authorNikos Mavrogiannopoulos <nmav@gnutls.org>2002-01-18 14:50:07 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2002-01-18 14:50:07 +0000
commit3c59529b4a3f46de965ccd2acd4ce8d0f9de87b7 (patch)
tree8816fd1344936015fef27778a61f14a5e4d48e0b
parentb9059712e3a8954643d916895e794512546e2742 (diff)
downloadgnutls-3c59529b4a3f46de965ccd2acd4ce8d0f9de87b7.tar.gz
added required changes to release gnutls 0.3.3
(mostly bug fixes)
-rw-r--r--NEWS9
-rw-r--r--configure.in5
-rw-r--r--lib/auth_srp_sb64.c1
-rw-r--r--lib/auth_x509.c197
-rw-r--r--lib/gnutls.h.in.in17
-rw-r--r--lib/gnutls_cert.c129
-rw-r--r--lib/gnutls_handshake.c40
-rw-r--r--lib/gnutls_random.c2
-rw-r--r--lib/gnutls_ui.h17
-rw-r--r--lib/x509_b64.c6
-rw-r--r--lib/x509_b64.h6
11 files changed, 148 insertions, 281 deletions
diff --git a/NEWS b/NEWS
index 884ad0857e..a99d05ad2f 100644
--- a/NEWS
+++ b/NEWS
@@ -1,10 +1,3 @@
-Version ?.?.?
-- gnutls_check_pending() was renamed to gnutls_record_check_pending()
-- Key exchange methods changed so they do not depend on the Certificate
- type (GNUTLS_KX_X509PKI_* renamed to GNUTLS_KX_*)
-- Renamed gnutls_x509pki_s/get_dh_bits() to gnutls_dh_s/get_dhe_bits()
-- Renamed gnutls_anon_server/client_get_dh_bits() to gnutls_dh_get_dha_bits()
-
Version 0.3.3
- Added gnutls_x509pki_verify_certificate()
- Added gnutls_x509pki_set_trust_mem() and gnutls_x509pki_set_key_mem()
@@ -12,7 +5,7 @@ Version 0.3.3
- Bug fixes in the Handshake protocol (based on patch by Guillaume Morin)
- Corrected library versioning
-Version 0.3.2 (5/01/2002)
+Version 0.3.2 (5/01/2001)
- Corrected bug which did not allow a client to accept multiple CA names
- Added gnutls_fingerprint()
- Added gnutls_x509pki_extract_certificate_serial()
diff --git a/configure.in b/configure.in
index 9532e46703..5ebac40fb7 100644
--- a/configure.in
+++ b/configure.in
@@ -9,10 +9,9 @@ AC_DEFINE_UNQUOTED(T_CPU, "$target_cpu")
AC_DEFINE_UNQUOTED(T_VENDOR, "$target_vendor")
AC_DEFINE_UNQUOTED(T_OS, "$target_os")
-dnl Gnutls Version
GNUTLS_MAJOR_VERSION=0
GNUTLS_MINOR_VERSION=3
-GNUTLS_MICRO_VERSION=2
+GNUTLS_MICRO_VERSION=3
GNUTLS_VERSION=$GNUTLS_MAJOR_VERSION.$GNUTLS_MINOR_VERSION.$GNUTLS_MICRO_VERSION
AC_DEFINE_UNQUOTED(GNUTLS_VERSION, "$GNUTLS_VERSION")
@@ -20,7 +19,7 @@ AC_DEFINE_UNQUOTED(GNUTLS_VERSION, "$GNUTLS_VERSION")
AM_INIT_AUTOMAKE(gnutls, $GNUTLS_VERSION)
AM_CONFIG_HEADER(config.h)
-dnl This is the library version
+
GNUTLS_MOST_RECENT_INTERFACE=3
GNUTLS_CURRENT_INTERFACE_IMPLEMENTATION_NUMBER=$GNUTLS_MICRO_VERSION
GNUTLS_OLDEST_INTERFACE=3
diff --git a/lib/auth_srp_sb64.c b/lib/auth_srp_sb64.c
index d7be368f30..cb48e5013f 100644
--- a/lib/auth_srp_sb64.c
+++ b/lib/auth_srp_sb64.c
@@ -161,7 +161,6 @@ int _gnutls_sbase64_encode(uint8 * data, int data_size, uint8 ** result)
memcpy(&(*result)[0], tmpres, tmp);
i = mod;
j = tmp;
-
}
/* encode the rest
*/
diff --git a/lib/auth_x509.c b/lib/auth_x509.c
index 0fcc057aa3..18f5c82e89 100644
--- a/lib/auth_x509.c
+++ b/lib/auth_x509.c
@@ -1283,105 +1283,6 @@ int gnutls_x509pki_get_peer_certificate_status(GNUTLS_STATE state)
return verify;
}
-#define CLEAR_CERTS_CA for(x=0;x<peer_certificate_list_size;x++) gnutls_free_cert(peer_certificate_list[x]); \
- for(x=0;x<ca_certificate_list_size;x++) gnutls_free_cert(ca_certificate_list[x])
-/**
- * gnutls_x509pki_verify_certificate - This function verifies given certificate list
- * @cert_list: is the certificate list to be verified
- * @cert_list_length: holds the number of certificate in cert_list
- * @CA_list: is the CA list which will be used in verification
- * @CA_list_length: holds the number of CA certificate in CA_list
- * @CRL_list: not used
- * @CRL_list_length: not used
- *
- * This function will try to verify the given certificate list and return it's status (TRUSTED, EXPIRED etc.).
- * The return value (status) should be one of the CertificateStatus enumerated elements.
- * However you must also check the peer's name in order to check if the verified certificate belongs to the
- * actual peer. Returns a negative error code in case of an error.
- *
- **/
-int gnutls_x509pki_verify_certificate( const gnutls_datum* cert_list, int cert_list_length, const gnutls_datum * CA_list, int CA_list_length, const gnutls_datum* CRL_list, int CRL_list_length)
-{
- CertificateStatus verify;
- gnutls_cert *peer_certificate_list;
- gnutls_cert *ca_certificate_list;
- int peer_certificate_list_size, i, x, ret, ca_certificate_list_size;
-
- if (cert_list == NULL || cert_list_length == 0)
- return GNUTLS_CERT_NONE;
-
- /* generate a list of gnutls_certs based on the auth info
- * raw certs.
- */
- peer_certificate_list_size = cert_list_length;
- peer_certificate_list =
- gnutls_calloc(1,
- peer_certificate_list_size *
- sizeof(gnutls_cert));
- if (peer_certificate_list == NULL) {
- gnutls_assert();
- return GNUTLS_E_MEMORY_ERROR;
- }
-
- ca_certificate_list_size = CA_list_length;
- ca_certificate_list =
- gnutls_calloc(1,
- ca_certificate_list_size *
- sizeof(gnutls_cert));
- if (ca_certificate_list == NULL) {
- gnutls_assert();
- gnutls_free( peer_certificate_list);
- return GNUTLS_E_MEMORY_ERROR;
- }
-
- /* convert certA_list to gnutls_cert* list
- */
- for (i = 0; i < peer_certificate_list_size; i++) {
- if ((ret =
- _gnutls_cert2gnutlsCert(&peer_certificate_list[i],
- cert_list[i])) < 0) {
- gnutls_assert();
- CLEAR_CERTS_CA;
- gnutls_free( peer_certificate_list);
- gnutls_free( ca_certificate_list);
- return ret;
- }
- }
-
- /* convert CA_list to gnutls_cert* list
- */
- for (i = 0; i < ca_certificate_list_size; i++) {
- if ((ret =
- _gnutls_cert2gnutlsCert(&ca_certificate_list[i],
- CA_list[i])) < 0) {
- gnutls_assert();
- CLEAR_CERTS_CA;
- gnutls_free( peer_certificate_list);
- gnutls_free( ca_certificate_list);
- return ret;
- }
- }
-
- /* Verify certificate
- */
- verify =
- gnutls_verify_certificate(peer_certificate_list,
- peer_certificate_list_size,
- ca_certificate_list, ca_certificate_list_size, NULL, 0);
-
- CLEAR_CERTS_CA;
- gnutls_free( peer_certificate_list);
- gnutls_free( ca_certificate_list);
-
- if (verify < 0) {
- gnutls_assert();
- return GNUTLS_CERT_INVALID;
- }
-
- return verify;
-}
-
-
/* finds the most appropriate certificate in the cert list.
* The 'appropriate' is defined by the user.
* (frontend to _gnutls_server_find_cert_index())
@@ -1503,3 +1404,101 @@ int gnutls_x509pki_extract_certificate_serial(const gnutls_datum * cert, char* r
return 0;
}
+
+#define CLEAR_CERTS_CA for(x=0;x<peer_certificate_list_size;x++) gnutls_free_cert(peer_certificate_list[x]); \
+ for(x=0;x<ca_certificate_list_size;x++) gnutls_free_cert(ca_certificate_list[x])
+/**
+ * gnutls_x509pki_verify_certificate - This function verifies given certificate list
+ * @cert_list: is the certificate list to be verified
+ * @cert_list_length: holds the number of certificate in cert_list
+ * @CA_list: is the CA list which will be used in verification
+ * @CA_list_length: holds the number of CA certificate in CA_list
+ * @CRL_list: not used
+ * @CRL_list_length: not used
+ *
+ * This function will try to verify the given certificate list and return it's status (TRUSTED, EXPIRED etc.).
+ * The return value (status) should be one of the CertificateStatus enumerated elements.
+ * However you must also check the peer's name in order to check if the verified certificate belongs to the
+ * actual peer. Returns a negative error code in case of an error.
+ *
+ **/
+int gnutls_x509pki_verify_certificate( const gnutls_datum* cert_list, int cert_list_length, const gnutls_datum * CA_list, int CA_list_length, const gnutls_datum* CRL_list, int CRL_list_length)
+{
+ CertificateStatus verify;
+ gnutls_cert *peer_certificate_list;
+ gnutls_cert *ca_certificate_list;
+ int peer_certificate_list_size, i, x, ret, ca_certificate_list_size;
+
+ if (cert_list == NULL || cert_list_length == 0)
+ return GNUTLS_CERT_NONE;
+
+ /* generate a list of gnutls_certs based on the auth info
+ * raw certs.
+ */
+ peer_certificate_list_size = cert_list_length;
+ peer_certificate_list =
+ gnutls_calloc(1,
+ peer_certificate_list_size *
+ sizeof(gnutls_cert));
+ if (peer_certificate_list == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ ca_certificate_list_size = CA_list_length;
+ ca_certificate_list =
+ gnutls_calloc(1,
+ ca_certificate_list_size *
+ sizeof(gnutls_cert));
+ if (ca_certificate_list == NULL) {
+ gnutls_assert();
+ gnutls_free( peer_certificate_list);
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ /* convert certA_list to gnutls_cert* list
+ */
+ for (i = 0; i < peer_certificate_list_size; i++) {
+ if ((ret =
+ _gnutls_cert2gnutlsCert(&peer_certificate_list[i],
+ cert_list[i])) < 0) {
+ gnutls_assert();
+ CLEAR_CERTS_CA;
+ gnutls_free( peer_certificate_list);
+ gnutls_free( ca_certificate_list);
+ return ret;
+ }
+ }
+
+ /* convert CA_list to gnutls_cert* list
+ */
+ for (i = 0; i < ca_certificate_list_size; i++) {
+ if ((ret =
+ _gnutls_cert2gnutlsCert(&ca_certificate_list[i],
+ CA_list[i])) < 0) {
+ gnutls_assert();
+ CLEAR_CERTS_CA;
+ gnutls_free( peer_certificate_list);
+ gnutls_free( ca_certificate_list);
+ return ret;
+ }
+ }
+
+ /* Verify certificate
+ */
+ verify =
+ gnutls_verify_certificate(peer_certificate_list,
+ peer_certificate_list_size,
+ ca_certificate_list, ca_certificate_list_size, NULL, 0);
+
+ CLEAR_CERTS_CA;
+ gnutls_free( peer_certificate_list);
+ gnutls_free( ca_certificate_list);
+
+ if (verify < 0) {
+ gnutls_assert();
+ return GNUTLS_CERT_INVALID;
+ }
+
+ return verify;
+}
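Review bot: The guard `if (cert_list == NULL || cert_list_length == 0)` lets a negative `cert_list_length` or `CA_list_length` through, after which each is multiplied into a `gnutls_calloc` size and used as a loop bound, and `CA_list` is never checked against NULL before `CA_list[i]` is read. A range check ahead of the allocations, `if (cert_list_length < 0 || CA_list_length < 0 || (CA_list == NULL && CA_list_length > 0)) return GNUTLS_E_INVALID_PARAMETERS;`, closes both holes in this public verification entry point. Separately, `CA_list_length == 0` turns the second allocation into `gnutls_calloc(1, 0)`; if that allocator returns NULL for a zero-byte request the function reports GNUTLS_E_MEMORY_ERROR instead of verifying against an empty trust list, so either confirm the allocator's behaviour or skip the allocation when the count is zero. On a conversion failure at index i, CLEAR_CERTS_CA also passes the still-zeroed entries after i to gnutls_free_cert, which is only safe if that helper tolerates an all-zero gnutls_cert — not visible here. The function is moved from the earlier hunk rather than changed.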
diff --git a/lib/gnutls.h.in.in b/lib/gnutls.h.in.in
index eee80b9d4f..7f324229c2 100644
--- a/lib/gnutls.h.in.in
+++ b/lib/gnutls.h.in.in
@@ -30,18 +30,10 @@ extern "C" {
@DEFINE_SIZE_T@
@DEFINE_TIME_T@
-#define GNUTLS_CIPHER_AES_128_CBC GNUTLS_CIPHER_RIJNDAEL_128_CBC
-#define GNUTLS_CIPHER_AES_256_CBC GNUTLS_CIPHER_RIJNDAEL_256_CBC
-
-typedef enum GNUTLS_BulkCipherAlgorithm { GNUTLS_CIPHER_NULL=1, GNUTLS_CIPHER_ARCFOUR, GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_RIJNDAEL_128_CBC, GNUTLS_CIPHER_TWOFISH_128_CBC, GNUTLS_CIPHER_RIJNDAEL_256_CBC } GNUTLS_BulkCipherAlgorithm;
-#define GNUTLS_CIPHER_RIJNDAEL_CBC GNUTLS_CIPHER_RIJNDAEL_128_CBC
-#define GNUTLS_CIPHER_RIJNDAEL256_CBC GNUTLS_CIPHER_RIJNDAEL_256_CBC
-
-typedef enum GNUTLS_KXAlgorithm { GNUTLS_KX_RSA=1, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, GNUTLS_KX_ANON_DH, GNUTLS_KX_SRP } GNUTLS_KXAlgorithm;
-#define GNUTLS_KX_X509PKI_RSA GNUTLS_KX_RSA
-#define GNUTLS_KX_X509PKI_DHE_RSA GNUTLS_KX_DHE_RSA
-#define GNUTLS_KX_X509PKI_DHE_DSS GNUTLS_KX_DHE_DSS
+#define GNUTLS_AES GNUTLS_RIJNDAEL
+typedef enum GNUTLS_BulkCipherAlgorithm { GNUTLS_CIPHER_NULL=1, GNUTLS_CIPHER_ARCFOUR, GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_RIJNDAEL_CBC, GNUTLS_CIPHER_TWOFISH_CBC, GNUTLS_CIPHER_RIJNDAEL256_CBC } GNUTLS_BulkCipherAlgorithm;
+typedef enum GNUTLS_KXAlgorithm { GNUTLS_KX_X509PKI_RSA=1, GNUTLS_KX_X509PKI_DHE_DSS, GNUTLS_KX_X509PKI_DHE_RSA, GNUTLS_KX_ANON_DH, GNUTLS_KX_SRP } GNUTLS_KXAlgorithm;
typedef enum GNUTLS_CredType { GNUTLS_X509PKI=1, GNUTLS_ANON, GNUTLS_SRP } GNUTLS_CredType;
#define CredType GNUTLS_CredType
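Review bot: `#define GNUTLS_AES GNUTLS_RIJNDAEL` expands to a name that does not appear anywhere in this hunk, whereas the removed lines mapped the AES spellings onto real enum values (GNUTLS_CIPHER_AES_128_CBC onto the RIJNDAEL_128 cipher). Unless GNUTLS_RIJNDAEL is defined elsewhere in this header, the alias is unusable and applications written against the AES names lose them in this release. If the intent is to keep those spellings available, aliases onto the restored enum values would do it, e.g. `#define GNUTLS_CIPHER_AES_128_CBC GNUTLS_CIPHER_RIJNDAEL_CBC` and `#define GNUTLS_CIPHER_AES_256_CBC GNUTLS_CIPHER_RIJNDAEL256_CBC`.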
@@ -93,6 +85,7 @@ void gnutls_deinit(GNUTLS_STATE state);
int gnutls_bye( GNUTLS_STATE state, GNUTLS_CloseRequest how);
int gnutls_handshake( GNUTLS_STATE state);
+int gnutls_check_pending(GNUTLS_STATE state);
int gnutls_rehandshake( GNUTLS_STATE state);
@@ -261,6 +254,4 @@ void gnutls_transport_set_pull_func( GNUTLS_STATE, GNUTLS_PULL_FUNC pull_func);
size_t gnutls_record_get_max_size( GNUTLS_STATE state);
size_t gnutls_record_set_max_size( GNUTLS_STATE state, size_t size);
-size_t gnutls_record_check_pending(GNUTLS_STATE state);
-
int gnutls_fingerprint(GNUTLS_DigestAlgorithm algo, const gnutls_datum* data, char* result, int* result_size);
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index 74372f69b2..b97f69a789 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -47,11 +47,11 @@ typedef struct {
/* This table maps the Key exchange algorithms to
* the certificate algorithms. Eg. if we have
* RSA algorithm in the certificate then we can
- * use GNUTLS_KX_RSA or GNUTLS_KX_DHE_RSA.
+ * use GNUTLS_KX_X509PKI_RSA or GNUTLS_KX_X509PKI_DHE_RSA.
*/
static const gnutls_pk_map pk_mappings[] = {
- {GNUTLS_KX_RSA, GNUTLS_PK_RSA},
- {GNUTLS_KX_DHE_RSA, GNUTLS_PK_RSA},
+ {GNUTLS_KX_X509PKI_RSA, GNUTLS_PK_RSA},
+ {GNUTLS_KX_X509PKI_DHE_RSA, GNUTLS_PK_RSA},
{0}
};
@@ -510,102 +510,7 @@ int gnutls_x509pki_set_trust_file(GNUTLS_X509PKI_CREDENTIALS res, char *CAFILE,
}
/**
- * gnutls_x509pki_set_key_mem - Used to set keys in a GNUTLS_X509PKI_CREDENTIALS structure
- * @res: is an &GNUTLS_X509PKI_CREDENTIALS structure.
- * @CERT: contains a PEM encoded certificate list (path) for
- * the specified private key
- * @KEY: is a PEM encoded private key
- *
- * This function sets a certificate/private key pair in the
- * GNUTLS_X509PKI_CREDENTIALS structure. This function may be called
- * more than once (in case multiple keys/certificates exist for the
- * server).
- *
- * Currently only PKCS-1 PEM encoded RSA private keys are accepted by
- * this function.
- *
- **/
-int gnutls_x509pki_set_key_mem(GNUTLS_X509PKI_CREDENTIALS res, const gnutls_datum* CERT,
- const gnutls_datum* KEY)
-{
- int ret;
-
- /* this should be first
- */
- if ((ret = read_key_mem( res, KEY->data, KEY->size)) < 0)
- return ret;
-
- if ((ret = read_cert_mem( res, CERT->data, CERT->size)) < 0)
- return ret;
-
- return 0;
-}
-
-/**
- * gnutls_x509pki_set_trust_mem - Used to set trusted CAs in a GNUTLS_X509PKI_CREDENTIALS structure
- * @res: is an &GNUTLS_X509PKI_CREDENTIALS structure.
- * @CA: is a PEM encoded list of trusted CAs
- * @CRL: is a PEM encoded list of CRLs (ignored for now)
- *
- * This function sets the trusted CAs in order to verify client
- * certificates.
- **/
-int gnutls_x509pki_set_trust_mem(GNUTLS_X509PKI_CREDENTIALS res, const gnutls_datum *CA,
- const gnutls_datum *CRL)
-{
- int ret, size, i;
- opaque *pdata;
- gnutls_datum tmp;
-
- if ((ret = read_ca_mem(res, CA->data, CA->size)) < 0)
- return ret;
-
- /* Generate the RDN sequence
- * This will be sent to clients when a certificate
- * request message is sent.
- */
-
- /* FIXME: in case of a client it is not needed
- * to do that. This would save time and memory.
- * However we don't have that information available
- * here.
- */
-
- size = 0;
- for (i = 0; i < res->ncas; i++) {
- if ((ret = _gnutls_find_dn(&tmp, &res->ca_list[i])) < 0) {
- gnutls_assert();
- return ret;
- }
- size += (2 + tmp.size);
- }
-
- res->rdn_sequence.data = gnutls_malloc(size);
- if (res->rdn_sequence.data == NULL) {
- gnutls_assert();
- return GNUTLS_E_MEMORY_ERROR;
- }
- res->rdn_sequence.size = size;
-
- pdata = res->rdn_sequence.data;
-
- for (i = 0; i < res->ncas; i++) {
- if ((ret = _gnutls_find_dn(&tmp, &res->ca_list[i])) < 0) {
- gnutls_free(res->rdn_sequence.data);
- res->rdn_sequence.size = 0;
- res->rdn_sequence.data = NULL;
- gnutls_assert();
- return ret;
- }
- WRITEdatum16(pdata, tmp);
- pdata += (2 + tmp.size);
- }
-
- return 0;
-}
-
-/**
- * gnutls_dh_set_dhe_bits - Used to set the bits for a DHE_* ciphersuite
+ * gnutls_x509pki_set_dh_bits - Used to set the bits for a DHE_* ciphersuite
* @state: is a &GNUTLS_STATE structure.
* @bits: is the number of bits
*
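Review bot: The definitions of gnutls_x509pki_set_key_mem() and gnutls_x509pki_set_trust_mem() are deleted in this hunk, yet the unchanged NEWS entry for 0.3.3 (`- Added gnutls_x509pki_set_trust_mem() and gnutls_x509pki_set_key_mem()`) still advertises both for this release. Unless they are re-added in a file outside this diff, either that NEWS line should go or the functions should stay; none of the visible lib/gnutls_ui.h hunks declares either, which points the same way. The renamed doc header at the end of the hunk belongs to gnutls_x509pki_set_dh_bits, whose body continues in the next hunk.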
@@ -613,17 +518,11 @@ int gnutls_x509pki_set_trust_mem(GNUTLS_X509PKI_CREDENTIALS res, const gnutls_da
* This value will only be used in case of DHE ciphersuite.
*
**/
-void gnutls_dh_set_dhe_bits(GNUTLS_STATE state, int bits)
+void gnutls_x509pki_set_dh_bits(GNUTLS_STATE state, int bits)
{
- state->gnutls_internals.dhe_bits = bits;
+ state->gnutls_internals.x509pki_dhe_bits = bits;
}
-#ifdef DEBUG
-# warning REMOVE THIS ON LIBRARY VERSION CHANGE
-#endif
-void gnutls_x509pki_set_dh_bits(GNUTLS_STATE state, int bits) {
- gnutls_dh_set_dhe_bits( state, bits);
-}
static int _read_rsa_params(opaque * der, int dersize, MPI * params)
{
@@ -1102,7 +1001,7 @@ int _gnutls_check_x509pki_key_usage(const gnutls_cert * cert,
{
if (_gnutls_map_kx_get_cred(alg) == GNUTLS_X509PKI) {
switch (alg) {
- case GNUTLS_KX_RSA:
+ case GNUTLS_KX_X509PKI_RSA:
if (cert->keyUsage != 0) {
if (!
(cert->
@@ -1113,8 +1012,7 @@ int _gnutls_check_x509pki_key_usage(const gnutls_cert * cert,
return 0;
}
return 0;
- case GNUTLS_KX_DHE_RSA:
- case GNUTLS_KX_DHE_DSS:
+ case GNUTLS_KX_X509PKI_DHE_RSA:
if (cert->keyUsage != 0) {
if (!
(cert->
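Review bot: Dropping `case GNUTLS_KX_DHE_DSS:` leaves the DSS key exchange, which this commit keeps in the enum as GNUTLS_KX_X509PKI_DHE_DSS (lib/gnutls.h.in.in hunk), without a keyUsage branch in _gnutls_check_x509pki_key_usage; it now falls to whatever default the switch has below this hunk, which is not visible here. If that default returns 0 the keyUsage restriction is silently bypassed for DHE_DSS; if it rejects, DSS certificates can no longer be used with DHE at all. The practical reach may be limited because the pk_mappings table earlier in this file lists only the RSA exchanges, but the intended outcome should still be explicit, e.g. `case GNUTLS_KX_X509PKI_DHE_RSA:` followed by `case GNUTLS_KX_X509PKI_DHE_DSS:` if DSS is meant to share the digitalSignature check. The enclosing function starts and ends outside the hunk.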
@@ -1135,7 +1033,7 @@ int _gnutls_check_x509pki_key_usage(const gnutls_cert * cert,
/* returns the KX algorithms that are supported by a
* certificate. (Eg a certificate with RSA params, supports
- * GNUTLS_KX_RSA algorithm).
+ * GNUTLS_KX_X509PKI_RSA algorithm).
* This function also uses the KeyUsage field of the certificate
* extensions in order to disable unneded algorithms.
*/
@@ -1145,10 +1043,10 @@ int _gnutls_cert_supported_kx(const gnutls_cert * cert, KXAlgorithm ** alg,
KXAlgorithm kx;
int i;
PKAlgorithm pk;
- KXAlgorithm kxlist[MAX_KX_ALGOS];
+ KXAlgorithm kxlist[255];
i = 0;
- for (kx = 0; kx < MAX_KX_ALGOS; kx++) {
+ for (kx = 0; kx < 255; kx++) {
pk = _gnutls_map_pk_get_pk(kx);
if (pk == cert->subject_pk_algorithm) {
if (_gnutls_check_x509pki_key_usage(cert, kx) == 0) {
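Review bot: `KXAlgorithm kxlist[255];` and `for (kx = 0; kx < 255; kx++)` replace the named bound MAX_KX_ALGOS with a bare literal that now has to be kept in sync in two places, and the loop probes _gnutls_map_pk_get_pk with every value up to 254 regardless of how many key-exchange algorithms exist. A file-local constant such as `enum { KX_SCAN_LIMIT = 255 };` used for both the array size and the loop bound would keep the revert while removing the magic number. _gnutls_cert_supported_kx starts and ends outside the hunk.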
@@ -1158,11 +1056,6 @@ int _gnutls_cert_supported_kx(const gnutls_cert * cert, KXAlgorithm ** alg,
}
}
- if (i==0) {
- gnutls_assert();
- return GNUTLS_E_INVALID_PARAMETERS;
- }
-
*alg = gnutls_calloc(1, sizeof(KXAlgorithm) * i);
if (*alg == NULL)
return GNUTLS_E_MEMORY_ERROR;
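Review bot: With the `if (i==0)` guard removed, a certificate whose public key matches no key-exchange algorithm, or whose keyUsage excludes all of them, reaches `*alg = gnutls_calloc(1, sizeof(KXAlgorithm) * i)` with i == 0. If the allocator returns NULL for a zero-byte request the caller gets GNUTLS_E_MEMORY_ERROR for what is really an unusable certificate; if it returns a pointer, the caller receives an empty list and has to cope with a count of zero, which the rest of the function (outside this hunk) would have to guarantee. Keeping the explicit `if (i == 0) { gnutls_assert(); return GNUTLS_E_INVALID_PARAMETERS; }` gives callers one unambiguous signal and avoids relying on zero-size allocation semantics.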
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index db68d4714a..2eba02f9a9 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -139,7 +139,7 @@ static int _gnutls_ssl3_finished(GNUTLS_STATE state, int type, int skip,
return GNUTLS_E_HASH_FAILED;
}
- siz = _gnutls_handshake_buffer_get_size(state) - skip;
+ siz = gnutls_get_handshake_buffer_size(state) - skip;
data = gnutls_malloc(siz);
if (data == NULL) {
gnutls_assert();
@@ -148,7 +148,7 @@ static int _gnutls_ssl3_finished(GNUTLS_STATE state, int type, int skip,
return GNUTLS_E_MEMORY_ERROR;
}
- _gnutls_handshake_buffer_peek(state, data, siz);
+ gnutls_read_handshake_buffer(state, data, siz);
gnutls_mac_ssl3(td, data, siz);
gnutls_mac_ssl3(td2, data, siz);
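Review bot: `_gnutls_handshake_buffer_peek` here and `_gnutls_handshake_buffer_get` in the _gnutls_finished hunk below are both mapped onto the same call, `gnutls_read_handshake_buffer(state, data, siz)`, so the old names' distinction between a non-consuming and a consuming read of the handshake transcript is gone. If gnutls_read_handshake_buffer drains the buffer, the SSL3 path that previously peeked may leave a later reader without the transcript the Finished MAC must cover; if it does not drain, the TLS path changes behaviour instead — which one applies cannot be seen in this diff and should be checked. Stylistically, the replacement names drop the `_gnutls_` prefix the rest of this file uses for internal helpers and place them in the exported gnutls_ namespace. The enclosing functions start and end outside the hunks.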
@@ -197,7 +197,7 @@ int _gnutls_finished(GNUTLS_STATE state, int type, int skip, void *ret)
return GNUTLS_E_HASH_FAILED;
}
- siz = _gnutls_handshake_buffer_get_size(state) - skip;
+ siz = gnutls_get_handshake_buffer_size(state) - skip;
data = gnutls_malloc(siz);
if (data == NULL) {
@@ -207,7 +207,7 @@ int _gnutls_finished(GNUTLS_STATE state, int type, int skip, void *ret)
return GNUTLS_E_MEMORY_ERROR;
}
- _gnutls_handshake_buffer_get(state, data, siz);
+ gnutls_read_handshake_buffer(state, data, siz);
gnutls_hash(td, data, siz);
gnutls_hash(td2, data, siz);
@@ -650,7 +650,7 @@ int _gnutls_send_handshake(GNUTLS_STATE state, void *i_data,
/* we are resuming a previously interrupted
* send.
*/
- ret = _gnutls_handshake_io_write_flush(state);
+ ret = _gnutls_handshake_write_flush(state);
return ret;
}
@@ -685,7 +685,7 @@ int _gnutls_send_handshake(GNUTLS_STATE state, void *i_data,
if (type != GNUTLS_HELLO_REQUEST) {
if ((ret =
- _gnutls_handshake_buffer_put(state, data,
+ gnutls_insert_to_handshake_buffer(state, data,
datasize)) < 0) {
gnutls_assert();
gnutls_free(data);
@@ -694,7 +694,7 @@ int _gnutls_send_handshake(GNUTLS_STATE state, void *i_data,
}
ret =
- _gnutls_handshake_io_send_int(state, GNUTLS_HANDSHAKE, type,
+ _gnutls_handshake_send_int(state, GNUTLS_HANDSHAKE, type,
data, datasize);
gnutls_free(data);
@@ -744,7 +744,7 @@ static int _gnutls_recv_handshake_header(GNUTLS_STATE state,
if (state->gnutls_internals.handshake_header_buffer.header_size <
SSL2_HEADERS) {
ret =
- _gnutls_handshake_io_recv_int(state, GNUTLS_HANDSHAKE,
+ _gnutls_handshake_recv_int(state, GNUTLS_HANDSHAKE,
type, dataptr,
SSL2_HEADERS);
@@ -766,7 +766,7 @@ static int _gnutls_recv_handshake_header(GNUTLS_STATE state,
if (state->gnutls_internals.v2_hello == 0
|| type != GNUTLS_CLIENT_HELLO) {
ret =
- _gnutls_handshake_io_recv_int(state, GNUTLS_HANDSHAKE,
+ _gnutls_handshake_recv_int(state, GNUTLS_HANDSHAKE,
type,
&dataptr[state->
gnutls_internals.
@@ -831,7 +831,7 @@ static int _gnutls_recv_handshake_header(GNUTLS_STATE state,
if (*recv_type != GNUTLS_HELLO_REQUEST) {
if ((ret =
- _gnutls_handshake_buffer_put(state, dataptr,
+ gnutls_insert_to_handshake_buffer(state, dataptr,
handshake_header_size))
< 0) {
gnutls_assert();
@@ -839,7 +839,7 @@ static int _gnutls_recv_handshake_header(GNUTLS_STATE state,
}
}
- /* This MUST be after handshake_buffer_put(), because
+ /* This MUST be after insert_to_handshake_buffer(), because
* of optional packets.
*/
if (*recv_type != type) {
@@ -850,7 +850,7 @@ static int _gnutls_recv_handshake_header(GNUTLS_STATE state,
return length32;
}
-#define _gnutls_handshake_header_buffer_clear( state) state->gnutls_internals.handshake_header_buffer.header_size = 0
+#define _gnutls_clear_handshake_header_buffer( state) state->gnutls_internals.handshake_header_buffer.header_size = 0
/* This function will receive handshake messages of the given types,
@@ -900,7 +900,7 @@ int _gnutls_recv_handshake(GNUTLS_STATE state, uint8 ** data,
if (length32 > 0) {
ret =
- _gnutls_handshake_io_recv_int(state, GNUTLS_HANDSHAKE,
+ _gnutls_handshake_recv_int(state, GNUTLS_HANDSHAKE,
type, dataptr, length32);
if (ret <= 0) {
gnutls_assert();
@@ -915,7 +915,7 @@ int _gnutls_recv_handshake(GNUTLS_STATE state, uint8 ** data,
* have have received above. if we get here the we clear the handshake
* header we received.
*/
- _gnutls_handshake_header_buffer_clear(state);
+ _gnutls_clear_handshake_header_buffer(state);
ret = GNUTLS_E_UNKNOWN_ERROR;
@@ -926,7 +926,7 @@ int _gnutls_recv_handshake(GNUTLS_STATE state, uint8 ** data,
if (recv_type != GNUTLS_HELLO_REQUEST && length32 > 0) {
if ((ret =
- _gnutls_handshake_buffer_put(state, dataptr,
+ gnutls_insert_to_handshake_buffer(state, dataptr,
length32)) < 0) {
gnutls_assert();
return ret;
@@ -943,8 +943,7 @@ int _gnutls_recv_handshake(GNUTLS_STATE state, uint8 ** data,
ret = length32;
break;
case GNUTLS_SERVER_HELLO_DONE:
- if (length32==0) ret = 0;
- else ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
+ ret = 0;
break;
case GNUTLS_FINISHED:
ret = length32;
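Review bot: Replacing the length check with `ret = 0;` for GNUTLS_SERVER_HELLO_DONE accepts a ServerHelloDone that carries a body, which the removed branch rejected with GNUTLS_E_UNEXPECTED_PACKET_LENGTH; the message is defined as an empty struct in TLS 1.0, so a non-zero length32 is a malformed message from the peer, and the body bytes read earlier in this function are now silently inserted into the handshake buffer and accepted. Keeping the strict form, `if (length32 == 0) ret = 0; else ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH;`, preserves the parser's rejection of malformed input; if the relaxation is deliberate for interoperability with a known peer implementation, a comment saying so would explain the leniency. _gnutls_recv_handshake starts and ends outside the hunk.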
@@ -1705,7 +1704,7 @@ int gnutls_handshake(GNUTLS_STATE state)
STATE = STATE0;
- _gnutls_handshake_io_buffer_clear(state);
+ _gnutls_clear_handshake_buffers(state);
return 0;
}
@@ -1715,7 +1714,7 @@ int gnutls_handshake(GNUTLS_STATE state)
if (gnutls_error_is_fatal(ret)==0) return ret; \
gnutls_assert(); \
ERR( str, ret); \
- _gnutls_handshake_buffer_clear(state); \
+ gnutls_clear_handshake_buffer(state); \
return ret; \
}
@@ -2095,9 +2094,8 @@ int gnutls_handshake_common(GNUTLS_STATE state)
/* in order to support session resuming */
_gnutls_server_register_current_session(state);
}
-
/* clear handshake buffer */
- _gnutls_handshake_buffer_clear(state);
+ gnutls_clear_handshake_buffer(state);
return ret;
}
diff --git a/lib/gnutls_random.c b/lib/gnutls_random.c
index 9c363da1f3..241c823359 100644
--- a/lib/gnutls_random.c
+++ b/lib/gnutls_random.c
@@ -76,7 +76,7 @@ int _gnutls_get_random(opaque * res, int bytes, int dev)
memcpy( res, buf, bytes);
gcry_free(buf);
-
+
return 0;
#endif
diff --git a/lib/gnutls_ui.h b/lib/gnutls_ui.h
index 31b246f553..512525740b 100644
--- a/lib/gnutls_ui.h
+++ b/lib/gnutls_ui.h
@@ -52,16 +52,8 @@ const char* gnutls_srp_server_get_username( GNUTLS_STATE state);
/* ANON */
-int gnutls_dh_get_dha_bits( GNUTLS_STATE state);
-
-#define gnutls_anon_server_get_dh_bits gnutls_dh_get_dha_bits
-#define gnutls_anon_client_get_dh_bits gnutls_dh_get_dha_bits
-
-void gnutls_dh_set_dhe_bits( GNUTLS_STATE state, int bits);
-int gnutls_dh_get_dhe_bits( GNUTLS_STATE);
-
-#define gnutls_x509pki_set_dh_bits gnutls_dh_set_dhe_bits
-#define gnutls_x509pki_get_dh_bits gnutls_dh_get_dhe_bits
+int gnutls_anon_server_get_dh_bits( GNUTLS_STATE state);
+int gnutls_anon_client_get_dh_bits( GNUTLS_STATE state);
/* X509PKI */
@@ -70,6 +62,8 @@ void gnutls_x509pki_set_client_cert_callback( GNUTLS_X509PKI_CREDENTIALS, x509pk
void gnutls_x509pki_set_server_cert_callback( GNUTLS_X509PKI_CREDENTIALS, x509pki_server_cert_callback_func *);
void gnutls_x509pki_server_set_cert_request( GNUTLS_STATE, CertificateRequest);
+void gnutls_x509pki_set_dh_bits( GNUTLS_STATE state, int bits);
+
/* X.509 certificate handling functions */
int gnutls_x509pki_extract_dn( const gnutls_datum*, gnutls_DN*);
int gnutls_x509pki_extract_certificate_dn( const gnutls_datum*, gnutls_DN*);
@@ -80,10 +74,11 @@ time_t gnutls_x509pki_extract_certificate_activation_time( const gnutls_datum*);
time_t gnutls_x509pki_extract_certificate_expiration_time( const gnutls_datum*);
int gnutls_x509pki_extract_subject_dns_name( const gnutls_datum*, char*, int*);
-int gnutls_x509pki_verify_certificate( const gnutls_datum* cert_list, int cert_list_length, const gnutls_datum * CA_list, int CA_list_length, const gnutls_datum* CRL_list, int CRL_list_length);
+int gnutls_x509pki_verify_certificate( const gnutls_datum* cert_list, int cert_list_length, const gnutls_datum * CA_list, int CA_list_length, const gnutls_datum* CRL_list, int CRL_list_length);
/* get data from the state */
const gnutls_datum* gnutls_x509pki_get_peer_certificate_list( GNUTLS_STATE, int* list_size);
+int gnutls_x509pki_get_dh_bits( GNUTLS_STATE);
int gnutls_x509pki_get_certificate_request_status( GNUTLS_STATE);
int gnutls_x509pki_get_peer_certificate_status( GNUTLS_STATE);
diff --git a/lib/x509_b64.c b/lib/x509_b64.c
index 8023455a96..43832d8537 100644
--- a/lib/x509_b64.c
+++ b/lib/x509_b64.c
@@ -279,7 +279,7 @@ int size;
/* decodes data and puts the result into result (localy alocated)
* The result_size is the return value
*/
-int _gnutls_base64_decode(const uint8 * data, int data_size, uint8 ** result)
+int _gnutls_base64_decode(uint8 * data, int data_size, uint8 ** result)
{
int i, ret, tmp, j;
uint8 tmpres[3];
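Review bot: `int _gnutls_base64_decode(uint8 * data, ...)` drops the `const` on `data`, and the same happens for cpydata and _gnutls_fbase64_decode in the two following hunks, while the lib/x509_b64.h hunk in this commit declares `_gnutls_base64_decode( const uint8 * data, ...)` and `_gnutls_fbase64_decode( const uint8 * data, ...)`; `const uint8 *` and `uint8 *` are incompatible parameter types, so any translation unit that sees both the prototype and the definition fails with conflicting types. These decoders only read their input, so the header's const-qualified form is the right one and the definitions should match it: `int _gnutls_base64_decode(const uint8 * data, int data_size, uint8 ** result)`, and likewise for cpydata and _gnutls_fbase64_decode. Each function's body continues outside its hunk.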
@@ -309,7 +309,7 @@ int _gnutls_base64_decode(const uint8 * data, int data_size, uint8 ** result)
/* copies data to result but removes newlines and <CR>
* returns the size of the data copied.
*/
-inline static int cpydata(const uint8 * data, int data_size, uint8 ** result)
+inline static int cpydata(uint8 * data, int data_size, uint8 ** result)
{
int i, j;
@@ -330,7 +330,7 @@ inline static int cpydata(const uint8 * data, int data_size, uint8 ** result)
* The result_size is the return value
*/
#define ENDSTR "-----\n"
-int _gnutls_fbase64_decode( const uint8 * data, int data_size,
+int _gnutls_fbase64_decode( uint8 * data, int data_size,
uint8 ** result)
{
int ret;
diff --git a/lib/x509_b64.h b/lib/x509_b64.h
index 34ef20b5c2..259c408609 100644
--- a/lib/x509_b64.h
+++ b/lib/x509_b64.h
@@ -1,6 +1,6 @@
-int _gnutls_base64_encode(uint8 * data, int data_size, uint8 ** result);
-int _gnutls_fbase64_encode(const char *msg, const uint8 * data, int data_size,
+int _gnutls_base64_encode(uint8 * const data, int data_size, uint8 ** result);
+int _gnutls_fbase64_encode( char *msg, const uint8 * data, int data_size,
uint8 ** result);
-int _gnutls_base64_decode(uint8 * data, int data_size, uint8 ** result);
+int _gnutls_base64_decode( const uint8 * data, int data_size, uint8 ** result);
int _gnutls_fbase64_decode( const uint8 * data, int data_size,
uint8 ** result);
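Review bot: `int _gnutls_fbase64_encode( char *msg, ...)` removes the const from `msg`, so a caller that passes a string literal for the PEM label now does so through a non-const pointer; the definition is not in this diff, but an encoder has no evident reason to write through msg, and `const char *msg` should be restored unless it does. The `uint8 * const data` form on the line above is a top-level const on the parameter itself, which is ignored for prototype compatibility and tells callers nothing about whether the buffer is written; if the encoder does not modify its input, `const uint8 * data` is the qualifier that carries meaning.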