[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, master, updated. gnutls_3_0_15-17-gdf2b654
From: |
Nikos Mavrogiannopoulos |
Subject: |
[SCM] GNU gnutls branch, master, updated. gnutls_3_0_15-17-gdf2b654 |
Date: |
Tue, 06 Mar 2012 17:07:32 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=df2b6546b2a5ab7280470a0a8148e014cc6abfc6
The branch, master has been updated
via df2b6546b2a5ab7280470a0a8148e014cc6abfc6 (commit)
via 84cb745c39ed8bec9fd22920a36b31f0acf3fe93 (commit)
via 15c2eb673385bfc9eb79d6479b414bfd5524a13a (commit)
via addee7cdf78578a0717725157a62dec948bf76a9 (commit)
via b779464e99e7af4993617d9100877aad8c79dd41 (commit)
via ab2f709f9f49a0bc2abec4a980e4ef013ea292a3 (commit)
via 6afa51a52324f8d9bcb7271008a8b3b1d7adf7e3 (commit)
via 37791cbe4ed9bafbe6190d3b3429a664a90f8e82 (commit)
via b4ba291dbad85afb27d804d9163c801bd6fd4fc4 (commit)
via c8048f6a8ce756bdae450c266077510f19120096 (commit)
from 84fdabbb9661960caf3ddfd99678d2febd50d124 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit df2b6546b2a5ab7280470a0a8148e014cc6abfc6
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Tue Mar 6 18:13:19 2012 +0100
Added a real key purpose OID as example
commit 84cb745c39ed8bec9fd22920a36b31f0acf3fe93
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Tue Mar 6 11:43:09 2012 +0100
updated p11tool documentation.
commit 15c2eb673385bfc9eb79d6479b414bfd5524a13a
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Tue Mar 6 10:05:29 2012 +0100
Only set the private status if it has been explicitly specified. That is
because some tokens don't want it set.
commit addee7cdf78578a0717725157a62dec948bf76a9
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Tue Mar 6 09:39:06 2012 +0100
The default cipher when encrypting with PKCS12 is AES.
commit b779464e99e7af4993617d9100877aad8c79dd41
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Tue Mar 6 09:38:47 2012 +0100
to-p12 requires the load-certificate and load-privkey.
commit ab2f709f9f49a0bc2abec4a980e4ef013ea292a3
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Mon Mar 5 23:10:45 2012 +0100
updated front-page to include all contributors.
commit 6afa51a52324f8d9bcb7271008a8b3b1d7adf7e3
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Mon Mar 5 22:51:04 2012 +0100
Some updates on supplemental data handling.
commit 37791cbe4ed9bafbe6190d3b3429a664a90f8e82
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Mon Mar 5 22:20:17 2012 +0100
safe renegotiation tests only run under valgrind in the devel environment.
commit b4ba291dbad85afb27d804d9163c801bd6fd4fc4
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Mar 3 14:09:47 2012 +0100
updated
commit c8048f6a8ce756bdae450c266077510f19120096
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Mar 3 14:08:04 2012 +0100
changes in asynchronous documentation
-----------------------------------------------------------------------
Summary of changes:
NEWS | 3 +++
doc/cha-bib.texi | 5 +++++
doc/cha-gtls-app.texi | 25 +++++++++++++++----------
doc/cha-internals.texi | 23 ++++++++++++++---------
doc/latex/cover.tex | 8 ++++++++
doc/latex/gnutls.bib | 9 +++++++++
doc/latex/gnutls.tex | 2 +-
doc/scripts/mytexi2latex | 1 +
lib/includes/gnutls/x509.h | 1 +
src/certtool-args.def | 14 ++++++++++----
src/certtool.c | 6 +++++-
src/p11tool-args.def | 4 +++-
src/p11tool.c | 13 ++++++++++---
tests/safe-renegotiation/Makefile.am | 3 +++
14 files changed, 88 insertions(+), 29 deletions(-)
diff --git a/NEWS b/NEWS
index 1280e3c..1c89635 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,9 @@ See the end for copying conditions.
** Corrected SRP-RSA ciphersuites when used under TLS 1.2.
+** Small fixes in p11tool handling of the --private command
+line option.
+
** API and ABI modifications:
No changes since last version.
diff --git a/doc/cha-bib.texi b/doc/cha-bib.texi
index 965eeaf..7f975e5 100644
--- a/doc/cha-bib.texi
+++ b/doc/cha-bib.texi
@@ -31,6 +31,11 @@ Tim Dierks and Christopher Allen, "The TLS Protocol Version
1.0",
January 1999, Available from
@url{http://www.ietf.org/rfc/rfc2246.txt}.
address@hidden @anchor{RFC4680}[RFC4680]
+S. Santesson, "TLS Handshake Message for Supplemental Data",
+September 2006, Available from
address@hidden://www.ietf.org/rfc/rfc4680.txt}.
