-rw-r--r--configure.in4
-rw-r--r--doc/Makefile.am5
-rw-r--r--doc/examples/Makefile.am4
-rw-r--r--doc/examples/ex-alert.c (renamed from doc/tex/ex-alert.tex)2
-rw-r--r--doc/examples/ex-cert-select.c (renamed from doc/tex/ex-cert-select.tex)2
-rw-r--r--doc/examples/ex-client-resume.c (renamed from doc/tex/ex-client-resume.tex)2
-rw-r--r--doc/examples/ex-client-srp.c (renamed from doc/tex/ex-client-srp.tex)2
-rw-r--r--doc/examples/ex-client2.c (renamed from doc/tex/ex-client2.tex)2
-rw-r--r--doc/examples/ex-crq.c (renamed from doc/tex/ex-crq.tex)2
-rw-r--r--doc/examples/ex-pkcs12.c (renamed from doc/tex/ex-pkcs12.tex)2
-rw-r--r--doc/examples/ex-serv-export.c (renamed from doc/tex/ex-serv-export.tex)2
-rw-r--r--doc/examples/ex-serv-pgp.c (renamed from doc/tex/ex-serv-pgp.tex)2
-rw-r--r--doc/examples/ex-serv-srp.c (renamed from doc/tex/ex-serv-srp.tex)2
-rw-r--r--doc/examples/ex-serv1.c (renamed from doc/tex/ex-serv1.tex)2
-rw-r--r--doc/examples/ex-session-info.c (renamed from doc/tex/ex-session-info.tex)2
-rw-r--r--doc/examples/ex-verify.c (renamed from doc/tex/ex-verify.tex)4
-rw-r--r--doc/examples/ex-x509-info.c (renamed from doc/tex/ex-x509-info.tex)2
-rw-r--r--doc/internals.dia (renamed from doc/tex/figures/internals.dia)bin2146 -> 2146 bytes
-rw-r--r--doc/layers.dia (renamed from doc/tex/figures/layers.dia)bin1090 -> 1090 bytes
-rw-r--r--doc/pgp1.dia (renamed from doc/tex/figures/pgp1.dia)bin1734 -> 1734 bytes
-rw-r--r--doc/scripts/Makefile.am2
-rwxr-xr-xdoc/scripts/sort1.pl21
-rw-r--r--doc/tex/.cvsignore24
-rw-r--r--doc/tex/Makefile.am80
-rw-r--r--doc/tex/alert.tex30
-rw-r--r--doc/tex/appendix.tex21
-rw-r--r--doc/tex/auth.tex150
-rw-r--r--doc/tex/callbacks.tex23
-rw-r--r--doc/tex/cert_auth.tex127
-rw-r--r--doc/tex/certificate.tex256
-rw-r--r--doc/tex/ciphers.tex65
-rw-r--r--doc/tex/ciphersuites.tex27
-rw-r--r--doc/tex/compression.tex39
-rw-r--r--doc/tex/cover.tex.in69
-rw-r--r--doc/tex/errors.tex26
-rw-r--r--doc/tex/examples.tex121
-rw-r--r--doc/tex/fdl.tex489
-rw-r--r--doc/tex/funcs.tex35
-rw-r--r--doc/tex/gnutls-logo.ps154
-rw-r--r--doc/tex/gnutls.bib161
-rw-r--r--doc/tex/gnutls.tex62
-rw-r--r--doc/tex/handshake.tex95
-rw-r--r--doc/tex/howto.tex131
-rw-r--r--doc/tex/internals.eps320
-rw-r--r--doc/tex/layers.eps183
-rw-r--r--doc/tex/layers.tex30
-rw-r--r--doc/tex/library.tex109
-rw-r--r--doc/tex/macros.tex23
-rw-r--r--doc/tex/memory.tex17
-rw-r--r--doc/tex/openssl.tex20
-rw-r--r--doc/tex/pgp-fig1.eps479
-rw-r--r--doc/tex/pgpcert.xml.tex59
-rw-r--r--doc/tex/preface.tex26
-rw-r--r--doc/tex/preparation.tex133
-rw-r--r--doc/tex/programs.tex245
-rw-r--r--doc/tex/record.tex28
-rw-r--r--doc/tex/record_weaknesses.tex16
-rw-r--r--doc/tex/srp.tex80
-rw-r--r--doc/tex/supported_ciphersuites.tex69
-rw-r--r--doc/tex/tls_extensions.tex41
-rw-r--r--doc/tex/tlsintro.tex29
-rw-r--r--doc/tex/translayer.tex31
-rw-r--r--doc/tex/x509-1.eps251
-rw-r--r--doc/tex/x509cert.xml.tex190
-rw-r--r--doc/x509-1.dia (renamed from doc/tex/figures/x509-1.dia)bin1638 -> 1638 bytes
65 files changed, 4 insertions, 4626 deletions
diff --git a/configure.in b/configure.in
index 34ebeb9d2c..a6e778739f 100644
--- a/configure.in
+++ b/configure.in
@@ -582,8 +582,8 @@ libextra/openpgp/Makefile libextra/opencdk/Makefile \
lib/libgnutls-config libextra/libgnutls-extra-config \
doc/Makefile src/x509/Makefile src/srp/Makefile src/openpgp/Makefile \
src/cfg/Makefile src/cfg/platon/Makefile src/cfg/platon/str/Makefile \
-doc/tex/Makefile doc/tex/cover.tex doc/scripts/Makefile \
-doc/examples/Makefile lib/minitasn1/Makefile lib/x509/Makefile \
+doc/scripts/Makefile doc/examples/Makefile \
+lib/minitasn1/Makefile lib/x509/Makefile \
includes/Makefile includes/gnutls/Makefile doc/manpages/Makefile \
tests/Makefile])
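Review bot: The rewritten output list still names `doc/examples/Makefile` on the first added line, yet this same commit deletes doc/examples/Makefile.am and drops `examples` from `SUBDIRS` in doc/Makefile.am, so there is no longer a template to generate that file from. As written, automake or config.status would presumably stop on the missing doc/examples/Makefile.in. The added line should read `doc/scripts/Makefile \` with the `doc/examples/Makefile` entry removed. The macro that opens this list is above the hunk, so the rest of the list is not visible here.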
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 9d720dcb68..8aea340406 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -1,6 +1,6 @@
EXTRA_DIST = TODO README.CVS README.autoconf certtool.cfg \
gnutls.ps gnutls.pdf gnutls.html
-SUBDIRS = tex examples scripts manpages
+SUBDIRS = scripts manpages
info_TEXINFOS = gnutls.texi
gnutls_TEXINFOS = gnutls.texi fdl.texi error_codes.texi \
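Review bot: With `examples` dropped from `SUBDIRS` and doc/examples/Makefile.am deleted in this commit, nothing visible in this hunk puts the renamed doc/examples/ex-*.c files into the distribution tarball any more; the deleted Makefile.am carried all fourteen of them in its `EXTRA_DIST`. Unless the `gnutls_TEXINFOS` list, which continues past the end of this hunk, already names them, they should be added to this file's `EXTRA_DIST`, for example `EXTRA_DIST += examples/ex-alert.c examples/ex-verify.c` extended to the full set. A one-line comment such as `# examples/ has no Makefile.am of its own; its sources are distributed from here` would record why the list lives in this file.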
@@ -40,8 +40,5 @@ x509-api.texi: ../lib/x509/x509-api.texi
pgp-api.texi: ../libextra/openpgp/pgp-api.texi
-scripts/sort2.pl < ../libextra/openpgp/pgp-api.texi > pgp-api.texi
-examples/ex-client2.c examples/ex-session-info.c examples/ex-verify.c examples/ex-cert-select.c examples/ex-client-resume.c examples/ex-client-srp.c examples/ex-serv1.c examples/ex-serv-export.c examples/ex-serv-pgp.c examples/ex-serv-srp.c examples/ex-alert.c examples/ex-x509-info.c examples/ex-crq.c examples/ex-pkcs12.c:
- cd tex && make examples
-
error_codes.texi: ../lib/gnutls_errors_int.h ../lib/gnutls_errors.c ../src/errcodes.c
-../src/errcodes > error_codes.texi
diff --git a/doc/examples/Makefile.am b/doc/examples/Makefile.am
deleted file mode 100644
index 2cf3cd4a67..0000000000
--- a/doc/examples/Makefile.am
+++ /dev/null
@@ -1,4 +0,0 @@
-EXTRA_DIST = ex-alert.c ex-client-resume.c ex-client-srp.c \
- ex-client2.c ex-x509-info.c ex-verify.c ex-serv-export.c ex-serv-pgp.c \
- ex-serv-srp.c ex-serv1.c ex-cert-select.c \
- ex-crq.c ex-session-info.c ex-pkcs12.c
diff --git a/doc/tex/ex-alert.tex b/doc/examples/ex-alert.c
index 464a652f66..c0ddfe64e9 100644
--- a/doc/tex/ex-alert.tex
+++ b/doc/examples/ex-alert.c
@@ -1,4 +1,3 @@
-\begin{verbatim}
#include <stdio.h>
#include <stdlib.h>
@@ -29,4 +28,3 @@ void check_alert(gnutls_session_t session, int ret)
}
}
-\end{verbatim}
diff --git a/doc/tex/ex-cert-select.tex b/doc/examples/ex-cert-select.c
index 9e3ae809a4..fb65f03ecb 100644
--- a/doc/tex/ex-cert-select.tex
+++ b/doc/examples/ex-cert-select.c
@@ -1,4 +1,3 @@
-\begin{verbatim}
#include <stdio.h>
#include <stdlib.h>
@@ -240,4 +239,3 @@ static int cert_callback(gnutls_session_t session,
}
-\end{verbatim}
diff --git a/doc/tex/ex-client-resume.tex b/doc/examples/ex-client-resume.c
index 26c403b5b8..b75a40c892 100644
--- a/doc/tex/ex-client-resume.tex
+++ b/doc/examples/ex-client-resume.c
@@ -1,4 +1,3 @@
-\begin{verbatim}
#include <stdio.h>
#include <stdlib.h>
@@ -122,4 +121,3 @@ int main()
return 0;
}
-\end{verbatim}
diff --git a/doc/tex/ex-client-srp.tex b/doc/examples/ex-client-srp.c
index 548c3e541f..ff164c7897 100644
--- a/doc/tex/ex-client-srp.tex
+++ b/doc/examples/ex-client-srp.c
@@ -1,4 +1,3 @@
-\begin{verbatim}
#include <stdio.h>
#include <stdlib.h>
@@ -114,4 +113,3 @@ int main()
return 0;
}
-\end{verbatim}
diff --git a/doc/tex/ex-client2.tex b/doc/examples/ex-client2.c
index 9be2bf4037..8e762f8c73 100644
--- a/doc/tex/ex-client2.tex
+++ b/doc/examples/ex-client2.c
@@ -1,4 +1,3 @@
-\begin{verbatim}
#include <stdio.h>
#include <stdlib.h>
@@ -136,4 +135,3 @@ int main()
return 0;
}
-\end{verbatim}
diff --git a/doc/tex/ex-crq.tex b/doc/examples/ex-crq.c
index a307a935c3..a37c50b70b 100644
--- a/doc/tex/ex-crq.tex
+++ b/doc/examples/ex-crq.c
@@ -1,4 +1,3 @@
-\begin{verbatim}
#include <stdio.h>
#include <stdlib.h>
@@ -80,4 +79,3 @@ int main()
}
-\end{verbatim}
diff --git a/doc/tex/ex-pkcs12.tex b/doc/examples/ex-pkcs12.c
index 4ba81b9535..9b988b9f92 100644
--- a/doc/tex/ex-pkcs12.tex
+++ b/doc/examples/ex-pkcs12.c
@@ -1,4 +1,3 @@
-\begin{verbatim}
#include <stdio.h>
#include <stdlib.h>
@@ -121,4 +120,3 @@ int write_pkcs12(const gnutls_datum_t * cert, const gnutls_datum_t * pkcs8_key,
}
-\end{verbatim}
diff --git a/doc/tex/ex-serv-export.tex b/doc/examples/ex-serv-export.c
index b83d3cda3d..3f0d57d860 100644
--- a/doc/tex/ex-serv-export.tex
+++ b/doc/examples/ex-serv-export.c
@@ -1,4 +1,3 @@
-\begin{verbatim}
#include <stdio.h>
#include <stdlib.h>
@@ -323,4 +322,3 @@ static int wrap_db_delete(void *dbf, gnutls_datum_t key)
}
-\end{verbatim}
diff --git a/doc/tex/ex-serv-pgp.tex b/doc/examples/ex-serv-pgp.c
index 44f98ad231..b082a87224 100644
--- a/doc/tex/ex-serv-pgp.tex
+++ b/doc/examples/ex-serv-pgp.c
@@ -1,4 +1,3 @@
-\begin{verbatim}
#include <stdio.h>
#include <stdlib.h>
@@ -149,4 +148,3 @@ int main()
}
-\end{verbatim}
diff --git a/doc/tex/ex-serv-srp.tex b/doc/examples/ex-serv-srp.c
index 5fb7ba2796..e73baf048f 100644
--- a/doc/tex/ex-serv-srp.tex
+++ b/doc/examples/ex-serv-srp.c
@@ -1,4 +1,3 @@
-\begin{verbatim}
#include <stdio.h>
#include <stdlib.h>
@@ -167,4 +166,3 @@ int main()
}
-\end{verbatim}
diff --git a/doc/tex/ex-serv1.tex b/doc/examples/ex-serv1.c
index 8b935a2b1d..7f57d8cde0 100644
--- a/doc/tex/ex-serv1.tex
+++ b/doc/examples/ex-serv1.c
@@ -1,4 +1,3 @@
-\begin{verbatim}
#include <stdio.h>
#include <stdlib.h>
@@ -179,4 +178,3 @@ int main()
}
-\end{verbatim}
diff --git a/doc/tex/ex-session-info.tex b/doc/examples/ex-session-info.c
index cc0ffb8b8e..a68af6eebb 100644
--- a/doc/tex/ex-session-info.tex
+++ b/doc/examples/ex-session-info.c
@@ -1,4 +1,3 @@
-\begin{verbatim}
#include <stdio.h>
#include <stdlib.h>
@@ -82,4 +81,3 @@ int print_info(gnutls_session_t session)
return 0;
}
-\end{verbatim}
diff --git a/doc/tex/ex-verify.tex b/doc/examples/ex-verify.c
index 164ee58e03..a82a7baa13 100644
--- a/doc/tex/ex-verify.tex
+++ b/doc/examples/ex-verify.c
@@ -1,7 +1,4 @@
-\index{Verifying certificate chains}
-\label{ex:verify-chain}
-\begin{verbatim}
#include <stdio.h>
#include <gnutls/gnutls.h>
@@ -191,4 +188,3 @@ static void verify_last_cert(gnutls_x509_crt_t crt,
}
}
-\end{verbatim}
diff --git a/doc/tex/ex-x509-info.tex b/doc/examples/ex-x509-info.c
index a6b27a4c37..10f752eaf5 100644
--- a/doc/tex/ex-x509-info.tex
+++ b/doc/examples/ex-x509-info.c
@@ -1,4 +1,3 @@
-\begin{verbatim}
#include <stdio.h>
#include <stdlib.h>
@@ -97,4 +96,3 @@ static void print_x509_certificate_info(gnutls_session_t session)
}
}
-\end{verbatim}
diff --git a/doc/tex/figures/internals.dia b/doc/internals.dia
index 25088e7b15..25088e7b15 100644
--- a/doc/tex/figures/internals.dia
+++ b/doc/internals.dia
Binary files differ
diff --git a/doc/tex/figures/layers.dia b/doc/layers.dia
index ad1384e35f..ad1384e35f 100644
--- a/doc/tex/figures/layers.dia
+++ b/doc/layers.dia
Binary files differ
diff --git a/doc/tex/figures/pgp1.dia b/doc/pgp1.dia
index 3c767cde09..3c767cde09 100644
--- a/doc/tex/figures/pgp1.dia
+++ b/doc/pgp1.dia
Binary files differ
diff --git a/doc/scripts/Makefile.am b/doc/scripts/Makefile.am
index 67b9fead24..a07d476aec 100644
--- a/doc/scripts/Makefile.am
+++ b/doc/scripts/Makefile.am
@@ -1 +1 @@
-EXTRA_DIST = gdoc sort1.pl
+EXTRA_DIST = gdoc sort2.pl
diff --git a/doc/scripts/sort1.pl b/doc/scripts/sort1.pl
deleted file mode 100755
index 9d31ed4e81..0000000000
--- a/doc/scripts/sort1.pl
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/perl
-
-sub key_of_record {
- local($record) = @_;
-
- # Split record into lines:
- my @lines = split /\n/, $record;
-
- my ($i) = 1;
- my ($key) = $lines[$i];
-
- while( !($key =~ m/^\\label(.*)/) && ($i < 5)) { $i=$i+1; $key = $lines[$i]; }
-
- return $key;
-}
-
-$/="\n\n\n"; # Records are separated by blank lines.
-@records = <>; # Read in whole file, one record per array element.
-
-@records = sort { key_of_record($a) cmp key_of_record($b) } @records;
-print @records;
diff --git a/doc/tex/.cvsignore b/doc/tex/.cvsignore
deleted file mode 100644
index 2ca808de78..0000000000
--- a/doc/tex/.cvsignore
+++ /dev/null
@@ -1,24 +0,0 @@
-Makefile
-Makefile.in
-gnutls-api.tex
-gnutls-extra-api.tex
-*.aux
-*.ps
-*.dvi
-*.toc
-*.log
-*.png
-*.html
-WARNINGS
-*.css
-asn1-api.tex
-*.pl
-cover.tex
-error_codes.tex
-*.bbl
-*.blg
-*.idx
-*.ilg
-*.ind
-pgp-api.tex
-x509-api.tex
diff --git a/doc/tex/Makefile.am b/doc/tex/Makefile.am
deleted file mode 100644
index 5ca4392194..0000000000
--- a/doc/tex/Makefile.am
+++ /dev/null
@@ -1,80 +0,0 @@
-EXTRA_DIST = gnutls.tex gnutls.ps \
- fdl.tex cover.tex.in gnutls-logo.ps layers.eps pgp-fig1.eps \
- x509-1.eps internals.eps gnutls.bib $(TEX_OBJECTS)
-
-# If you add any examples here, also change the ../examples/Makefile.am
-# to include the C source.
-EXAMPLE_OBJECTS = ex-alert.tex ex-client-srp.tex ex-serv-export.tex \
- ex-client2.tex ex-x509-info.tex ex-verify.tex \
- ex-serv1.tex ex-client-resume.tex ex-serv-srp.tex \
- ex-serv-pgp.tex ex-cert-select.tex \
- ex-crq.tex ex-session-info.tex ex-pkcs12.tex
-
-TEX_OBJECTS = gnutls.tex ../../lib/gnutls-api.tex fdl.tex ../../lib/x509/x509-api.tex \
- ../../libextra/openpgp/pgp-api.tex \
- macros.tex cover.tex ciphersuites.tex handshake.tex translayer.tex \
- auth.tex ciphers.tex errors.tex layers.tex alert.tex record.tex \
- funcs.tex examples.tex ../../libextra/gnutls-extra-api.tex \
- memory.tex cert_auth.tex howto.tex openssl.tex \
- appendix.tex x509cert.xml.tex pgpcert.xml.tex \
- programs.tex library.tex certificate.tex record_weaknesses.tex \
- tlsintro.tex compression.tex $(EXAMPLE_OBJECTS) preface.tex \
- tls_extensions.tex srp.tex preparation.tex callbacks.tex \
- supported_ciphersuites.tex
-
-gnutls.html: build_api_pgp build_api_lib build_api_x509 build_api_extra $(TEX_OBJECTS)
- -latex2html gnutls.tex -no_navigation -split 0 \
- -local_icons -html_version 3.2,math -info "" -white
-
-build_api_lib:
- cd ../../lib && make gnutls-api.tex
-
-build_api_x509:
- cd ../../lib/x509 && make x509-api.tex
-
-build_api_pgp:
- cd ../../libextra/openpgp && make pgp-api.tex
-
-build_api_extra:
- cd ../../libextra && make gnutls-extra-api.tex
-
-error_codes.tex: ../../lib/gnutls_errors_int.h ../../lib/gnutls_errors.c
- -../../src/retcodes > error_codes.tex
-
-gnutls-api.tex: ../../lib/gnutls-api.tex
- -../scripts/sort1.pl < ../../lib/gnutls-api.tex > gnutls-api.tex
-
-gnutls-extra-api.tex: ../../libextra/gnutls-extra-api.tex
- -../scripts/sort1.pl < ../../libextra/gnutls-extra-api.tex > gnutls-extra-api.tex
-
-x509-api.tex: ../../lib/x509/x509-api.tex
- -../scripts/sort1.pl < ../../lib/x509/x509-api.tex > x509-api.tex
-
-pgp-api.tex: ../../libextra/openpgp/pgp-api.tex
- -../scripts/sort1.pl < ../../libextra/openpgp/pgp-api.tex > pgp-api.tex
-
-DOC_OBJECTS = pgp-api.tex x509-api.tex gnutls-api.tex gnutls-extra-api.tex error_codes.tex
-
-gnutls.ps: build_api_lib build_api_x509 build_api_extra $(TEX_OBJECTS) $(DOC_OBJECTS)
- -latex gnutls.tex
- -bibtex gnutls
- -makeindex gnutls.idx
- -latex gnutls.tex && latex gnutls.tex && dvips gnutls.dvi -o gnutls.ps
-
-clean:
- @-rm *.log *.aux *.toc *.png *.old *.html *.css *~
- @-rm *.pl gnutls.dvi
- @-rm WARNINGS gnutls-api.tex gnutls-extra-api.tex error_codes.tex x509-api.tex
-
-examples: $(EXAMPLE_OBJECTS)
- @echo "Generating example programs... "
- @echo "They will be placed in doc/examples/ directory."
- @echo ""
- @for i in $(EXAMPLE_OBJECTS); do \
- out=`echo -n $$i|sed s/\.tex//`; \
- cat $$i|grep -v "^\\\\" > ../examples/$$out.c; \
- done
-
-dist-hook: examples
-
-.PHONY: build_api_lib build_api_x509 build_api_extra
diff --git a/doc/tex/alert.tex b/doc/tex/alert.tex
deleted file mode 100644
index 58ae1727c1..0000000000
--- a/doc/tex/alert.tex
+++ /dev/null
@@ -1,30 +0,0 @@
-\section{The TLS alert protocol}
-\label{alert}
-
-The Alert\index{TLS protocols!Alert} protocol
-is there to allow signals to be sent between peers.
-These signals are mostly used to inform the peer about the cause of
-a protocol failure. Some of these signals are used internally by the
-protocol and the application protocol does not have to cope with them
-(see \emph{GNUTLS\_A\_CLOSE\_NOTIFY}), and others refer to the
-application protocol solely (see \emph{GNUTLS\_A\_USER\_CANCELLED}).
-An alert signal includes a level indication which may be either
-fatal or warning. Fatal alerts always terminate the current connection,
-and prevent future renegotiations using the current session ID.
-
-\par The alert messages are protected by the record protocol, thus
-the information that is included does not leak. You must take
-extreme care for the alert information not to leak to a possible attacker,
-via public log files etc.
-
-\par
-\begin{itemize}
-\item \printfunc{gnutls_alert_send}{gnutls\_alert\_send}:
-to send an alert signal.
-\item \printfunc{gnutls_error_to_alert}{gnutls\_error\_to\_alert}:
-to map a gnutls error number to an alert signal.
-\item \printfunc{gnutls_alert_get}{gnutls\_alert\_get}:
-returns the last received alert.
-\item \printfunc{gnutls_alert_get_name}{gnutls\_alert\_get\_name}:
-returns the name, in a character array, of the given alert.
-\end{itemize}
diff --git a/doc/tex/appendix.tex b/doc/tex/appendix.tex
deleted file mode 100644
index d25a7c61c2..0000000000
--- a/doc/tex/appendix.tex
+++ /dev/null
@@ -1,21 +0,0 @@
-
-\chapter{Certificate to XML\index{Certificate to XML convertion} convertion functions}
-
-\label{ap:xml}
-
-This appendix contains some example output of the XML convertion
-functions:
-\begin{itemize}
-\item \printfunc{gnutls_x509_crt_to_xml}{gnutls\_x509\_crt\_to\_xml}
-\item \printfunc{gnutls_openpgp_key_to_xml}{gnutls\_openpgp\_key\_to\_xml}
-\end{itemize}
-
-\section{An X.509 certificate}
-\input{x509cert.xml}
-
-\section{An OpenPGP key}
-\input{pgpcert.xml}
-
-\input{error_codes}
-
-\input{supported_ciphersuites}
diff --git a/doc/tex/auth.tex b/doc/tex/auth.tex
deleted file mode 100644
index 5dddd552ed..0000000000
--- a/doc/tex/auth.tex
+++ /dev/null
@@ -1,150 +0,0 @@
-\chapter{Authentication methods}
-
-The \tls{} protocol provides confidentiality and encryption, but
-also offers authentication, which is a prerequisite
-for a secure connection.
-The available authentication methods in \gnutls{} are:
-\begin{enumerate}
- \item Certificate authentication
- \item Anonymous authentication
- \item SRP authentication
-\end{enumerate}
-
-\input{cert_auth}
-
-\section{Anonymous authentication\index{Anonymous authentication}}
-The anonymous key exchange perform encryption but there is no indication of
-the identity of the peer. This kind of authentication is vulnerable to a
-man in the middle attack,
-but this protocol can be used even if there is no prior communication and
-trusted parties with the peer, or when full anonymity is required.
-Unless really required, do not use anonymous authentication.
-Available key exchange methods are shown in \hyperref{figure}{figure }{}{fig:anon}.
-\par
-Note that the key exchange methods for anonymous authentication
-require Diffie Hellman parameters to be generated and associated with an
-anonymous credentials structure.
-
-\begin{figure}[hbtp]
-\begin{tabular}{|l|p{9cm}|}
-
-\hline
-ANON\_DH & This algorithm exchanges Diffie Hellman parameters.
-\\
-\hline
-\end{tabular}
-
-\caption{Supported anonymous key exchange algorithms}
-\label{fig:anon}
-
-\end{figure}
-
-\input{srp}
-
-\section{Authentication and credentials}
-In \gnutls{} every key exchange method is associated with a
-credentials type. So in order to enable to enable a specific
-method, the corresponding credentials type should be initialized
-and set using \printfunc{gnutls_credentials_set}{gnutls\_credentials\_set}.
-A mapping is shown in \hyperref{figure}{figure }{}{fig:kxcred}.
-
-\begin{figure}[hbtp]
-\begin{tabular}{|l|l|p{4.5cm}|}
-
-\hline
-\bf{Key exchange} & \bf{Client credentials} & \bf{Server credentials}
-\\
-\hline
-\hline
-KX\_RSA &&
-\\
-\cline{1-1}
-KX\_DHE\_RSA & CRD\_CERTIFICATE & CRD\_CERTIFICATE
-\\
-\cline{1-1}
-KX\_DHE\_DSS &&
-\\
-\cline{1-1}
-KX\_RSA\_EXPORT &&
-\\
-\hline
-KX\_SRP\_RSA & CRD\_SRP & CRD\_SRP
-\\
-\cline{1-1}
-KX\_SRP\_DSS && CRD\_CERTIFICATE
-\\
-\hline
-KX\_SRP & CRD\_SRP & CRD\_SRP
-\\
-\hline
-KX\_ANON\_DH & CRD\_ANON & CRD\_ANON
-\\
-\hline
-\end{tabular}
-
-\caption{Key exchange algorithms and the corresponding credential types}
-\label{fig:kxcred}
-
-\end{figure}
-
-
-
-\section{Parameters stored in credentials}
-
-Several parameters such as the ones used for Diffie-Hellman authentication
-are stored within the credentials structures, so all sessions can access
-them. Those parameters are stored in structures such as {\bf gnutls\_dh\_params}
-and {\bf gnutls\_rsa\_params}, and functions like
-\printfunc{gnutls_certificate_set_dh_params}{gnutls\_certificate\_set\_dh\_params}
-and
-\printfunc{gnutls_certificate_set_rsa_export_params}{gnutls\_certificate\_set\_rsa\_export\_params}
-can be used to associate those parameters with the given credentials structure.
-\par
-Since those parameters need to be renewed from time to time and a
-global structure such as the credentials, may not be easy to modify
-since it is accessible by all sessions, an alternative interface is
-available using a callback function.
-This can be set using the
-\printfunc{gnutls_certificate_set_params_function}{gnutls\_certificate\_set\_params\_function}.
-An example is shown below.
-
-\begin{verbatim}
-#include <gnutls.h>
-
-gnutls_rsa_params rsa_params;
-gnutls_dh_params dh_params;
-
-/* This function will be called once a session requests DH
- * or RSA parameters. The parameters returned (if any) will
- * be used for the first handshake only.
- */
-static int get_params( gnutls_session session, gnutls_params_type_t type,
- gnutls_params_st *st)
-{
- if (type == GNUTLS_PARAMS_RSA_EXPORT)
- st->params.rsa_export = rsa_params;
- else if (type == GNUTLS_PARAMS_DH)
- st->params.dh = dh_params;
- else return -1;
-
- st->type = type;
- /* do not deinitialize those parameters.
- */
- st->deinit = 0;
-
- return 0;
-}
-
-int main()
-{
- gnutls_certificate_credentials_t cert_cred;
-
- initialize_params();
-
- /* ...
- */
-
- gnutls_certificate_set_params_function( cert_cred, get_params);
-
-}
-\end{verbatim}
diff --git a/doc/tex/callbacks.tex b/doc/tex/callbacks.tex
deleted file mode 100644
index edd718a802..0000000000
--- a/doc/tex/callbacks.tex
+++ /dev/null
@@ -1,23 +0,0 @@
-\section{Callback functions}
-\index{Callback functions}
-
-There are several cases where \gnutls{} may need some out of band input from
-your program. This is now implemented using some callback functions,
-which your program is expected to register.
-
-An example of this type of functions are the push and pull callbacks
-which are used to specify the functions that will retrieve and send
-data to the transport layer.
-\begin{itemize}
-\item \printfunc{gnutls_transport_set_push_function}{gnutls\_transport\_set\_push\_function}
-\item \printfunc{gnutls_transport_set_pull_function}{gnutls\_transport\_set\_pull\_function}
-\end{itemize}
-
-Other callback functions such as the one set by
-\printfunc{gnutls_srp_set_server_credentials_function}{gnutls\_srp\_set\_server\_credentials\_function},
-may require more complicated input, including data to be allocated.
-These callbacks should allocate and free memory using the functions shown below.
-\begin{itemize}
-\item \printfunc{gnutls_malloc}{gnutls\_malloc}
-\item \printfunc{gnutls_free}{gnutls\_free}
-\end{itemize}
diff --git a/doc/tex/cert_auth.tex b/doc/tex/cert_auth.tex
deleted file mode 100644
index 2e32918b64..0000000000
--- a/doc/tex/cert_auth.tex
+++ /dev/null
@@ -1,127 +0,0 @@
-\section{Certificate authentication}
-
-% x.509 section
-\subsection*{Authentication using X.509\index{X.509 certificates} certificates}
-
-X.509 certificates contain the public parameters,
-of a public key algorithm, and an authority's signature, which proves the
-authenticity of the parameters.
-See section \ref{x509:trust} on page \pageref{x509:trust} for more information
-on X.509 protocols.
-
-% openpgp section
-
-\subsection*{Authentication using OpenPGP\index{OpenPGP!Keys} keys}
-\label{sec:pgp}
-
-OpenPGP keys also contain public parameters of a public key algorithm, and
-signatures from several other parties. Depending on whether a signer is
-trusted the key is considered trusted or not.
-\gnutls{}'s OpenPGP authentication implementation is based on the
-\cite{TLSPGP} proposal.
-
-See \ref{pgp:trust} on page \pageref{pgp:trust} for more information
-about the OpenPGP trust model. For a more detailed introduction to OpenPGP
-and GnuPG see \cite{GPGH}.
-
-\subsection*{Using certificate authentication}
-
-In \gnutls{} both the OpenPGP and X.509 certificates are part of the
-certificate authentication and thus are handled using a common API.
-\par
-When using certificates the server is required
-to have at least one certificate and private key pair. A client
-may or may not have such a pair. The certificate and key pair
-should be loaded, before any \tls{} session is initialized,
-in a certificate credentials structure. This should be done by using
-\printfunc{gnutls_certificate_set_x509_key_file}{gnutls\_certificate\_set\_x509\_key\_file}
-or
-\printfunc{gnutls_certificate_set_openpgp_key_file}{gnutls\_certificate\_set\_openpgp\_key\_file}
-depending on the certificate type.
-In the X.509 case, the functions will also accept and use a certificate list
-that leads to a trusted authority. The certificate list must be ordered in such
-way that every certificate certifies the one before it. The trusted authority's
-certificate need not to be included, since the peer should possess it already.
-\par
-As an alternative, a callback may be used
-so the server or the client specify the certificate and the key at the handshake time.
-That callback can be set using the functions:
-\begin{itemize}
-\item \printfunc{gnutls_certificate_server_set_retrieve_function}{gnutls\_certificate\_server\_set\_retrieve\_function}
-\item \printfunc{gnutls_certificate_client_set_retrieve_function}{gnutls\_certificate\_client\_set\_retrieve\_function}
-\end{itemize}
-Certificate verification is possible by loading the trusted authorities
-into the credentials structure by using
-\printfunc{gnutls_certificate_set_x509_trust_file}{gnutls\_certificate\_set\_x509\_trust\_file}
-or
-\printfunc{gnutls_certificate_set_openpgp_keyring_file}{gnutls\_certificate\_set\_openpgp\_keyring\_file}
-for openpgp keys. Note however that the peer's certificate is not automatically verified,
-you should call \printfunc{gnutls_certificate_verify_peers}{gnutls\_certificate\_verify\_peers},
-after a successful handshake,
-to verify the signatures of the certificate. An alternative way, which reports
-a more detailed verification output, is to use
-\printfunc{gnutls_certificate_get_peers}{gnutls\_certificate\_get\_peers} to obtain
-the raw certificate of the peer and verify it using the functions discussed in
-section \ref{x509:trust} on page \pageref{x509:trust}.
-
-\par
-In a handshake, the negotiated cipher suite depends on the
-certificate's parameters, so not all key exchange methods will be available
-with some certificates. \gnutls{} will disable ciphersuites that are not compatible with the key, or
-the enabled authentication methods. For example keys marked as sign-only, will not be able to
-access the plain RSA ciphersuites, but only the DHE\_RSA ones. It is
-recommended not to use RSA keys for both signing and encryption. If possible
-use the same key for the DHE\_RSA and RSA\_EXPORT ciphersuites, which use signing,
-and a different key for the plain RSA ciphersuites, which use encryption.
-All the key exchange methods shown in \hyperref{figure}{figure }{}{fig:cert} are
-available in certificate authentication.
-
-Note that the DHE key exchange methods are generally slower\footnote{It really depends
-on the group used. Primes with lesser bits are always faster, but also easier to break.
-Values less than 768 should not be used today}
-than plain RSA and require Diffie Hellman parameters to be generated and associated with a credentials
-structure. The RSA-EXPORT method also requires 512 bit RSA parameters, that should
-also be generated and associated with the credentials structure. See the functions:
-\begin{itemize}
-\item \printfunc{gnutls_dh_params_generate2}{gnutls\_dh\_params\_generate2}
-\item \printfunc{gnutls_certificate_set_dh_params}{gnutls\_certificate\_set\_dh\_params}
-\item \printfunc{gnutls_rsa_params_generate2}{gnutls\_rsa\_params\_generate2}
-\item \printfunc{gnutls_certificate_set_rsa_export_params}{gnutls\_certificate\_set\_rsa\_export\_params}
-\end{itemize}
-
-
-\begin{figure}[hbtp]
-\index{Key exchange algorithms}
-\begin{tabular}{|l|p{9cm}|}
-\hline
-RSA & The RSA algorithm is used to encrypt a key and send it to the peer.
-The certificate must allow the key to be used for encryption.
-\\
-\hline
-RSA\_EXPORT & The RSA algorithm is used to encrypt a key and send it to the peer.
-In the EXPORT algorithm, the server signs temporary RSA parameters of 512
-bits -- which are considered weak -- and sends them to the client.
-\\
-\hline
-DHE\_RSA & The RSA algorithm is used to sign Ephemeral Diffie Hellman
-parameters which are sent to the peer. The key in the certificate must allow
-the key to be used for signing. Note that key exchange algorithms which use
-Ephemeral Diffie Hellman parameters, offer perfect forward secrecy. That means
-that even if the private key used for signing is compromised, it cannot be
-used to reveal past session data.
-\\
-\hline
-DHE\_DSS & The DSS algorithm is used to sign Ephemeral Diffie Hellman
-parameters which are sent to the peer. The certificate must contain DSA
-parameters to use this key exchange algorithm. DSS stands for Digital Signature
-Standard.
-\\
-\hline
-\end{tabular}
-
-\caption{Key exchange algorithms for OpenPGP and X.509 certificates.}
-\label{fig:cert}
-
-\end{figure}
-
-
diff --git a/doc/tex/certificate.tex b/doc/tex/certificate.tex
deleted file mode 100644
index e93b032f59..0000000000
--- a/doc/tex/certificate.tex
+++ /dev/null
@@ -1,256 +0,0 @@
-\chapter{More on certificate authentication}
-\index{Certificate authentication}
-\label{certificate}
-
-\section{The X.509\index{X.509 certificates} trust model}
-\label{x509:trust}
-
-The X.509 protocols rely on a hierarchical trust model. In this trust model
-Certification Authorities (CAs) are used to certify entities.
-Usually more than one certification authorities exist, and certification
-authorities may certify other authorities to issue certificates as well,
-following a hierarchical model.
-
-\begin{figure}[tbp]
-\caption{X.509 certification}
-\includegraphics[height=9.5cm,width=7cm]{x509-1}
-\label{fig:x509-1}
-\end{figure}
-
-One needs to trust one or more CAs for his secure
-communications. In that case only the certificates issued by the trusted
-authorities are acceptable. See figure \ref{fig:x509-1} for a typical example.
-The API for handling X.509 certificates is described at section \ref{sec:x509api}
-on page \pageref{sec:x509api}. Some examples are listed below.
-
-
-
-\subsection{X.509 certificates}
-An X.509 certificate usually contains information about the certificate
-holder, the signer, a unique serial number, expiration dates and some other
-fields \cite{RFC3280} as shown in the table below.
-
-\label{fig:x509}
-\begin{tabular}{|l||l|}
-\hline
-version & the field that indicates the version of the certificate.
-\\
-\hline
-serialNumber & this field holds a unique serial number per certificate.
-\\
-\hline
-issuer & holds the issuer's distinguished name
-\\
-\hline
-validity & the activation and expiration dates.
-\\
-\hline
-subject & the subject's distinguished name of the certificate.
-\\
-\hline
-\rowcolor[gray]{0.9}
-extensions & The extensions are fields only present in version 3 certificates.
-\\
-\hline
-\end{tabular}
-\\
-\\
-\par
-The certificate's \emph{subject or issuer name} is not just a single string. It is
-a Distinguished name and in the ASN.1 notation is a sequence of several object
-IDs with their corresponding values. Some of available OIDs to be used in an X.509
-distinguished name are defined in \emph{gnutls/x509.h}.
-\\
-\\
-The \emph{Version} field in a certificate has values either 1 or 3 for version 3 certificates.
-Version 1 certificates do not support the extensions field so it is not possible
-to distinguish a CA from a person, thus their usage should be avoided.
-\\
-\\
-The \emph{validity} dates are there to indicate the date that the specific certificate
-was activated and the date the certificate's key would be considered invalid.
-\\
-\\
-Certificate \emph{extensions} are there to include information about the certificate's
-subject that did not fit in the typical certificate fields. Those may be
-e-mail addresses, flags that indicate whether the belongs to a CA etc.
-All the supported X.509 version 3 extensions are shown in the table below.
-
-\label{fig:x509_ext}
-\begin{tabular}{|l|l|p{6cm}|}
-\hline
-subject key id & 2.5.29.14 & An identifier of the key of the subject.
-\\
-\hline
-authority key id & 2.5.29.35 & An identifier of the authority's key used to sign the certificate.
-\\
-\hline
-subject alternative name & 2.5.29.17 & Alternative names to subject's distinguished name.
-\\
-\hline
-key usage & 2.5.29.15 & Constraints the key's usage of the certificate.
-\\
-\hline
-extended key usage & 2.5.29.37 & Constraints the purpose of the certificate.
-\\
-\hline
-basic constraints & 2.5.29.19 & Indicates whether this is a CA certificate or not.
-\\
-\hline
-CRL distribution points & 2.5.29.31 & This extension is set by the CA, in order to inform about the issued CRLs.
-\\
-\hline
-\end{tabular}
-\\
-\\
-\par
-In \gnutls{} the X.509 certificate structures are handled using the
-\emph{gnutls\_x509\_crt\_t} type and the corresponding private keys with
-the \emph{gnutls\_x509\_privkey\_t} type.
-All the available functions for X.509 certificate handling have their
-prototypes in \emph{gnutls/x509.h}. An example program to demonstrate the
-X.509 parsing capabilities can be found at section \ref{ex:x509-info} on
-page \pageref{ex:x509-info}.
-
-\subsection{Verifying X.509 certificate paths}
-Verifying certificate\index{Verifying certificate paths} paths is important
-in X.509 authentication. For this purpose the function
-\printfunc{gnutls_x509_crt_verify}{gnutls\_x509\_crt\_verify} is provided. The
-output of this function is the bitwise OR of the elements of the
-``gnutls\_certificate\_status'' enumeration. A detailed description of
-these elements can be found in figure \ref{fig:verify}.
-The function \printfunc{gnutls_certificate_verify_peers}{gnutls\_certificate\_verify\_peers}
-is equivalent to the previous one, and will verify the peer's certificate in a TLS session.
-
-\begin{figure}[hbtp]
-\begin{tabular}{|l|p{7cm}|}
-
-\hline
-CERT\_INVALID & The certificate is not signed by one of the known authorities, or
-the signature is invalid.
-\\
-\hline
-CERT\_REVOKED & The certificate has been revoked.
-\\
-\hline
-CERT\_SIGNER\_NOT\_FOUND & The certificate's issuer is not known.
-\\
-\hline
-\end{tabular}
-\caption{X.509 certificate verification}
-\label{fig:verify}
-\end{figure}
-
-\par
-Although the verification of a certificate path indicates that the
-certificate is signed by trusted authority, does not reveal anything
-about the peer's identity. It is required to verify if the certificate's
-owner is the one you expect. See \cite{RFC2818} and section \ref{ex:verify-chain}
-on page \pageref{ex:verify-chain} for an example.
-
-
-\subsection{PKCS \#10 certificate requests\index{Certificate requests}\index
-{PKCS \#10}}
-A certificate request is a structure, which
-contain information about an applicant of a certificate service.
-It usually contains a private key, a distinguished name and secondary
-data such as a challenge password. \gnutls{} supports the requests
-defined in PKCS \#10 \cite{RFC2986}. Other certificate request's format such as
-PKIX's RFC2511 \cite{RFC2511} are not currently supported.
-
-In \gnutls{} the PKCS \#10 structures are handled using the
-\emph{gnutls\_x509\_crq\_t} type.
-An example of a certificate request generation can be found at section \ref{ex:crq}
-on page \pageref{ex:crq}.
-
-\subsection{PKCS \#12 structures\index{PKCS \#12}}
-A PKCS \#12 structure \cite{PKCS12} usually contains a user's private keys and
-certificates. It is commonly used in browsers to export and import
-the user's identities.
-\par
-In \gnutls{} the PKCS \#12 structures are handled using the
-\emph{gnutls\_pkcs12\_t} type. This is an abstract type that
-may hold several \emph{gnutls\_pkcs12\_bag\_t} types. The Bag types are the
-holders of the actual data, which may be certificates, private
-keys or encrypted data. An Bag of type encrypted should be decrypted
-in order for its data to be accessed.
-
-An example of a PKCS \#12 structure generation can be found at section \ref{ex:pkcs12}
-on page \pageref{ex:pkcs12}.
-
-\section{The OpenPGP\index{OpenPGP!Keys} trust model}
-\label{pgp:trust}
-
-The OpenPGP key authentication relies on a distributed trust model, called
-the "web of trust". The "web of trust" uses a decentralized system of
-trusted introducers, which are the same as a CA. OpenPGP allows anyone to
-sign anyone's else public key. When Alice signs Bob's key, she is introducing
-Bob's key to anyone who trusts Alice. If someone trusts Alice to introduce
-keys, then Alice is a trusted introducer in the mind of that observer.
-
-\begin{figure}[hbtp]
-\includegraphics[height=9cm,width=11cm]{pgp-fig1}
-\label{fig:pgp1}
-\end{figure}
-
-For example: If David trusts Alice to be an introducer, and Alice signed
-Bob's key, Dave also trusts Bob's key to be the real one.
-
-There are some key points that are important in that model. In the example
-Alice has to sign Bob's key, only if she is sure that the key belongs
-to Bob. Otherwise she may also make Dave falsely believe that this
-is Bob's key. Dave has also the responsibility to know who to trust.
-This model is similar to real life relations.
-
-Just see how Charlie behaves in the previous example. Although he has
-signed Bob's key - because he knows, somehow, that it belongs to Bob -
-he does not trust Bob to be an introducer. Charlie decided to trust only
-Kevin, for some reason. A reason could be that Bob is lazy enough, and
-signs other people's keys without being sure that they belong to the
-actual owner.
-
-\subsection*{OpenPGP keys}
-In \gnutls{} the OpenPGP key structures \cite{RFC2440} are handled using the
-\emph{gnutls\_openpgp\_key\_t} type and the corresponding private keys with
-the \emph{gnutls\_openpgp\_privkey\_t} type. All the prototypes for the key handling
-functions can be found at \emph{gnutls/openpgp.h}.
-
-\subsection*{Verifying an OpenPGP key}
-The verification functions of OpenPGP keys, included in \gnutls{},
-are simple ones, and do not use the features of the ``web of trust''.
-For that reason, if the verification needs are complex,
-the assistance of external tools like GnuPG and GPGME\footnote{
-Available at \htmladdnormallink{http://www.gnupg.org/related\_software/gpgme/}}
-is recommended.
-\par
-There are two verification functions in \gnutls{},
-The \printfunc{gnutls_openpgp_key_verify_ring}{gnutls\_openpgp\_key\_verify\_ring}
-and the \printfunc{gnutls_openpgp_key_verify_trustdb}{gnutls\_openpgp\_key\_verify\_trustdb}.
-The first one checks an OpenPGP key against a given set of public keys (keyring) and
-returns the key status. The key verification status is the same as in X.509 certificates,
-although the meaning and interpretation are different. For example an OpenPGP key may
-be valid, if the self signature is ok, even if no signers were found.
-The meaning of verification status is shown in figure \ref{fig:pgp_verify}.
-\\
-The latter function checks a GnuPG trust database for the given key. This function does not
-check the key signatures, only checks for disabled and revoked keys.
-
-\begin{figure}[hbtp]
-\begin{tabular}{|l|p{7cm}|}
-
-\hline
-CERT\_INVALID & A signature on the key is invalid. That means that the key was modified
-by somebody, or corrupted during transport.
-\\
-\hline
-CERT\_REVOKED & The key has been revoked by its owner.
-\\
-\hline
-CERT\_SIGNER\_NOT\_FOUND & The key was not signed by a known signer.
-\\
-\hline
-\end{tabular}
-\caption{OpenPGP key verification}
-\label{fig:pgp_verify}
-\end{figure}
-
diff --git a/doc/tex/ciphers.tex b/doc/tex/ciphers.tex
deleted file mode 100644
index 6c4c5d48bc..0000000000
--- a/doc/tex/ciphers.tex
+++ /dev/null
@@ -1,65 +0,0 @@
-\subsection*{Encryption algorithms used in the record layer}
-\index{Symmetric encryption algorithms}
-Confidentiality in the record layer is achieved by using symmetric block
-encryption algorithms like {\bf 3DES}, {\bf AES\footnote{AES or Advanced
-Encryption Standard is actually the RIJNDAEL algorithm. This is the
-algorithm that replaced DES.}}, or
-stream algorithms like {\bf ARCFOUR\_128\footnote{ARCFOUR\_128 is a compatible
-algorithm with RSA's RC4 algorithm, which is considered to be a trade secret.}} See \hyperref{fig:ciphers}{figure }{}{fig:ciphers} for a complete list.
-Ciphers are encryption algorithms that use a single, secret, key
-to encrypt and decrypt data. Block algorithms in TLS also provide protection
-against statistical analysis of the data.
-Thus, if you're using the \tlsI{} protocol, a random number of blocks will be
-appended to data, to prevent eavesdroppers from guessing the
-actual data size.
-
-\begin{figure}[hbtp]
-\begin{tabular}{|l|p{9cm}|}
-
-\hline
-3DES\_CBC & 3DES\_CBC is the DES block cipher algorithm used with triple
-encryption (EDE). Has 64 bits block size and is used in CBC mode.
-\\
-\hline
-ARCFOUR\_128 & ARCFOUR is a fast stream cipher.
-\\
-\hline
-ARCFOUR\_40 & This is the ARCFOUR cipher that is fed with a 40 bit key,
-which is considered weak.
-\\
-\hline
-AES\_CBC & AES or RIJNDAEL is the block cipher algorithm that replaces
-the old DES algorithm. Has
-128 bits block size and is used in CBC mode. This is not officially
-supported in TLS.
-\\
-\hline
-\end{tabular}
-\caption{Supported cipher algorithms}
-\label{fig:ciphers}
-\end{figure}
-
-
-
-\addvspace{1.5cm}
-
-\begin{figure}[hbtp]
-\begin{tabular}{|l|p{9cm}|}
-
-\hline
-MAC\_MD5 & MD5 is a cryptographic hash algorithm designed by Ron Rivest. Outputs 128 bits of data.
-\\
-\hline
-MAC\_SHA & SHA is a cryptographic hash algorithm designed by NSA. Outputs 160 bits of data.
-\\
-\hline
-MAC\_RMD160 & RIPEMD is a cryptographic hash algorithm developed in the framework
-of the EU project RIPE. Outputs 160 bits of data.
-\\
-\hline
-\end{tabular}
-\caption{Supported MAC algorithms}
-\index{MAC algorithms}
-\label{fig:mac}
-\end{figure}
-
diff --git a/doc/tex/ciphersuites.tex b/doc/tex/ciphersuites.tex
deleted file mode 100644
index 87c3a99135..0000000000
--- a/doc/tex/ciphersuites.tex
+++ /dev/null
@@ -1,27 +0,0 @@
-\subsection*{TLS cipher suites}
-\par
-The Handshake Protocol of \tlsI{} negotiates cipher suites
-of the form \\
-{\bf TLS\_DHE\_RSA\_WITH\_3DES\_CBC\_SHA}.
-The usual cipher suites contain these parameters:
-\begin{itemize}
-\item The key exchange algorithm ---DHE\_RSA in the example.
-\item The Symmetric encryption algorithm and mode ---3DES\_CBC in this
-example.
-\item The MAC\footnote{MAC stands for Message Authentication Code. It can
-be described as a keyed hash algorithm. See RFC2104.} algorithm used for authentication.
-MAC\_SHA is used in the above example.
-\end{itemize}
-
-The cipher suite negotiated in the handshake protocol will affect
-the Record Protocol, by enabling encryption and data authentication.
-Note that you should not over rely on \tls{} to negotiate the strongest
-available cipher suite. Do not enable ciphers and algorithms that you consider weak.
-\par
-The priority functions, dicussed above, allow the application layer to enable
-and set priorities on the individual ciphers. It may imply that all combinations of ciphersuites
-are allowed, but this is not true. For several reasons, not discussed here, some combinations
-were not defined in the \tls{} protocol. The supported ciphersuites are shown
-in appendix \ref{ap:ciphersuites} on page \pageref{ap:ciphersuites}.
-
-\addvspace{1.5cm}
diff --git a/doc/tex/compression.tex b/doc/tex/compression.tex
deleted file mode 100644
index 508fa07619..0000000000
--- a/doc/tex/compression.tex
+++ /dev/null
@@ -1,39 +0,0 @@
-\subsection*{Compression algorithms used in the record layer}
-\index{Compression algorithms}
-The TLS' record layer also supports compression. The algorithms
-implemented in \gnutls{} can be found in figure \ref{fig:compression}.
-All the algorithms except for DEFLATE which is referenced in \cite{TLSCOMP}, should be
-considered as \gnutls' extensions\footnote{You should use \printfunc{gnutls_handshake_set_private_extensions}{gnutls\_handshake\_set\_private\_extensions}
-to enable private extensions.}, and
-should be advertised only when the peer is known to have a compliant client,
-to avoid interoperability problems.
-\par
-The included algorithms perform really good when text, or other
-compressable data are to be transfered, but offer nothing on already
-compressed data, such as compressed images, zipped archives etc.
-These compression algorithms, may be useful in high bandwidth TLS tunnels,
-and in cases where network usage has to be minimized. As a drawback,
-compression increases latency.
-
-\par
-The record layer compression in \gnutls{} is implemented based on
-the paper \cite{TLSCOMP}.
-
-\begin{figure}[hbtp]
-\begin{tabular}{|l|p{9cm}|}
-
-\hline
-DEFLATE & Zlib compression, using the deflate algorithm.
-\\
-\hline
-LZO & LZO is a very fast compression algorithm. This algorithm is only
-available if the \gnutlse{} library has been initialized and the
-private extensions are enabled.
-\\
-\hline
-\end{tabular}
-\caption{Supported compression algorithms}
-\label{fig:compression}
-\end{figure}
-
-
diff --git a/doc/tex/cover.tex.in b/doc/tex/cover.tex.in
deleted file mode 100644
index 300ea355e5..0000000000
--- a/doc/tex/cover.tex.in
+++ /dev/null
@@ -1,69 +0,0 @@
-\begin{latexonly}
-
-\thispagestyle{empty}
-
-\setlength{\parindent}{0mm}
-
-\setlength{\parskip}{0mm}
-
-\hspace{\linewidth}
-\hspace{-2cm}
-\includegraphics{gnutls-logo}
-\vspace{-.3cm}
-\\
-\HRule
-\vspace{.2cm}
-\\
-\begin{tabular}{l@{\extracolsep{3cm}}p{7cm}}
-{\Large{GNUTLS}}
-&
-\vspace{-.6cm}
-\begin{flushright}
-a Transport Layer Security Library\\
-This is a Draft document\\
-Applies to GnuTLS @VERSION@
-\end{flushright}
-\end{tabular}
-
-\vspace*{\stretch{2}}
-
-\begin{flushright}
-by Nikos Mavroyanopoulos
-\end{flushright}
-\vspace{-0.6cm}
-\HRule
-
-\end{latexonly}
-
-\begin{htmlonly}
-
-{\Large{GNUTLS}}
-\begin{flushright}
-a Transport Layer Security Library\\
-This is a Draft document\\
-Applies to GnuTLS @VERSION@
-\end{flushright}
-
-\end{htmlonly}
-
-\newpage
-
-
-\vspace*{\stretch{2}}
-
-\begin{center}
-\par
-Copyright \copyright\ 2001,2002,2003,2004 Nikos Mavroyanopoulos\\
-\setlength{\parskip}{4mm}
-\par
-Permission is granted to copy, distribute and/or modify this document
-under the terms of the GNU Free Documentation License, Version 1.2
-or any later version published by the Free Software Foundation;
-with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
-A copy of the license is included in the section entitled "GNU
-Free Documentation License".
-\end{center}
-
-\setlength{\parindent}{2mm}
-
-\setlength{\parskip}{1mm}
diff --git a/doc/tex/errors.tex b/doc/tex/errors.tex
deleted file mode 100644
index ef5c95af02..0000000000
--- a/doc/tex/errors.tex
+++ /dev/null
@@ -1,26 +0,0 @@
-\section{Error handling\index{Error!handling}}
-\par
-In \gnutls{} most functions return an integer type as a result.
-In almost all cases a zero or a positive number means success, and
-a negative number indicates failure, or a situation that some
-action has to be taken. Thus negative error codes may be fatal
-or not.
-\par
-Fatal errors terminate the connection immediately and
-further sends and receives will be disallowed. An example of
-a fatal error code is GNUTLS\_E\_DECRYPTION\_FAILED. Non-fatal errors
-may warn about something, ie a warning alert was received, or
-indicate the some action has to be taken. This is the case with
-the error code GNUTLS\_E\_REHANDSHAKE returned by
-\printfunc{gnutls_record_recv}{gnutls\_record\_recv}.
-This error code indicates that the server requests a re-handshake. The client
-may ignore this request, or may reply with an alert.
-You can test if an error code is a fatal one by using the
-\printfunc{gnutls_error_is_fatal}{gnutls\_error\_is\_fatal}.
-\par
-If any non fatal errors, that require an action, are to be returned by a
-function, these error codes will be documented
-in the function's reference. All the error codes are documented
-in appendix \ref{ap:error_codes} on page \pageref{ap:error_codes}.
-
-
diff --git a/doc/tex/examples.tex b/doc/tex/examples.tex
deleted file mode 100644
index 0b1fccaba5..0000000000
--- a/doc/tex/examples.tex
+++ /dev/null
@@ -1,121 +0,0 @@
-\chapter{How to use \gnutls{}\index{Example programs} in applications}
-
-\input{preparation}
-
-\label{examples}
-\section{Client examples}
-This section contains examples of \tls{} and \ssl{} clients, using \gnutls{}.
-Note that these examples contain little or no error checking.
-
-\subsection{Simple client example with X.509 certificate support}
-Let's assume now that we want to create a TCP client which communicates
-with servers that use X.509 or OpenPGP certificate authentication. The following client
-is a very simple \tls{} client, it does not support session resuming, not
-even certificate verification. The TCP functions defined in this example
-are used in most of the other examples below, without redefining them.
-\input{ex-client2}
-
-\subsection{Obtaining session information}
-Most of the times it is desirable to know the security properties of
-the current established session. This includes the underlying ciphers and
-the protocols involved. That is the purpose of the following function.
-Note that this function will print meaningful values only if
-called after a successful \printfunc{gnutls_handshake}{gnutls\_handshake}
-
-\input{ex-session-info}
-
-\subsection{Verifying peer's certificate}
-A \tls{} session is not secure just after the handshake procedure has finished.
-It must be considered secure, only after the peer's certificate and identity have been
-verified. That is, you have to verify the signature in peer's
-certificate, the hostname in the certificate, and expiration dates.
-Just after this step you should treat the connection as being a secure one.
-The following function is an example on how to verify the peer's certificate chain.
-This is an advanced case. Things in a TLS session may be simplified by using
-\printfunc{gnutls_certificate_verify_peers2}{gnutls\_certificate\_verify\_peers2}.
-
-\input{ex-verify}
-
-\subsection{Using a callback to select the certificate to use}
-There are cases where a client holds several certificate and key pairs,
-and may not want to load all of them in the credentials structure.
-The following example demonstrates the use of the certificate selection callback.
-\par
-
-\input{ex-cert-select}
-
-
-\subsection{Client with Resume capability example}
-\label{resume-example}
-This is a modification of the simple client example. Here we demonstrate
-the use of session resumption. The client tries to connect once using
-\tls{}, close the connection and then try to establish a new connection
-using the previously negotiated data.
-\input{ex-client-resume}
-
-\subsection{Simple client example with SRP authentication}
-The following client
-is a very simple SRP \tls{} client which connects to a server
-and authenticates using a {\it username} and a {\it password}. The
-server may authenticate itself using a certificate, and in that case it
-has to be verified.
-\input{ex-client-srp}
-
-\section{Server examples}
-This section contains examples of \tls{} and \ssl{} servers, using \gnutls{}.
-
-\subsection{Echo Server with X.509 authentication}
-This example is a very simple echo server which supports {\bf X.509} authentication,
-using the RSA ciphersuites.
-\input{ex-serv1}
-
-\subsection{Echo Server with X.509 authentication II}
-The following example is a server which supports {\bf X.509} authentication.
-This server supports the export-grade cipher suites, the DHE ciphersuites
-and session resuming.
-\input{ex-serv-export}
-
-\subsection{Echo Server with OpenPGP\index{OpenPGP!Server} authentication}
-The following example is an echo server which supports {\bf OpenPGP} key
-authentication. You can easily combine this functionality --that is have
-a server that supports both X.509 and OpenPGP certificates-- but we
-separated them to keep these examples as simple as possible.
-\input{ex-serv-pgp}
-
-
-\subsection{Echo Server with SRP authentication}
-This is a server which supports {\bf SRP} authentication. It is also
-possible to combine this functionality with a certificate server. Here it
-is separate for simplicity.
-\input{ex-serv-srp}
-
-\section{Miscellaneous examples}
-
-\subsection{Checking for an alert}
-This is a function that checks if an alert has been received
-in the current session.
-\input{ex-alert}
-
-\subsection{X.509 certificate parsing example}
-\label{ex:x509-info}
-To demonstrate the X.509 parsing capabilities an example program is listed below.
-That program reads the peer's certificate, and prints information about it.
-\input{ex-x509-info}
-
-\subsection{Certificate request generation}
-\label{ex:crq}
-The following example is about generating a certificate request, and
-a private key. A certificate request can be later be processed by a CA,
-which should return a signed certificate.
-
-\input{ex-crq}
-
-\subsection{PKCS \#12 structure generation}
-\label{ex:pkcs12}
-The following example is about generating a PKCS \#12 structure.
-
-\input{ex-pkcs12}
-
-
-
-\input{openssl}
diff --git a/doc/tex/fdl.tex b/doc/tex/fdl.tex
deleted file mode 100644
index 27cedd00ac..0000000000
--- a/doc/tex/fdl.tex
+++ /dev/null
@@ -1,489 +0,0 @@
-\chapter{GNU Free Documentation License}
-%\label{label_fdl}
-
- \begin{center}
-
- Version 1.2, November 2002
-
-
- Copyright \copyright 2000,2001,2002 Free Software Foundation, Inc.
-
- \bigskip
-
- 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-
- \bigskip
-
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-\end{center}
-
-
-\begin{center}
-{\bf\large Preamble}
-\end{center}
-
-The purpose of this License is to make a manual, textbook, or other
-functional and useful document "free" in the sense of freedom: to
-assure everyone the effective freedom to copy and redistribute it,
-with or without modifying it, either commercially or noncommercially.
-Secondarily, this License preserves for the author and publisher a way
-to get credit for their work, while not being considered responsible
-for modifications made by others.
-
-This License is a kind of "copyleft", which means that derivative
-works of the document must themselves be free in the same sense. It
-complements the GNU General Public License, which is a copyleft
-license designed for free software.
-
-We have designed this License in order to use it for manuals for free
-software, because free software needs free documentation: a free
-program should come with manuals providing the same freedoms that the
-software does. But this License is not limited to software manuals;
-it can be used for any textual work, regardless of subject matter or
-whether it is published as a printed book. We recommend this License
-principally for works whose purpose is instruction or reference.
-
-
-\begin{center}
-{\Large\bf 1. APPLICABILITY AND DEFINITIONS}
-\addcontentsline{toc}{section}{1. APPLICABILITY AND DEFINITIONS}
-\end{center}
-
-This License applies to any manual or other work, in any medium, that
-contains a notice placed by the copyright holder saying it can be
-distributed under the terms of this License. Such a notice grants a
-world-wide, royalty-free license, unlimited in duration, to use that
-work under the conditions stated herein. The \textbf{"Document"}, below,
-refers to any such manual or work. Any member of the public is a
-licensee, and is addressed as \textbf{"you"}. You accept the license if you
-copy, modify or distribute the work in a way requiring permission
-under copyright law.
-
-A \textbf{"Modified Version"} of the Document means any work containing the
-Document or a portion of it, either copied verbatim, or with
-modifications and/or translated into another language.
-
-A \textbf{"Secondary Section"} is a named appendix or a front-matter section of
-the Document that deals exclusively with the relationship of the
-publishers or authors of the Document to the Document's overall subject
-(or to related matters) and contains nothing that could fall directly
-within that overall subject. (Thus, if the Document is in part a
-textbook of mathematics, a Secondary Section may not explain any
-mathematics.) The relationship could be a matter of historical
-connection with the subject or with related matters, or of legal,
-commercial, philosophical, ethical or political position regarding
-them.
-
-The \textbf{"Invariant Sections"} are certain Secondary Sections whose titles
-are designated, as being those of Invariant Sections, in the notice
-that says that the Document is released under this License. If a
-section does not fit the above definition of Secondary then it is not
-allowed to be designated as Invariant. The Document may contain zero
-Invariant Sections. If the Document does not identify any Invariant
-Sections then there are none.
-
-The \textbf{"Cover Texts"} are certain short passages of text that are listed,
-as Front-Cover Texts or Back-Cover Texts, in the notice that says that
-the Document is released under this License. A Front-Cover Text may
-be at most 5 words, and a Back-Cover Text may be at most 25 words.
-
-A \textbf{"Transparent"} copy of the Document means a machine-readable copy,
-represented in a format whose specification is available to the
-general public, that is suitable for revising the document
-straightforwardly with generic text editors or (for images composed of
-pixels) generic paint programs or (for drawings) some widely available
-drawing editor, and that is suitable for input to text formatters or
-for automatic translation to a variety of formats suitable for input
-to text formatters. A copy made in an otherwise Transparent file
-format whose markup, or absence of markup, has been arranged to thwart
-or discourage subsequent modification by readers is not Transparent.
-An image format is not Transparent if used for any substantial amount
-of text. A copy that is not "Transparent" is called \textbf{"Opaque"}.
-
-Examples of suitable formats for Transparent copies include plain
-ASCII without markup, Texinfo input format, LaTeX input format, SGML
-or XML using a publicly available DTD, and standard-conforming simple
-HTML, PostScript or PDF designed for human modification. Examples of
-transparent image formats include PNG, XCF and JPG. Opaque formats
-include proprietary formats that can be read and edited only by
-proprietary word processors, SGML or XML for which the DTD and/or
-processing tools are not generally available, and the
-machine-generated HTML, PostScript or PDF produced by some word
-processors for output purposes only.
-
-The \textbf{"Title Page"} means, for a printed book, the title page itself,
-plus such following pages as are needed to hold, legibly, the material
-this License requires to appear in the title page. For works in
-formats which do not have any title page as such, "Title Page" means
-the text near the most prominent appearance of the work's title,
-preceding the beginning of the body of the text.
-
-A section \textbf{"Entitled XYZ"} means a named subunit of the Document whose
-title either is precisely XYZ or contains XYZ in parentheses following
-text that translates XYZ in another language. (Here XYZ stands for a
-specific section name mentioned below, such as \textbf{"Acknowledgements"},
-\textbf{"Dedications"}, \textbf{"Endorsements"}, or \textbf{"History"}.)
-To \textbf{"Preserve the Title"}
-of such a section when you modify the Document means that it remains a
-section "Entitled XYZ" according to this definition.
-
-The Document may include Warranty Disclaimers next to the notice which
-states that this License applies to the Document. These Warranty
-Disclaimers are considered to be included by reference in this
-License, but only as regards disclaiming warranties: any other
-implication that these Warranty Disclaimers may have is void and has
-no effect on the meaning of this License.
-
-
-\begin{center}
-{\Large\bf 2. VERBATIM COPYING}
-\addcontentsline{toc}{section}{2. VERBATIM COPYING}
-\end{center}
-
-You may copy and distribute the Document in any medium, either
-commercially or noncommercially, provided that this License, the
-copyright notices, and the license notice saying this License applies
-to the Document are reproduced in all copies, and that you add no other
-conditions whatsoever to those of this License. You may not use
-technical measures to obstruct or control the reading or further
-copying of the copies you make or distribute. However, you may accept
-compensation in exchange for copies. If you distribute a large enough
-number of copies you must also follow the conditions in section 3.
-
-You may also lend copies, under the same conditions stated above, and
-you may publicly display copies.
-
-
-\begin{center}
-{\Large\bf 3. COPYING IN QUANTITY}
-\addcontentsline{toc}{section}{3. COPYING IN QUANTITY}
-\end{center}
-
-
-If you publish printed copies (or copies in media that commonly have
-printed covers) of the Document, numbering more than 100, and the
-Document's license notice requires Cover Texts, you must enclose the
-copies in covers that carry, clearly and legibly, all these Cover
-Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on
-the back cover. Both covers must also clearly and legibly identify
-you as the publisher of these copies. The front cover must present
-the full title with all words of the title equally prominent and
-visible. You may add other material on the covers in addition.
-Copying with changes limited to the covers, as long as they preserve
-the title of the Document and satisfy these conditions, can be treated
-as verbatim copying in other respects.
-
-If the required texts for either cover are too voluminous to fit
-legibly, you should put the first ones listed (as many as fit
-reasonably) on the actual cover, and continue the rest onto adjacent
-pages.
-
-If you publish or distribute Opaque copies of the Document numbering
-more than 100, you must either include a machine-readable Transparent
-copy along with each Opaque copy, or state in or with each Opaque copy
-a computer-network location from which the general network-using
-public has access to download using public-standard network protocols
-a complete Transparent copy of the Document, free of added material.
-If you use the latter option, you must take reasonably prudent steps,
-when you begin distribution of Opaque copies in quantity, to ensure
-that this Transparent copy will remain thus accessible at the stated
-location until at least one year after the last time you distribute an
-Opaque copy (directly or through your agents or retailers) of that
-edition to the public.
-
-It is requested, but not required, that you contact the authors of the
-Document well before redistributing any large number of copies, to give
-them a chance to provide you with an updated version of the Document.
-
-
-\begin{center}
-{\Large\bf 4. MODIFICATIONS}
-\addcontentsline{toc}{section}{4. MODIFICATIONS}
-\end{center}
-
-You may copy and distribute a Modified Version of the Document under
-the conditions of sections 2 and 3 above, provided that you release
-the Modified Version under precisely this License, with the Modified
-Version filling the role of the Document, thus licensing distribution
-and modification of the Modified Version to whoever possesses a copy
-of it. In addition, you must do these things in the Modified Version:
-
-\begin{itemize}
-\item[A.]
- Use in the Title Page (and on the covers, if any) a title distinct
- from that of the Document, and from those of previous versions
- (which should, if there were any, be listed in the History section
- of the Document). You may use the same title as a previous version
- if the original publisher of that version gives permission.
-
-\item[B.]
- List on the Title Page, as authors, one or more persons or entities
- responsible for authorship of the modifications in the Modified
- Version, together with at least five of the principal authors of the
- Document (all of its principal authors, if it has fewer than five),
- unless they release you from this requirement.
-
-\item[C.]
- State on the Title page the name of the publisher of the
- Modified Version, as the publisher.
-
-\item[D.]
- Preserve all the copyright notices of the Document.
-
-\item[E.]
- Add an appropriate copyright notice for your modifications
- adjacent to the other copyright notices.
-
-\item[F.]
- Include, immediately after the copyright notices, a license notice
- giving the public permission to use the Modified Version under the
- terms of this License, in the form shown in the Addendum below.
-
-\item[G.]
- Preserve in that license notice the full lists of Invariant Sections
- and required Cover Texts given in the Document's license notice.
-
-\item[H.]
- Include an unaltered copy of this License.
-
-\item[I.]
- Preserve the section Entitled "History", Preserve its Title, and add
- to it an item stating at least the title, year, new authors, and
- publisher of the Modified Version as given on the Title Page. If
- there is no section Entitled "History" in the Document, create one
- stating the title, year, authors, and publisher of the Document as
- given on its Title Page, then add an item describing the Modified
- Version as stated in the previous sentence.
-
-\item[J.]
- Preserve the network location, if any, given in the Document for
- public access to a Transparent copy of the Document, and likewise
- the network locations given in the Document for previous versions
- it was based on. These may be placed in the "History" section.
- You may omit a network location for a work that was published at
- least four years before the Document itself, or if the original
- publisher of the version it refers to gives permission.
-
-\item[K.]
- For any section Entitled "Acknowledgements" or "Dedications",
- Preserve the Title of the section, and preserve in the section all
- the substance and tone of each of the contributor acknowledgements
- and/or dedications given therein.
-
-\item[L.]
- Preserve all the Invariant Sections of the Document,
- unaltered in their text and in their titles. Section numbers
- or the equivalent are not considered part of the section titles.
-
-\item[M.]
- Delete any section Entitled "Endorsements". Such a section
- may not be included in the Modified Version.
-
-\item[N.]
- Do not retitle any existing section to be Entitled "Endorsements"
- or to conflict in title with any Invariant Section.
-
-\item[O.]
- Preserve any Warranty Disclaimers.
-\end{itemize}
-
-If the Modified Version includes new front-matter sections or
-appendices that qualify as Secondary Sections and contain no material
-copied from the Document, you may at your option designate some or all
-of these sections as invariant. To do this, add their titles to the
-list of Invariant Sections in the Modified Version's license notice.
-These titles must be distinct from any other section titles.
-
-You may add a section Entitled "Endorsements", provided it contains
-nothing but endorsements of your Modified Version by various
-parties--for example, statements of peer review or that the text has
-been approved by an organization as the authoritative definition of a
-standard.
-
-You may add a passage of up to five words as a Front-Cover Text, and a
-passage of up to 25 words as a Back-Cover Text, to the end of the list
-of Cover Texts in the Modified Version. Only one passage of
-Front-Cover Text and one of Back-Cover Text may be added by (or
-through arrangements made by) any one entity. If the Document already
-includes a cover text for the same cover, previously added by you or
-by arrangement made by the same entity you are acting on behalf of,
-you may not add another; but you may replace the old one, on explicit
-permission from the previous publisher that added the old one.
-
-The author(s) and publisher(s) of the Document do not by this License
-give permission to use their names for publicity for or to assert or
-imply endorsement of any Modified Version.
-
-
-\begin{center}
-{\Large\bf 5. COMBINING DOCUMENTS}
-\addcontentsline{toc}{section}{5. COMBINING DOCUMENTS}
-\end{center}
-
-
-You may combine the Document with other documents released under this
-License, under the terms defined in section 4 above for modified
-versions, provided that you include in the combination all of the
-Invariant Sections of all of the original documents, unmodified, and
-list them all as Invariant Sections of your combined work in its
-license notice, and that you preserve all their Warranty Disclaimers.
-
-The combined work need only contain one copy of this License, and
-multiple identical Invariant Sections may be replaced with a single
-copy. If there are multiple Invariant Sections with the same name but
-different contents, make the title of each such section unique by
-adding at the end of it, in parentheses, the name of the original
-author or publisher of that section if known, or else a unique number.
-Make the same adjustment to the section titles in the list of
-Invariant Sections in the license notice of the combined work.
-
-In the combination, you must combine any sections Entitled "History"
-in the various original documents, forming one section Entitled
-"History"; likewise combine any sections Entitled "Acknowledgements",
-and any sections Entitled "Dedications". You must delete all sections
-Entitled "Endorsements".
-
-\begin{center}
-{\Large\bf 6. COLLECTIONS OF DOCUMENTS}
-\addcontentsline{toc}{section}{6. COLLECTIONS OF DOCUMENTS}
-\end{center}
-
-You may make a collection consisting of the Document and other documents
-released under this License, and replace the individual copies of this
-License in the various documents with a single copy that is included in
-the collection, provided that you follow the rules of this License for
-verbatim copying of each of the documents in all other respects.
-
-You may extract a single document from such a collection, and distribute
-it individually under this License, provided you insert a copy of this
-License into the extracted document, and follow this License in all
-other respects regarding verbatim copying of that document.
-
-
-\begin{center}
-{\Large\bf 7. AGGREGATION WITH INDEPENDENT WORKS}
-\addcontentsline{toc}{section}{7. AGGREGATION WITH INDEPENDENT WORKS}
-\end{center}
-
-
-A compilation of the Document or its derivatives with other separate
-and independent documents or works, in or on a volume of a storage or
-distribution medium, is called an "aggregate" if the copyright
-resulting from the compilation is not used to limit the legal rights
-of the compilation's users beyond what the individual works permit.
-When the Document is included in an aggregate, this License does not
-apply to the other works in the aggregate which are not themselves
-derivative works of the Document.
-
-If the Cover Text requirement of section 3 is applicable to these
-copies of the Document, then if the Document is less than one half of
-the entire aggregate, the Document's Cover Texts may be placed on
-covers that bracket the Document within the aggregate, or the
-electronic equivalent of covers if the Document is in electronic form.
-Otherwise they must appear on printed covers that bracket the whole
-aggregate.
-
-
-\begin{center}
-{\Large\bf 8. TRANSLATION}
-\addcontentsline{toc}{section}{8. TRANSLATION}
-\end{center}
-
-
-Translation is considered a kind of modification, so you may
-distribute translations of the Document under the terms of section 4.
-Replacing Invariant Sections with translations requires special
-permission from their copyright holders, but you may include
-translations of some or all Invariant Sections in addition to the
-original versions of these Invariant Sections. You may include a
-translation of this License, and all the license notices in the
-Document, and any Warranty Disclaimers, provided that you also include
-the original English version of this License and the original versions
-of those notices and disclaimers. In case of a disagreement between
-the translation and the original version of this License or a notice
-or disclaimer, the original version will prevail.
-
-If a section in the Document is Entitled "Acknowledgements",
-"Dedications", or "History", the requirement (section 4) to Preserve
-its Title (section 1) will typically require changing the actual
-title.
-
-
-\begin{center}
-{\Large\bf 9. TERMINATION}
-\addcontentsline{toc}{section}{9. TERMINATION}
-\end{center}
-
-
-You may not copy, modify, sublicense, or distribute the Document except
-as expressly provided for under this License. Any other attempt to
-copy, modify, sublicense or distribute the Document is void, and will
-automatically terminate your rights under this License. However,
-parties who have received copies, or rights, from you under this
-License will not have their licenses terminated so long as such
-parties remain in full compliance.
-
-
-\begin{center}
-{\Large\bf 10. FUTURE REVISIONS OF THIS LICENSE}
-\addcontentsline{toc}{section}{10. FUTURE REVISIONS OF THIS LICENSE}
-\end{center}
-
-
-The Free Software Foundation may publish new, revised versions
-of the GNU Free Documentation License from time to time. Such new
-versions will be similar in spirit to the present version, but may
-differ in detail to address new problems or concerns. See
-http://www.gnu.org/copyleft/.
-
-Each version of the License is given a distinguishing version number.
-If the Document specifies that a particular numbered version of this
-License "or any later version" applies to it, you have the option of
-following the terms and conditions either of that specified version or
-of any later version that has been published (not as a draft) by the
-Free Software Foundation. If the Document does not specify a version
-number of this License, you may choose any version ever published (not
-as a draft) by the Free Software Foundation.
-
-
-\begin{center}
-{\Large\bf ADDENDUM: How to use this License for your documents}
-\addcontentsline{toc}{section}{ADDENDUM: How to use this License for your documents}
-\end{center}
-
-To use this License in a document you have written, include a copy of
-the License in the document and put the following copyright and
-license notices just after the title page:
-
-\bigskip
-\begin{quote}
- Copyright \copyright YEAR YOUR NAME.
- Permission is granted to copy, distribute and/or modify this document
- under the terms of the GNU Free Documentation License, Version 1.2
- or any later version published by the Free Software Foundation;
- with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
- A copy of the license is included in the section entitled "GNU
- Free Documentation License".
-\end{quote}
-\bigskip
-
-If you have Invariant Sections, Front-Cover Texts and Back-Cover Texts,
-replace the "with...Texts." line with this:
-
-\bigskip
-\begin{quote}
- with the Invariant Sections being LIST THEIR TITLES, with the
- Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST.
-\end{quote}
-\bigskip
-
-If you have Invariant Sections without Cover Texts, or some other
-combination of the three, merge those two alternatives to suit the
-situation.
-
-If your document contains nontrivial examples of program code, we
-recommend releasing these examples in parallel under your choice of
-free software license, such as the GNU General Public License,
-to permit their use in free software.
-
diff --git a/doc/tex/funcs.tex b/doc/tex/funcs.tex
deleted file mode 100644
index 72c96f022a..0000000000
--- a/doc/tex/funcs.tex
+++ /dev/null
@@ -1,35 +0,0 @@
-\chapter{Function\index{Function reference!for \gnutls{}} reference}
-
-\section{\gnutls{} library}
-The prototypes for the following functions lie
-in ``gnutls/gnutls.h''.
-\input{gnutls-api}
-
-\newpage
-
-\section{\gnutls{} X.509 certificate handling\index{Function reference!for X.509 certificates}}
-\label{sec:x509api}
-The following functions are to be used for X.509 certificate handling.
-Their prototypes lie in ``gnutls/x509.h''.
-
-\input{x509-api}
-
-
-\newpage
-
-
-\section{\gnutlse{} library\index{Function reference!for \gnutlse{}}}
-These functions are only available in the GPL version of the
-library called ``gnutls-extra''. The prototypes for this library lie
-in ``gnutls/extra.h''.
-
-\input{gnutls-extra-api}
-
-\section{\gnutls{} OpenPGP key handling\index{Function reference!for OpenPGP keys}}
-\label{sec:openpgpapi}
-The following functions are to be used for OpenPGP certificate handling.
-Their prototypes lie in ``gnutls/openpgp.h''.
-
-\input{pgp-api}
-
-
diff --git a/doc/tex/gnutls-logo.ps b/doc/tex/gnutls-logo.ps
deleted file mode 100644
index 8ca3af9e19..0000000000
--- a/doc/tex/gnutls-logo.ps
+++ /dev/null
@@ -1,154 +0,0 @@
-%!PS-Adobe-3.0 EPSF-3.0
-%%Creator: GIMP PostScript file plugin V 1.11 by Peter Kirchgessner
-%%Title: /usr/home/nmav/cvs/gnutls/doc/tex/gnutls-logo.ps
-%%CreationDate: Thu Jan 17 13:17:01 2002
-%%DocumentData: Clean7Bit
-%%LanguageLevel: 2
-%%Pages: 1
-%%BoundingBox: 14 14 60 56
-%%EndComments
-%%BeginPreview: 94 86 1 86
-% 0000001ff000000000000000
-% 000000ffff00000000000000
-% 000003ffffc0000000000000
-% 00000ffffff0000000000000
-% 00003ffffffc000000000000
-% 00007ffffffe000000000000
-% 0000ffc007ff000000000000
-% 0001ff0000ff800000000000
-% 0003fc00003fc00000000000
-% 0007f800001fe00000000000
-% 0007f000000fe00000000000
-% 000fe0000007f00000000000
-% 000fc0000003f00000000000
-% 001f80000001f80000000000
-% 001f80000001f80000000000
-% 003f00000000fc0000000000
-% 003f00000000fc0000000000
-% 003e000000007c0000000000
-% 007e000000007e0000000000
-% 007e000000007e0000000000
-% 007e000000007e0000000000
-% 007c000000007e0000000000
-% 007e000000003e0000000000
-% 007c000000007e0000000000
-% 007c000000003e0000000000
-% 007e000000007e0000000000
-% 007c000000003e0000000000
-% 077ffffff7ffffc000000000
-% 03ffffffffffffc000000000
-% 07ffffffffffffe000000000
-% 07ffffffffffffc000000000
-% 07ffffffffffffe000000000
-% 03ffffffffffffc000000000
-% 07ffffffffffffe000000000
-% 07ffffffffffffc000000000
-% 87ffffffffffffe000000000
-% 03ffffffffffffc000000000
-% 87ffffff7fffffe000000000
-% 07fffff81fffffc0fffffe00
-% 87fffff00fffffe0fffffe00
-% 03fffff00fffffc0ffffff00
-% 87ffffe00fffffe0ffffff00
-% 07fffff007ffffc0f8000700
-% 83fffff00fffffe0f8000780
-% 07fffff00fffffc0f8000380
-% 07fffff81fffffe0f80003c0
-% 87fffffc3fffffc0f80003c0
-% 83fffff81fffffe0f80001c0
-% 07fffff81fffffc0f80001e0
-% 87fffff00fffffe0f80001e0
-% 07fffff00fffffc0f80000e0
-% 83ffffe007ffffe0f80000f0
-% 07ffffe007ffffc0f80000f0
-% 87ffffffffffffe0f8000070
-% 07ffffffffffffc0f8000078
-% 83ffffffffffffe0f8000078
-% 07ffffffffffffc0f800003c
-% 87ffffffffffffe0fdb5b5bc
-% 07ffffffffffffc0fffffffc
-% 83ffffffffffffe0fffffffc
-% 07ffffffffffffc0fffffffc
-% 87ffffffffffffe0fffffffc
-% 07ffffffffffffc0fffffffc
-% 8000000000000000fffffffc
-% 0000000000000000fffffffc
-% 8000000000000000fffffffc
-% aab5b5b5b5b5b5b7fffffffc
-% fffffffffffffffffffffffc
-% fffc0fffe07ffffffff07ffc
-% fff003ff801fffffffc00ffc
-% ffe3f1ff1f87ffffff0fc7fc
-% ffcffcfe7fe3fffffe3ff3fc
-% ff9ffe7cfff3fffffe7ff9fc
-% ff3fff39fff9fffffcfff9fc
-% ff3fff39fffdfffffdfffcfc
-% fe7fff9bfffcfffff9fffcfc
-% fe7fff93fffcfffff9fffe7c
-% 807fff83fffc000003fffe00
-% 007fff83fffc000001fffe00
-% 807fff83fffc000001fffe00
-% 007fff83fffc000001fffc00
-% 003fff01fff8000000fffc00
-% 803fff00fff8000000fffc00
-% 801ffe00fff00000007ff800
-% 000ffc003fe00000003fe000
-% 8003f0001f800000000f8000
-%%EndPreview
-%%BeginProlog
-% Use own dictionary to avoid conflicts
-10 dict begin
-%%EndProlog
-%%Page: 1 1
-% Translate for offset
-14.173228 14.173228 translate
-% Translate to begin of first scanline
-0.000000 41.290570 translate
-45.131554 -41.290570 scale
-% Image geometry
-94 86 8
-% Transformation matrix
-[ 94 0 0 86 0 0 ]
-currentfile /ASCII85Decode filter /RunLengthDecode filter
-%%BeginData: 2608 ASCII Bytes
-image
-kl2+`\s,o`!WW3(9hgqeoZI4"rr_u)9cNa*"!)!bps&j*rrJN8mf3A=T$IB(rrK\TlMpr3^sN,M
-rrIQWkl:bpK(IFjnc&[]7KN5`!%Rq=!%7I?!CQM.s760jffT!0"<Mcoqu-Kn"o\>?F<CV\!!,@@
-eGo.?!V/AL!!4U8o(;q_Y:TMM!CHD.s7H<lnilpN!X4\_nc&[\MZ`hV!)M/Fp&>'kAGZ?--ctcU
-!S\[n!!31;rn%2CrrBP*!!+>5li."I6Mg`_^XrMYrr=>B!!+J8l2Le<*;fd:/D'pqrrAPd!!*8\
-kPkS8"T/6"LY2Y$rrMjCqu?_ojo5=Pqu?a>pt>]ArrAkm!!,7[jo5AX2Z*OTXP*XKrrN*Vr;Zj!
-Z/bibWWE%u!BpG9s7lToh#%-P3T9u<0`1nNjP'Y/rrASe!!&#;rrAPd!!&hKs7lTo;Z$LpiSje:
-g&(gM>2'#Orr=VK!!+8AiVrrR*W5s<1tr!)rr<-!!!#UJrr>=_!!!D\s7lTo!rW*!HJe`&Er>t<
-$ekXUrr<-!!!&;ArrA&W!!!D\s7uZqklUe`!0uIA!-\;@!"7N\q#:<qr;Zh_hu<\9r;Zg*gAgsJ
-!!<*!!0uIA!0-pW!"7N\q#:<qr;Zh_hu<\9r;Zg*gAh*N!-/!D!!3#u!&i_?!&OQR!!N:,!5%+f
-r;Qb0bl@`_hZ*NR!,'OV!-$fpr;Qb0bl@`_hZ*NR!,'OV!-$fpr;Qb0bl@`_hZ*NR!,'OV!-$fp
-r;Qb0bl@`_hZ*NR!,'OV!-$fpr;Qb0bl@`_hZ*NR!,(Nr"!MAm*U*P(E8LWmrr?]t!!`girVuoq
-T*OZ^!-%o:!2Jj6!C68Rs8;lsBC#U!#-n(*!NZCi!!%!:rrB(a!!&_is8;lsBC#Tu8GW8c5jSIN
-E;fe:Wp0Qa7f35`rr?]u!!%`Krr@K6!!%!:rrB(s!!"_E1^#T7!!2Tes8;lsBC#TuPkk=ZU[.s\
-E;fe:Wr)hsm.:5[r>#A5LA_)Lrr?]u!!$*rrr>j]!!%!:rrB(s!!)BVrrZs8!&FKPr;Qb0li7%m
-e,0.Gh?E6G!-%o:!35qs!:9:V"MFd8"kW_Qr;Qb0lMpr?li$hagd(0*!-%o:!35qs!:9:V"S<]7
-!-8&<r;Qb0l2UforVlk%l2Ug'rVlktqu?``nc&`(!!"/7rr;or!,(Tt!=73RrrL@LlMpp(rVlkt
-qu?``nc&U#rVur7rr;or!,(Tt!*K-u!)Vt]!-%o:!35qs!:97U"Sic4!,_`8r;Qb0li7%kgACmN
-eHG4=!-%o:!35qs!:94T#&4,<!r;lrr;Qb0li7#jq>UFoli7$)rVlktqu?``nG`L'rW!"rs8W#s
-!,(Wu!8.,I!71!3!-%o:!35qs!:94T#6#>;!)`drr;Qb0m/R,dq!.tC4RE+KE;fe:Wr)hsm-jrX
-BE/#<h>dEQ!,'OV!-%o:!35qs!:91S!5/:2!KmE[rr?]V!!%!:rrB(s!!)BSrrr$7!!#1^r;Qb0
-bl@`_rVlktqu?``mf*E$!!!&Br;Qb0bl@`_rVlktqu?``mf*9trVuq@r;Qb0bl@`_rVlktqu?_/
-mV`5A#64`Ir;Qb0bl@`_rVlktirK#W!,'OV!-%o:!35&Zr;Qb0bl@`_rVlktirK#W!,'OV!-%o:
-!35&Zr;Qb0bl@`_rVlktirK#W!9qb^!:'O_!35&Z_Z'V9irHsr!35&Z_K5cPirJTLrs8#m!<ikb
-!!*E2o)SF`#m3bi^%(I&Qp^uK!!r]\KY?.?^p-?;iW'5t;l@>*jLpR3p&Odd$Tc0)s8'ULrr<#0
-1&(_L,,P;=#1:<Qs8V"_jT#\i?/GV]o"rNKs8&o?p]1'h%KUkMr2`C!!!!Qf[J]c7qZ%--3UZgb
-8Iu")$T!S5rLO,T!"K'us8&'/%0-G@=3:Es9_e\`!!@QIlU1IJ"#Sg5CA\&64TG+Fq#CLOgAeJC
-!!EFls2H\e!!?R#peU_dq#CLWrmVk\!!=n:p+ZIG"!m=-9D8Dg'@-PHl2Uois1f';!!?=&jph1f
-q>^TuaSo'0!!l6r\,cR0V>kW0!!=87i!o#Q!snbg'(l5+M#V_s!;ZZs49)PV!!]q45l`##c1:o:
-LAtTH!!79BE:a,4&F/KdquHQn!g!@So)Jtis*ar_s*=29!ZM*Eli7+.mM5<n!g!@SquHQn!m:NE
-o)Jt.s1/2ls#flQ!sR<>#jhTmm,%:5!^$FFr;Zg!qR?UrrrVcl"q0V\\F9G'nc/a+s1@[.!W&#N
-!!5%Xir-@ec1q;=!qQBm&+oi#!!r,q!5Ih!!2K)b!&aWQq#:<so)Jb(r;Qalo)JdskN`'IhspaI
-2Z!IKrr?0m!!#pprr@04!!"V8rrMgBo)JcJqZ$?j!5nC.!7UlG!TOU\!!&t]rrA_a!!*SmqZ$?j
-!W?F!!!-4$qu6YJo`,"WqWRq[qC;.<!."D?p\t9a48/^U8+ucY!G;H.!!+5,k5PJD-2.B>@/0cq
-rrMX\q#CFqo_8@dJ.28S!C?><rrM(:q>^R3K)>?Cp&>?s_,V<P!$,7_rq69shej>4!!HH,p>Z)R
-q6`Wi!!4Nqg@kPs~>
-%%EndData
-showpage
-%%Trailer
-end
-%%EOF
diff --git a/doc/tex/gnutls.bib b/doc/tex/gnutls.bib
deleted file mode 100644
index 0c3f7f03cf..0000000000
--- a/doc/tex/gnutls.bib
+++ /dev/null
@@ -1,161 +0,0 @@
-@Misc{RFC2246,
- author = "Tim Dierks and Christopher Allen",
- title = "The TLS Protocol Version 1.0",
- month = "January",
- year = {1999},
- note = "Available from http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2246.txt",
- url = "http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2246.txt"
-}
-
-@Misc{RFC2440,
- author = "Jon Callas and Lutz Donnerhacke and Hal Finney and Rodney Thayer",
- title = "OpenPGP Message Format",
- month = "November",
- year = {1998},
- note = "Available from http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2440.txt",
- url = "http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2440.txt"
-}
-
-@Misc{RFC2511,
- author = "Michael Myers and Carlisle Adams and Dave Solo and David Kemp",
- title = "Internet X.509 Certificate Request Message Format",
- month = "March",
- year = {1999},
- note = "Available from http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2511.txt",
- url = "http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2511.txt"
-}
-
-@Misc{RFC2817,
- author = "Rohit Khare and Scott Lawrence",
- title = "Upgrading to TLS Within HTTP/1.1",
- month = "May",
- year = {2000},
- note = "Available from http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2817.txt",
- url = "http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2817.txt"
-}
-
-@Misc{RFC2818,
- author = "Eric Rescola",
- title = "HTTP Over TLS",
- month = "May",
- year = {2000},
- note = "Available from http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2818.txt",
- url = "http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2818.txt"
-}
-
-
-@Misc{RFC2945,
- author = "Tom Wu",
- title = "The SRP Authentication and Key Exchange System",
- month = "September",
- year = {2000},
- note = "Available from http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2945.txt",
- url = "http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2945.txt"
-}
-
-@Misc{RFC2986,
- author = "Magnus Nystrom and Burt Kaliski",
- title = "PKCS 10 v1.7: Certification Request Syntax Specification",
- month = "November",
- year = {2000},
- note = "Available from http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2986.txt",
- url = "http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2986.txt"
-}
-
-@Misc{RFC3280,
- author = "Russell Housley and Tim Polk and Warwick Ford and David Solo",
- title = "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile",
- month = "April",
- year = {2002},
- note = "Available from http://kaizi.viagenie.qc.ca/ietf/rfc/rfc3280.txt",
- url = "http://kaizi.viagenie.qc.ca/ietf/rfc/rfc3280.txt"
-}
-
-@Misc{SSL3,
- author = "Alan Freier and Philip Karlton and Paul Kocher",
- title = "The SSL Protocol Version 3.0",
- month = "November",
- year = {1996},
- note = "Available from http://wp.netscape.com/eng/ssl3/draft302.txt",
- url = "http://wp.netscape.com/eng/ssl3/draft302.txt"
-}
-
-@Misc{PKCS12,
- author = "RSA Laboratories",
- title = "PKCS 12 v1.0: Personal Information Exchange Syntax",
- month = "June",
- year = {1999},
-}
-
-@Misc{RESCOLA,
- author = "Eric Rescola",
- title = "SSL and TLS: Designing and Building Secure Systems",
- year = {2001},
-}
-
-@Misc{TLSEXT,
- author = "Simon Blake-Wilson and Magnus Nystrom and David Hopwood and Jan Mikkelsen and Tim Wright",
- title = "Transport Layer Security (TLS) Extensions",
- month = "June",
- year = {2003},
- note = "Available from http://kaizi.viagenie.qc.ca/ietf/rfc/rfc3546.txt",
- url = "http://kaizi.viagenie.qc.ca/ietf/rfc/rfc3546.txt"
-}
-
-@Misc{TLSSRP,
- author = "David Taylor and Trevor Perrin and Tom Wu and Nikos Mavroyanopoulos",
- title = "Using SRP for TLS Authentication",
- month = "June",
- year = {2004},
- note = "Internet draft, work in progress. Available from http://www.normos.org/ietf/draft/draft-ietf-tls-srp-07.txt",
- url = "http://www.normos.org/ietf/draft/draft-ietf-tls-srp-07.txt"
-}
-
-@Misc{TLSPGP,
- author = "Nikos Mavroyanopoulos",
- title = "Using OpenPGP keys for TLS authentication",
- month = "April",
- year = {2004},
- note = "Internet draft, work in progress. Available from http://www.normos.org/ietf/draft/draft-ietf-tls-openpgp-keys-05.txt",
- url = "http://www.normos.org/ietf/draft/draft-ietf-tls-openpgp-keys-05.txt"
-}
-
-@Misc{TLSCOMP,
- author = "Scott Hollenbeck",
- title = "Transport Layer Security Protocol Compression Methods",
- month = "January",
- year = {2004},
- note = "Internet draft, work in progress. Available from http://kaizi.viagenie.qc.ca/ietf/rfc/rfc3749.txt",
- url = "http://kaizi.viagenie.qc.ca/ietf/rfc/rfc3749.txt"
-}
-
-@Misc{CBCATT,
- author = "Bodo Moeller",
- title = "Security of CBC Ciphersuites in SSL/TLS: Problems and Countermeasures",
- year = {2002},
- note = "Available from http://www.openssl.org/\~\ bodo/tls-cbc.txt",
- url = "http://www.openssl.org/~bodo/tls-cbc.txt"
-}
-
-@Misc{GUTPKI,
- author = "Peter Gutmann",
- title = "Everything you never wanted to know about PKI but were forced to find out",
- year = {2002},
- note = "Available from http://www.cs.auckland.ac.nz/\~\ pgut001/pubs/pkitutorial.pdf",
- url = "http://www.cs.auckland.ac.nz/~pgut001/pubs/pkitutorial.pdf"
-}
-
-@Misc{GPGH,
- author = "Mike Ashley",
- title = "The GNU Privacy Handbook",
- year = {2002},
- note = "Available from http://www.gnupg.org/gph/en/manual.pdf",
- url = "http://www.gnupg.org/gph/en/manual.pdf"
-}
-
-@Misc{TOMSRP,
- author = "Tom Wu",
- title = "The Stanford SRP Authentication Project",
- note = "Available at http://srp.stanford.edu/",
- url = "http://srp.stanford.edu/"
-}
diff --git a/doc/tex/gnutls.tex b/doc/tex/gnutls.tex
deleted file mode 100644
index 2e1bf7d68e..0000000000
--- a/doc/tex/gnutls.tex
+++ /dev/null
@@ -1,62 +0,0 @@
-\documentclass{book}
-\bibliographystyle{plain}
-
-\usepackage{html}
-\usepackage{fancyhdr}
-\usepackage{graphicx}
-\usepackage{makeidx}
-\usepackage{supertabular}
-\usepackage{color}
-\usepackage{colortbl}
-
-\input{macros}
-
-\makeindex
-
-\begin{document}
-
-\frontmatter
-
-\input{cover}
-
-\tableofcontents
-
-\pagestyle{fancy}
-\fancyhead[RE]{\slshape \rightmark}
-\fancyhead[LO]{\slshape \leftmark}
-\fancyhead[RO,LE]{\empty}
-\fancyfoot[C]{\thepage}
-
-\input{preface}
-
-\mainmatter
-\input{library}
-
-\input{tlsintro}
-
-\input{auth}
-
-\input{certificate}
-
-\input{howto}
-
-\input{examples}
-
-\input{programs}
-
-\input{funcs}
-
-\appendix
-
-\input{appendix}
-
-\input{fdl}
-
-\backmatter
-
-\printindex
-
-\bibliography{gnutls}
-
-\end{document}
-
diff --git a/doc/tex/handshake.tex b/doc/tex/handshake.tex
deleted file mode 100644
index 657fef695d..0000000000
--- a/doc/tex/handshake.tex
+++ /dev/null
@@ -1,95 +0,0 @@
-\section{The TLS handshake protocol\index{TLS protocols!Handshake}}
-\label{handshake}
-
-The Handshake protocol is responsible for the ciphersuite negotiation,
-the initial key exchange, and the authentication of the two peers.
-This is fully controlled by the application layer, thus your program
-has to set up the required parameters. Available functions to control
-the handshake protocol include:
-
-\begin{itemize}
-\item \printfunc{gnutls_cipher_set_priority}{gnutls\_cipher\_set\_priority}:
-to set the priority of bulk cipher algorithms.
-\item \printfunc{gnutls_mac_set_priority}{gnutls\_mac\_set\_priority}:
-to set the priority of MAC algorithms.
-\item \printfunc{gnutls_kx_set_priority}{gnutls\_kx\_set\_priority}:
-to set the priority of key exchange algorithms.
-\item \printfunc{gnutls_compression_set_priority}{gnutls\_compression\_set\_priority}:
-to set the priority of compression methods.
-\item \printfunc{gnutls_certificate_type_set_priority}{gnutls\_certificate\_type\_set\_priority}:
-to set the priority of certificate types (ie. OpenPGP, X.509).
-\item \printfunc{gnutls_protocol_set_priority}{gnutls\_protocol\_set\_priority}:
-to set the priority of protocol versions (ie. \sslIII{}, \tlsI).
-\item \printfunc{gnutls_set_default_priority}{gnutls\_set\_default\_priority}:
-to set some defaults in the current session. That way you don't have to call each
-priority function, independently, but you have to live with the defaults.
-\item \printfunc{gnutls_credentials_set}{gnutls\_credentials\_set}: to set the
-appropriate credentials structures.
-\item \printfunc{gnutls_certificate_server_set_request}
-{gnutls\_certificate\_server\_set\_request}: to set
-whether client certificate is required or not.
-\item \printfunc{gnutls_handshake}{gnutls\_handshake}: to initiate the
-handshake.
-\end{itemize}
-
-\input{ciphersuites}
-
-\subsection*{Client authentication}
-In the case of ciphersuites that use certificate authentication, the
-authentication\index{Certificate authentication!Client} of the client is
-optional in \tls{}. A server may request a certificate from the client -- using the
-\printfunc{gnutls_certificate_server_set_request}{gnutls\_certificate\_server\_set\_request}
-function. If a certificate is to be requested from the client during the handshake,
-the server will send a certificate request message that contains
-a list of acceptable certificate signers. The client may then send a certificate, signed
-by one of the server's acceptable signers. In \gnutls{} the server's acceptable
-signers list is constructed using the trusted CA certificates in the
-credentials structure.
-
-\subsection*{Resuming Sessions\index{Resuming sessions}}
-\label{resume}
-\par
-The
-\printfunc{gnutls_handshake}{gnutls\_handshake}
- function, is expensive since a lot of calculations are performed. In order to support many fast connections to
-the same server a client may use session resuming. {\bf Session resuming} is a
-feature of the {\bf TLS} protocol which allows a client to connect to a server,
-after a successful handshake, without the expensive calculations. This is
-achieved by using the previously
-established keys. \gnutls{} supports this feature, and the
-example \hyperref{resume client}{resume client (see section }{)}{resume-example} illustrates a typical use of it.
-\par
-Keep in mind that sessions are expired after some time, for security reasons, thus
-it may be normal for a server not to resume a session even if you requested that.
-Also note that you must enable, using the priority functions, at least the
-algorithms used in the last session.
-
-\subsection*{Resuming internals}
-The resuming capability, mostly in the server side, is one of the problems of a thread-safe TLS
-implementations. The problem is that all threads must share information in
-order to be able to resume sessions. The gnutls approach is, in case of a
-client, to leave all the burden of resuming to the client. Ie. copy and keep the
-necessary parameters. See the functions:
-\begin{itemize}
-\item \printfunc{gnutls_session_get_data}{gnutls\_session\_get\_data}
-\item \printfunc{gnutls_session_get_id}{gnutls\_session\_get\_id}
-\item \printfunc{gnutls_session_set_data}{gnutls\_session\_set\_data}
-\end{itemize}
-
-\par
-The server side is different. A server has to specify some callback functions
-which store, retrieve and delete session data. These can be registered with:
-\begin{itemize}
-\item \printfunc{gnutls_db_set_remove_function}{gnutls\_db\_set\_remove\_function}
-\item \printfunc{gnutls_db_set_store_function}{gnutls\_db\_set\_store\_function}
-\item \printfunc{gnutls_db_set_retrieve_function}{gnutls\_db\_set\_retrieve\_function}
-\item \printfunc{gnutls_db_set_ptr}{gnutls\_db\_set\_ptr}
-\end{itemize}
-
-\par
-It might also be useful to be able to check for expired sessions in order to remove
-them, and save space. The function
-\printfunc{gnutls_db_check_entry}{gnutls\_db\_check\_entry} is provided for that
-reason.
-
-
diff --git a/doc/tex/howto.tex b/doc/tex/howto.tex
deleted file mode 100644
index d4ebd935d8..0000000000
--- a/doc/tex/howto.tex
+++ /dev/null
@@ -1,131 +0,0 @@
-\chapter{How to use \tls{} in application protocols}
-\label{apps}
-
-\section{Introduction}
-This chapter is intended to provide some hints on how to use the \tls{}
-over simple custom made application protocols.
-The discussion below mainly refers to the \emph{TCP/IP} transport layer
-but may be extended to other ones too.
-
-\section{Separate ports}
-
-Traditionally \ssl{} was used in application protocols by assigning
-a new port number for the secure services. That way two separate
-ports were assigned, one for the
-non secure sessions, and one for the secured ones. This has the benefit
-that if a user requests a secure session then the client will try to
-connect to the secure port and fail otherwise. The only possible attack
-with this method is a denial of service one. The most famous
-example of this method is the famous ``HTTP over TLS'' or HTTPS\footnote{RFC2818}
-protocol \cite{RFC2818}.
-\par
-Despite its wide use, this method is not as good as it seems.
-This approach starts the \tls{} Handshake procedure just after the
-client connects on the --so called-- secure port.
-That way the \tls{} protocol does not know anything
-about the client, and popular methods like the host advertising in
-HTTP do not work\footnote{see also the Server Name Indication extension on \ref{serverind}, page \pageref{serverind}.}.
-There is no way for the client to say ``I connected
-to YYY server'' before the Handshake starts, so the server cannot
-possibly know which certificate to use.
-
-\par
-Other than that it requires two separate ports to run a single service, which is
-unnecessary complication. Due to the fact that there is a limitation on
-the available privileged ports, this approach was soon obsoleted.
-
-
-\section{Upward negotiation}
-Other application protocols\footnote{See LDAP, IMAP etc.}
-use a different approach to enable the secure layer.
-They use something called the ``TLS upgrade'' method. This method
-is quite tricky but it is more flexible. The idea is to extend
-the application protocol to have a ``STARTTLS'' request, whose purpose
-it to start the TLS protocols just after the client requests it.
-This is a really neat idea and does not require an extra port.
-\par
-This method is used by almost all modern protocols and there is
-even the \cite{RFC2817} paper which proposes extensions to HTTP
-to support it.
-\par
-The tricky part, in this method, is that the ``STARTTLS'' request is sent
-in the clear, thus is vulnerable to modifications.
-A typical attack is to modify the
-messages in a way that the client is fooled and thinks that the server
-does not have the ``STARTTLS'' capability. See a typical conversation
-of a hypothetical protocol:
-\begin{verbatim}
-(client connects to the server)
-
-CLIENT: HELLO I'M MR. XXX
-
-SERVER: NICE TO MEET YOU XXX
-
-CLIENT: PLEASE START TLS
-
-SERVER: OK
-
-*** TLS STARTS
-
-CLIENT: HERE ARE SOME CONFIDENTIAL DATA
-
-\end{verbatim}
-
-And see an example of a conversation where someone is acting
-in between:
-
-\begin{verbatim}
-(client connects to the server)
-
-CLIENT: HELLO I'M MR. XXX
-
-SERVER: NICE TO MEET YOU XXX
-
-CLIENT: PLEASE START TLS
-
-(here someone inserts this message)
-
-SERVER: SORRY I DON'T HAVE THIS CAPABILITY
-
-CLIENT: HERE ARE SOME CONFIDENTIAL DATA
-
-\end{verbatim}
-
-As you can see above the client was fooled, and was dummy enough
-to send the confidential data in the clear.
-\par
-How to avoid the above attack? As you may have already thought
-this one is easy to avoid. The client has to ask the user before it connects
-whether the user requests \tls{} or not. If the user answered that he
-certainly wants the secure layer the last conversation should be:
-
-\begin{verbatim}
-(client connects to the server)
-
-CLIENT: HELLO I'M MR. XXX
-
-SERVER: NICE TO MEET YOU XXX
-
-CLIENT: PLEASE START TLS
-
-(here someone inserts this message)
-
-SERVER: SORRY I DON'T HAVE THIS CAPABILITY
-
-CLIENT: BYE
-
-(the client notifies the user that the secure connection was not possible)
-
-\end{verbatim}
-
-
-\par
-This method, if implemented properly, is far better than the
-traditional method, and the security properties remain the same, since only
-denial of service is possible. The benefit is that the server may request
-additional data before the \tls{} Handshake protocol
-starts, in order to send the correct certificate, use the correct
-password file\footnote{in SRP authentication}, or anything else!
-
-
-
diff --git a/doc/tex/internals.eps b/doc/tex/internals.eps
deleted file mode 100644
index bde99ae489..0000000000
--- a/doc/tex/internals.eps
+++ /dev/null
@@ -1,320 +0,0 @@
-%!PS-Adobe-2.0 EPSF-2.0
-%%Title: internals.dia
-%%Creator: Dia v0.90
-%%CreationDate: Fri Sep 6 14:13:40 2002
-%%For: a user
-%%Magnification: 1.0000
-%%Orientation: Portrait
-%%BoundingBox: 0 0 898 560
-%%Pages: 1
-%%EndComments
-%%BeginProlog
-/cp {closepath} bind def
-/c {curveto} bind def
-/f {fill} bind def
-/a {arc} bind def
-/ef {eofill} bind def
-/ex {exch} bind def
-/gr {grestore} bind def
-/gs {gsave} bind def
-/sa {save} bind def
-/rs {restore} bind def
-/l {lineto} bind def
-/m {moveto} bind def
-/rm {rmoveto} bind def
-/n {newpath} bind def
-/s {stroke} bind def
-/sh {show} bind def
-/slc {setlinecap} bind def
-/slj {setlinejoin} bind def
-/slw {setlinewidth} bind def
-/srgb {setrgbcolor} bind def
-/rot {rotate} bind def
-/sc {scale} bind def
-/sd {setdash} bind def
-/ff {findfont} bind def
-/sf {setfont} bind def
-/scf {scalefont} bind def
-/sw {stringwidth pop} bind def
-/tr {translate} bind def
-
-/ellipsedict 8 dict def
-ellipsedict /mtrx matrix put
-/ellipse
-{ ellipsedict begin
- /endangle exch def
- /startangle exch def
- /yrad exch def
- /xrad exch def
- /y exch def
- /x exch def /savematrix mtrx currentmatrix def
- x y tr xrad yrad sc
- 0 0 1 startangle endangle arc
- savematrix setmatrix
- end
-} def
-
-/mergeprocs {
-dup length
-3 -1 roll
-dup
-length
-dup
-5 1 roll
-3 -1 roll
-add
-array cvx
-dup
-3 -1 roll
-0 exch
-putinterval
-dup
-4 2 roll
-putinterval
-} bind def
-%%EndProlog
-
-%%BeginSetup
-%%EndSetup
-28.346000 -28.346000 scale
--0.100000 -19.950000 translate
-
-1.000000 1.000000 1.000000 srgb
-n 0.152022 0.250000 m 0.152022 19.900000 l 31.702022 19.900000 l 31.702022 0.250000 l f
-0.100000 slw
-[] 0 sd
-[] 0 sd
-0 slj
-0.000000 0.000000 0.000000 srgb
-n 0.152022 0.250000 m 0.152022 19.900000 l 31.702022 19.900000 l 31.702022 0.250000 l cp s
-0.100000 slw
-[] 0 sd
-1.000000 1.000000 1.000000 srgb
-n 2.049996 9.864442 m 2.049996 12.014442 l 7.977996 12.014442 l 7.977996 9.864442 l f
-0.000000 0.000000 0.000000 srgb
-n 2.049996 9.864442 m 2.049996 12.014442 l 7.977996 12.014442 l 7.977996 9.864442 l cp s
-1.000000 1.000000 1.000000 srgb
-n 2.049996 9.864442 m 2.549996 9.364442 l 8.477996 9.364442 l 7.977996 9.864442 l f
-0.000000 0.000000 0.000000 srgb
-n 2.049996 9.864442 m 2.549996 9.364442 l 8.477996 9.364442 l 7.977996 9.864442 l cp s
-1.000000 1.000000 1.000000 srgb
-n 7.977996 9.864442 m 8.477996 9.364442 l 8.477996 11.514442 l 7.977996 12.014442 l f
-0.000000 0.000000 0.000000 srgb
-n 7.977996 9.864442 m 8.477996 9.364442 l 8.477996 11.514442 l 7.977996 12.014442 l cp s
-2.549996 10.977345 m [ /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /T /L /S /space /e /s /i /o /xi /xi /n /G /l /b /a /t
- /D /B /c /k /d /r /p /y /C /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
-] /e0 exch def
-/Helvetica_e0 undefinefont
-/Helvetica_e0
- /Helvetica findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding e0 def
- currentdict end
-definefont pop
-/Helvetica_e0 ff 0.800000 scf sf
-( !"#"$%%&'*)
- gs 1 -1 sc sh gr
-0.050000 slw
-n 2.549996 11.164442 m 7.477996 11.164442 l s
-0.100000 slw
-[] 0 sd
-1.000000 1.000000 1.000000 srgb
-n 10.921846 9.744442 m 10.921846 11.894442 l 16.849846 11.894442 l 16.849846 9.744442 l f
-0.000000 0.000000 0.000000 srgb
-n 10.921846 9.744442 m 10.921846 11.894442 l 16.849846 11.894442 l 16.849846 9.744442 l cp s
-1.000000 1.000000 1.000000 srgb
-n 10.921846 9.744442 m 11.421846 9.244442 l 17.349846 9.244442 l 16.849846 9.744442 l f
-0.000000 0.000000 0.000000 srgb
-n 10.921846 9.744442 m 11.421846 9.244442 l 17.349846 9.244442 l 16.849846 9.744442 l cp s
-1.000000 1.000000 1.000000 srgb
-n 16.849846 9.744442 m 17.349846 9.244442 l 17.349846 11.394442 l 16.849846 11.894442 l f
-0.000000 0.000000 0.000000 srgb
-n 16.849846 9.744442 m 17.349846 9.244442 l 17.349846 11.394442 l 16.849846 11.894442 l cp s
-11.421846 10.857345 m /Helvetica_e0 ff 0.800000 scf sf
-( !"#"$%%&'*)
- gs 1 -1 sc sh gr
-0.050000 slw
-n 11.421846 11.044442 m 16.349846 11.044442 l s
-0.100000 slw
-[] 0 sd
-1.000000 1.000000 1.000000 srgb
-n 6.586246 1.665909 3.514400 1.171467 0 360 ellipse f
-0.000000 0.000000 0.000000 srgb
-n 6.586246 1.665909 3.514400 1.171467 0 360 ellipse cp s
-/Helvetica_e0 ff 0.800000 scf sf
-(+,'-.,#%/./$) sw
-2 div 6.586246 ex sub 1.878812 m (+,'-.,#%/./$)
- gs 1 -1 sc sh gr
-0.100000 slw
-[] 0 sd
-0 slj
-0 slc
-n 13.885846 9.744442 m 13.885846 4.744442 l 9.071302 4.744442 l 9.071302 2.494261 l s
-0 slj
-1.000000 1.000000 1.000000 srgb
-n 13.485846 8.944442 m 13.885846 9.744442 l 14.285846 8.944442 l f
-0.100000 slw
-[] 0 sd
-0 slj
-0.000000 0.000000 0.000000 srgb
-n 13.485846 8.944442 m 13.885846 9.744442 l 14.285846 8.944442 l cp s
-0.100000 slw
-[] 0 sd
-0 slj
-0 slc
-n 5.013996 9.864442 m 5.013996 3.794442 l 8.571846 3.794442 l 8.571846 2.644442 l s
-0 slj
-1.000000 1.000000 1.000000 srgb
-n 4.613996 9.064442 m 5.013996 9.864442 l 5.413996 9.064442 l f
-0.100000 slw
-[] 0 sd
-0 slj
-0.000000 0.000000 0.000000 srgb
-n 4.613996 9.064442 m 5.013996 9.864442 l 5.413996 9.064442 l cp s
-0.100000 slw
-[1.000000] 0 sd
-[0.400000] 0 sd
-0 slj
-0 slc
-n 25.988246 3.023182 m 25.988246 7.144442 l 6.999996 7.144442 l 6.999996 9.594442 l s
-0.100000 slw
-[] 0 sd
-0 slj
-0 slc
-n 6.749996 8.794442 m 6.999996 9.594442 l 7.249996 8.794442 l s
-0.100000 slw
-[0.400000] 0 sd
-[0.400000] 0 sd
-0 slj
-0 slc
-n 23.590305 2.692096 m 23.590305 8.194442 l 15.850046 8.194442 l 15.850046 9.594442 l s
-0.100000 slw
-[] 0 sd
-0 slj
-0 slc
-n 15.600046 8.794442 m 15.850046 9.594442 l 16.100046 8.794442 l s
-0.100000 slw
-[] 0 sd
-[] 0 sd
-0 slc
-0 slj
-0 slc
-0 slj
-[] 0 sd
-1.000000 1.000000 1.000000 srgb
-n 25.407947 11.885335 m 25.407947 15.102499 l 29.054065 15.102499 l 29.054065 11.885335 l f
-0 slc
-0 slj
-[] 0 sd
-n 27.231006 15.102499 1.823059 0.536194 0 360 ellipse f
-0 slc
-0 slj
-[] 0 sd
-n 27.231006 11.885335 1.823059 0.536194 0 360 ellipse f
-0.000000 0.000000 0.000000 srgb
-n 27.231006 11.885335 1.823059 0.536194 0 360 ellipse cp s
-0 slc
-0 slj
-[] 0 sd
-n 29.054065 11.885335 m 29.054065 15.102499 l 29.054065 15.398631 28.237854 15.638693 27.231006 15.638693 c 26.224158 15.638693 25.407947 15.398631 25.407947 15.102499 c 25.407947 11.885335 l s
-/Courier_e0 undefinefont
-/Courier_e0
- /Courier findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding e0 def
- currentdict end
-definefont pop
-/Courier_e0 ff 0.800000 scf sf
-("$%%&'*#0./.-.%$) sw
-2 div 27.552722 ex sub 16.255836 m ("$%%&'*#0./.-.%$)
- gs 1 -1 sc sh gr
-(1.23$*4) sw
-2 div 27.552722 ex sub 17.055836 m (1.23$*4)
- gs 1 -1 sc sh gr
-1.000000 1.000000 1.000000 srgb
-n 6.925000 18.544442 6.775000 1.200000 0 360 ellipse f
-0.100000 slw
-[] 0 sd
-[] 0 sd
-0.000000 0.000000 0.000000 srgb
-n 6.925000 18.544442 6.775000 1.200000 0 360 ellipse cp s
-/Courier_e0 ff 0.800000 scf sf
-( 5.*%6'5/#!.7$5) sw
-2 div 6.399996 ex sub 18.744442 m ( 5.*%6'5/#!.7$5)
- gs 1 -1 sc sh gr
-0.100000 slw
-[] 0 sd
-1.000000 1.000000 1.000000 srgb
-n 25.988246 1.892782 3.391200 1.130400 0 360 ellipse f
-0.000000 0.000000 0.000000 srgb
-n 25.988246 1.892782 3.391200 1.130400 0 360 ellipse cp s
-/Helvetica_e0 ff 0.800000 scf sf
-(85$4$*/&.,%) sw
-2 div 25.988246 ex sub 2.105685 m (85$4$*/&.,%)
- gs 1 -1 sc sh gr
-0.100000 slw
-0 slc
-[] 0 sd
-1.000000 0.000000 0.000000 srgb
-n 11.715648 17.695914 m 13.885846 11.894442 l s
-0 slj
-n 11.761788 16.859032 m 11.715648 17.695914 l 12.230094 17.034215 l f
-0.100000 slw
-0 slc
-[] 0 sd
-n 13.513746 11.849542 m 11.297046 17.533342 l s
-0 slj
-n 13.455981 12.685702 m 13.513746 11.849542 l 12.990154 12.504028 l f
-0.100000 slw
-0 slc
-[] 0 sd
-n 4.590206 12.020142 m 4.590306 17.362842 l s
-0 slj
-n 4.840221 12.820137 m 4.590206 12.020142 l 4.340221 12.820147 l f
-0.100000 slw
-[1.000000] 0 sd
-[0.400000] 0 sd
-0 slj
-0 slc
-0.000000 0.000000 0.000000 srgb
-n 6.011256 12.133742 m 6.011256 12.929542 l 25.393046 12.929542 l 25.393046 12.929542 l s
-0.100000 slw
-[] 0 sd
-0 slj
-0 slc
-n 24.593046 13.179542 m 25.393046 12.929542 l 24.593046 12.679542 l s
-0.100000 slw
-[0.400000] 0 sd
-[0.400000] 0 sd
-0 slj
-0 slc
-n 17.208346 10.258142 m 17.208346 10.258142 l 27.155046 10.258142 l 27.155046 11.792742 l s
-0.100000 slw
-[] 0 sd
-0 slj
-0 slc
-n 26.905046 10.992742 m 27.155046 11.792742 l 27.405046 10.992742 l s
-0.100000 slw
-0 slc
-[] 0 sd
-1.000000 0.000000 0.000000 srgb
-n 4.988176 17.476542 m 5.013996 12.014442 l s
-0 slj
-n 4.741960 16.675369 m 4.988176 17.476542 l 5.241955 16.677733 l f
-showpage
diff --git a/doc/tex/layers.eps b/doc/tex/layers.eps
deleted file mode 100644
index 48115d0485..0000000000
--- a/doc/tex/layers.eps
+++ /dev/null
@@ -1,183 +0,0 @@
-%!PS-Adobe-2.0 EPSF-2.0
-%%Title: layers.dia
-%%Creator: Dia v0.90
-%%CreationDate: Fri Sep 6 21:01:53 2002
-%%For: a user
-%%Magnification: 1.0000
-%%Orientation: Portrait
-%%BoundingBox: 0 0 698 396
-%%Pages: 1
-%%EndComments
-%%BeginProlog
-/cp {closepath} bind def
-/c {curveto} bind def
-/f {fill} bind def
-/a {arc} bind def
-/ef {eofill} bind def
-/ex {exch} bind def
-/gr {grestore} bind def
-/gs {gsave} bind def
-/sa {save} bind def
-/rs {restore} bind def
-/l {lineto} bind def
-/m {moveto} bind def
-/rm {rmoveto} bind def
-/n {newpath} bind def
-/s {stroke} bind def
-/sh {show} bind def
-/slc {setlinecap} bind def
-/slj {setlinejoin} bind def
-/slw {setlinewidth} bind def
-/srgb {setrgbcolor} bind def
-/rot {rotate} bind def
-/sc {scale} bind def
-/sd {setdash} bind def
-/ff {findfont} bind def
-/sf {setfont} bind def
-/scf {scalefont} bind def
-/sw {stringwidth pop} bind def
-/tr {translate} bind def
-
-/ellipsedict 8 dict def
-ellipsedict /mtrx matrix put
-/ellipse
-{ ellipsedict begin
- /endangle exch def
- /startangle exch def
- /yrad exch def
- /xrad exch def
- /y exch def
- /x exch def /savematrix mtrx currentmatrix def
- x y tr xrad yrad sc
- 0 0 1 startangle endangle arc
- savematrix setmatrix
- end
-} def
-
-/mergeprocs {
-dup length
-3 -1 roll
-dup
-length
-dup
-5 1 roll
-3 -1 roll
-add
-array cvx
-dup
-3 -1 roll
-0 exch
-putinterval
-dup
-4 2 roll
-putinterval
-} bind def
-%%EndProlog
-
-%%BeginSetup
-%%EndSetup
-28.346000 -28.346000 scale
--2.853249 -14.882857 translate
-
-0.100000 slw
-[] 0 sd
-[] 0 sd
-0 slc
-0 slj
-0 slc
-0 slj
-[] 0 sd
-1.000000 1.000000 1.000000 srgb
-n 2.925202 11.305475 m 7.825202 10.776368 10.275202 10.599999 15.175202 10.599999 c 20.075202 10.599999 22.525202 10.776368 27.425202 11.305475 c 27.425202 14.127381 l 22.525202 14.656488 20.075202 14.832857 15.175202 14.832857 c 10.275202 14.832857 7.825202 14.656488 2.925202 14.127381 c 2.925202 11.305475 l f
-0.000000 0.000000 0.000000 srgb
-n 2.925202 11.305475 m 7.825202 10.776368 10.275202 10.599999 15.175202 10.599999 c 20.075202 10.599999 22.525202 10.776368 27.425202 11.305475 c 27.425202 14.127381 l 22.525202 14.656488 20.075202 14.832857 15.175202 14.832857 c 10.275202 14.832857 7.825202 14.656488 2.925202 14.127381 c 2.925202 11.305475 l s
-0 slc
-0 slj
-[] 0 sd
-n 2.925202 11.305475 m 7.825202 11.834583 10.275202 12.010952 15.175202 12.010952 c 20.075202 12.010952 22.525202 11.834583 27.425202 11.305475 c s
- [ /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /space /T /r /a /n /s /p /o /xi /xi /t /L /y /e /S /R
- /c /d /P /l /A /i /H /h /k /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
-] /e0 exch def
-/Courier_e0 undefinefont
-/Courier_e0
- /Courier findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding e0 def
- currentdict end
-definefont pop
-/Courier_e0 ff 0.800000 scf sf
-( !"#$%&'"* +#,-" ) sw
-2 div 15.175202 ex sub 13.286309 m ( !"#$%&'"* +#,-" )
- gs 1 -1 sc sh gr
-0.100000 slw
-[] 0 sd
-[] 0 sd
-0 slc
-0 slj
-0 slc
-0 slj
-[] 0 sd
-1.000000 1.000000 1.000000 srgb
-n 2.925202 7.452368 m 7.815202 6.850591 10.260202 6.649999 15.150202 6.649999 c 20.040202 6.649999 22.485202 6.850591 27.375202 7.452368 c 27.375202 10.661842 l 22.485202 11.263619 20.040202 11.464211 15.150202 11.464211 c 10.260202 11.464211 7.815202 11.263619 2.925202 10.661842 c 2.925202 7.452368 l f
-0.000000 0.000000 0.000000 srgb
-n 2.925202 7.452368 m 7.815202 6.850591 10.260202 6.649999 15.150202 6.649999 c 20.040202 6.649999 22.485202 6.850591 27.375202 7.452368 c 27.375202 10.661842 l 22.485202 11.263619 20.040202 11.464211 15.150202 11.464211 c 10.260202 11.464211 7.815202 11.263619 2.925202 10.661842 c 2.925202 7.452368 l s
-0 slc
-0 slj
-[] 0 sd
-n 2.925202 7.452368 m 7.815202 8.054144 10.260202 8.254736 15.150202 8.254736 c 20.040202 8.254736 22.485202 8.054144 27.375202 7.452368 c s
-/Courier_e0 ff 0.800000 scf sf
-( !+. /-0'"1 ) sw
-2 div 15.150202 ex sub 9.275432 m ( !+. /-0'"1 )
- gs 1 -1 sc sh gr
-(2"'*'0'3) sw
-2 div 15.150202 ex sub 10.075432 m (2"'*'0'3)
- gs 1 -1 sc sh gr
-0.100000 slw
-[] 0 sd
-[] 0 sd
-0 slc
-0 slj
-0 slc
-0 slj
-[] 0 sd
-1.000000 1.000000 1.000000 srgb
-n 2.903249 3.602368 m 7.799070 3.000591 10.246981 2.799999 15.142802 2.799999 c 20.038623 2.799999 22.486534 3.000591 27.382355 3.602368 c 27.382355 6.811842 l 22.486534 7.413619 20.038623 7.614211 15.142802 7.614211 c 10.246981 7.614211 7.799070 7.413619 2.903249 6.811842 c 2.903249 3.602368 l f
-0.000000 0.000000 0.000000 srgb
-n 2.903249 3.602368 m 7.799070 3.000591 10.246981 2.799999 15.142802 2.799999 c 20.038623 2.799999 22.486534 3.000591 27.382355 3.602368 c 27.382355 6.811842 l 22.486534 7.413619 20.038623 7.614211 15.142802 7.614211 c 10.246981 7.614211 7.799070 7.413619 2.903249 6.811842 c 2.903249 3.602368 l s
-0 slc
-0 slj
-[] 0 sd
-n 2.903249 3.602368 m 7.799070 4.204144 10.246981 4.404736 15.142802 4.404736 c 20.038623 4.404736 22.486534 4.204144 27.382355 3.602368 c s
-/Courier_e0 ff 0.800000 scf sf
-( 4&&350#*5'$ !+. 6#$1%7#8- !+. 43-"*) sw
-2 div 15.142802 ex sub 5.425432 m ( 4&&350#*5'$ !+. 6#$1%7#8- !+. 43-"*)
- gs 1 -1 sc sh gr
-( 2"'*'0'3 2"'*'0'3 2"'*'0'3) sw
-2 div 15.142802 ex sub 6.225432 m ( 2"'*'0'3 2"'*'0'3 2"'*'0'3)
- gs 1 -1 sc sh gr
-0.100000 slw
-[] 0 sd
-[] 0 sd
-0 slc
-n 20.275302 4.378604 m 20.312578 7.538693 l s
-0.100000 slw
-[] 0 sd
-[] 0 sd
-0 slc
-n 12.075202 7.582857 m 12.125202 4.382857 l s
-showpage
diff --git a/doc/tex/layers.tex b/doc/tex/layers.tex
deleted file mode 100644
index 40f6d504e3..0000000000
--- a/doc/tex/layers.tex
+++ /dev/null
@@ -1,30 +0,0 @@
-\section{TLS layers\index{TLS Layers}}
-
-\tlsI{} is a layered protocol, and consists of the Record Protocol,
-the Handshake Protocol and the Alert Protocol. The Record Protocol
-is to serve all other protocols and is above the transport layer.
-The Record protocol offers symmetric encryption, data authenticity, and
-optionally compression.
-
-\par
-The Alert protocol offers some signaling to the other protocols. It can
-help informing the peer for the cause of failures and other error
-conditions. See section \ref{alert} on page \pageref{alert} for more information.
-The alert protocol is above the record protocol.
-
-\par
-The Handshake protocol is responsible for the security parameters'
-negotiation, the initial key exchange and
-authentication.
-See section \ref{handshake} on page \pageref{handshake} for more information
-about the handshake protocol.
-The protocol layering in TLS is shown at \hyperref{figure}{figure }{}{fig:layers}.
-
-\begin{figure}[hbtp]
-\includegraphics[height=8cm,width=12cm]{layers}
-\label{fig:layers}
-\caption{Layers in the TLS protocol}
-\end{figure}
-
-\addvspace{1.5cm}
-
diff --git a/doc/tex/library.tex b/doc/tex/library.tex
deleted file mode 100644
index 6600aff909..0000000000
--- a/doc/tex/library.tex
+++ /dev/null
@@ -1,109 +0,0 @@
-\chapter{The Library}
-
-\section{Description}
-\par
-In brief \gnutls{} can be described as a library which offers
-an API to access secure communication protocols. These protocols provide
-privacy over insecure lines, and were designed to prevent
-eavesdropping, tampering, or message forgery.
-
-\par
-Technically \gnutls{} is a portable ANSI {\bf C} based library which implements the
-\tlsI{}\footnote{See section \ref{sec:tlsintro} on page \pageref{sec:tlsintro} for
-a more detailed description of the protocols.} and \sslIII{} protocols,
-accompanied with the required framework for authentication and
-public key infrastructure.
-The library is available under the GNU Lesser GPL license\footnote{A copy of the license is included
-in the distribution}.
-Important features of the \gnutls{} library include:
-
-\begin{itemize}
-\item Support for \tlsI{}, \tlsII{} and \sslIII{} protocols.
-\item Support for both {\bf X.509} and {\bf OpenPGP} certificates.
-\item Support for handling and verification of certificates.
-\item Support for {\bf SRP} for \tls{} authentication.
-\item Support for \tls{} {\bf Extension mechanism}.
-\item Support for \tls{} {\bf Compression Methods}.
-\end{itemize}
-
-Additionally \gnutls{} provides a limited emulation API for the widely used
-OpenSSL\footnote{\htmladdnormallink{http://www.openssl.org/}{http://www.openssl.org/}}
-library, to ease integration with existing applications.
-
-\par
-\gnutls{} consists of three
-independent parts, namely the ``TLS protocol part'', the ``Certificate part'', and
-the ``Crypto backend'' part.
-The `TLS protocol part' is the actual protocol implementation, and is entirely
-implemented within the \gnutls{} library.
-The `Certificate part' consists of the certificate parsing, and verification
-functions which is partially implemented in the \gnutls{} library. The
-Libtasn1\footnote{\htmladdnormallink{ftp://ftp.gnupg.org/gcrypt/alpha/gnutls/libtasn1/}{ftp://ftp.gnupg.org/gcrypt/alpha/gnutls/libtasn1/}}
-a library which offers ASN.1 parsing capabilities, is used for the
-X.509 certificate parsing functions, and
-Opencdk\footnote{\htmladdnormallink{ftp://ftp.gnupg.org/gcrypt/alpha/gnutls/opencdk/}{ftp://ftp.gnupg.org/gcrypt/alpha/gnutls/opencdk/}}
-is used for the OpenPGP key support in \gnutls{}.
-The `Crypto backend' is provided by the
-libgcrypt\footnote{\htmladdnormallink{ftp://ftp.gnupg.org/gcrypt/alpha/libgcrypt/}{ftp://ftp.gnupg.org/gcrypt/alpha/libgcrypt/}}
-library.
-\par
-In order to ease integration in embedded systems, parts of the \gnutls{} library
-can be disabled at compile time. That way a small library, with the required features,
-can be generated.
-
-\section{General Idea}
-% explain how it works
-A brief description of how \gnutls{} works internally is shown at
-the figure \ref{fig:internals}. This section may be easier to understand
-after having seen the examples on page \pageref{examples}.
-
-\begin{figure}[htp]
-\includegraphics[height=8cm,width=12cm]{internals}
-\label{fig:internals}
-\end{figure}
-
-\par
-As shown in the figure, there is a read-only global state that
-is initialized once by the global initialization function.
-This global structure, among others, contains the memory allocation
-functions used, and some structures needed for the ASN.1 parser.
-This structure is never modified by any \gnutls{} function, except
-for the deinitialization function which frees all memory allocated in
-the global structure and is called after the program has permanently finished
-using \gnutls{}.
-
-\par
-The credentials structure is used by some authentication methods,
-such as certificate authentication\footnote{see section \ref{certificate} on page \pageref{certificate}}.
-A credentials structure may contain certificates, private keys, temporary parameters
-for diffie hellman or RSA key exchange, and other stuff that may be shared
-between several TLS sessions.
-
-This structure should be initialized using the appropriate initialization
-functions. For example an application which uses certificate authentication
-would probably initialize the credentials, using the appropriate functions,
-and put its trusted certificates in this structure. The next step is to
-associate the credentials structure with each \tls{} session.
-
-\par A \gnutls{} session contains all the required stuff for a
-session to handle one secure connection. This session calls directly
-to the transport layer functions, in order to communicate with the peer.
-Every session has a unique session ID shared with the peer.
-
-\par
-Since TLS sessions can be resumed, servers would probably need a database
-backend to hold the session's parameters. Every \gnutls{} session after
-a successful handshake calls the appropriate backend function\footnote{see section \ref{resume}
-on \pageref{resume} for information on initialization} to store the
-newly negotiated session. The session database is examined by the server
-just after having received the client hello\footnote{The first message
-in a \tls{} handshake}, and if the session ID sent by the client,
-matches a stored session, the stored session will be retrieved, and the
-new session will be a resumed one, and will share the same session ID
-with the previous one.
-
-\input{errors}
-
-\input{memory}
-
-\input{callbacks}
diff --git a/doc/tex/macros.tex b/doc/tex/macros.tex
deleted file mode 100644
index 550dcc05c5..0000000000
--- a/doc/tex/macros.tex
+++ /dev/null
@@ -1,23 +0,0 @@
-\newcommand{\gnutls}{{\emph{GnuTLS}}}
-\newcommand{\gnutlse}{{\emph{GnuTLS-extra}}}
-\newcommand{\tlsI}{{\emph{TLS 1.0}}}
-\newcommand{\tlsII}{{\emph{TLS 1.1}}}
-\newcommand{\tls}{{\emph{TLS}}}
-\newcommand{\sslIII}{{\emph{SSL 3.0}}}
-\newcommand{\sslII}{{\emph{SSL 2.0}}}
-\newcommand{\ssl}{{\emph{SSL}}}
-\newcommand{\HRule}{\rule{\linewidth}{0.4mm}}
-
-\newcommand{\option}[1]{%
- {\tt{#1}}
-}
-
-\newcommand{\command}[1]{%
- ``{\tt{#1}}''
-}
-
-% accepts section name, function name
-\newcommand{\printfunc}[2]{%
- \hyperref{#2}{#2() (see section }{ p.\pageref{#1})}{#1}
-}
-
diff --git a/doc/tex/memory.tex b/doc/tex/memory.tex
deleted file mode 100644
index d353cd6914..0000000000
--- a/doc/tex/memory.tex
+++ /dev/null
@@ -1,17 +0,0 @@
-\section{Memory handling}
-
-\gnutls{} internally handles heap allocated objects differently, depending
-on the sensitivity of the data they contain. However for performance
-reasons, the default memory functions do not overwrite sensitive data from
-memory, nor protect such objects from being written to the swap.
-In order to change the default behavior the
-\printfunc{gnutls_global_set_mem_functions}{gnutls\_global\_set\_mem\_functions}
-function is available which can be used to set other memory
-handlers than the defaults.
-\par
-The \emph{libgcrypt} library on which \gnutls{} depends, has such secure
-memory allocation functions available. These should be used in cases
-where even the system's swap memory is not considered secure. See
-the documentation of \emph{libgcrypt} for more information.
-
-
diff --git a/doc/tex/openssl.tex b/doc/tex/openssl.tex
deleted file mode 100644
index f44af5e603..0000000000
--- a/doc/tex/openssl.tex
+++ /dev/null
@@ -1,20 +0,0 @@
-\section{Compatibility with the OpenSSL\index{OpenSSL} library}
-
-To ease \gnutls{}' integration with existing applications, a compatibility
-layer with the widely used OpenSSL library is included in the \emph{gnutls-openssl}
-library. This compatibility layer is not complete and it is not
-intended to completely reimplement the OpenSSL API with \gnutls{}.
-It only provides source-level compatibility. There is currently no
-attempt to make it binary-compatible with OpenSSL.
-\par
-The prototypes for the compatibility functions are in the
-``gnutls/openssl.h'' header file.
-
-Current limitations imposed by the compatibility layer include:
-
-\begin{itemize}
-
-\item Error handling is not thread safe.
-
-\end{itemize}
-
diff --git a/doc/tex/pgp-fig1.eps b/doc/tex/pgp-fig1.eps
deleted file mode 100644
index a24985a5e3..0000000000
--- a/doc/tex/pgp-fig1.eps
+++ /dev/null
@@ -1,479 +0,0 @@
-%!PS-Adobe-2.0 EPSF-2.0
-%%Title: /usr/home/nmav/pgp1.dia
-%%Creator: Dia v0.88.1
-%%CreationDate: Mon Jun 10 16:43:25 2002
-%%For: nmav
-%%Magnification: 1.0000
-%%Orientation: Portrait
-%%BoundingBox: 0 0 471 433
-%%Pages: 1
-%%BeginSetup
-%%EndSetup
-%%EndComments
-%%BeginProlog
-[ /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
-/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
-/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
-/.notdef /.notdef /space /exclam /quotedbl /numbersign /dollar /percent /ampersand /quoteright
-/parenleft /parenright /asterisk /plus /comma /hyphen /period /slash /zero /one
-/two /three /four /five /six /seven /eight /nine /colon /semicolon
-/less /equal /greater /question /at /A /B /C /D /E
-/F /G /H /I /J /K /L /M /N /O
-/P /Q /R /S /T /U /V /W /X /Y
-/Z /bracketleft /backslash /bracketright /asciicircum /underscore /quoteleft /a /b /c
-/d /e /f /g /h /i /j /k /l /m
-/n /o /p /q /r /s /t /u /v /w
-/x /y /z /braceleft /bar /braceright /asciitilde /.notdef /.notdef /.notdef
-/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
-/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
-/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
-/space /exclamdown /cent /sterling /currency /yen /brokenbar /section /dieresis /copyright
-/ordfeminine /guillemotleft /logicalnot /hyphen /registered /macron /degree /plusminus /twosuperior /threesuperior
-/acute /mu /paragraph /periodcentered /cedilla /onesuperior /ordmasculine /guillemotright /onequarter /onehalf
-/threequarters /questiondown /Agrave /Aacute /Acircumflex /Atilde /Adieresis /Aring /AE /Ccedilla
-/Egrave /Eacute /Ecircumflex /Edieresis /Igrave /Iacute /Icircumflex /Idieresis /Eth /Ntilde
-/Ograve /Oacute /Ocircumflex /Otilde /Odieresis /multiply /Oslash /Ugrave /Uacute /Ucircumflex
-/Udieresis /Yacute /Thorn /germandbls /agrave /aacute /acircumflex /atilde /adieresis /aring
-/ae /ccedilla /egrave /eacute /ecircumflex /edieresis /igrave /iacute /icircumflex /idieresis
-/eth /ntilde /ograve /oacute /ocircumflex /otilde /odieresis /divide /oslash /ugrave
-/uacute /ucircumflex /udieresis /yacute /thorn /ydieresis] /isolatin1encoding exch def
-/Times-Roman-latin1
- /Times-Roman findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/Times-Italic-latin1
- /Times-Italic findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/Times-Bold-latin1
- /Times-Bold findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/Times-BoldItalic-latin1
- /Times-BoldItalic findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/AvantGarde-Book-latin1
- /AvantGarde-Book findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/AvantGarde-BookOblique-latin1
- /AvantGarde-BookOblique findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/AvantGarde-Demi-latin1
- /AvantGarde-Demi findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/AvantGarde-DemiOblique-latin1
- /AvantGarde-DemiOblique findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/Bookman-Light-latin1
- /Bookman-Light findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/Bookman-LightItalic-latin1
- /Bookman-LightItalic findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/Bookman-Demi-latin1
- /Bookman-Demi findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/Bookman-DemiItalic-latin1
- /Bookman-DemiItalic findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/Courier-latin1
- /Courier findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/Courier-Oblique-latin1
- /Courier-Oblique findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/Courier-Bold-latin1
- /Courier-Bold findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/Courier-BoldOblique-latin1
- /Courier-BoldOblique findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/Helvetica-latin1
- /Helvetica findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/Helvetica-Oblique-latin1
- /Helvetica-Oblique findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/Helvetica-Bold-latin1
- /Helvetica-Bold findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/Helvetica-BoldOblique-latin1
- /Helvetica-BoldOblique findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/Helvetica-Narrow-latin1
- /Helvetica-Narrow findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/Helvetica-Narrow-Oblique-latin1
- /Helvetica-Narrow-Oblique findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/Helvetica-Narrow-Bold-latin1
- /Helvetica-Narrow-Bold findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/Helvetica-Narrow-BoldOblique-latin1
- /Helvetica-Narrow-BoldOblique findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/NewCenturySchoolbook-Roman-latin1
- /NewCenturySchoolbook-Roman findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/NewCenturySchoolbook-Italic-latin1
- /NewCenturySchoolbook-Italic findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/NewCenturySchoolbook-Bold-latin1
- /NewCenturySchoolbook-Bold findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/NewCenturySchoolbook-BoldItalic-latin1
- /NewCenturySchoolbook-BoldItalic findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/Palatino-Roman-latin1
- /Palatino-Roman findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/Palatino-Italic-latin1
- /Palatino-Italic findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/Palatino-Bold-latin1
- /Palatino-Bold findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/Palatino-BoldItalic-latin1
- /Palatino-BoldItalic findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/Symbol-latin1
- /Symbol findfont
-definefont pop
-/ZapfChancery-MediumItalic-latin1
- /ZapfChancery-MediumItalic findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/ZapfDingbats-latin1
- /ZapfDingbats findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding isolatin1encoding def
- currentdict end
-definefont pop
-/cp {closepath} bind def
-/c {curveto} bind def
-/f {fill} bind def
-/a {arc} bind def
-/ef {eofill} bind def
-/ex {exch} bind def
-/gr {grestore} bind def
-/gs {gsave} bind def
-/sa {save} bind def
-/rs {restore} bind def
-/l {lineto} bind def
-/m {moveto} bind def
-/rm {rmoveto} bind def
-/n {newpath} bind def
-/s {stroke} bind def
-/sh {show} bind def
-/slc {setlinecap} bind def
-/slj {setlinejoin} bind def
-/slw {setlinewidth} bind def
-/srgb {setrgbcolor} bind def
-/rot {rotate} bind def
-/sc {scale} bind def
-/sd {setdash} bind def
-/ff {findfont} bind def
-/sf {setfont} bind def
-/scf {scalefont} bind def
-/sw {stringwidth pop} bind def
-/tr {translate} bind def
-
-/ellipsedict 8 dict def
-ellipsedict /mtrx matrix put
-/ellipse
-{ ellipsedict begin
- /endangle exch def
- /startangle exch def
- /yrad exch def
- /xrad exch def
- /y exch def
- /x exch def /savematrix mtrx currentmatrix def
- x y tr xrad yrad sc
- 0 0 1 startangle endangle arc
- savematrix setmatrix
- end
-} def
-
-/mergeprocs {
-dup length
-3 -1 roll
-dup
-length
-dup
-5 1 roll
-3 -1 roll
-add
-array cvx
-dup
-3 -1 roll
-0 exch
-putinterval
-dup
-4 2 roll
-putinterval
-} bind def
-28.346000 -28.346000 scale
-0.024000 -15.632857 translate
-%%EndProlog
-
-
-0.100000 slw
-[] 0 sd
-1.000000 1.000000 1.000000 srgb
-n 4.162000 3.350000 2.512000 1.000000 0 360 ellipse f
-0.000000 0.000000 0.000000 srgb
-n 4.162000 3.350000 2.512000 1.000000 0 360 ellipse cp s
-/Courier-Bold-latin1 ff 0.800000 scf sf
-(Alice) dup sw 2 div 4.162000 ex sub 3.555217 m gs 1 -1 sc sh gr
-0.100000 slw
-[] 0 sd
-1.000000 1.000000 1.000000 srgb
-n 2.604400 11.000000 1.654400 1.000000 0 360 ellipse f
-0.000000 0.000000 0.000000 srgb
-n 2.604400 11.000000 1.654400 1.000000 0 360 ellipse cp s
-/Courier-Bold-latin1 ff 0.800000 scf sf
-(Bob) dup sw 2 div 2.604400 ex sub 11.205217 m gs 1 -1 sc sh gr
-0.100000 slw
-0 slc
-[] 0 sd
-n 2.385748 4.057107 m 2.604400 10.000000 l s
-0 slj
-n 2.664993 4.847374 m 2.385748 4.057107 l 2.165331 4.865758 l f
-/Helvetica-latin1 ff 0.800000 scf sf
-0.100000 slw
-0 slc
-[] 0 sd
-n 3.774237 10.292893 m 4.162000 4.350000 l s
-0 slj
-n 3.576856 9.478313 m 3.774237 10.292893 l 4.075795 9.510868 l f
-/Helvetica-latin1 ff 0.800000 scf sf
-0.100000 slw
-[] 0 sd
-1.000000 1.000000 1.000000 srgb
-n 8.589200 7.050000 2.139200 1.000000 0 360 ellipse f
-0.000000 0.000000 0.000000 srgb
-n 8.589200 7.050000 2.139200 1.000000 0 360 ellipse cp s
-/Courier-Bold-latin1 ff 0.800000 scf sf
-(Dave) dup sw 2 div 8.589200 ex sub 7.255217 m gs 1 -1 sc sh gr
-0.100000 slw
-[] 0 sd
-[] 0 sd
-0 slc
-0 slj
-0 slc
-0 slj
-[] 0 sd
-n 0.500000 0.900000 m 16.050000 0.900000 l s
-0 slc
-0 slj
-[] 0 sd
-n 0.500000 13.550000 m 16.050000 13.550000 l s
-0 slc
-0 slj
-[] 0 sd
-n 0.500000 0.900000 m 0.500000 13.550000 l s
-0 slc
-0 slj
-[] 0 sd
-n 16.050000 0.900000 m 16.050000 13.550000 l s
-/Courier-latin1 ff 0.800000 scf sf
-(An example of the) dup sw 2 div 8.200000 ex sub 14.650000 m gs 1 -1 sc sh gr
-( web of trust model) dup sw 2 div 8.200000 ex sub 15.450000 m gs 1 -1 sc sh gr
-0.100000 slw
-0 slc
-[] 0 sd
-n 5.938252 4.057107 m 7.076557 6.342893 l s
-0 slj
-n 6.518659 4.661779 m 5.938252 4.057107 l 6.071086 4.884666 l f
-/Helvetica-latin1 ff 0.800000 scf sf
-0.100000 slw
-[] 0 sd
-[0.400000] 0 sd
-0 slc
-n 8.589200 6.050000 m 6.674000 3.350000 l s
-0.100000 slw
-[] 0 sd
-0 slj
-0 slc
-n 7.340758 3.857872 m 6.674000 3.350000 l 6.932938 4.147152 l s
-/Courier-latin1 ff 0.800000 scf sf
-({Trust}) 7.631600 4.700000 m gs 1 -1 sc sh gr
-0.100000 slw
-[] 0 sd
-1.000000 1.000000 1.000000 srgb
-n 10.396800 10.950000 2.996800 1.000000 0 360 ellipse f
-0.000000 0.000000 0.000000 srgb
-n 10.396800 10.950000 2.996800 1.000000 0 360 ellipse cp s
-/Courier-Bold-latin1 ff 0.800000 scf sf
-(Charlie) dup sw 2 div 10.396800 ex sub 11.155217 m gs 1 -1 sc sh gr
-0.100000 slw
-[] 0 sd
-1.000000 1.000000 1.000000 srgb
-n 12.562000 2.900000 2.512000 1.000000 0 360 ellipse f
-0.000000 0.000000 0.000000 srgb
-n 12.562000 2.900000 2.512000 1.000000 0 360 ellipse cp s
-/Courier-Bold-latin1 ff 0.800000 scf sf
-(Kevin) dup sw 2 div 12.562000 ex sub 3.105217 m gs 1 -1 sc sh gr
-0.100000 slw
-0 slc
-[] 0 sd
-n 10.101843 6.342893 m 12.562000 3.900000 l s
-0 slj
-n 10.493363 5.601805 m 10.101843 6.342893 l 10.845670 5.956601 l f
-/Helvetica-latin1 ff 0.800000 scf sf
-0.100000 slw
-[] 0 sd
-[0.400000] 0 sd
-0 slc
-n 10.396800 9.950000 m 14.338252 3.607107 l s
-0.100000 slw
-[] 0 sd
-0 slj
-0 slc
-n 14.128358 4.418553 m 14.338252 3.607107 l 13.703672 4.154655 l s
-/Courier-latin1 ff 0.800000 scf sf
-({Trust}) 12.367476 6.778548 m gs 1 -1 sc sh gr
-0.100000 slw
-0 slc
-[] 0 sd
-n 4.258800 11.000000 m 7.400000 10.950000 l s
-0 slj
-n 5.054720 10.737299 m 4.258800 11.000000 l 5.062678 11.237236 l f
-/Helvetica-latin1 ff 0.800000 scf sf
-0.100000 slw
-0 slc
-[] 0 sd
-n 14.338252 3.607107 m 12.515858 10.242893 l s
-0 slj
-n 14.367466 4.444750 m 14.338252 3.607107 l 13.885317 4.312337 l f
-/Helvetica-latin1 ff 0.800000 scf sf
-showpage
diff --git a/doc/tex/pgpcert.xml.tex b/doc/tex/pgpcert.xml.tex
deleted file mode 100644
index 1e11aeb4fe..0000000000
--- a/doc/tex/pgpcert.xml.tex
+++ /dev/null
@@ -1,59 +0,0 @@
-\begin{verbatim}
-
-<?xml version="1.0"?>
-
-<gnutls:openpgp:key version="1.0">
- <OPENPGPKEY>
- <MAINKEY>
- <KEYID>BD572CDCCCC07C3</KEYID>
- <FINGERPRINT>BE615E88D6CFF27225B8A2E7BD572CDCCCC07C35</FINGERPRINT>
- <PKALGO>DSA</PKALGO>
- <KEYLEN>1024</KEYLEN>
- <CREATED>1011533164</CREATED>
- <REVOKED>0</REVOKED>
- <KEY ENCODING="HEX"/>
- <DSA-P>0400E72E76B62EEFA9A3BD594093292418050C02D7029D6CA2066EFC34C86038627C643EB1A652A7AF1D37CF46FC505AC1E0C699B37895B4BCB3E53541FFDA4766D6168C2B8AAFD6AB22466D06D18034D5DAC698E6993BA5B350FF822E1CD8702A75114E8B73A6B09CB3B93CE44DBB516C9BB5F95BB666188602A0A1447236C0658F</DSA-P>
- <DSA-Q>00A08F5B5E78D85F792CC2072F9474645726FB4D9373</DSA-Q>
- <DSA-G>03FE3578D689D6606E9118E9F9A7042B963CF23F3D8F1377A273C0F0974DBF44B3CABCBE14DD64412555863E39A9C627662D77AC36662AE449792C3262D3F12E9832A7565309D67BA0AE4DF25F5EDA0937056AD5BE89F4069EBD7EC76CE432441DF5D52FFFD06D39E5F61E36947B698A77CB62AB81E4A4122BF9050671D9946C865E</DSA-G>
- <DSA-Y>0400D061437A964DDE318818C2B24DE008E60096B60DB8A684B85A838D119FC930311889AD57A3B927F448F84EB253C623EDA73B42FF78BCE63A6A531D75A64CE8540513808E9F5B10CE075D3417B801164918B131D3544C8765A8ECB9971F61A09FC73D509806106B5977D211CB0E1D04D0ED96BCE89BAE8F73D800B052139CBF8D</DSA-Y>
- </MAINKEY>
- <USERID>
- <NAME>OpenCDK test key (Only intended for test purposes!)</NAME>
- <EMAIL>opencdk@foo-bar.org</EMAIL>
- <PRIMARY>0</PRIMARY>
- <REVOKED>0</REVOKED>
- </USERID>
- <SIGNATURE>
- <VERSION>4</VERSION>
- <SIGCLASS>19</SIGCLASS>
- <EXPIRED>0</EXPIRED>
- <PKALGO>DSA</PKALGO>
- <MDALGO>SHA1</MDALGO>
- <CREATED>1011533164</CREATED>
- <KEYID>BD572CDCCCC07C3</KEYID>
- </SIGNATURE>
- <SUBKEY>
- <KEYID>FCB0CF3A5261E06</KEYID>
- <FINGERPRINT>297B48ACC09C0FF683CA1ED1FCB0CF3A5261E067</FINGERPRINT>
- <PKALGO>ELG</PKALGO>
- <KEYLEN>1024</KEYLEN>
- <CREATED>1011533167</CREATED>
- <REVOKED>0</REVOKED>
- <KEY ENCODING="HEX"/>
- <ELG-P>0400E20156526069D067D24F4D71E6D38658E08BE3BF246C1ADCE08DB69CD8D459C1ED335738410798755AFDB79F1797CF022E70C7960F12CA6896D27CFD24A11CD316DDE1FBCC1EA615C5C31FEC656E467078C875FC509B1ECB99C8B56C2D875C50E2018B5B0FA378606EB6425A2533830F55FD21D649015615D49A1D09E9510F5F</ELG-P>
- <ELG-G>000305</ELG-G>
- <ELG-Y>0400D0BDADE40432758675C87D0730C360981467BAE1BEB6CC105A3C1F366BFDBEA12E378456513238B8AD414E52A2A9661D1DF1DB6BB5F33F6906166107556C813224330B30932DB7C8CC8225672D7AE24AF2469750E539B661EA6475D2E03CD8D3838DC4A8AC4AFD213536FE3E96EC9D0AEA65164B576E01B37A8DCA89F2B257D0</ELG-Y>
- </SUBKEY>
- <SIGNATURE>
- <VERSION>4</VERSION>
- <SIGCLASS>24</SIGCLASS>
- <EXPIRED>0</EXPIRED>
- <PKALGO>DSA</PKALGO>
- <MDALGO>SHA1</MDALGO>
- <CREATED>1011533167</CREATED>
- <KEYID>BD572CDCCCC07C3</KEYID>
- </SIGNATURE>
- </OPENPGPKEY>
-</gnutls:openpgp:key>
-
-\end{verbatim}
diff --git a/doc/tex/preface.tex b/doc/tex/preface.tex
deleted file mode 100644
index 77730ea34b..0000000000
--- a/doc/tex/preface.tex
+++ /dev/null
@@ -1,26 +0,0 @@
-\chapter*{Preface}
-
-\section*{Introduction}
-This document tries to demonstrate and explain the \gnutls{} library API.
-A brief introduction to the protocols and the technology involved, is
-also included so that an application programmer can better understand
-the \gnutls{} purpose and actual offerings.
-Even if \gnutls{} is a typical library software, it operates over several
-security and cryptographic protocols, which require the programmer
-to make careful and correct usage of them, otherwise he risks to offer
-just a false sense of security. Security and the network security terms
-are very general terms even for computer software thus cannot be easily
-restricted to a single cryptographic library.
-For that reason, do not consider a program secure just because it uses \gnutls{};
-there are several ways to compromise a program or a communication line
-and \gnutls{} only helps with some of them.
-\par
-This document tries to be self contained, although basic
-network programming and PKI knowlegde is assumed in most of it.
-\cite{GUTPKI} is a good introduction to Public Key Infrastructure.
-
-\section*{Availability}
-Updated versions of the \gnutls{} software and this document will
-be available from
-\htmladdnormallink{http://www.gnutls.org/}{http://www.gnutls.org/}
-and \htmladdnormallink{http://www.gnu.org/software/gnutls/}{http://www.gnu.org/software/gnutls/}.
diff --git a/doc/tex/preparation.tex b/doc/tex/preparation.tex
deleted file mode 100644
index f356441705..0000000000
--- a/doc/tex/preparation.tex
+++ /dev/null
@@ -1,133 +0,0 @@
-%\section{Preparation\footnote{This section is heavily based on the `libksba' documentation}}
-\section{Preparation}
-
-To use \gnutls{}, you have to perform some changes to your sources and
-your build system. The necessary changes are explained in the following
-subsections.
-
-\subsection*{Headers}
-
-All the data types and functions of the \gnutls{} library are defined in
-the header file `gnutls/gnutls.h'. This must be included in all programs that
-make use of the \gnutls{} library.
-\par
-The extra functionality of the \gnutlse{} library is available by
-including the header file `gnutls/extra.h' in your programs.
-
-\subsection*{Version check}
-It is often desirable to check that the version of `gnutls' used is indeed
-one which fits all requirements. Even with binary compatibility new
-features may have been introduced but due to problem with the dynamic
-linker an old version is actually used. So you may want to check that
-the version is okay right after program startup.
-See the function \printfunc{gnutls_check_version}{gnutls\_check\_version}
-
-
-\subsection*{Building the source}
-
-If you want to compile a source file including the `gnutls/gnutls.h' header
-file, you must make sure that the compiler can find it in the
-directory hierarchy. This is accomplished by adding the path to the
-directory in which the header file is located to the compilers include
-file search path (via the -I option).
-
-However, the path to the include file is determined at the time the
-source is configured. To solve this problem, \gnutls{} ships with two small
-helper programs \command{libgnutls-config} and \command{libgnutls-extra-config}
-that knows about the path to the
-include file and other configuration options. The options that need
-to be added to the compiler invocation at compile time are output by
-the \option{--cflags} option to \option{libgnutls-config}. The following
-example shows how it can be used at the command line:
-
-\begin{verbatim}
-gcc -c foo.c `libgnutls-config --cflags`
-\end{verbatim}
-
-Adding the output of \command{libgnutls-config --cflags} to the compilers
-command line will ensure that the compiler can find the \gnutls{} header
-file.
-
-A similar problem occurs when linking the program with the library.
-Again, the compiler has to find the library files. For this to work,
-the path to the library files has to be added to the library search
-path (via the -L option). For this, the option
-\option{--libs} to \command{libgnutls-config} can be used. For
-convenience, this option also outputs all other options that are
-required to link the program with the \gnutls{} libararies.
-The example shows how to link `foo.o'
-with the \gnutls{} libraries to a program \emph{foo}.
-
-\begin{verbatim}
-gcc -o foo foo.o `libgnutls-config --libs`
-\end{verbatim}
-
-Of course you can also combine both examples to a single command by
-specifying both options to `libgnutls-config':
-
-\begin{verbatim}
-gcc -o foo foo.c `libgnutls-config --cflags --libs`
-\end{verbatim}
-
-
-\section{Multi-threaded applications}
-
-Although the \gnutls{} library is thread safe by design, some parts of the crypto
-backend, such as the random generator, are not. Since \emph{libgcrypt 1.1.92}
-there was an automatic detection of the thread library used by the
-application, so most applications wouldn't need to do any changes to
-ensure thread-safety. Due to the unportability of the automatic thread
-detection, this was removed from later releases of \emph{libgcrypt}, so
-applications have now to register callback functions to ensure proper locking
-in sensitive parts of \emph{libgcrypt}.
-\par
-There are helper macros to help you properly initialize the libraries.
-Examples are shown below.
-\begin{itemize}
-
-\item POSIX threads
-\begin{verbatim}
-#include <gnutls.h>
-#include <gcrypt.h>
-#include <errno.h>
-#include <pthread.h>
-GCRY_THREAD_OPTION_PTHREAD_IMPL;
-
-int main()
-{
- /* The order matters.
- */
- gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
- gnutls_global_init();
-}
-\end{verbatim}
-
-\item GNU PTH threads
-\begin{verbatim}
-#include <gnutls.h>
-#include <gcrypt.h>
-#include <errno.h>
-#include <pth.h>
-GCRY_THREAD_OPTION_PTH_IMPL;
-
-int main()
-{
- gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pth);
- gnutls_global_init();
-}
-\end{verbatim}
-
-\item Other thread packages
-\begin{verbatim}
-/* The gcry_thread_cbs structure must have been
- * initialized.
- */
-static struct gcry_thread_cbs gcry_threads_other = { ... };
-
-int main()
-{
- gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_other);
-}
-\end{verbatim}
-\end{itemize}
-
diff --git a/doc/tex/programs.tex b/doc/tex/programs.tex
deleted file mode 100644
index 4aea3994cb..0000000000
--- a/doc/tex/programs.tex
+++ /dev/null
@@ -1,245 +0,0 @@
-\chapter{Included programs}
-
-\section{The ``srptool'' program\index{srptool}}
-\label{srptool}
-
-The ``srptool'' is a very simple program that emulates the programs in the
-\emph{Stanford SRP libraries}.
-It is intended for use in places where you don't expect SRP
-authentication to be the used for system users.
-Traditionally \emph{libsrp} used two files. One called 'tpasswd' which holds usernames
-and verifiers, and 'tpasswd.conf' which holds generators and primes.
-\par
-How to use srptool:
-
-\begin{itemize}
-
-
-\item To create tpasswd.conf which holds the g and n values for
-SRP protocol (generator and a large prime), run:
-\begin{verbatim}
-$ srptool --create-conf /etc/tpasswd.conf
-\end{verbatim}
-
-
-\item This command will create /etc/tpasswd and will add user 'test' (you will also
-be prompted for a password). Verifiers are stored by default in the
-way libsrp expects.
-\begin{verbatim}
-$ srptool --passwd /etc/tpasswd \
- --passwd-conf /etc/tpasswd.conf -u test
-\end{verbatim}
-
-\item This command will check against a password. If the password matches
-the one in /etc/tpasswd you will get an ok.
-\begin{verbatim}
-$ srptool --passwd /etc/tpasswd \
- --passwd-conf /etc/tpasswd.conf --verify -u test
-\end{verbatim}
-
-\end{itemize}
-
-
-
-\section{The ``gnutls-cli-debug'' program\index{gnutls-cli-debug}}
-
-This program was created to assist in debugging \gnutls{}, but it
-might be useful to extract a \tls{} server's capabilities.
-It's purpose is to connect onto a \tls{} server, perform
-some tests and print the server's capabilities. If called with the
-`-v' parameter a more checks will be performed. An example output is:
-
-\begin{verbatim}
-crystal:/cvs/gnutls/src$ ./gnutls-cli-debug localhost -p 5556
-Resolving 'localhost'...
-Connecting to '127.0.0.1:5556'...
-Checking for TLS 1.1 support... yes
-Checking fallback from TLS 1.1 to... N/A
-Checking for TLS 1.0 support... yes
-Checking for SSL 3.0 support... yes
-Checking for version rollback bug in RSA PMS... no
-Checking for version rollback bug in Client Hello... no
-Checking whether we need to disable TLS 1.0... N/A
-Checking whether the server ignores the RSA PMS version... no
-Checking whether the server can accept Hello Extensions... yes
-Checking whether the server can accept cipher suites not in SSL 3.0 spec... yes
-Checking whether the server can accept a bogus TLS record version in the client hello... yes
-Checking for certificate information... N/A
-Checking for trusted CAs... N/A
-Checking whether the server understands TLS closure alerts... yes
-Checking whether the server supports session resumption... yes
-Checking for export-grade ciphersuite support... no
-Checking RSA-export ciphersuite info... N/A
-Checking for anonymous authentication support... no
-Checking anonymous Diffie Hellman group info... N/A
-Checking for ephemeral Diffie Hellman support... no
-Checking ephemeral Diffie Hellman group info... N/A
-Checking for AES cipher support (TLS extension)... yes
-Checking for 3DES cipher support... yes
-Checking for ARCFOUR 128 cipher support... yes
-Checking for ARCFOUR 40 cipher support... no
-Checking for MD5 MAC support... yes
-Checking for SHA1 MAC support... yes
-Checking for RIPEMD160 MAC support (TLS extension)... yes
-Checking for ZLIB compression support (TLS extension)... yes
-Checking for LZO compression support (GnuTLS extension)... yes
-Checking for max record size (TLS extension)... yes
-Checking for SRP authentication support (TLS extension)... yes
-Checking for OpenPGP authentication support (TLS extension)... no
-
-\end{verbatim}
-
-\section{The ``certtool'' program\index{certtool}}
-
-This is a program to generate X.509 certificates, certificate requests, CRLs and
-private keys. The program can be used interactively or non interactively by
-specifying the \emph{--template} command line option. See \emph{doc/certtool.cfg},
-in the distribution, for an example of a template file.
-
-How to use certtool interactively:
-
-\begin{itemize}
-
-\item To create a self signed certificate, use the command:
-\begin{verbatim}
-$ certtool --generate-privkey --outfile ca-key.pem
-$ certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem
-\end{verbatim}
-Note that a self-signed certificate usually belongs to a certificate
-authority, that signs other certificates.
-
-\item To create a private key, run:
-\begin{verbatim}
-$ certtool --generate-privkey --outfile key.pem
-\end{verbatim}
-
-\item To create a certificate request, run:
-\begin{verbatim}
-$ certtool --generate-request --load-privkey key.pem --outfile request.pem
-\end{verbatim}
-
-\item To generate a certificate using the previous request, use the command:
-\begin{verbatim}
-$ certtool --generate-certificate --load-request request.pem --outfile cert.pem \
- --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
-\end{verbatim}
-
-\item To view the certificate information, use:
-\begin{verbatim}
-$ certtool --certificate-info --infile cert.pem
-\end{verbatim}
-
-\item To generate a PKCS \#12 structure using the previous key and certificate, use the command:
-\begin{verbatim}
-$ certtool --load-certificate cert.pem --load-privkey key.pem --to-p12 \
- --outder --outfile key.p12
-\end{verbatim}
-
-
-\end{itemize}
-\par
-Certtool's template file format:
-
-\begin{itemize}
-\item Firstly create a file named 'cert.cfg' that contains the information
-about the certificate. An example file is listed below.
-\item Then execute
-\begin{verbatim}
-$ certtool --generate-certificate cert.pem --load-privkey key.pem \
- --template cert.cfg \
- --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
-\end{verbatim}
-\end{itemize}
-\par
-An example certtool template file:
-
-\begin{verbatim}
-# X.509 Certificate options
-#
-# DN options
-
-# The organization of the subject.
-organization = "Koko inc."
-
-# The organizational unit of the subject.
-unit = "sleeping dept."
-
-# The locality of the subject.
-# locality =
-
-# The state of the certificate owner.
-state = "Attiki"
-
-# The country of the subject. Two letter code.
-country = GR
-
-# The common name of the certificate owner.
-cn = "Cindy Lauper"
-
-# A user id of the certificate owner.
-#uid = "clauper"
-
-# If the supported DN OIDs are not adequate you can set
-# any OID here.
-# For example set the X.520 Title and the X.520 Pseudonym
-# by using OID and string pairs.
-#dn_oid = "2.5.4.12" "Dr." "2.5.4.65" "jackal"
-
-# This is deprecated and should not be used in new
-# certificates.
-# pkcs9_email = "none@none.org"
-
-# The serial number of the certificate
-serial = 007
-
-# In how many days, counting from today, this certificate will expire.
-expiration_days = 700
-
-# X.509 v3 extensions
-
-# A dnsname in case of a WWW server.
-#dns_name = "www.none.org"
-
-# An IP address in case of a server.
-#ip_address = "192.168.1.1"
-
-# An email in case of a person
-email = "none@none.org"
-
-# An URL that has CRLs (certificate revocation lists)
-# available. Needed in CA certificates.
-#crl_dist_points = "http://www.getcrl.crl/getcrl/"
-
-# Whether this is a CA certificate or not
-#ca
-
-# Whether this certificate will be used for a TLS client
-#tls_www_client
-
-# Whether this certificate will be used for a TLS server
-#tls_www_server
-
-# Whether this certificate will be used to sign data (needed
-# in TLS DHE ciphersuites).
-signing_key
-
-# Whether this certificate will be used to encrypt data (needed
-# in TLS RSA ciphersuites). Note that it is prefered to use different
-# keys for encryption and signing.
-#encryption_key
-
-# Whether this key will be used to sign other certificates.
-#cert_signing_key
-
-# Whether this key will be used to sign CRLs.
-#crl_signing_key
-
-# Whether this key will be used to sign code.
-#code_signing_key
-
-# Whether this key will be used to sign OCSP data.
-#ocsp_signing_key
-
-# Whether this key will be used for time stamping.
-#time_stamping_key
-\end{verbatim}
diff --git a/doc/tex/record.tex b/doc/tex/record.tex
deleted file mode 100644
index 19defc52e9..0000000000
--- a/doc/tex/record.tex
+++ /dev/null
@@ -1,28 +0,0 @@
-\section{The TLS record protocol\index{TLS protocols!Record}}
-
-The Record protocol is the secure communications provider. Its purpose
-is to encrypt, authenticate and --optionally-- compress packets.
-The following functions are available:
-\par
-\begin{itemize}
-\item \printfunc{gnutls_record_send}{gnutls\_record\_send}:
-to send a record packet (with application data).
-\item \printfunc{gnutls_record_recv}{gnutls\_record\_recv}:
-to receive a record packet (with application data).
-\end{itemize}
-
-As you may have already noticed, the functions which access the Record protocol,
-are quite limited, given the importance of this protocol in \tls{}.
-This is because the Record protocol's parameters are all set by
-the Handshake protocol.
-\par
-The Record protocol initially starts with NULL parameters, which means
-no encryption, and no MAC is used. Encryption and authentication begin
-just after the handshake protocol has finished.
-
-\input{ciphers}
-
-\input{compression}
-
-\input{record_weaknesses}
-
diff --git a/doc/tex/record_weaknesses.tex b/doc/tex/record_weaknesses.tex
deleted file mode 100644
index 21845dd1e1..0000000000
--- a/doc/tex/record_weaknesses.tex
+++ /dev/null
@@ -1,16 +0,0 @@
-\subsection*{Weaknesses and countermeasures}
-\index{TLS protocols!Record}
-
-Some weaknesses that may affect the security of the Record layer have been
-found in \tlsI{} protocol. These weaknesses can be exploited by active attackers,
-and exploit the facts that
-\begin{enumerate}
-\item \tls{} has separate alerts for ``decryption\_failed'' and ``bad\_record\_mac''
-\item the decryption failure reason can be detected by timing the response time
-\item the IV for CBC encrypted packets is the last block of the previous encrypted packet
-\end{enumerate}
-
-Those weaknesses were solved in \tlsII{} which is implemented in
-\gnutls{}. For a detailed discussion see the archives of the TLS Working Group mailing list
-and the paper \cite{CBCATT}.
-
diff --git a/doc/tex/srp.tex b/doc/tex/srp.tex
deleted file mode 100644
index 3966f58014..0000000000
--- a/doc/tex/srp.tex
+++ /dev/null
@@ -1,80 +0,0 @@
-\section{Authentication using SRP\index{SRP authentication}}
-
-Authentication using the SRP\footnote{SRP stands for Secure Remote Password and
-is described in \cite{RFC2945}. The SRP key exchange is an extension to the \tlsI{} protocol}
-protocol is actually password authentication. The two peers can be identified using a
-single password, or there can be combinations where the client is
-authenticated using SRP and the server using a certificate.
-\par
-The advantage of SRP authentication, over other proposed secure password
-authentication schemas, is that SRP does not require the server to hold
-the user's password. This kind of protection is similar to the one used traditionally
-in the \emph{UNIX} ``passwd'' file, where the contents of this file did not cause
-harm to the system security if they were revealed.
-The SRP needs instead of the plain password something called a verifier,
-which is calculated using the user's password, and if stolen cannot
-be used to impersonate the user. See \cite{TOMSRP} for a detailed description
-of the SRP protocol and the Stanford SRP libraries, which includes a PAM module
-that synchronizes the system's users passwords with the SRP password files. That
-way SRP authentication could be used for all the system's users.
-
-\par
-The implementation in \gnutls{} is based on paper \cite{TLSSRP}.
-The available key exchange methods are shown in \hyperref{figure}{figure }{}{fig:srp}.
-
-\begin{figure}[hbtp]
-\begin{tabular}{|l|p{9cm}|}
-
-\hline
-SRP & Authentication using the SRP protocol.
-\\
-\hline
-SRP\_DSS & Client authentication using the SRP protocol. Server is
-authenticated using a certificate with DSA parameters.
-\\
-\hline
-SRP\_RSA & Client authentication using the SRP protocol. Server is
-authenticated using a certificate with RSA parameters.
-\\
-\hline
-\end{tabular}
-
-\caption{Supported SRP key exchange algorithms}
-\label{fig:srp}
-
-\end{figure}
-
-If clients supporting SRP know the username and password before the connection,
-should initialize the client credentials and call the
-function \printfunc{gnutls_srp_set_client_credentials}{gnutls\_srp\_set\_client\_credentials}.
-Alternatively they could specify a callback function by using the
-function \printfunc{gnutls_srp_set_client_credentials_function}{gnutls\_srp\_set\_client\_credentials\_function}.
-This has the advantage that allows probing the server for SRP support.
-In that case the callback function will be called twice per handshake.
-The first time is before the ciphersuite is negotiated, and
-if the callback returns a negative error code, the callback will be
-called again if SRP has been negotiated.
-This uses a special TLS-SRP handshake idiom in order to avoid, in
-interactive applications, to ask the user for SRP password and username
-if the server does not negotiate an SRP ciphersuite.
-\par
-In server side the default behaviour of \gnutls{} is to read the usernames
-and SRP verifiers from password files. These password files are the ones used
-by the \emph{Stanford srp libraries} and can be specified using the
-\printfunc{gnutls_srp_set_server_credentials_file}{gnutls\_srp\_set\_server\_credentials\_file}.
-If a different password file format is to be used, then the
-function \printfunc{gnutls_srp_set_server_credentials_function}{gnutls\_srp\_set\_server\_credentials\_function},
-should be called, in order to set an appropriate callback.
-\par
-Some helper functions such as
-\begin{itemize}
-\item \printfunc{gnutls_srp_verifier}{gnutls\_srp\_verifier}
-\item \printfunc{gnutls_srp_base64_encode}{gnutls\_srp\_base64\_encode}
-\item \printfunc{gnutls_srp_base64_decode}{gnutls\_srp\_base64\_decode}
-\end{itemize}
-are included in \gnutls{}, and may be used to generate, and maintain
-SRP verifiers, and password files.
-A program to manipulate the required parameters
-for SRP authentication is also included. See section \ref{srptool} on
-page \pageref{srptool} for more information.
-
diff --git a/doc/tex/supported_ciphersuites.tex b/doc/tex/supported_ciphersuites.tex
deleted file mode 100644
index 0bf7209c7e..0000000000
--- a/doc/tex/supported_ciphersuites.tex
+++ /dev/null
@@ -1,69 +0,0 @@
-\chapter{All the supported ciphersuites in \gnutls{}\index{Ciphersuites}}\label{ap:ciphersuites}
-\begin{center}
-\tablefirsthead{%
-\hline
-\multicolumn{1}{|c}{Cipher suite} &
-\multicolumn{1}{|c|}{TLS value} &
-\multicolumn{1}{c|}{defined at} \\
-\hline}
-\tablehead{%
-\hline
-\multicolumn{3}{|l|}{\small\sl continued from previous page}\\
-\hline
-\multicolumn{1}{|c}{Cipher suite} &
-\multicolumn{1}{|c|}{TLS value} &
-\multicolumn{1}{c|}{defined at} \\
-\hline}
-\tabletail{%
-\hline
-\multicolumn{3}{|r|}{\small\sl continued on next page}\\
-\hline}
-\tablelasttail{\hline}
-\bottomcaption{The ciphersuites table}
-
-
-\begin{supertabular}{|l|l|l|}
-{\small{TLS\_RSA\_NULL\_MD5}} & 0x00 0x01 & RFC2246 \\
-{\small{TLS\_ANON\_DH\_3DES\_EDE\_CBC\_SHA}} & 0x00 0x1B & RFC2246\\
-{\small{TLS\_ANON\_DH\_ARCFOUR\_MD5}} & 0x00 0x18 & RFC2246 \\
-{\small{TLS\_ANON\_DH\_AES\_128\_CBC\_SHA}} & 0x00 0x34 & RFC2246 \\
-{\small{TLS\_ANON\_DH\_AES\_256\_CBC\_SHA}} & 0x00 0x3A & RFC2246 \\
-{\small{TLS\_RSA\_ARCFOUR\_SHA}} & 0x00 0x05 & RFC2246 \\
-{\small{TLS\_RSA\_ARCFOUR\_MD5}} & 0x00 0x04 & RFC2246 \\
-{\small{TLS\_RSA\_3DES\_EDE\_CBC\_SHA}} & 0x00 0x0A & RFC2246 \\
-{\small{TLS\_RSA\_EXPORT\_ARCFOUR\_40\_MD5}} & 0x00 0x03 & RFC2246 \\
-{\small{TLS\_DHE\_DSS\_3DES\_EDE\_CBC\_SHA}} & 0x00 0x13 & RFC2246 \\
-{\small{TLS\_DHE\_RSA\_3DES\_EDE\_CBC\_SHA}} & 0x00 0x16 & RFC2246 \\
-
-{\small{TLS\_RSA\_AES\_128\_CBC\_SHA}} & 0x00 0x2F & RFC3268 \\
-{\small{TLS\_RSA\_AES\_128\_CBC\_SHA}} & 0x00 0x35 & RFC3268 \\
-{\small{TLS\_DHE\_DSS\_AES\_256\_CBC\_SHA}} & 0x00 0x38 & RFC3268 \\
-{\small{TLS\_DHE\_DSS\_AES\_128\_CBC\_SHA}} & 0x00 0x32 & RFC3268 \\
-{\small{TLS\_DHE\_RSA\_AES\_256\_CBC\_SHA}} & 0x00 0x39 & RFC3268 \\
-{\small{TLS\_DHE\_RSA\_AES\_128\_CBC\_SHA}} & 0x00 0x33 & RFC3268 \\
-
-{\small{TLS\_SRP\_SHA\_3DES\_EDE\_CBC\_SHA}} & 0x00 0x50 & draft-ietf-tls-srp \\
-{\small{TLS\_SRP\_SHA\_AES\_128\_CBC\_SHA}} & 0x00 0x53 & draft-ietf-tls-srp \\
-{\small{TLS\_SRP\_SHA\_AES\_256\_CBC\_SHA}} & 0x00 0x56 & draft-ietf-tls-srp \\
-{\small{TLS\_SRP\_SHA\_RSA\_3DES\_EDE\_CBC\_SHA}} & 0x00 0x51 & draft-ietf-tls-srp \\
-{\small{TLS\_SRP\_SHA\_DSS\_3DES\_EDE\_CBC\_SHA}} & 0x00 0x52 & draft-ietf-tls-srp \\
-{\small{TLS\_SRP\_SHA\_RSA\_AES\_128\_CBC\_SHA}} & 0x00 0x54 & draft-ietf-tls-srp \\
-{\small{TLS\_SRP\_SHA\_DSS\_AES\_128\_CBC\_SHA}} & 0x00 0x55 & draft-ietf-tls-srp \\
-{\small{TLS\_SRP\_SHA\_RSA\_AES\_256\_CBC\_SHA}} & 0x00 0x57 & draft-ietf-tls-srp \\
-{\small{TLS\_SRP\_SHA\_DSS\_AES\_256\_CBC\_SHA}} & 0x00 0x58 & draft-ietf-tls-srp \\
-
-{\small{TLS\_DHE\_DSS\_3DES\_EDE\_CBC\_RMD}} & 0x00 0x72 & draft-ietf-tls-openpgp-keys \\
-{\small{TLS\_DHE\_RSA\_3DES\_EDE\_CBC\_RMD}} & 0x00 0x77 & draft-ietf-tls-openpgp-keys \\
-{\small{TLS\_DHE\_DSS\_AES\_256\_CBC\_RMD}} & 0x00 0x73 & draft-ietf-tls-openpgp-keys \\
-{\small{TLS\_DHE\_DSS\_AES\_128\_CBC\_RMD}} & 0x00 0x74 & draft-ietf-tls-openpgp-keys \\
-{\small{TLS\_DHE\_RSA\_AES\_128\_CBC\_RMD}} & 0x00 0x78 & draft-ietf-tls-openpgp-keys \\
-{\small{TLS\_DHE\_RSA\_AES\_256\_CBC\_RMD}} & 0x00 0x79 & draft-ietf-tls-openpgp-keys \\
-{\small{TLS\_RSA\_3DES\_EDE\_CBC\_RMD}} & 0x00 0x7C & draft-ietf-tls-openpgp-keys \\
-{\small{TLS\_RSA\_AES\_128\_CBC\_RMD}} & 0x00 0x7D & draft-ietf-tls-openpgp-keys \\
-{\small{TLS\_RSA\_AES\_256\_CBC\_RMD}} & 0x00 0x7E & draft-ietf-tls-openpgp-keys \\
-
-{\small{TLS\_DHE\_DSS\_ARCFOUR\_SHA}} & 0x00 0x66 & draft-ietf-tls-56-bit-ciphersuites \\
-
-\end{supertabular}
-
-\end{center}
diff --git a/doc/tex/tls_extensions.tex b/doc/tex/tls_extensions.tex
deleted file mode 100644
index 9bf698cbd6..0000000000
--- a/doc/tex/tls_extensions.tex
+++ /dev/null
@@ -1,41 +0,0 @@
-\section{TLS Extensions}
-\index{TLS Extensions}
-
-A number of extensions to the \tls{} protocol have been proposed
-mainly in \cite{TLSEXT}. The extensions supported in \gnutls{} are
-\begin{itemize}
-\item Maximum fragment length negotiation
-\item Server name indication
-\end{itemize}
-discussed in the subsections that follow.
-
-\subsection*{Maximum fragment length negotiation}
-\index{TLS Extensions!Maximum fragment length}
-
-This extension allows a \tlsI{} implementation to negotiate
-a smaller value for record packet maximum length. This extension
-may be useful to clients with constrained capabilities. See
-the
-\printfunc{gnutls_record_set_max_size}{gnutls\_record\_set\_max\_size}
-and the
-\printfunc{gnutls_record_get_max_size}{gnutls\_record\_get\_max\_size}
-functions.
-
-\subsection*{Server name indication}
-\index{TLS Extensions!Server name indication}
-\label{serverind}
-
-A common problem in HTTPS servers is the fact that the \tls{}
-protocol is not aware of the hostname that a client connects to, when
-the handshake procedure begins. For that reason the \tls{} server
-has no way to know which certificate to send.
-
-This extension solves that problem within the \tls{} protocol
-and allows a client to send the HTTP hostname
-before the handshake begins --within the first handshake packet.
-The functions
-\printfunc{gnutls_server_name_set}{gnutls\_server\_name\_set} and
-\printfunc{gnutls_server_name_get}{gnutls\_server\_name\_get}
-can be used to enable this extension, or to retrieve the name sent
-by a client.
-
diff --git a/doc/tex/tlsintro.tex b/doc/tex/tlsintro.tex
deleted file mode 100644
index 636a47eb24..0000000000
--- a/doc/tex/tlsintro.tex
+++ /dev/null
@@ -1,29 +0,0 @@
-\chapter{Introduction to \tls{}}
-
-\label{sec:tlsintro}
-\tls{} stands for 'Transport Layer Security' and is the successor of \ssl{},
-the Secure Sockets Layer protocol\footnote{described in \cite{SSL3}} designed by Netscape.
-\tlsI{} is an Internet protocol,
-defined by {IETF}\footnote{IETF or Internet Engineering Task Force
-is a large open international community of network
-designers, operators, vendors, and researchers concerned with the evolution of
-the Internet architecture and the smooth operation of the Internet. It is open
-to any interested individual.}, described in \cite{RFC2246} and
-also in \cite{RESCOLA}. The protocol provides confidentiality, and
-authentication layers over any reliable transport layer. The description,
-below, refers to \tlsI{} but also applies to \sslIII{} since the differences
-of these protocols are minor. Older protocols such as \sslII{} are not
-discussed nor implemented in \gnutls{} since they are not considered secure
-today.
-
-\input{layers}
-
-\input{translayer}
-
-\input{record}
-
-\input{alert}
-
-\input{handshake}
-
-\input{tls_extensions}
diff --git a/doc/tex/translayer.tex b/doc/tex/translayer.tex
deleted file mode 100644
index 8ab54a3b44..0000000000
--- a/doc/tex/translayer.tex
+++ /dev/null
@@ -1,31 +0,0 @@
-\section{The transport layer}
-\par
-\tls{} is not limited to one transport layer, it
-can be used above any transport layer, as long as it is a reliable
-one. A set of functions is provided and their purpose is to load
-to \gnutls{} the required callbacks to access the transport layer.
-
-\begin{itemize}
-\item \printfunc{gnutls_transport_set_push_function}{gnutls\_transport\_set\_push\_function}
-\item \printfunc{gnutls_transport_set_pull_function}{gnutls\_transport\_set\_pull\_function}
-\item \printfunc{gnutls_transport_set_ptr}{gnutls\_transport\_set\_ptr}
-\end{itemize}
-
-These functions accept a callback function as a parameter.
-The callback functions should return the number of bytes written, or -1 on
-error and should set errno appropriately.
-\par
-\gnutls{} currently only interprets the EINTR and EAGAIN errno values and
-returns the corresponding \gnutls{} error codes GNUTLS\_E\_INTERRUPTED and
-GNUTLS\_E\_AGAIN.
-These values are usually returned by interrupted system calls, or
-when non blocking IO is used. All \gnutls{} functions
-can be resumed (called again), if any of these error codes is returned.
-The error codes above refer to the system call, not the \gnutls{} function,
-since signals do not interrupt \gnutls{}' functions.
-
-\par
-By default, if the transport functions are not set, \gnutls{} will use
-the Berkeley Sockets functions. In this case
-\gnutls{} will use some hacks in order for \emph{select()} to work, thus
-making it easy to add \tls{} support to existing TCP/IP servers.
diff --git a/doc/tex/x509-1.eps b/doc/tex/x509-1.eps
deleted file mode 100644
index 5129adb383..0000000000
--- a/doc/tex/x509-1.eps
+++ /dev/null
@@ -1,251 +0,0 @@
-%!PS-Adobe-2.0 EPSF-2.0
-%%Title: tree1
-%%Creator: Dia v0.90
-%%CreationDate: Thu Sep 5 21:44:57 2002
-%%For: a user
-%%Magnification: 1.0000
-%%Orientation: Portrait
-%%BoundingBox: 0 0 470 617
-%%Pages: 1
-%%EndComments
-%%BeginProlog
-/cp {closepath} bind def
-/c {curveto} bind def
-/f {fill} bind def
-/a {arc} bind def
-/ef {eofill} bind def
-/ex {exch} bind def
-/gr {grestore} bind def
-/gs {gsave} bind def
-/sa {save} bind def
-/rs {restore} bind def
-/l {lineto} bind def
-/m {moveto} bind def
-/rm {rmoveto} bind def
-/n {newpath} bind def
-/s {stroke} bind def
-/sh {show} bind def
-/slc {setlinecap} bind def
-/slj {setlinejoin} bind def
-/slw {setlinewidth} bind def
-/srgb {setrgbcolor} bind def
-/rot {rotate} bind def
-/sc {scale} bind def
-/sd {setdash} bind def
-/ff {findfont} bind def
-/sf {setfont} bind def
-/scf {scalefont} bind def
-/sw {stringwidth pop} bind def
-/tr {translate} bind def
-
-/ellipsedict 8 dict def
-ellipsedict /mtrx matrix put
-/ellipse
-{ ellipsedict begin
- /endangle exch def
- /startangle exch def
- /yrad exch def
- /xrad exch def
- /y exch def
- /x exch def /savematrix mtrx currentmatrix def
- x y tr xrad yrad sc
- 0 0 1 startangle endangle arc
- savematrix setmatrix
- end
-} def
-
-/mergeprocs {
-dup length
-3 -1 roll
-dup
-length
-dup
-5 1 roll
-3 -1 roll
-add
-array cvx
-dup
-3 -1 roll
-0 exch
-putinterval
-dup
-4 2 roll
-putinterval
-} bind def
-%%EndProlog
-
-%%BeginSetup
-%%EndSetup
-28.346000 -28.346000 scale
--0.000000 -21.685957 translate
-
-0.100000 slw
-[] 0 sd
-1.000000 1.000000 1.000000 srgb
-n 2.600000 13.250000 0.300000 0.300000 0 360 ellipse f
-0.000000 0.000000 0.000000 srgb
-n 2.600000 13.250000 0.300000 0.300000 0 360 ellipse cp s
-n 1.400000 13.850000 m 3.800000 13.850000 l s
-n 2.600000 13.550000 m 2.600000 15.050000 l s
-n 2.600000 15.050000 m 1.400000 16.350000 l s
-n 2.600000 15.050000 m 3.800000 16.350000 l s
- [ /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /A /l /i /c /e /B /o /b /xi /xi /R /t /space /C /I /W
- /S /r /v /T /w /y /p /a /X /period /five /zero /nine /f /n /h
- /s /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
- /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi /xi
-] /e0 exch def
-/Courier-Bold_e0 undefinefont
-/Courier-Bold_e0
- /Courier-Bold findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding e0 def
- currentdict end
-definefont pop
-/Courier-Bold_e0 ff 0.800000 scf sf
-( !"#$) sw
-2 div 2.600000 ex sub 17.555217 m ( !"#$)
- gs 1 -1 sc sh gr
-0.100000 slw
-[] 0 sd
-1.000000 1.000000 1.000000 srgb
-n 7.200000 13.450000 0.300000 0.300000 0 360 ellipse f
-0.000000 0.000000 0.000000 srgb
-n 7.200000 13.450000 0.300000 0.300000 0 360 ellipse cp s
-n 6.000000 14.050000 m 8.400000 14.050000 l s
-n 7.200000 13.750000 m 7.200000 15.250000 l s
-n 7.200000 15.250000 m 6.000000 16.550000 l s
-n 7.200000 15.250000 m 8.400000 16.550000 l s
-/Courier-Bold_e0 ff 0.800000 scf sf
-(%&') sw
-2 div 7.200000 ex sub 17.755217 m (%&')
- gs 1 -1 sc sh gr
-0.100000 slw
-[] 0 sd
-1.000000 1.000000 1.000000 srgb
-n 6.952400 3.067467 3.052400 1.017467 0 360 ellipse f
-0.000000 0.000000 0.000000 srgb
-n 6.952400 3.067467 3.052400 1.017467 0 360 ellipse cp s
-/Courier-Bold_e0 ff 0.800000 scf sf
-(*&&+,- ) sw
-2 div 6.952400 ex sub 3.272684 m (*&&+,- )
- gs 1 -1 sc sh gr
-0.100000 slw
-[] 0 sd
-1.000000 1.000000 1.000000 srgb
-n 3.365200 8.200000 2.015200 1.000000 0 360 ellipse f
-0.000000 0.000000 0.000000 srgb
-n 3.365200 8.200000 2.015200 1.000000 0 360 ellipse cp s
-/Courier-Bold_e0 ff 0.800000 scf sf
-(- ,.) sw
-2 div 3.365200 ex sub 8.405217 m (- ,.)
- gs 1 -1 sc sh gr
-0.100000 slw
-[] 0 sd
-1.000000 1.000000 1.000000 srgb
-n 11.671600 8.100000 2.471600 1.000000 0 360 ellipse f
-0.000000 0.000000 0.000000 srgb
-n 11.671600 8.100000 2.471600 1.000000 0 360 ellipse cp s
-/Courier-Bold_e0 ff 0.800000 scf sf
-(- ,..) sw
-2 div 11.671600 ex sub 8.305217 m (- ,..)
- gs 1 -1 sc sh gr
-0.100000 slw
-[] 0 sd
-1.000000 1.000000 1.000000 srgb
-n 10.400000 11.650000 m 10.400000 13.450000 l 16.037600 13.450000 l 16.037600 11.650000 l f
-0.000000 0.000000 0.000000 srgb
-n 10.400000 11.650000 m 10.400000 13.450000 l 16.037600 13.450000 l 16.037600 11.650000 l cp s
-/Helvetica_e0 undefinefont
-/Helvetica_e0
- /Helvetica findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding e0 def
- currentdict end
-definefont pop
-/Helvetica_e0 ff 0.800000 scf sf
-(/$',0$12$1) sw
-2 div 13.218800 ex sub 12.762903 m (/$',0$12$1)
- gs 1 -1 sc sh gr
-0.050000 slw
-n 10.900000 12.950000 m 15.537600 12.950000 l s
-0.100000 slw
-[] 0 sd
-[] 0 sd
-0 slc
-0 slj
-0 slc
-0 slj
-[] 0 sd
-n 0.050000 0.000000 m 16.500000 0.000000 l s
-0 slc
-0 slj
-[] 0 sd
-n 0.050000 19.950000 m 16.500000 19.950000 l s
-0 slc
-0 slj
-[] 0 sd
-n 0.050000 0.000000 m 0.050000 19.950000 l s
-0 slc
-0 slj
-[] 0 sd
-n 16.500000 0.000000 m 16.500000 19.950000 l s
-0.100000 slw
-0 slc
-[] 0 sd
-n 3.489200 7.200000 m 6.896800 4.050000 l s
-0 slj
-n 3.906952 6.473376 m 3.489200 7.200000 l 4.246356 6.840534 l f
-0.100000 slw
-0 slc
-[] 0 sd
-n 11.712000 7.100000 m 6.896800 4.050000 l s
-0 slj
-n 10.902394 6.883118 m 11.712000 7.100000 l 11.169943 6.460724 l f
-0.100000 slw
-0 slc
-[] 0 sd
-n 2.600000 12.350000 m 3.489200 9.200000 l s
-0 slj
-n 2.576738 11.512170 m 2.600000 12.350000 l 3.057933 11.648005 l f
-0.100000 slw
-0 slc
-[] 0 sd
-n 13.141200 11.650000 m 11.712000 9.100000 l s
-0 slj
-n 12.531985 11.074364 m 13.141200 11.650000 l 12.968150 10.829906 l f
-0.100000 slw
-0 slc
-[] 0 sd
-n 7.200000 12.550000 m 11.712000 9.100000 l s
-0 slj
-n 7.683658 11.865474 m 7.200000 12.550000 l 7.987363 12.262668 l f
-/Courier_e0 undefinefont
-/Courier_e0
- /Courier findfont
- dup length dict begin
- {1 index /FID ne {def} {pop pop} ifelse} forall
- /Encoding e0 def
- currentdict end
-definefont pop
-/Courier_e0 ff 0.800000 scf sf
-(34&,+56"#7!,89:;<,-$1+"="#7+"&>) sw
-2 div 8.307760 ex sub 20.703100 m (34&,+56"#7!,89:;<,-$1+"="#7+"&>)
- gs 1 -1 sc sh gr
-(67+?@) sw
-2 div 8.307760 ex sub 21.503100 m (67+?@)
- gs 1 -1 sc sh gr
-showpage
diff --git a/doc/tex/x509cert.xml.tex b/doc/tex/x509cert.xml.tex
deleted file mode 100644
index 331284b879..0000000000
--- a/doc/tex/x509cert.xml.tex
+++ /dev/null
@@ -1,190 +0,0 @@
-\begin{verbatim}
-
-<?xml version="1.0" encoding="UTF-8"?>
-
-<gnutls:x509:certificate version="1.1">
- <certificate type="SEQUENCE">
- <tbsCertificate type="SEQUENCE">
- <version type="INTEGER" encoding="HEX">02</version>
- <serialNumber type="INTEGER" encoding="HEX">01</serialNumber>
- <signature type="SEQUENCE">
- <algorithm type="OBJECT ID">1.2.840.113549.1.1.4</algorithm>
- <parameters type="ANY">
- <md5WithRSAEncryption encoding="HEX">0500</md5WithRSAEncryption>
- </parameters>
- </signature>
- <issuer type="CHOICE">
- <rdnSequence type="SEQUENCE OF">
- <unnamed1 type="SET OF">
- <unnamed1 type="SEQUENCE">
- <type type="OBJECT ID">2.5.4.6</type>
- <value type="ANY">
- <X520countryName>GR</X520countryName>
- </value>
- </unnamed1>
- </unnamed1>
- <unnamed2 type="SET OF">
- <unnamed1 type="SEQUENCE">
- <type type="OBJECT ID">2.5.4.8</type>
- <value type="ANY">
- <X520StateOrProvinceName>Attiki</X520StateOrProvinceName>
- </value>
- </unnamed1>
- </unnamed2>
- <unnamed3 type="SET OF">
- <unnamed1 type="SEQUENCE">
- <type type="OBJECT ID">2.5.4.7</type>
- <value type="ANY">
- <X520LocalityName>Athina</X520LocalityName>
- </value>
- </unnamed1>
- </unnamed3>
- <unnamed4 type="SET OF">
- <unnamed1 type="SEQUENCE">
- <type type="OBJECT ID">2.5.4.10</type>
- <value type="ANY">
- <X520OrganizationName>GNUTLS</X520OrganizationName>
- </value>
- </unnamed1>
- </unnamed4>
- <unnamed5 type="SET OF">
- <unnamed1 type="SEQUENCE">
- <type type="OBJECT ID">2.5.4.11</type>
- <value type="ANY">
- <X520OrganizationalUnitName>GNUTLS dev.</X520OrganizationalUnitName>
- </value>
- </unnamed1>
- </unnamed5>
- <unnamed6 type="SET OF">
- <unnamed1 type="SEQUENCE">
- <type type="OBJECT ID">2.5.4.3</type>
- <value type="ANY">
- <X520CommonName>GNUTLS TEST CA</X520CommonName>
- </value>
- </unnamed1>
- </unnamed6>
- <unnamed7 type="SET OF">
- <unnamed1 type="SEQUENCE">
- <type type="OBJECT ID">1.2.840.113549.1.9.1</type>
- <value type="ANY">
- <Pkcs9email>gnutls-dev@gnupg.org</Pkcs9email>
- </value>
- </unnamed1>
- </unnamed7>
- </rdnSequence>
- </issuer>
- <validity type="SEQUENCE">
- <notBefore type="CHOICE">
- <utcTime type="TIME">010707101845Z</utcTime>
- </notBefore>
- <notAfter type="CHOICE">
- <utcTime type="TIME">020707101845Z</utcTime>
- </notAfter>
- </validity>
- <subject type="CHOICE">
- <rdnSequence type="SEQUENCE OF">
- <unnamed1 type="SET OF">
- <unnamed1 type="SEQUENCE">
- <type type="OBJECT ID">2.5.4.6</type>
- <value type="ANY">
- <X520countryName>GR</X520countryName>
- </value>
- </unnamed1>
- </unnamed1>
- <unnamed2 type="SET OF">
- <unnamed1 type="SEQUENCE">
- <type type="OBJECT ID">2.5.4.8</type>
- <value type="ANY">
- <X520StateOrProvinceName>Attiki</X520StateOrProvinceName>
- </value>
- </unnamed1>
- </unnamed2>
- <unnamed3 type="SET OF">
- <unnamed1 type="SEQUENCE">
- <type type="OBJECT ID">2.5.4.7</type>
- <value type="ANY">
- <X520LocalityName>Athina</X520LocalityName>
- </value>
- </unnamed1>
- </unnamed3>
- <unnamed4 type="SET OF">
- <unnamed1 type="SEQUENCE">
- <type type="OBJECT ID">2.5.4.10</type>
- <value type="ANY">
- <X520OrganizationName>GNUTLS</X520OrganizationName>
- </value>
- </unnamed1>
- </unnamed4>
- <unnamed5 type="SET OF">
- <unnamed1 type="SEQUENCE">
- <type type="OBJECT ID">2.5.4.11</type>
- <value type="ANY">
- <X520OrganizationalUnitName>GNUTLS dev.</X520OrganizationalUnitName>
- </value>
- </unnamed1>
- </unnamed5>
- <unnamed6 type="SET OF">
- <unnamed1 type="SEQUENCE">
- <type type="OBJECT ID">2.5.4.3</type>
- <value type="ANY">
- <X520CommonName>localhost</X520CommonName>
- </value>
- </unnamed1>
- </unnamed6>
- <unnamed7 type="SET OF">
- <unnamed1 type="SEQUENCE">
- <type type="OBJECT ID">1.2.840.113549.1.9.1</type>
- <value type="ANY">
- <Pkcs9email>root@localhost</Pkcs9email>
- </value>
- </unnamed1>
- </unnamed7>
- </rdnSequence>
- </subject>
- <subjectPublicKeyInfo type="SEQUENCE">
- <algorithm type="SEQUENCE">
- <algorithm type="OBJECT ID">1.2.840.113549.1.1.1</algorithm>
- <parameters type="ANY">
- <rsaEncryption encoding="HEX">0500</rsaEncryption>
- </parameters>
- </algorithm>
- <subjectPublicKey type="BIT STRING" encoding="HEX" length="1120">30818902818100D00B49EBB226D951F5CC57072199DDF287683D2DA1A0EFCC96BFF73164777C78C3991E92EDA66584E7B97BAB4BE68D595D225557E01E7E57B5C35C04B491948C5C427AD588D8C6989764996D6D44E17B65CCFC86F3B4842DE559B730C1DE3AEF1CE1A328AFF8A357EBA911E1F7E8FC1598E21E4BF721748C587F50CF46157D950203010001</subjectPublicKey>
- </subjectPublicKeyInfo>
- <extensions type="SEQUENCE OF">
- <unnamed1 type="SEQUENCE">
- <extnID type="OBJECT ID">2.5.29.35</extnID>
- <critical type="BOOLEAN">FALSE</critical>
- <extnValue type="SEQUENCE">
- <keyIdentifier type="OCTET STRING" encoding="HEX">EFEE94ABC8CA577F5313DB76DC1A950093BAF3C9</keyIdentifier>
- </extnValue>
- </unnamed1>
- <unnamed2 type="SEQUENCE">
- <extnID type="OBJECT ID">2.5.29.37</extnID>
- <critical type="BOOLEAN">FALSE</critical>
- <extnValue type="SEQUENCE OF">
- <unnamed1 type="OBJECT ID">1.3.6.1.5.5.7.3.1</unnamed1>
- <unnamed2 type="OBJECT ID">1.3.6.1.5.5.7.3.2</unnamed2>
- <unnamed3 type="OBJECT ID">1.3.6.1.4.1.311.10.3.3</unnamed3>
- <unnamed4 type="OBJECT ID">2.16.840.1.113730.4.1</unnamed4>
- </extnValue>
- </unnamed2>
- <unnamed3 type="SEQUENCE">
- <extnID type="OBJECT ID">2.5.29.19</extnID>
- <critical type="BOOLEAN">TRUE</critical>
- <extnValue type="SEQUENCE">
- <cA type="BOOLEAN">FALSE</cA>
- </extnValue>
- </unnamed3>
- </extensions>
- </tbsCertificate>
- <signatureAlgorithm type="SEQUENCE">
- <algorithm type="OBJECT ID">1.2.840.113549.1.1.4</algorithm>
- <parameters type="ANY">
- <md5WithRSAEncryption encoding="HEX">0500</md5WithRSAEncryption>
- </parameters>
- </signatureAlgorithm>
- <signature type="BIT STRING" encoding="HEX" length="1024">B73945273AF2A395EC54BF5DC669D953885A9D811A3B92909D24792D36A44EC27E1C463AF8738BEFD29B311CCE8C6D9661BEC30911DAABB39B8813382B32D2E259581EBCD26C495C083984763966FF35D1DEFE432891E610C85072578DA7423244A8F5997B41A1F44E61F4F22C94375775055A5E72F25D5E4557467A91BD4251</signature>
- </certificate>
-</gnutls:x509:certificate>
-
-\end{verbatim}
diff --git a/doc/tex/figures/x509-1.dia b/doc/x509-1.dia
index 0742bb3677..0742bb3677 100644
--- a/doc/tex/figures/x509-1.dia
+++ b/doc/x509-1.dia
Binary files differ