]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
updated examples and added new "handling alerts" section.
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Wed, 28 Dec 2011 08:49:56 +0000 (10:49 +0200)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Wed, 28 Dec 2011 14:08:55 +0000 (16:08 +0200)
14 files changed:
doc/Makefile.am
doc/cha-gtls-app.texi
doc/cha-gtls-examples.texi
doc/cha-intro-tls.texi
doc/examples/Makefile.am
doc/examples/ex-client-anon.c [moved from doc/examples/ex-client1.c with 95% similarity]
doc/examples/ex-client-dtls.c [moved from doc/examples/ex-client-udp.c with 92% similarity]
doc/examples/ex-client-psk.c
doc/examples/ex-client-resume.c
doc/examples/ex-client-srp.c
doc/examples/ex-client-x509.c [moved from doc/examples/ex-rfc2818.c with 97% similarity]
doc/examples/ex-serv-anon.c
doc/examples/ex-serv-srp.c
doc/examples/ex-serv-x509.c [moved from doc/examples/ex-serv1.c with 94% similarity]

index 41619a8863b2e439d23f3c47c3552c59e7588223..d391260171d0ceda5aafc80ae746a26f113fe7ec 100644 (file)
@@ -39,14 +39,14 @@ gnutls_TEXINFOS = gnutls.texi fdl-1.3.texi lgpl-2.1.texi gpl-3.0.texi       \
        cha-shared-key.texi cha-gtls-examples.texi
 
 # Examples.
-gnutls_TEXINFOS += examples/ex-client1.c                               \
+gnutls_TEXINFOS += examples/ex-client-anon.c                           \
        examples/ex-session-info.c examples/ex-verify.c                 \
        examples/ex-cert-select.c examples/ex-client-resume.c           \
-       examples/ex-client-srp.c examples/ex-rfc2818.c                  \
-       examples/ex-serv1.c examples/ex-serv-anon.c                     \
+       examples/ex-client-srp.c examples/ex-client-x509.c              \
+       examples/ex-serv-x509.c examples/ex-serv-anon.c                 \
        examples/ex-serv-pgp.c examples/ex-serv-srp.c                   \
        examples/ex-alert.c examples/ex-x509-info.c examples/ex-crq.c   \
-       examples/ex-pkcs12.c
+       examples/ex-pkcs12.c examples/ex-client-dtls.c
 
 # Images.  Make sure there are eps + png + pdf of each, plus the source dia.
 gnutls_TEXINFOS += gnutls-internals.dia gnutls-internals.eps           \
index 103703815628cdf89a4619e1d53c39aced4277f8..03993a5ef2c8924363a3c491c57a2fa1d0013e9f 100644 (file)
@@ -9,6 +9,7 @@
 * Setting up the transport layer::
 * TLS handshake::
 * Data transfer and termination::
+* Handling alerts::
 * Priority Strings::
 * Advanced and other topics::
 * Using the cryptographic library::
@@ -643,6 +644,24 @@ A session can be deinitialized with the @funcref{gnutls_deinit} function.
 @showfuncdesc{gnutls_bye}
 @showfuncdesc{gnutls_deinit}
 
+@node Handling alerts
+@section Handling alerts
+During a TLS connection alert messages may be exchanged by the
+two peers. Those messages may be fatal, meaning the connection
+must be terminated afterwards, or warning when something needs
+to be reported to the peer, but without interrupting the session.
+The error codes @code{GNUTLS_E_WARNING_ALERT_RECEIVED}
+or @code{GNUTLS_E_FATAL_ALERT_RECEIVED} signal those alerts
+when received, and may be returned by all GnuTLS functions that receive 
+data from the peer, being @funcref{gnutls_handshake} and @funcref{gnutls_record_recv}.
+Alerts messages may be sent to the peer using @funcref{gnutls_alert_send}.
+
+@showfuncdesc{gnutls_alert_get}
+
+@showfuncdesc{gnutls_alert_send}
+
+@showfuncB{gnutls_error_to_alert,gnutls_alert_get_name}
+
 