+
@item @anchor{RFC4514}[RFC4514]
Kurt D. Zeilenga, "Lightweight Directory Access Protocol (LDAP): String
Representation of Distinguished Names",
June 2006, Available from
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index c02f095..9846896 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -596,13 +596,18 @@ remaining until the next retransmission, or better the
time until
@node Asynchronous operation
@subsection Asynchronous operation
@acronym{GnuTLS} can be used with asynchronous socket or event-driven
programming.
-During a TLS protocol session @acronym{GnuTLS} does not block for anything
except
-calculations. The only blocking operations are due to the transport layer
(sockets) functions.
-Those, however, in an asynchronous scenario are typically set to
-non-blocking mode, which forces them to return @code{EAGAIN} error code
instead of blocking.
-In that case @acronym{GnuTLS} functions
-will return the @code{GNUTLS_E_AGAIN} error code and can be resumed the
-same way as a system call would. The only exception is
@funcref{gnutls_record_send},
+The approach is similar to using Berkeley sockets under such an environment.
+The blocking, due to network interaction, calls such as
address@hidden, @funcref{gnutls_record_recv},
+can be set to non-blocking by setting the underlying sockets to non-blocking.
+If other push and pull functions are setup, then they should behave the same
+way as @funcintref{recv} and @funcintref{send} when used in a non-blocking
+way, i.e., set errno to @code{EAGAIN}. Since, during a TLS protocol session
address@hidden does not block except for network interaction, the non blocking
address@hidden errno will be propagated and @acronym{GnuTLS} functions
+will return the @code{GNUTLS_E_AGAIN} error code. Such calls can be resumed
the
+same way as a system call would.
+The only exception is @funcref{gnutls_record_send},
which if interrupted subsequent calls need not to include the data to be
sent (can be called with NULL argument).
@@ -612,13 +617,13 @@ and notifies on them being ready for reading or writing
data. Note however
that this system call cannot notify on data present in @acronym{GnuTLS}
read buffers, it is only applicable to the kernel sockets API. Thus if
you are using it for reading from a @acronym{GnuTLS} session, make sure
-the session is read completely. That can be achieved by checking there
+that any cached data are read completely. That can be achieved by checking
there
are no data waiting to be read (using @funcref{gnutls_record_check_pending}),
either before the @funcintref{select} system call, or after a call to
@funcref{gnutls_record_recv}. @acronym{GnuTLS} does not keep a write buffer,
-thus when writing @funcintref{select} need only to be consulted.
+thus when writing no additional actions are required.
-In the DTLS, however, @acronym{GnuTLS} might block due to timers
+In the DTLS, however, @acronym{GnuTLS} may block due to retransmission timers
required by the protocol. To prevent those timers from blocking a DTLS
handshake,
the @funcref{gnutls_init} should be called with the
@code{GNUTLS_NONBLOCK} flag (see @ref{Session initialization}).
diff --git a/doc/cha-internals.texi b/doc/cha-internals.texi
index 2bdb629..69ac8fa 100644
--- a/doc/cha-internals.texi
+++ b/doc/cha-internals.texi
@@ -203,7 +203,7 @@ will be called to deinitialize the extension's private
parameters, if any.
Note that the conditional @code{ENABLE_FOOBAR} definition should only be
used if step 1 with the @code{configure} options has taken place.
address@hidden Add new files that implement the extension.
address@hidden Add new files that implement the extension.
The functions you are responsible to add are those mentioned in the
previous step. They should be added in a file such as @code{ext/@-foobar.c}
@@ -324,8 +324,8 @@ API was introduced in.
@subheading Adding a new Supplemental Data Handshake Message
TLS handshake extensions allow to send so called supplemental data
-handshake messages. This short section explains how to implement a
-supplemental data handshake message for a given TLS extension.
+handshake messages @xcite{RFC4680}. This short section explains how to
+implement a supplemental data handshake message for a given TLS extension.
