
[SCM] GNU gnutls branch, master, updated. gnutls_2_11_6-416-g08a1b04


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_2_11_6-416-g08a1b04
Date: Sat, 09 Apr 2011 07:25:49 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=08a1b04b3d049a4a44132c0bce0c017c0c70f892

The branch, master has been updated
       via  08a1b04b3d049a4a44132c0bce0c017c0c70f892 (commit)
       via  078b384417a34d3eedab9179f71bfcbe9052a3e2 (commit)
       via  5054e1ad156f9dafdc8e5fa2014320cc8d04fd27 (commit)
      from  871a12f18160544b6a1206ea5502cab83d1c03dc (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 08a1b04b3d049a4a44132c0bce0c017c0c70f892
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Apr 9 09:25:11 2011 +0200

    Added documentation for Datagram TLS.

commit 078b384417a34d3eedab9179f71bfcbe9052a3e2
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Apr 9 09:24:15 2011 +0200

    updated

commit 5054e1ad156f9dafdc8e5fa2014320cc8d04fd27
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Fri Apr 8 16:54:14 2011 +0200

    disable test in windows.

-----------------------------------------------------------------------

Summary of changes:
 .gitignore                                     |    1 +
 cfg.mk                                         |   10 +++--
 doc/cha-gtls-app.texi                          |   10 +++++
 doc/cha-intro-tls.texi                         |   48 ++++++++++++++++++++----
 doc/examples/Makefile.am                       |    4 +-
 doc/examples/{ex-client2.c => ex-client-udp.c} |   38 ++++++++++---------
 doc/examples/{tcp.c => udp.c}                  |   13 +++---
 lib/gnutls_state.c                             |    6 ++-
 tests/chainverify.c                            |    7 +++
 9 files changed, 96 insertions(+), 41 deletions(-)
 copy doc/examples/{ex-client2.c => ex-client-udp.c} (71%)
 copy doc/examples/{tcp.c => udp.c} (80%)

diff --git a/.gitignore b/.gitignore
index ed50eba..bd5cdd1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -436,3 +436,4 @@ doc/examples/ex-cert-select-pkcs11
 gl/m4/fcntl-o.m4
 gl/m4/fcntl_h.m4
 gl/m4/pipe.m4
+doc/examples/ex-client-udp
diff --git a/cfg.mk b/cfg.mk
index bc63aec..2c9d101 100644
--- a/cfg.mk
+++ b/cfg.mk
@@ -22,6 +22,7 @@
 WFLAGS ?= --enable-gcc-warnings
 ADDFLAGS ?=
 CFGFLAGS ?= --enable-gtk-doc --enable-gtk-doc-pdf $(ADDFLAGS) $(WFLAGS)
+PACKAGE ?= gnutls
 
 INDENT_SOURCES = `find . -name \*.[ch] -o -name gnutls.h.in | grep -v -e 
^./build-aux/ -e ^./lib/minitasn1/ -e ^./lib/build-aux/ -e ^./gl/ -e 
^./src/cfg/ -e -gaa.[ch] -e asn1_tab.c -e ^./tests/suite/`
 
@@ -123,12 +124,13 @@ upload:
        cp $(distdir).tar.bz2 $(distdir).tar.bz2.sig ../releases/$(PACKAGE)/
 
 web:
+       echo generating documentation for $(PACKAGE)
        cd doc && $(SHELL) ../build-aux/gendocs.sh \
                --html "--css-include=texinfo.css" \
-               -o ../$(htmldir)/devel/manual/ $(PACKAGE) "$(PACKAGE_NAME)"
-       cd doc/doxygen && doxygen && cd ../.. && cp -v doc/doxygen/html/* 
$(htmldir)/devel/doxygen/ && cd doc/doxygen/latex && make refman.pdf && cd 
../../../ && cp doc/doxygen/latex/refman.pdf 
$(htmldir)/devel/doxygen/$(PACKAGE).pdf
-       cp -v doc/reference/$(PACKAGE).pdf doc/reference/html/*.html 
doc/reference/html/*.png doc/reference/html/*.devhelp doc/reference/html/*.css 
$(htmldir)/devel/reference/
-       cp -v doc/cyclo/cyclo-$(PACKAGE).html $(htmldir)/cyclo/
+               -o ../$(htmldir)/manual/ $(PACKAGE) "$(PACKAGE_NAME)"
+       #cd doc/doxygen && doxygen && cd ../.. && cp -v doc/doxygen/html/* 
$(htmldir)/devel/doxygen/ && cd doc/doxygen/latex && make refman.pdf && cd 
../../../ && cp doc/doxygen/latex/refman.pdf 
$(htmldir)/devel/doxygen/$(PACKAGE).pdf
+       cp -v doc/reference/html/*.html doc/reference/html/*.png 
doc/reference/html/*.devhelp doc/reference/html/*.css $(htmldir)/reference/
+       #cp -v doc/cyclo/cyclo-$(PACKAGE).html $(htmldir)/cyclo/
 
 upload-web:
        cd $(htmldir) && \
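Review bot: The doxygen and cyclo steps of the `web` recipe are disabled by prefixing them with `#` rather than removed; in a make recipe such lines are still handed to the shell as commands (and echoed, since they carry no `@`), and dead recipe text tends to rot. Delete them, or put them behind a variable if they are meant to come back. The added `echo generating documentation for $(PACKAGE)` will also print twice (make's command echo, then the echo output) unless written as `@echo generating documentation for $(PACKAGE)`.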
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 3f907e2..e91b135 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -175,6 +175,7 @@ implemented by another example.
 @menu
 * Simple client example with anonymous authentication::
 * Simple client example with X.509 certificate support::
+* Simple Datagram TLS client example::
 * Obtaining session information::
 * Verifying peer's certificate::
 * Using a callback to select the certificate to use::
@@ -210,6 +211,15 @@ redefining them.
 
 @verbatiminclude examples/ex-client2.c
 
address@hidden Simple Datagram TLS client example
address@hidden Simple Datagram @acronym{TLS} client example
+
+This is a client that uses @acronym{UDP} to connect to a
+server. This is the @acronym{DTLS} equivalent to 
address@hidden client example with X.509 certificate support} above.
+
address@hidden examples/ex-client-udp.c
+
 @node Obtaining session information
 @subsection Obtaining Session Information
 
diff --git a/doc/cha-intro-tls.texi b/doc/cha-intro-tls.texi
index e2dd8a7..3439ceb 100644
--- a/doc/cha-intro-tls.texi
+++ b/doc/cha-intro-tls.texi
@@ -1,5 +1,5 @@
 @node Introduction to TLS
address@hidden Introduction to @acronym{TLS}
address@hidden Introduction to @acronym{TLS} and @acronym{DTLS}
 
 @acronym{TLS} stands for ``Transport Layer Security'' and is the
 successor of SSL, the Secure Sockets Layer protocol @xcite{SSL3}
@@ -12,11 +12,17 @@ It is open to any interested individual.}, described in 
@acronym{RFC}
 4346 and also in @xcite{RESCORLA}.  The protocol provides
 confidentiality, and authentication layers over any reliable transport
 layer.  The description, below, refers to @acronym{TLS} 1.0 but also
-applies to @acronym{TLS} 1.1 @xcite{RFC4346} and @acronym{SSL} 3.0,
-since the differences of these protocols are minor.  Older protocols
-such as @acronym{SSL} 2.0 are not discussed nor implemented in
address@hidden since they are not considered secure today.  GnuTLS
-also supports @acronym{X.509} and @acronym{OpenPGP} @xcite{RFC4880}.
+applies to @acronym{TLS} 1.2 @xcite{RFC4346} and @acronym{SSL} 3.0,
+since the differences of these protocols are not major.  
+
+The @acronym{DTLS} protocol, or ``Datagram @acronym{TLS}'' is a
+protocol with identical goals as @acronym{TLS}, but can operate
+under unreliable transport layers, such as @acronym{UDP}. The
+discussions below apply to this protocol as well, except when
+noted otherwise.
+
+Older protocols such as @acronym{SSL} 2.0 are not discussed nor implemented in
address@hidden since they are not considered secure today.  
 
 @menu
 * TLS layers::
@@ -65,6 +71,7 @@ required callbacks to access the transport layer.
 @itemize
 @item @ref{gnutls_transport_set_push_function}
 @item @ref{gnutls_transport_set_vec_push_function}
address@hidden @ref{gnutls_transport_set_pull_timeout_function} (for 
@acronym{DTLS} only)
 @item @ref{gnutls_transport_set_pull_function}
 @item @ref{gnutls_transport_set_ptr}
 @item @ref{gnutls_transport_set_errno}
@@ -89,6 +96,12 @@ again), if any of these error codes is returned.  The error 
codes
 above refer to the system call, not the @acronym{GnuTLS} function,
 since signals do not interrupt @acronym{GnuTLS}' functions.
 
address@hidden however deviates from this rule. Because it requires
+timers and waiting for peer's messages during the handshake process,
address@hidden will block and might be interrupted by signals. The
+blocking operation of @acronym{GnuTLS} during @acronym{DTLS} handshake
+can be changed using the appropriate flags in @ref{gnutls_init}.
+
 By default, if the transport functions are not set, @acronym{GnuTLS}
 will use the Berkeley Sockets functions. 
 
@@ -103,15 +116,30 @@ The following functions are available:
 @table @asis
 
 @item @ref{gnutls_record_send}:
-To send a record packet (with application data).
+To send a record packet with application data.
 
 @item @ref{gnutls_record_recv}:
-To receive a record packet (with application data).
+To receive a record packet with application data.
+
address@hidden @ref{gnutls_record_recv_seq}:
+To receive a record packet with application data as well
+as the sequence number of that. This is useful in @acronym{DTLS}
+where packets might be lost or received out of order.
 
 @item @ref{gnutls_record_get_direction}:
 To get the direction of the last interrupted function call.
 @end table
 
+In @acronym{TLS} those functions can be called at any time after
+the handshake process is finished, when there is need to receive
+or send data. In @acronym{DTLS} however, due to re-transmission
+timers used in the handshake out-of-order handshake data might
+be received for some time (maximum 60 seconds) after the handshake
+process is finished. For this reason programs using @acronym{DTLS}
+should call @ref{gnutls_record_recv} or @ref{gnutls_record_recv_seq}
+for every packet received by the peer, even if no data were
+expected. 
+
 As you may have already noticed, the functions which access the Record
 protocol, are quite limited, given the importance of this protocol in
 @acronym{TLS}.  This is because the Record protocol's parameters are
@@ -161,6 +189,10 @@ which is considered weak.
 @item AES_CBC
 AES or RIJNDAEL is the block cipher algorithm that replaces the old
 DES algorithm.  Has 128 bits block size and is used in CBC mode.
+
address@hidden AES_GCM
+This is the AES algorithm in the authenticated encryption GCM mode.
+This mode combines message authentication and encryption.
 @end table
 
 Supported MAC algorithms:
diff --git a/doc/examples/Makefile.am b/doc/examples/Makefile.am
index f7f61d8..bafa2a3 100644
--- a/doc/examples/Makefile.am
+++ b/doc/examples/Makefile.am
@@ -40,7 +40,7 @@ LDADD = libexamples.la                                \
 CXX_LDADD = $(LDADD) \
        ../../lib/libgnutlsxx.la
 
-noinst_PROGRAMS = ex-client2 ex-client-resume
+noinst_PROGRAMS = ex-client2 ex-client-resume ex-client-udp
 noinst_PROGRAMS += ex-cert-select ex-rfc2818
 noinst_PROGRAMS += ex-cert-select-pkcs11
 
@@ -77,4 +77,4 @@ noinst_LTLIBRARIES = libexamples.la
 
 libexamples_la_SOURCES = examples.h ex-alert.c ex-pkcs12.c             \
        ex-session-info.c ex-x509-info.c ex-verify.c    \
-       tcp.c 
+       tcp.c udp.c
diff --git a/doc/examples/ex-client2.c b/doc/examples/ex-client-udp.c
similarity index 71%
copy from doc/examples/ex-client2.c
copy to doc/examples/ex-client-udp.c
index e58c910..f49d3d2 100644
--- a/doc/examples/ex-client2.c
+++ b/doc/examples/ex-client-udp.c
@@ -12,16 +12,17 @@
 #include <arpa/inet.h>
 #include <unistd.h>
 #include <gnutls/gnutls.h>
+#include <gnutls/dtls.h>
 
-/* A very basic TLS client, with X.509 authentication.
+/* A very basic Datagram TLS client, over UDP with X.509 authentication.
  */
 
 #define MAX_BUF 1024
 #define CAFILE "ca.pem"
 #define MSG "GET / HTTP/1.0\r\n\r\n"
 
-extern int tcp_connect (void);
-extern void tcp_close (int sd);
+extern int udp_connect (void);
+extern void udp_close (int sd);
 
 int
 main (void)
@@ -37,16 +38,14 @@ main (void)
   /* X509 stuff */
   gnutls_certificate_allocate_credentials (&xcred);
 
-  /* sets the trusted cas file
-   */
+  /* sets the trusted cas file */
   gnutls_certificate_set_x509_trust_file (xcred, CAFILE, GNUTLS_X509_FMT_PEM);
 
-  /* Initialize TLS session 
-   */
-  gnutls_init (&session, GNUTLS_CLIENT);
+  /* Initialize TLS session */
+  gnutls_init (&session, GNUTLS_CLIENT|GNUTLS_DATAGRAM);
 
   /* Use default priorities */
-  ret = gnutls_priority_set_direct (session, "PERFORMANCE", &err);
+  ret = gnutls_priority_set_direct (session, "NORMAL", &err);
   if (ret < 0)
     {
       if (ret == GNUTLS_E_INVALID_REQUEST)
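Review bot: The result of `gnutls_init (&session, GNUTLS_CLIENT|GNUTLS_DATAGRAM)` is discarded, so if initialisation fails `session` is still passed on to `gnutls_priority_set_direct` a few lines later, while that call right below is checked. For consistency with the existing check: `ret = gnutls_init (&session, GNUTLS_CLIENT|GNUTLS_DATAGRAM);` followed by `if (ret < 0) exit (1);`. main() starts and ends outside the hunk.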
@@ -56,18 +55,18 @@ main (void)
       exit (1);
     }
 
-  /* put the x509 credentials to the current session
-   */
+  /* put the x509 credentials to the current session */
   gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
 
-  /* connect to the peer
-   */
-  sd = tcp_connect ();
+  /* connect to the peer */
+  sd = udp_connect ();
 
   gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
+  
+  /* set the connection MTU */
+  gnutls_dtls_set_mtu (session, 1000);
 
-  /* Perform the TLS handshake
-   */
+  /* Perform the TLS handshake */
   ret = gnutls_handshake (session);
 
   if (ret < 0)
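Review bot: `gnutls_dtls_set_mtu (session, 1000)` hard-codes a magic value; name it and record the constraint, e.g. `#define DTLS_MTU 1000 /* must stay below the path MTU of the UDP link */`. The doc/cha-intro-tls.texi hunk in this same commit states that the DTLS handshake blocks and may be interrupted by signals, yet `ret = gnutls_handshake (session); if (ret < 0)` shows no retry on GNUTLS_E_INTERRUPTED or GNUTLS_E_AGAIN; the body of that `if` continues outside the hunk, so if it simply exits, a signal during the handshake aborts the example. A short loop around the handshake call, or a comment explaining why a single call is enough here, would make the example match the documentation it accompanies.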
@@ -102,11 +101,14 @@ main (void)
     }
   fputs ("\n", stdout);
 
-  gnutls_bye (session, GNUTLS_SHUT_RDWR);
+  /* It is suggested not to use GNUTLS_SHUT_RDWR in DTLS
+   * connections because the peer's closure message might
+   * be lost */
+  gnutls_bye (session, GNUTLS_SHUT_WR);
 
 end:
 
-  tcp_close (sd);
+  udp_close (sd);
 
   gnutls_deinit (session);
 
diff --git a/doc/examples/tcp.c b/doc/examples/udp.c
similarity index 80%
copy from doc/examples/tcp.c
copy to doc/examples/udp.c
index 6961c4e..3eb567a 100644
--- a/doc/examples/tcp.c
+++ b/doc/examples/udp.c
@@ -16,23 +16,23 @@
 #define SA struct sockaddr
 
 /* tcp.c */
-int tcp_connect (void);
-void tcp_close (int sd);
+int udp_connect (void);
+void udp_close (int sd);
 
 /* Connects to the peer and returns a socket
  * descriptor.
  */
 extern int
-tcp_connect (void)
+udp_connect (void)
 {
-  const char *PORT = "5556";
+  const char *PORT = "5557";
   const char *SERVER = "127.0.0.1";
   int err, sd;
   struct sockaddr_in sa;
 
   /* connects to server
    */
-  sd = socket (AF_INET, SOCK_STREAM, 0);
+  sd = socket (AF_INET, SOCK_DGRAM, 0);
 
   memset (&sa, '\0', sizeof (sa));
   sa.sin_family = AF_INET;
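Review bot: The `/* tcp.c */` comment above the prototypes was carried over from the copied file and now mislabels udp.c; change it to `/* udp.c */`. The changed `sd = socket (AF_INET, SOCK_DGRAM, 0)` is used without a visible check (the rest of udp_connect is outside the hunk); the copied tcp.c presumably behaved the same, but an example readers copy verbatim benefits from `if (sd < 0) { perror ("socket"); exit (1); }` right after it.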
@@ -52,8 +52,7 @@ tcp_connect (void)
 /* closes the given socket descriptor.
  */
 extern void
-tcp_close (int sd)
+udp_close (int sd)
 {
-  shutdown (sd, SHUT_RDWR);     /* no more receptions */
   close (sd);
 }
diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c
index f14927d..ed3037d 100644
--- a/lib/gnutls_state.c
+++ b/lib/gnutls_state.c
@@ -282,8 +282,10 @@ _gnutls_handshake_internal_state_clear (gnutls_session_t 
session)
  * be allocated.  This function allocates structures which can only
  * be free'd by calling gnutls_deinit().  Returns zero on success.
  *
- * @flags can be one of %GNUTLS_CLIENT and %GNUTLS_SERVER and might
- * include %GNUTLS_DATAGRAM to enable datagram TLS (DTLS).
+ * @flags can be one of %GNUTLS_CLIENT and %GNUTLS_SERVER. For a DTLS
+ * entity, the flags %GNUTLS_DATAGRAM and  %GNUTLS_NONBLOCK are
+ * also available. The latter flag will enable a non-blocking
+ * operation of the DTLS timers.
  *
  * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
  **/
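Review bot: Double space in `%GNUTLS_DATAGRAM and  %GNUTLS_NONBLOCK` on the new side. The new text says %GNUTLS_NONBLOCK "will enable a non-blocking operation of the DTLS timers" but does not tell the caller what follows from that — how the handshake signals that it has to be called again — which is the detail an API user needs from this paragraph; one sentence on how to continue a handshake under that flag would complete it. The function this comment documents (gnutls_init) starts outside the hunk.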
diff --git a/tests/chainverify.c b/tests/chainverify.c
index a7d5daf..8cd5244 100644
--- a/tests/chainverify.c
+++ b/tests/chainverify.c
@@ -761,6 +761,13 @@ doit (void)
   size_t i;
   int ret;
 
+  /* The overloading of time() seems to work in linux (ELF?)
+   * systems only. Disable it on windows.
+   */
+#ifdef _WIN32
+  exit(77);
+#endif
+
   ret = gnutls_global_init ();
   if (ret != 0)
     {
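Review bot: `exit(77);` relies on a magic number: 77 is the exit status the automake test harness treats as "skipped", and the comment should say so, e.g. `exit(77); /* automake: report test as skipped */`. The `(ELF?)` hedge in the comment could also be replaced by what the code actually establishes — that the `time()` override is not relied on under Windows and the test is skipped there. doit() starts and ends outside the hunk.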


hooks/post-receive
-- 
GNU gnutls