 @node Priority Strings
 @section Priority strings
index 68230a9d33a03752d3f146f95a1df26589990051..8d364b635bfc64a3a722957da0ad98f51d18933e 100644 (file)
@@ -25,7 +25,7 @@ implemented by another example.
 * Obtaining session information::
 * Using a callback to select the certificate to use::
 * Verifying a certificate::
-* Client using a PKCS 11 token with TLS::
+* Client using a smart card with TLS::
 * Client with Resume capability example::
 * Simple client example with SRP authentication::
 * Simple client example in C++::
@@ -40,9 +40,10 @@ The simplest client using TLS is the one that doesn't do any
 authentication.  This means no external certificates or passwords are
 needed to set up the connection.  As could be expected, the connection
 is vulnerable to man-in-the-middle (active or redirection) attacks.
-However, the data is integrity and privacy protected.
+However, the data are integrity protected and encrypted from
+passive eavesdroppers.
 
-@verbatiminclude examples/ex-client1.c
+@verbatiminclude examples/ex-client-anon.c
 
 @node Simple client example with X.509 certificate support
 @subsection Simple client example with @acronym{X.509} certificate support
@@ -55,16 +56,16 @@ a very simple @acronym{TLS} client, which uses the high level verification
 functions for certificates, but does not support session
 resumption. 
 
-@verbatiminclude examples/ex-rfc2818.c
+@verbatiminclude examples/ex-client-x509.c
 
 @node Simple Datagram TLS client example
 @subsection Simple datagram @acronym{TLS} client example
 
 This is a client that uses @acronym{UDP} to connect to a
-server. This is the @acronym{DTLS} equivalent to the example
-in @ref{Simple client example with X.509 certificate support}.
+server. This is the @acronym{DTLS} equivalent to the TLS example
+with X.509 certificates.
 
-@verbatiminclude examples/ex-client-udp.c
+@verbatiminclude examples/ex-client-dtls.c
 
 @node Obtaining session information
 @subsection Obtaining session information
@@ -96,12 +97,14 @@ functions to verify a given certificate list.
 
 @verbatiminclude examples/ex-verify.c
 
-@node Client using a PKCS 11 token with TLS
-@subsection Using a @acronym{PKCS} #11 token with TLS
+@node Client using a smart card with TLS
+@subsection Using a smart card with TLS
 @anchor{ex:pkcs11-client}
+@cindex Smart card example
 
 This example will demonstrate how to load keys and certificates
-from a @acronym{PKCS} #11 token, and use it with a TLS connection.
+from a smart-card or any other @acronym{PKCS} #11 token, and 
+use it in a TLS connection.
 
 @verbatiminclude examples/ex-cert-select-pkcs11.c
 
@@ -163,7 +166,7 @@ servers, using @acronym{GnuTLS}.
 * Echo server with OpenPGP authentication::
 * Echo server with SRP authentication::
 * Echo server with anonymous authentication::
-* Echo DTLS server with X.509 authentication::
+* DTLS echo server with X.509 authentication::
 @end menu
 
 @node Echo server with X.509 authentication
@@ -172,7 +175,7 @@ servers, using @acronym{GnuTLS}.
 This example is a very simple echo server which supports
 @acronym{X.509} authentication.
 
-@verbatiminclude examples/ex-serv1.c
+@verbatiminclude examples/ex-serv-x509.c
 
 @node Echo server with OpenPGP authentication
 @subsection Echo server with @acronym{OpenPGP} authentication
@@ -203,8 +206,8 @@ used to serve the example client for anonymous authentication.
 