First of all, modify your extension @code{foobar} in the way, the that
flags
@@ -360,25 +360,30 @@ and @funcintref{_foobar_supp_send_params} to
@code{_foobar.h} and
@example
int
-_foobar_supp_recv_params(gnutls_session_t session,const opaque *data,size_t
_data_size)
+_foobar_supp_recv_params(gnutls_session_t session, const opaque *data, size_t
_data_size)
@{
- uint8_t len = (int) _data_size;
+ uint8_t len = _data_size;
unsigned char *msg;
- msg = (unsigned char *)malloc(len*sizeof(unsigned char));
- memcpy(msg,data,len);
+ msg = gnutls_malloc(len);
+ if (msg == NULL) return GNUTLS_E_MEMORY_ERROR;
+
+ memcpy(msg, data, len);
msg[len]='\0';
+ /* do something with msg */
+ gnutls_free(msg);
+
return len;
@}
int
-_foobar_supp_send_params(gnutls_session_t session,gnutls_buffer_st *buf)
+_foobar_supp_send_params(gnutls_session_t session, gnutls_buffer_st *buf)
@{
unsigned char *msg = "hello world";
int len = strlen(msg);
- _gnutls_buffer_append_data_prefix(buf,8,msg,(uint8_t) len);
+ _gnutls_buffer_append_data_prefix(buf, 8, msg, len);
return len;
@}
diff --git a/doc/latex/cover.tex b/doc/latex/cover.tex
index 78ba0f5..7cc8880 100644
--- a/doc/latex/cover.tex
+++ b/doc/latex/cover.tex
@@ -1,4 +1,12 @@
\thispagestyle{empty}
+
+\begin{quotation}
+This document includes text contributed by
+Nikos Mavrogiannopoulos, Simon Josefsson, Daiki Ueno,
+Carolin Latze and Andrew McDonald. Several corrections are due
+to Patrick Pelletier and Andreas Metzler.
+\end{quotation}
+
\vspace*{\stretch{2}}
diff --git a/doc/latex/gnutls.bib b/doc/latex/gnutls.bib
index 68c7e1f..685075e 100644
--- a/doc/latex/gnutls.bib
+++ b/doc/latex/gnutls.bib
@@ -16,6 +16,15 @@
url = "http://www.ietf.org/rfc/rfc2246"
}
address@hidden RFC4680,
+ author = "S. Santesson",
+ title = "{TLS Handshake Message for Supplemental Data}",
+ month = "September",
+ year = "2006",
+ note = "Available from \url{http://www.ietf.org/rfc/rfc4680}",
+ url = "http://www.ietf.org/rfc/rfc4680"
+}
+
@Misc{ RFC4514,
author = "Kurt D. Zeilenga",
title = "{Lightweight Directory Access Protocol (LDAP): String
Representation of Distinguished Names}",
diff --git a/doc/latex/gnutls.tex b/doc/latex/gnutls.tex
index a041ac4..36e59a1 100644
--- a/doc/latex/gnutls.tex
+++ b/doc/latex/gnutls.tex
@@ -43,7 +43,7 @@
\input{cover}
-\setcounter{tocdepth}{1}
+\setcounter{tocdepth}{2}
\tableofcontents
\listoftables
\listoffigures
diff --git a/doc/scripts/mytexi2latex b/doc/scripts/mytexi2latex
index 688c041..80ca3ce 100755
--- a/doc/scripts/mytexi2latex
+++ b/doc/scripts/mytexi2latex
@@ -379,6 +379,7 @@ multitable:
$line =~
s/address@hidden([A-Z])\{($codematch+)\}/$pshowfunc->($1,$2)/ge;
$line =~
s/address@hidden($codematch+)\}/$pshowfuncdesc->($1)/ge;
$line =~
s/address@hidden($codematch+),($extcodematch+)\}/$pshowenumdesc->($1,$2)/ge;
+ $line
=~s/address@hidden($spacematch+),($spacematch+)\}/\\myref\{$1\}/g;
$line =~ s/address@hidden/\\myref\{/g;
$line =~ s/address@hidden
(.*)/\\begin{center}\n$1\n\\end{center}/g;
if ($line =~ m/address@hidden/) {
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index b54832a..a0b11f1 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -72,6 +72,7 @@ extern "C"
#define GNUTLS_KP_TLS_WWW_SERVER "1.3.6.1.5.5.7.3.1"
#define GNUTLS_KP_TLS_WWW_CLIENT "1.3.6.1.5.5.7.3.2"
#define GNUTLS_KP_CODE_SIGNING "1.3.6.1.5.5.7.3.3"
+#define GNUTLS_KP_MS_SMART_CARD_LOGON "1.3.6.1.4.1.311.20.2.2"
#define GNUTLS_KP_EMAIL_PROTECTION "1.3.6.1.5.5.7.3.4"
#define GNUTLS_KP_TIME_STAMPING "1.3.6.1.5.5.7.3.8"
#define GNUTLS_KP_OCSP_SIGNING "1.3.6.1.5.5.7.3.9"
diff --git a/src/certtool-args.def b/src/certtool-args.def
index ca9d944..6dcb11d 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -240,7 +240,9 @@ flag = {
flag = {
name = to-p12;
descrip = "Generate a PKCS #12 structure";
- doc = "";
+ doc = "It requires a certificate, a private key and possibly a CA
certificate to be specified.";
+ flags-must = load-certificate;
+ flags-must = load-privkey;
};
flag = {
@@ -552,9 +554,6 @@ email = "none@@none.org"
