @hash_algo: The hash algorithm used
  * @hash_data: holds the data to be signed
  * @signature: will contain newly allocated signature
- * @flags: zero for now
+ * @flags: (0) for now
  *
  * This function will sign the given hashed data using a signature algorithm
  * supported by the private key. Signature algorithms are always used
@@ -1472,7 +1472,7 @@ cleanup:
  *
  * The RSA algorithm is used in PKCS #1 v1.5 mode.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  -*/
 static int
@@ -1528,7 +1528,7 @@ cleanup:
  * requires the data to be hashed and stored in special formats 
  * (e.g. BER Digest-Info for RSA).
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  *
  * Deprecated in: 2.12.0
@@ -1579,7 +1579,7 @@ gnutls_x509_privkey_sign_hash (gnutls_x509_privkey_t key,
  * Use gnutls_x509_crt_get_preferred_hash_algorithm() to determine
  * the hash algorithm.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  *
  * Deprecated: Use gnutls_privkey_sign_data().
@@ -1643,7 +1643,7 @@ gnutls_x509_privkey_sign_data (gnutls_x509_privkey_t key,
  * This function will recalculate the secondary parameters in a key.
  * In RSA keys, this can be the coefficient and exponent1,2.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c
index e64aed9..942087d 100644
--- a/lib/x509/privkey_pkcs8.c
+++ b/lib/x509/privkey_pkcs8.c
@@ -595,7 +595,7 @@ error:
  * of "BEGIN ENCRYPTED PRIVATE KEY" or "BEGIN PRIVATE KEY" if
  * encryption is not used.
  *
- * Return value: In case of failure a negative value will be
+ * Return value: In case of failure a negative error code will be
  *   returned, and 0 on success.
  **/
 int
@@ -1175,7 +1175,7 @@ error:
  * specify the flags if the key is DER encoded, since in that case
  * the encryption status cannot be auto-detected.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
diff --git a/lib/x509/rfc2818_hostname.c b/lib/x509/rfc2818_hostname.c
index a374dec..c7d6d51 100644
--- a/lib/x509/rfc2818_hostname.c
+++ b/lib/x509/rfc2818_hostname.c
@@ -36,7 +36,7 @@
  * described in RFC2818 (HTTPS), which takes into account wildcards,
  * and the DNSName/IPAddress subject alternative name PKIX extension.
  *
- * Returns: non zero for a successful match, and zero on failure.
+ * Returns: non (0) for a successful match, and (0) on failure.
  **/
 int
 gnutls_x509_crt_check_hostname (gnutls_x509_crt_t cert, const char *hostname)
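Review bot: "non (0) for a successful match, and (0) on failure" reads badly and hides the important point, which is that this function uses the opposite convention from the "%GNUTLS_E_SUCCESS (0) on success" functions changed elsewhere in this patch. A caller who writes a `== 0` or `< 0` test out of habit would accept a hostname mismatch. Suggest "non-zero for a successful match, and zero (0) on failure", plus a short remark that this is not a GnuTLS error code.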
diff --git a/lib/x509/sign.c b/lib/x509/sign.c
index 1765467..242dc06 100644
--- a/lib/x509/sign.c
+++ b/lib/x509/sign.c
@@ -86,7 +86,7 @@ _gnutls_x509_get_tbs (ASN1_TYPE cert, const char *tbs_name,
  * This function will sign a CRL or a certificate with the issuer's private 
key, and
  * will copy the issuer's information into the CRL or certificate.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  -*/
 int
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index 2d4b43c..ceb62a3 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -63,11 +63,11 @@ struct gnutls_x509_trust_list_st {
 /**
  * gnutls_x509_trust_list_init:
  * @list: The structure to be initialized
- * @size: The size of the internal hash table. Use zero for default size.
+ * @size: The size of the internal hash table. Use (0) for default size.
  *
  * This function will initialize an X.509 trust list structure.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -97,7 +97,7 @@ gnutls_x509_trust_list_init (gnutls_x509_trust_list_t * list, 
unsigned int size)
 /**
  * gnutls_x509_trust_list_deinit:
  * @list: The structure to be deinitialized
- * @all: if non-zero it will deinitialize all the certificates and CRLs 
contained in the structure.
+ * @all: if non-(0) it will deinitialize all the certificates and CRLs 
contained in the structure.
  *
  * This function will deinitialize a trust list.
  **/
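Review bot: "@all: if non-(0) it will deinitialize ..." is a side effect of the mechanical replacement and is not valid gtk-doc prose. "non-zero" was already unambiguous here, so leave this line as it was; the "(0)" form only helps where it annotates a named constant such as %GNUTLS_E_SUCCESS.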
@@ -200,7 +200,7 @@ uint32_t hash;
  * The certificate must not be deinitialized during the lifetime
  * of the trusted list.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  *
  **/
@@ -387,12 +387,12 @@ gnutls_datum_t dn;
  * @list: The structure of the list
  * @cert: is the certificate to find issuer for
  * @issuer: Will hold the issuer if any. Should be treated as constant.
- * @flags: Use zero.
+ * @flags: Use (0).
  *
  * This function will attempt to find the issuer of the
  * given certificate.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int gnutls_x509_trust_list_get_issuer(gnutls_x509_trust_list_t list,
@@ -439,7 +439,7 @@ uint32_t hash;
  * This function will try to verify the given certificate and return
  * its status.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -535,7 +535,7 @@ uint32_t hash;
  * match is found the certificate is considered valid. In addition to that
  * this function will also check CRLs.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 6ed921c..243b953 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -213,8 +213,8 @@ cleanup:
  * This does a straight (DER) compare of the issuer/subject fields in
  * the given certificates.
  *
- * Returns 1 if they match and zero if they don't match. Otherwise
- * a negative value is returned to indicate error.
+ * Returns 1 if they match and (0) if they don't match. Otherwise
+ * a negative error code is returned to indicate error.
  */
 static int
 is_issuer (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer_cert)
@@ -248,8 +248,8 @@ cleanup:
 }
 
 /* Checks if the DN of two certificates is the same.
- * Returns 1 if they match and zero if they don't match. Otherwise
- * a negative value is returned to indicate error.
+ * Returns 1 if they match and (0) if they don't match. Otherwise
+ * a negative error code is returned to indicate error.
  */
 int
 _gnutls_is_same_dn (gnutls_x509_crt_t cert1, gnutls_x509_crt_t cert2)
@@ -529,7 +529,7 @@ cleanup:
  * given issuer.
  *
  * Returns: It will return true (1) if the given certificate is issued
- *   by the given issuer, and false (0) if not.  A negative value is
+ *   by the given issuer, and false (0) if not.  A negative error code is
  *   returned in case of an error.
  **/
 int
@@ -847,11 +847,7 @@ _gnutls_x509_verify_hashed_data (const gnutls_datum_t * 
hash,
  * elements bitwise or'd.  For a more detailed verification status use
  * gnutls_x509_crt_verify() per list element.
  *
- * GNUTLS_CERT_INVALID: the certificate chain is not valid.
- *
- * GNUTLS_CERT_REVOKED: a certificate in the chain has been revoked.
- *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
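Review bot: the two removed lines describing GNUTLS_CERT_INVALID and GNUTLS_CERT_REVOKED are a content change, not part of the "(0)" wording cleanup, and nothing in the hunk replaces them. The remaining text still says the result is status elements bitwise or'd, so the comment should either keep the flag descriptions or point to where they are documented. The Returns line should also make clear whether %GNUTLS_E_SUCCESS (0) means the chain verified or only that the check completed and the status flags must still be inspected.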
@@ -904,7 +900,7 @@ int i, ret;
  * This function will try to verify the given certificate and return
  * its status.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -935,7 +931,7 @@ gnutls_x509_crt_verify (gnutls_x509_crt_t cert,
  * issuer certificate.  It will return true (1) if the given CRL was
  * issued by the given issuer, and false (0) if not.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
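Review bot: the Returns line now contradicts the description two lines above it. The description says the function returns true (1) if the CRL was issued by the given issuer and false (0) if not, while Returns says %GNUTLS_E_SUCCESS (0) is returned on success, so (0) is documented as both "not issued by this issuer" and "success". Pick one contract and state it once; if the 1/0 description is the real behaviour, the Returns line should read like the one in the `@@ -529,7` hunk of this file: true (1), false (0), negative error code on error.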
@@ -957,7 +953,7 @@ gnutls_x509_crl_check_issuer (gnutls_x509_crl_t crl,
  * See gnutls_x509_crt_list_verify() for a detailed description of
  * return values.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index 5af20af..2adb899 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -40,7 +40,7 @@
  *
  * This function will initialize an X.509 certificate structure.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -76,7 +76,7 @@ gnutls_x509_crt_init (gnutls_x509_crt_t * cert)
  *
  * This function will copy an X.509 certificate structure.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  -*/
 int
@@ -156,7 +156,7 @@ gnutls_x509_crt_deinit (gnutls_x509_crt_t cert)
  * If the Certificate is PEM encoded it should have a header of "X509
  * CERTIFICATE", or "CERTIFICATE".
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -284,8 +284,8 @@ gnutls_x509_crt_get_issuer_dn (gnutls_x509_crt_t cert, char 
*buf,
  * gnutls_x509_crt_get_issuer_dn_by_oid:
  * @cert: should contain a #gnutls_x509_crt_t structure
  * @oid: holds an Object Identified in null terminated string
- * @indx: In case multiple same OIDs exist in the RDN, this specifies which to 
send. Use zero to get the first one.
- * @raw_flag: If non zero returns the raw DER data of the DN part.
+ * @indx: In case multiple same OIDs exist in the RDN, this specifies which to 
send. Use (0) to get the first one.
+ * @raw_flag: If non (0) returns the raw DER data of the DN part.
  * @buf: a pointer to a structure to hold the name (may be null)
  * @sizeof_buf: initially holds the size of @buf
  *
@@ -295,7 +295,7 @@ gnutls_x509_crt_get_issuer_dn (gnutls_x509_crt_t cert, char 
*buf,
  * ASCII or UTF-8 encoded, depending on the certificate data.
  *
  * Some helper macros with popular OIDs can be found in gnutls/x509.h
- * If raw flag is zero, this function will only return known OIDs as
+ * If raw flag is (0), this function will only return known OIDs as
  * text. Other OIDs will be DER encoded, as described in RFC2253 --
  * in hex format with a '\#' prefix.  You can check about known OIDs
  * using gnutls_x509_dn_oid_known().
@@ -326,7 +326,7 @@ gnutls_x509_crt_get_issuer_dn_by_oid (gnutls_x509_crt_t 
cert,
 /**
  * gnutls_x509_crt_get_issuer_dn_oid:
  * @cert: should contain a #gnutls_x509_crt_t structure
- * @indx: This specifies which OID to return. Use zero to get the first one.
+ * @indx: This specifies which OID to return. Use (0) to get the first one.
  * @oid: a pointer to a buffer to hold the OID (may be null)
  * @sizeof_oid: initially holds the size of @oid
  *
@@ -390,8 +390,8 @@ gnutls_x509_crt_get_dn (gnutls_x509_crt_t cert, char *buf,
  * gnutls_x509_crt_get_dn_by_oid:
  * @cert: should contain a #gnutls_x509_crt_t structure
  * @oid: holds an Object Identified in null terminated string
- * @indx: In case multiple same OIDs exist in the RDN, this specifies which to 
send. Use zero to get the first one.
- * @raw_flag: If non zero returns the raw DER data of the DN part.
+ * @indx: In case multiple same OIDs exist in the RDN, this specifies which to 
send. Use (0) to get the first one.
+ * @raw_flag: If non (0) returns the raw DER data of the DN part.
  * @buf: a pointer where the DN part will be copied (may be null).
  * @sizeof_buf: initially holds the size of @buf
  *
@@ -401,7 +401,7 @@ gnutls_x509_crt_get_dn (gnutls_x509_crt_t cert, char *buf,
  * that is ASCII or UTF-8 encoded, depending on the certificate data.
  *
  * Some helper macros with popular OIDs can be found in gnutls/x509.h
- * If raw flag is zero, this function will only return known OIDs as
+ * If raw flag is (0), this function will only return known OIDs as
  * text. Other OIDs will be DER encoded, as described in RFC2253 --
  * in hex format with a '\#' prefix.  You can check about known OIDs
  * using gnutls_x509_dn_oid_known().
@@ -431,7 +431,7 @@ gnutls_x509_crt_get_dn_by_oid (gnutls_x509_crt_t cert, 
const char *oid,
 /**
  * gnutls_x509_crt_get_dn_oid:
  * @cert: should contain a #gnutls_x509_crt_t structure
- * @indx: This specifies which OID to return. Use zero to get the first one.
+ * @indx: This specifies which OID to return. Use (0) to get the first one.
  * @oid: a pointer to a buffer to hold the OID (may be null)
  * @sizeof_oid: initially holds the size of @oid
  *
@@ -467,7 +467,7 @@ gnutls_x509_crt_get_dn_oid (gnutls_x509_crt_t cert,
  * enumeration that is the signature algorithm that has been used to
  * sign this certificate.
  *
- * Returns: a #gnutls_sign_algorithm_t value, or a negative value on
+ * Returns: a #gnutls_sign_algorithm_t value, or a negative error code on
  *   error.
  **/
 int
@@ -484,8 +484,8 @@ gnutls_x509_crt_get_signature_algorithm (gnutls_x509_crt_t 
cert)
  *
  * This function will extract the signature field of a certificate.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
- *   negative error value. and a negative value on error.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error value. and a negative error code on error.
  **/
 int
 gnutls_x509_crt_get_signature (gnutls_x509_crt_t cert,
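Review bot: the replacement leaves a duplicated, ungrammatical tail on the Returns line: "otherwise a negative error value. and a negative error code on error." The second clause was already redundant before this patch; drop it so the line ends at "negative error value."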
@@ -538,7 +538,7 @@ gnutls_x509_crt_get_signature (gnutls_x509_crt_t cert,
  *
  * This function will return the version of the specified Certificate.
  *
- * Returns: version of certificate, or a negative value on error.
+ * Returns: version of certificate, or a negative error code on error.
  **/
 int
 gnutls_x509_crt_get_version (gnutls_x509_crt_t cert)
@@ -622,7 +622,7 @@ gnutls_x509_crt_get_expiration_time (gnutls_x509_crt_t cert)
  * is not always a 32 or 64bit number. Some CAs use large serial
  * numbers, thus it may be wise to handle it as something opaque.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -656,13 +656,13 @@ gnutls_x509_crt_get_serial (gnutls_x509_crt_t cert, void 
*result,
  * @cert: should contain a #gnutls_x509_crt_t structure
  * @ret: The place where the identifier will be copied
  * @ret_size: Holds the size of the result field.
- * @critical: will be non zero if the extension is marked as critical (may be 
null)
+ * @critical: will be non (0) if the extension is marked as critical (may be 
null)
  *
  * This function will return the X.509v3 certificate's subject key
  * identifier.  This is obtained by the X.509 Subject Key identifier
  * extension field (2.5.29.14).
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -743,14 +743,14 @@ gnutls_x509_crt_get_subject_key_id (gnutls_x509_crt_t 
cert, void *ret,
  * @cert: should contain a #gnutls_x509_crt_t structure
  * @ret: The place where the identifier will be copied
  * @ret_size: Holds the size of the result field.
- * @critical: will be non zero if the extension is marked as critical (may be 
null)
+ * @critical: will be non (0) if the extension is marked as critical (may be 
null)
  *
  * This function will return the X.509v3 certificate authority's key
  * identifier.  This is obtained by the X.509 Authority Key
  * identifier extension field (2.5.29.35). Note that this function
  * only returns the keyIdentifier field of the extension.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -841,7 +841,7 @@ gnutls_x509_crt_get_authority_key_id (gnutls_x509_crt_t 
cert, void *ret,
  * exponent.
  *
  * Returns: a member of the #gnutls_pk_algorithm_t enumeration on
- * success, or a negative value on error.
+ * success, or a negative error code on error.
  **/
 int
 gnutls_x509_crt_get_pk_algorithm (gnutls_x509_crt_t cert, unsigned int *bits)
@@ -1160,7 +1160,7 @@ get_alt_name (gnutls_x509_crt_t cert, const char 
*extension_id,
  * @seq: specifies the sequence number of the alt name (0 for the first one, 1 
for the second etc.)
  * @ret: is the place where the alternative name will be copied to
  * @ret_size: holds the size of ret.
- * @critical: will be non zero if the extension is marked as critical (may be 
null)
+ * @critical: will be non (0) if the extension is marked as critical (may be 
null)
  *
  * This function retrieves the Alternative Name (2.5.29.17), contained
  * in the given certificate in the X509v3 Certificate Extensions.
@@ -1200,7 +1200,7 @@ gnutls_x509_crt_get_subject_alt_name (gnutls_x509_crt_t 
cert,
  * @seq: specifies the sequence number of the alt name (0 for the first one, 1 
for the second etc.)
  * @ret: is the place where the alternative name will be copied to
  * @ret_size: holds the size of ret.
- * @critical: will be non zero if the extension is marked as critical (may be 
null)
+ * @critical: will be non (0) if the extension is marked as critical (may be 
null)
  *
  * This function retrieves the Issuer Alternative Name (2.5.29.18),
  * contained in the given certificate in the X509v3 Certificate
@@ -1244,7 +1244,7 @@ gnutls_x509_crt_get_issuer_alt_name (gnutls_x509_crt_t 
cert,
  * @ret: is the place where the alternative name will be copied to
  * @ret_size: holds the size of ret.
  * @ret_type: holds the type of the alternative name (one of 
gnutls_x509_subject_alt_name_t).
- * @critical: will be non zero if the extension is marked as critical (may be 
null)
+ * @critical: will be non (0) if the extension is marked as critical (may be 
null)
  *
  * This function will return the alternative names, contained in the
  * given certificate. It is the same as
@@ -1279,7 +1279,7 @@ gnutls_x509_crt_get_subject_alt_name2 (gnutls_x509_crt_t 
cert,
  * @ret: is the place where the alternative name will be copied to
  * @ret_size: holds the size of ret.
  * @ret_type: holds the type of the alternative name (one of 
gnutls_x509_subject_alt_name_t).
- * @critical: will be non zero if the extension is marked as critical (may be 
null)
+ * @critical: will be non (0) if the extension is marked as critical (may be 
null)
  *
  * This function will return the alternative names, contained in the
  * given certificate. It is the same as
@@ -1383,11 +1383,11 @@ gnutls_x509_crt_get_issuer_alt_othername_oid 
(gnutls_x509_crt_t cert,
 /**
  * gnutls_x509_crt_get_basic_constraints:
  * @cert: should contain a #gnutls_x509_crt_t structure
- * @critical: will be non zero if the extension is marked as critical
+ * @critical: will be non (0) if the extension is marked as critical
  * @ca: pointer to output integer indicating CA status, may be NULL,
  *   value is 1 if the certificate CA flag is set, 0 otherwise.
  * @pathlen: pointer to output integer indicating path length (may be
- *   NULL), non-negative values indicate a present pathLenConstraint
+ *   NULL), non-negative error codes indicate a present pathLenConstraint
  *   field and the actual value, -1 indicate that the field is absent.
  *
  * This function will read the certificate's basic constraints, and
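Review bot: the @pathlen description was changed by the search-and-replace to "non-negative error codes indicate a present pathLenConstraint field and the actual value", which is wrong. These are path length values, not error codes, and the next line still gives -1 as the "field absent" marker. Revert this line to "non-negative values"; only the @critical line in this hunk needed touching.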
@@ -1395,8 +1395,8 @@ gnutls_x509_crt_get_issuer_alt_othername_oid 
(gnutls_x509_crt_t cert,
  * X.509 extension (2.5.29.19).
  *
  * Return value: If the certificate is a CA a positive value will be
- * returned, or zero if the certificate does not have CA flag set.  A
- * negative value may be returned in case of errors.  If the
+ * returned, or (0) if the certificate does not have CA flag set.  A
+ * negative error code may be returned in case of errors.  If the
  * certificate does not contain the basicConstraints extension
  * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
  **/
@@ -1449,17 +1449,17 @@ gnutls_x509_crt_get_basic_constraints 
(gnutls_x509_crt_t cert,
 /**
  * gnutls_x509_crt_get_ca_status:
  * @cert: should contain a #gnutls_x509_crt_t structure
- * @critical: will be non zero if the extension is marked as critical
+ * @critical: will be non (0) if the extension is marked as critical
  *
  * This function will return certificates CA status, by reading the
  * basicConstraints X.509 extension (2.5.29.19). If the certificate is
- * a CA a positive value will be returned, or zero if the certificate
+ * a CA a positive value will be returned, or (0) if the certificate
  * does not have CA flag set.
  *
  * Use gnutls_x509_crt_get_basic_constraints() if you want to read the
  * pathLenConstraint field too.
  *
- * Returns: A negative value may be returned in case of parsing error.
+ * Returns: A negative error code may be returned in case of parsing error.
  * If the certificate does not contain the basicConstraints extension
  * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
  **/
@@ -1475,7 +1475,7 @@ gnutls_x509_crt_get_ca_status (gnutls_x509_crt_t cert, 
unsigned int *critical)
  * gnutls_x509_crt_get_key_usage:
  * @cert: should contain a #gnutls_x509_crt_t structure
  * @key_usage: where the key usage bits will be stored
- * @critical: will be non zero if the extension is marked as critical
+ * @critical: will be non (0) if the extension is marked as critical
  *
  * This function will return certificate's key usage, by reading the
  * keyUsage X.509 extension (2.5.29.15). The key usage value will ORed
@@ -1485,7 +1485,7 @@ gnutls_x509_crt_get_ca_status (gnutls_x509_crt_t cert, 
unsigned int *critical)
  * %GNUTLS_KEY_KEY_CERT_SIGN, %GNUTLS_KEY_CRL_SIGN,
  * %GNUTLS_KEY_ENCIPHER_ONLY, %GNUTLS_KEY_DECIPHER_ONLY.
  *
- * Returns: the certificate key usage, or a negative value in case of
+ * Returns: the certificate key usage, or a negative error code in case of
  *   parsing error.  If the certificate does not contain the keyUsage
  *   extension %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be
  *   returned.
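Review bot: "Returns: the certificate key usage" sits oddly next to the @key_usage parameter, which the comment for the same function describes as "where the key usage bits will be stored". If the bits are delivered through @key_usage, the Returns line should state what the non-negative return value means, so that callers do not mask the return code as if it were the usage bits.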
@@ -1536,9 +1536,9 @@ gnutls_x509_crt_get_key_usage (gnutls_x509_crt_t cert,
 /**
  * gnutls_x509_crt_get_proxy:
  * @cert: should contain a #gnutls_x509_crt_t structure
- * @critical: will be non zero if the extension is marked as critical
+ * @critical: will be non (0) if the extension is marked as critical
  * @pathlen: pointer to output integer indicating path length (may be
- *   NULL), non-negative values indicate a present pCPathLenConstraint
+ *   NULL), non-negative error codes indicate a present pCPathLenConstraint
  *   field and the actual value, -1 indicate that the field is absent.
  * @policyLanguage: output variable with OID of policy language
  * @policy: output variable with policy data
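Review bot: on the @pathlen line, "non-negative error codes indicate a present pCPathLenConstraint" is wrong. @pathlen carries a path length, not an error code, and the following line still uses -1 for an absent field. Restore "non-negative values" here and keep the "error code" wording for Returns paragraphs only.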
@@ -1547,8 +1547,8 @@ gnutls_x509_crt_get_key_usage (gnutls_x509_crt_t cert,
  * This function will get information from a proxy certificate.  It
  * reads the ProxyCertInfo X.509 extension (1.3.6.1.5.5.7.1.14).
  *
- * Returns: On success, %GNUTLS_E_SUCCESS (zero) is returned,
- *   otherwise an error code is returned.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
+ *   otherwise a negative error code is returned.
  **/
 int
 gnutls_x509_crt_get_proxy (gnutls_x509_crt_t cert,
@@ -1599,17 +1599,17 @@ gnutls_x509_crt_get_proxy (gnutls_x509_crt_t cert,
  * gnutls_x509_crt_get_extension_by_oid:
  * @cert: should contain a #gnutls_x509_crt_t structure
  * @oid: holds an Object Identified in null terminated string
- * @indx: In case multiple same OIDs exist in the extensions, this specifies 
which to send. Use zero to get the first one.
+ * @indx: In case multiple same OIDs exist in the extensions, this specifies 
which to send. Use (0) to get the first one.
  * @buf: a pointer to a structure to hold the name (may be null)
  * @sizeof_buf: initially holds the size of @buf
- * @critical: will be non zero if the extension is marked as critical
+ * @critical: will be non (0) if the extension is marked as critical
  *
  * This function will return the extension specified by the OID in the
  * certificate.  The extensions will be returned as binary data DER
  * encoded, in the provided buffer.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS (zero) is returned,
- *   otherwise an error code is returned. If the certificate does not
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
+ *   otherwise a negative error code is returned. If the certificate does not
  *   contain the specified extension
  *   GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
  **/
@@ -1663,15 +1663,15 @@ gnutls_x509_crt_get_extension_by_oid (gnutls_x509_crt_t 
cert,
 /**
  * gnutls_x509_crt_get_extension_oid:
  * @cert: should contain a #gnutls_x509_crt_t structure
- * @indx: Specifies which extension OID to send. Use zero to get the first one.
+ * @indx: Specifies which extension OID to send. Use (0) to get the first one.
  * @oid: a pointer to a structure to hold the OID (may be null)
  * @sizeof_oid: initially holds the size of @oid
  *
  * This function will return the requested extension OID in the certificate.
  * The extension OID will be stored as a string in the provided buffer.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS (zero) is returned,
- *   otherwise an error code is returned.  If you have reached the
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
+ *   otherwise a negative error code is returned.  If you have reached the
  *   last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
  *   will be returned.
  **/
@@ -1700,7 +1700,7 @@ gnutls_x509_crt_get_extension_oid (gnutls_x509_crt_t 
cert, int indx,
 /**
  * gnutls_x509_crt_get_extension_info:
  * @cert: should contain a #gnutls_x509_crt_t structure
- * @indx: Specifies which extension OID to send. Use zero to get the first one.
+ * @indx: Specifies which extension OID to send. Use (0) to get the first one.
  * @oid: a pointer to a structure to hold the OID
  * @sizeof_oid: initially holds the maximum size of @oid, on return
  *   holds actual size of @oid.
@@ -1715,8 +1715,8 @@ gnutls_x509_crt_get_extension_oid (gnutls_x509_crt_t 
cert, int indx,
  * address@hidden is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will be
  * returned.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS (zero) is returned,
- *   otherwise an error code is returned.  If you have reached the
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
+ *   otherwise a negative error code is returned.  If you have reached the
  *   last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
  *   will be returned.
  **/
@@ -1776,7 +1776,7 @@ gnutls_x509_crt_get_extension_info (gnutls_x509_crt_t 
cert, int indx,
 /**
  * gnutls_x509_crt_get_extension_data:
  * @cert: should contain a #gnutls_x509_crt_t structure
- * @indx: Specifies which extension OID to send. Use zero to get the first one.
+ * @indx: Specifies which extension OID to send. Use (0) to get the first one.
  * @data: a pointer to a structure to hold the data (may be null)
  * @sizeof_data: initially holds the size of @oid
  *
@@ -1789,8 +1789,8 @@ gnutls_x509_crt_get_extension_info (gnutls_x509_crt_t 
cert, int indx,
  * if you want to get data indexed by the extension OID rather than
  * sequence.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS (zero) is returned,
- *   otherwise an error code is returned.  If you have reached the
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
+ *   otherwise a negative error code is returned.  If you have reached the
  *   last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
  *   will be returned.
  **/
@@ -1892,8 +1892,8 @@ cleanup:
  * This function will return a pointer to the DER encoded DN structure
  * and the length.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
- *   negative error value.or a negative value on error.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error value.or a negative error code on error.
  *
  **/
 int
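Review bot: the new Returns text ends in "negative error value.or a negative error code on error.", which keeps the duplicated clause and the missing space from the old comment. Collapse it to a single statement, for example "otherwise a negative error code is returned".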
@@ -1911,8 +1911,8 @@ gnutls_x509_crt_get_raw_issuer_dn (gnutls_x509_crt_t cert,
  * This function will return a pointer to the DER encoded DN structure and
  * the length.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
- *   negative error value. or a negative value on error.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error value. or a negative error code on error.
  *
  **/
 int
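Review bot: the Returns text here reads "negative error value. or a negative error code on error.", two overlapping clauses where one is needed. Drop the second clause, or fold both into "otherwise a negative error code is returned", to match the other Returns paragraphs in this file.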
@@ -2143,7 +2143,7 @@ gnutls_x509_crt_get_fingerprint (gnutls_x509_crt_t cert,
  * If the structure is PEM encoded, it will have a header
  * of "BEGIN CERTIFICATE".
  *
- * Return value: In case of failure a negative value will be
+ * Return value: In case of failure a negative error code will be
  *   returned, and 0 on success.
  **/
 int
@@ -2255,7 +2255,7 @@ cleanup:
  * be returned.  The output will normally be a SHA-1 hash output,
  * which is 20 bytes.
  *
- * Return value: In case of failure a negative value will be
+ * Return value: In case of failure a negative error code will be
  *   returned, and 0 on success.
  **/
 int
@@ -2447,7 +2447,7 @@ _gnutls_x509_crt_check_revocation (gnutls_x509_crt_t cert,
  * revoked.  It is assumed that the CRLs have been verified before.
  *
  * Returns: 0 if the certificate is NOT revoked, and 1 if it is.  A
- * negative value is returned on error.
+ * negative error code is returned on error.
  **/
 int
 gnutls_x509_crt_check_revocation (gnutls_x509_crt_t cert,
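Review bot: the Returns text for gnutls_x509_crt_check_revocation() lists three outcomes (0 not revoked, 1 revoked, negative on error) but does not say how the error case should be handled. Add a sentence stating that only a return of exactly 0 means "not revoked" and that a negative error code must be treated as a failed check, so that a caller comparing against 1 alone does not accept a certificate whose revocation status could not be determined.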
@@ -2468,7 +2468,7 @@ gnutls_x509_crt_check_revocation (gnutls_x509_crt_t cert,
  *
  * Deprecated: Use gnutls_pubkey_get_verify_algorithm() instead.
  *
- * Returns: the 0 if the hash algorithm is found. A negative value is
+ * Returns: the 0 if the hash algorithm is found. A negative error code is
  * returned on error.
  *
  * Since: 2.8.0
@@ -2512,7 +2512,7 @@ gnutls_x509_crt_get_verify_algorithm (gnutls_x509_crt_t 
crt,
  * gnutls_x509_crt_get_preferred_hash_algorithm:
  * @crt: Holds the certificate
  * @hash: The result of the call with the hash algorithm used for signature
- * @mand: If non zero it means that the algorithm MUST use this hash. May be 
NULL.
+ * @mand: If non (0) it means that the algorithm MUST use this hash. May be 
NULL.
  *
  * This function will read the certifcate and return the appropriate digest
  * algorithm to use for signing with this certificate. Some certificates (i.e.
@@ -2520,7 +2520,7 @@ gnutls_x509_crt_get_verify_algorithm (gnutls_x509_crt_t 
crt,
  *
  * Deprecated: Please use gnutls_pubkey_get_preferred_hash_algorithm().
  *
- * Returns: the 0 if the hash algorithm is found. A negative value is
+ * Returns: the 0 if the hash algorithm is found. A negative error code is
  * returned on error.
  *
  * Since: 2.11.0
@@ -2640,7 +2640,7 @@ gnutls_x509_crt_verify_hash (gnutls_x509_crt_t crt, 
unsigned int flags,
  * @ret: is the place where the distribution point will be copied to
  * @ret_size: holds the size of ret.
  * @reason_flags: Revocation reasons flags.
- * @critical: will be non zero if the extension is marked as critical (may be 
null)
+ * @critical: will be non (0) if the extension is marked as critical (may be 
null)
  *
  * This function retrieves the CRL distribution points (2.5.29.31),
  * contained in the given certificate in the X509v3 Certificate
@@ -2654,7 +2654,7 @@ gnutls_x509_crt_verify_hash (gnutls_x509_crt_t crt, 
unsigned int flags,
  * %GNUTLS_CRL_REASON_CESSATION_OF_OPERATION,
  * %GNUTLS_CRL_REASON_CERTIFICATE_HOLD,
  * %GNUTLS_CRL_REASON_PRIVILEGE_WITHDRAWN,
- * %GNUTLS_CRL_REASON_AA_COMPROMISE, or zero for all possible reasons.
+ * %GNUTLS_CRL_REASON_AA_COMPROMISE, or (0) for all possible reasons.
  *
  * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER and updates @ret_size if
  *   @ret_size is not enough to hold the distribution point, or the
@@ -2768,7 +2768,7 @@ gnutls_x509_crt_get_crl_dist_points (gnutls_x509_crt_t 
cert,
 /**
  * gnutls_x509_crt_get_key_purpose_oid:
  * @cert: should contain a #gnutls_x509_crt_t structure
- * @indx: This specifies which OID to return. Use zero to get the first one.
+ * @indx: This specifies which OID to return. Use (0) to get the first one.
  * @oid: a pointer to a buffer to hold the OID (may be null)
  * @sizeof_oid: initially holds the size of @oid
  * @critical: output flag to indicate criticality of extension
@@ -2873,7 +2873,7 @@ gnutls_x509_crt_get_key_purpose_oid (gnutls_x509_crt_t 
cert,
  * the given structure.  The new parameters will be allocated using
  * gnutls_malloc() and will be stored in the appropriate datum.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
  **/
 int
 gnutls_x509_crt_get_pk_rsa_raw (gnutls_x509_crt_t crt,
@@ -2936,7 +2936,7 @@ cleanup:
  * the given certificate.  The new parameters will be allocated using
  * gnutls_malloc() and will be stored in the appropriate datum.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
  **/
 int
 gnutls_x509_crt_get_pk_dsa_raw (gnutls_x509_crt_t crt,
@@ -3022,7 +3022,7 @@ cleanup:
  * @size: It will contain the size of the list.
  * @data: The PEM encoded certificate.
  * @format: One of DER or PEM.
- * @flags: must be zero or an OR'd sequence of gnutls_certificate_import_flags.
+ * @flags: must be (0) or an OR'd sequence of gnutls_certificate_import_flags.
  *
  * This function will convert the given PEM encoded certificate list
  * to the native gnutls_x509_crt_t format. The output will be stored
@@ -3080,7 +3080,7 @@ int ret;
  * @cert_max: Initially must hold the maximum number of certs. It will be 
updated with the number of certs available.
  * @data: The PEM encoded certificate.
  * @format: One of DER or PEM.
- * @flags: must be zero or an OR'd sequence of gnutls_certificate_import_flags.
+ * @flags: must be (0) or an OR'd sequence of gnutls_certificate_import_flags.
  *
  * This function will convert the given PEM encoded certificate list
  * to the native gnutls_x509_crt_t format. The output will be stored
@@ -3230,7 +3230,7 @@ error:
  * full subjectUniqueID, then a GNUTLS_E_SHORT_MEMORY_BUFFER error will be
  * returned, and sizeof_buf will be set to the actual length.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
  **/
 int
 gnutls_x509_crt_get_subject_unique_id (gnutls_x509_crt_t crt, char *buf,
@@ -3274,7 +3274,7 @@ gnutls_x509_crt_get_subject_unique_id (gnutls_x509_crt_t 
crt, char *buf,
  * full subjectUniqueID, then a GNUTLS_E_SHORT_MEMORY_BUFFER error will be
  * returned, and sizeof_buf will be set to the actual length.
  *
- * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
  **/
 int
 gnutls_x509_crt_get_issuer_unique_id (gnutls_x509_crt_t crt, char *buf,
diff --git a/lib/x509/x509_write.c b/lib/x509/x509_write.c
index d038b6e..1ae10ed 100644
--- a/lib/x509/x509_write.c
+++ b/lib/x509/x509_write.c
@@ -57,7 +57,7 @@ static void disable_optional_stuff (gnutls_x509_crt_t cert);
  * not known (by gnutls) you should properly DER encode your data,
  * and call this function with @raw_flag set.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
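Review bot: this Returns line, like the others changed in x509_write.c, still ends in "negative error value" while the x509.c hunks in the same commit were moved to "negative error code". Use one term across both files so the generated reference is consistent.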
@@ -96,7 +96,7 @@ gnutls_x509_crt_set_dn_by_oid (gnutls_x509_crt_t crt, const 
char *oid,
  * operation will copy the signer's name as the issuer of the
  * certificate.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -129,7 +129,7 @@ gnutls_x509_crt_set_issuer_dn_by_oid (gnutls_x509_crt_t crt,
  * certificate naming style.  Note that if @name is %NULL, you MUST
  * set it later by using gnutls_x509_crt_set_dn_by_oid() or similar.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -176,7 +176,7 @@ gnutls_x509_crt_set_proxy_dn (gnutls_x509_crt_t crt, 
gnutls_x509_crt_t eecrt,
  * functions such as gnutls_x509_crt_set_subject_alt_name()
  * or gnutls_x509_crt_set_key_usage().
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -213,7 +213,7 @@ gnutls_x509_crt_set_version (gnutls_x509_crt_t crt, 
unsigned int version)
  * private key to the certificate. Only RSA keys are currently
  * supported.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  *
  **/
@@ -251,7 +251,7 @@ gnutls_x509_crt_set_key (gnutls_x509_crt_t crt, 
gnutls_x509_privkey_t key)
  * the extensions from the given certificate request to the certificate. 
  * Only RSA keys are currently supported.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -297,7 +297,7 @@ gnutls_x509_crt_set_crq (gnutls_x509_crt_t crt, 
gnutls_x509_crq_t crq)
  * This function will set extensions from the given request to the
  * certificate.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  *
  * Since: 2.8.0
@@ -385,13 +385,13 @@ gnutls_x509_crt_set_crq_extensions (gnutls_x509_crt_t crt,
  * @oid: holds an Object Identified in null terminated string
  * @buf: a pointer to a DER encoded data
  * @sizeof_buf: holds the size of @buf
- * @critical: should be non zero if the extension is to be marked as critical
+ * @critical: should be non (0) if the extension is to be marked as critical
  *
  * This function will set an the extension, by the specified OID, in
  * the certificate.  The extension data should be binary data DER
  * encoded.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -429,13 +429,13 @@ gnutls_x509_crt_set_extension_by_oid (gnutls_x509_crt_t 
crt,
  * gnutls_x509_crt_set_basic_constraints:
  * @crt: a certificate of type #gnutls_x509_crt_t
  * @ca: true(1) or false(0). Depending on the Certificate authority status.
- * @pathLenConstraint: non-negative values indicate maximum length of path,
- *   and negative values indicate that the pathLenConstraints field should
+ * @pathLenConstraint: non-negative error codes indicate maximum length of 
path,
+ *   and negative error codes indicate that the pathLenConstraints field should
  *   not be present.
  *
  * This function will set the basicConstraints certificate extension.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
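Review bot: the @pathLenConstraint description now says "non-negative error codes indicate maximum length of path" and "negative error codes indicate that the pathLenConstraints field should not be present". This is an input parameter holding a path length, so the original "values" was correct; the substitution should be reverted on these lines and applied to return-value text only.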
@@ -485,7 +485,7 @@ gnutls_x509_crt_set_basic_constraints (gnutls_x509_crt_t 
crt,
  * Use gnutls_x509_crt_set_basic_constraints() if you want to control
  * the pathLenConstraint field too.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -501,7 +501,7 @@ gnutls_x509_crt_set_ca_status (gnutls_x509_crt_t crt, 
unsigned int ca)
  *
  * This function will set the keyUsage certificate extension.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -544,7 +544,7 @@ gnutls_x509_crt_set_key_usage (gnutls_x509_crt_t crt, 
unsigned int usage)
  * gnutls_x509_crt_set_subject_alternative_name:
  * @crt: a certificate of type #gnutls_x509_crt_t
  * @type: is one of the gnutls_x509_subject_alt_name_t enumerations
- * @data_string: The data to be set, a zero terminated string
+ * @data_string: The data to be set, a (0) terminated string
  *
  * This function will set the subject alternative name certificate
  * extension. This function assumes that data can be expressed as a null
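Review bot: "a (0) terminated string" on the @data_string line is a casualty of the zero to (0) replacement. The next paragraph of the same comment already speaks of data "expressed as a null" terminated string, so "a null-terminated string" would be both readable and consistent.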
@@ -553,7 +553,7 @@ gnutls_x509_crt_set_key_usage (gnutls_x509_crt_t crt, 
unsigned int usage)
  * The name of the function is unfortunate since it is incosistent with
  * gnutls_x509_crt_get_subject_alt_name().
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -601,7 +601,7 @@ gnutls_x509_crt_set_subject_alternative_name 
(gnutls_x509_crt_t crt,
  * 
  * Other values can be set as binary values with the proper DER encoding.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  *
  * Since: 2.6.0
@@ -675,8 +675,8 @@ finish:
 /**
  * gnutls_x509_crt_set_proxy:
  * @crt: a certificate of type #gnutls_x509_crt_t
- * @pathLenConstraint: non-negative values indicate maximum length of path,
- *   and negative values indicate that the pathLenConstraints field should
+ * @pathLenConstraint: non-negative error codes indicate maximum length of 
path,
+ *   and negative error codes indicate that the pathLenConstraints field should
  *   not be present.
  * @policyLanguage: OID describing the language of @policy.
  * @policy: opaque byte array with policy language, can be %NULL
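Review bot: in the gnutls_x509_crt_set_proxy comment, @pathLenConstraint is now documented in terms of "non-negative error codes" and "negative error codes". The parameter is a path length supplied by the caller, not a return code, so both occurrences should go back to "values".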
@@ -684,7 +684,7 @@ finish:
  *
  * This function will set the proxyCertInfo extension.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -744,7 +744,7 @@ gnutls_x509_crt_set_proxy (gnutls_x509_crt_t crt,
  * This must be the last step in a certificate generation since all
  * the previously set parameters are now signed.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -799,7 +799,7 @@ fail:
  * This function is the same a gnutls_x509_crt_sign2() with no flags,
  * and SHA1 as the hash algorithm.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
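Review bot: the context line "This function is the same a gnutls_x509_crt_sign2() with no flags, and SHA1 as the hash algorithm" has a typo ("same a" for "same as") that could be fixed in the same pass. Since the comment states the digest is fixed to SHA1, it would also help to say that callers who need a different hash should call gnutls_x509_crt_sign2() directly.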
@@ -817,7 +817,7 @@ gnutls_x509_crt_sign (gnutls_x509_crt_t crt, 
gnutls_x509_crt_t issuer,
  * This function will set the time this Certificate was or will be
  * activated.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -841,7 +841,7 @@ gnutls_x509_crt_set_activation_time (gnutls_x509_crt_t 
cert, time_t act_time)
  *
  * This function will set the time this Certificate will expire.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -867,7 +867,7 @@ gnutls_x509_crt_set_expiration_time (gnutls_x509_crt_t 
cert, time_t exp_time)
  * serial numbers, thus it may be wise to handle it as something
  * opaque.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -924,7 +924,7 @@ disable_optional_stuff (gnutls_x509_crt_t cert)
  *
  * This function will set the CRL distribution points certificate extension.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -948,7 +948,7 @@ gnutls_x509_crt_set_crl_dist_points (gnutls_x509_crt_t crt,
  *
  * This function will set the CRL distribution points certificate extension.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  *
  * Since: 2.6.0
@@ -1020,7 +1020,7 @@ gnutls_x509_crt_set_crl_dist_points2 (gnutls_x509_crt_t 
crt,
  * extension, from the source to the destination certificate.
  * This may be useful to copy from a CA certificate to issued ones.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -1072,7 +1072,7 @@ gnutls_x509_crt_cpy_crl_dist_points (gnutls_x509_crt_t 
dst,
  * This function will set the X.509 certificate's subject key ID
  * extension.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -1135,7 +1135,7 @@ gnutls_x509_crt_set_subject_key_id (gnutls_x509_crt_t 
cert,
  * This function will set the X.509 certificate's authority key ID extension.
  * Only the keyIdentifier field can be set with this function.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int
@@ -1201,8 +1201,8 @@ gnutls_x509_crt_set_authority_key_id (gnutls_x509_crt_t 
cert,
  *
  * Subsequent calls to this function will append OIDs to the OID list.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS (zero) is returned,
- *   otherwise an error code is returned.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
+ *   otherwise a negative error code is returned.
  **/
 int
 gnutls_x509_crt_set_key_purpose_oid (gnutls_x509_crt_t cert,
@@ -1309,7 +1309,7 @@ gnutls_x509_crt_set_key_purpose_oid (gnutls_x509_crt_t 
cert,
  * This must be the last step in a certificate generation since all
  * the previously set parameters are now signed.
  *
- * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
 int


hooks/post-receive
-- 
GNU gnutls