 @verbatiminclude examples/ex-serv-anon.c
 
-@node Echo DTLS server with X.509 authentication
-@subsection Echo DTLS server with @acronym{X.509} authentication
+@node DTLS echo server with X.509 authentication
+@subsection DTLS echo server with @acronym{X.509} authentication
 
 This example is a very simple echo server using Datagram TLS and 
 @acronym{X.509} authentication.
index 5f5f77d1ecbe54fc99fde90aa928678a0607d547..6b1bb7272ea75c6746c57f2594ed324fa8d5650f 100644 (file)
@@ -271,18 +271,10 @@ warning. Fatal alerts always terminate the current connection, and
 prevent future re-negotiations using the current session ID. All alert
 messages are summarized in @ref{tab:alerts}.
 
-
 The alert messages are protected by the record protocol, thus the
 information that is included does not leak. You must take extreme care
 for the alert information not to leak to a possible attacker, via
-public log files etc. The available functions to control the alert
-protocol are shown below.
-
-@showfuncdesc{gnutls_alert_get}
-
-@showfuncdesc{gnutls_alert_send}
-
-@showfuncB{gnutls_error_to_alert,gnutls_alert_get_name}
+public log files etc. 
 
 @include alerts.texi
 
index 38d25a5dd206243d175f0a29a3b5a6bd34715f4d..aac8421610812c857cbc5bef869c5a20dec69b69 100644 (file)
@@ -41,11 +41,11 @@ LDADD = libexamples.la                              \
 CXX_LDADD = $(LDADD) \
        ../../lib/libgnutlsxx.la
 
-noinst_PROGRAMS = ex-client-resume ex-client-udp
-noinst_PROGRAMS += ex-cert-select ex-rfc2818
+noinst_PROGRAMS = ex-client-resume ex-client-dtls
+noinst_PROGRAMS += ex-cert-select ex-client-x509
 
 if ENABLE_PKI
-noinst_PROGRAMS += ex-crq ex-serv1 ex-serv-dtls
+noinst_PROGRAMS += ex-crq ex-serv-x509 ex-serv-dtls
 endif
 
 if ENABLE_CXX
@@ -55,7 +55,7 @@ noinst_PROGRAMS += ex-cxx
 endif
 
 if ENABLE_ANON
-noinst_PROGRAMS += ex-client1 ex-serv-anon
+noinst_PROGRAMS += ex-client-anon ex-serv-anon
 endif
 
 if ENABLE_OPENPGP
similarity index 95%
rename from doc/examples/ex-client1.c
rename to doc/examples/ex-client-anon.c
index 322e400ec08d3473e23dad9720aabae3677a6d65..8c06bda9004a2212ed25dc9f5a883dc826c389db 100644 (file)
@@ -55,7 +55,11 @@ main (void)
 
   /* Perform the TLS handshake
    */
-  ret = gnutls_handshake (session);
+  do
+    {
+      ret = gnutls_handshake (session);
+    }
+  while (gnutls_error_is_fatal (ret) == 0);
 
   if (ret < 0)
     {
similarity index 92%
rename from doc/examples/ex-client-udp.c
rename to doc/examples/ex-client-dtls.c
index 7a0721a8562afe25e05e71be55c4c9e196c70fda..222762a0b582e7cc1220502e80d3d9c97c572152 100644 (file)
@@ -59,6 +59,8 @@ main (void)
 
   /* put the x509 credentials to the current session */
   gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+  gnutls_server_name_set (session, GNUTLS_NAME_DNS, "my_host_name", 
+                          strlen("my_host_name"));
 
   /* connect to the peer */
   sd = udp_connect ();
@@ -69,7 +71,11 @@ main (void)
   gnutls_dtls_set_mtu (session, 1000);
 
   /* Perform the TLS handshake */
-  ret = gnutls_handshake (session);
+  do
+    {
+      ret = gnutls_handshake (session);
+    }
+  while (gnutls_error_is_fatal (ret) == 0);
 
   if (ret < 0)
     {
index 2264f076b2a5e8892394eded507a12279986013c..7c0bd7e146c79ea943f7685f76e695fdfa7b9aec 100644 (file)
@@ -65,7 +65,11 @@ main (void)
 