# Challenge password used in certificate requests
challenge_passwd = 123456
-# key_purpose_oid = 1.2.3.4.5.6.7
-# key_purpose_oid = 1.2.3.4.5.6.7.9
-
# An URL that has CRLs (certificate revocation lists)
# available. Needed in CA certificates.
#crl_dist_points = "http://www.getcrl.crl/getcrl/"
@@ -562,6 +561,11 @@ challenge_passwd = 123456
# Whether this is a CA certificate or not
#ca
+# for microsoft smart card logon
+# key_purpose_oid = 1.3.6.1.4.1.311.20.2.2
+
+### Other predefined key purpose OIDs
+
# Whether this certificate will be used for a TLS client
#tls_www_client
@@ -595,6 +599,8 @@ signing_key
# Whether this key will be used for IPsec IKE operations.
#ipsec_ike_key
+### end of key purpose OIDs
+
# When generating a certificate from a certificate
# request, then honor the extensions stored in the request
# and store them in the real certificate.
diff --git a/src/certtool.c b/src/certtool.c
index 0bf1609..036aef5 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -223,7 +223,11 @@ generate_private_key_int (common_info_st * cinfo)
static int
cipher_to_flags (const char *cipher)
{
- if (strcasecmp (cipher, "3des") == 0)
+ if (cipher == NULL)
+ {
+ return GNUTLS_PKCS_USE_PBES2_AES_128;
+ }
+ else if (strcasecmp (cipher, "3des") == 0)
{
return GNUTLS_PKCS_USE_PBES2_3DES;
}
diff --git a/src/p11tool-args.def b/src/p11tool-args.def
index b45d044..cc850d5 100644
--- a/src/p11tool-args.def
+++ b/src/p11tool-args.def
@@ -242,8 +242,10 @@ To store a private key and a certificate in a token run:
$ p11tool --login --write "pkcs11:URL" --load-privkey key.pem \
--label "Mykey"
$ p11tool --login --write "pkcs11:URL" --load-certificate cert.pem \
- --label "MyCert"
+ --label "Mykey"
@end example
+Note that some tokens require the same label to be used for the certificate
+and its corresponding private key.
_EOT_;
};
diff --git a/src/p11tool.c b/src/p11tool.c
index a4e4913..1ee3edf 100644
--- a/src/p11tool.c
+++ b/src/p11tool.c
@@ -176,7 +176,7 @@ cmd_parser (int argc, char **argv)
if (debug > 0)
{
- fprintf(stderr, "Private: %s\n", ENABLED_OPT(PRIVATE)?"yes":"no");
+ if (HAVE_OPT(PRIVATE)) fprintf(stderr, "Private: %s\n",
ENABLED_OPT(PRIVATE)?"yes":"no");
fprintf(stderr, "Trusted: %s\n", ENABLED_OPT(TRUSTED)?"yes":"no");
fprintf(stderr, "Login: %s\n", ENABLED_OPT(LOGIN)?"yes":"no");
fprintf(stderr, "Detailed URLs: %s\n",
ENABLED_OPT(DETAILED_URL)?"yes":"no");
@@ -225,8 +225,15 @@ cmd_parser (int argc, char **argv)
pkcs11_export (outfile, url, login, &cinfo);
}
else if (HAVE_OPT(WRITE))
- pkcs11_write (outfile, url, label,
- ENABLED_OPT(TRUSTED), ENABLED_OPT(PRIVATE), login, &cinfo);
+ {
+ int priv;
+
+ if (HAVE_OPT(PRIVATE))
+ priv = ENABLED_OPT(PRIVATE);
+ else priv = -1;
+ pkcs11_write (outfile, url, label,
+ ENABLED_OPT(TRUSTED), priv, login, &cinfo);
+ }
else if (HAVE_OPT(INITIALIZE))
pkcs11_init (outfile, url, label, &cinfo);
else if (HAVE_OPT(DELETE))
diff --git a/tests/safe-renegotiation/Makefile.am
b/tests/safe-renegotiation/Makefile.am
index 4d084cb..b19aed5 100644
--- a/tests/safe-renegotiation/Makefile.am
+++ b/tests/safe-renegotiation/Makefile.am
@@ -30,6 +30,9 @@ ctests = srn0 srn1 srn2 srn3 srn4 srn5
check_PROGRAMS = $(ctests)
TESTS = $(ctests)
+
+if WANT_TEST_SUITE
TESTS_ENVIRONMENT = $(VALGRIND)
+endif
EXTRA_DIST = README suppressions.valgrind
hooks/post-receive
--
GNU gnutls
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, master, updated. gnutls_3_0_15-17-gdf2b654,
Nikos Mavrogiannopoulos <=