   /* Perform the TLS handshake
    */
-  ret = gnutls_handshake (session);
+  do
+    {
+      ret = gnutls_handshake (session);
+    }
+  while (gnutls_error_is_fatal (ret) == 0);
 
   if (ret < 0)
     {
index 9e6e9b60fdc7d8c0c3f93f35a64818b846d4084d..5aeae58c925816ecd8d3f1507b65507780266bd6 100644 (file)
@@ -63,7 +63,11 @@ main (void)
 
       /* Perform the TLS handshake
        */
-      ret = gnutls_handshake (session);
+      do
+        {
+          ret = gnutls_handshake (session);
+        }
+      while (gnutls_error_is_fatal (ret) == 0);
 
       if (ret < 0)
         {
index b8ecc2b5a850f45c5d33d0ec7ea148d2b4228437..5a753abff32273e7470bb8e05ea0a7cfca9be360 100644 (file)
@@ -62,7 +62,11 @@ main (void)
 
   /* Perform the TLS handshake
    */
-  ret = gnutls_handshake (session);
+  do
+    {
+      ret = gnutls_handshake (session);
+    }
+  while (gnutls_error_is_fatal (ret) == 0);
 
   if (ret < 0)
     {
similarity index 97%
rename from doc/examples/ex-rfc2818.c
rename to doc/examples/ex-client-x509.c
index f7aa08d0682dd96de4751f8311304ea4690bf827..c82df6523ba7661c08cd4bb493c4a6cd7edeb236 100644 (file)
@@ -46,6 +46,8 @@ int main (void)
   gnutls_init (&session, GNUTLS_CLIENT);
 
   gnutls_session_set_ptr (session, (void *) "my_host_name");
+  gnutls_server_name_set (session, GNUTLS_NAME_DNS, "my_host_name", 
+                          strlen("my_host_name"));
 
   /* Use default priorities */
   ret = gnutls_priority_set_direct (session, "NORMAL", &err);
index ade01f4a548e7fafeacf79ae5440ff2f3e78ddbb..93c8a70feee847b33c495731a968736d0210eddc 100644 (file)
@@ -116,7 +116,13 @@ main (void)
                          sizeof (topbuf)), ntohs (sa_cli.sin_port));
 
       gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
-      ret = gnutls_handshake (session);
+
+      do
+        {
+          ret = gnutls_handshake (session);
+        }
+      while (gnutls_error_is_fatal (ret) == 0);
+
       if (ret < 0)
         {
           close (sd);
index 5dbd8cfb6958e2e426908e404d7dd6015122153c..0cff30c44823a5f9c983d40a354348c6f9e18f34 100644 (file)
@@ -117,7 +117,13 @@ main (void)
                          sizeof (topbuf)), ntohs (sa_cli.sin_port));
 
       gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
-      ret = gnutls_handshake (session);
+
+      do
+        {
+          ret = gnutls_handshake (session);
+        }
+      while (gnutls_error_is_fatal (ret) == 0);
+
       if (ret < 0)
         {
           close (sd);
similarity index 94%
rename from doc/examples/ex-serv1.c
rename to doc/examples/ex-serv-x509.c
index eaf09f6474f36c095a30157482eb78c6dd424f62..5383fb342503b297bf70c4d358e565c487a2bbb6 100644 (file)
@@ -41,9 +41,10 @@ initialize_tls_session (void)
 
   gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred);
 
-  /* request client certificate if any.
+  /* We don't request any certificate from the client.
+   * If we did we would need to verify it.
    */
-  gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST);
+  gnutls_certificate_server_set_request (session, GNUTLS_CERT_IGNORE);
 
   return session;
 }
@@ -134,7 +135,13 @@ main (void)
                          sizeof (topbuf)), ntohs (sa_cli.sin_port));
 
       gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
-      ret = gnutls_handshake (session);
+
+      do
+        {
+          ret = gnutls_handshake (session);
+        }
+      while (gnutls_error_is_fatal (ret) == 0);
+
       if (ret < 0)
         {
           close (sd);