diff --git a/.gitignore b/.gitignore index 50c6da1..1f800a0 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ gnutls-2.10.1-nosrp.tar.bz2 /gnutls-2.10.3-nosrp.tar.bz2 /gnutls-2.10.4-nosrp.tar.bz2 /gnutls-2.10.5-nosrp.tar.bz2 +/gnutls-2.12.2-nosrp.tar.bz2 diff --git a/gnutls-2.10.1-handshake-errors.patch b/gnutls-2.10.1-handshake-errors.patch deleted file mode 100644 index 1c11dc7..0000000 --- a/gnutls-2.10.1-handshake-errors.patch +++ /dev/null @@ -1,57 +0,0 @@ -diff -up gnutls-2.10.1/lib/gnutls_handshake.c.errors gnutls-2.10.1/lib/gnutls_handshake.c ---- gnutls-2.10.1/lib/gnutls_handshake.c.errors 2010-07-25 10:35:31.000000000 +0200 -+++ gnutls-2.10.1/lib/gnutls_handshake.c 2010-09-13 17:16:05.000000000 +0200 -@@ -2769,7 +2769,7 @@ _gnutls_handshake_client (gnutls_session - case STATE1: - ret = _gnutls_send_hello (session, AGAIN (STATE1)); - STATE = STATE1; -- IMED_RET ("send hello", ret, 0); -+ IMED_RET ("send hello", ret, 1); - - case STATE2: - /* receive the server hello */ -@@ -2849,7 +2849,7 @@ _gnutls_handshake_client (gnutls_session - ret = - _gnutls_send_client_certificate_verify (session, AGAIN (STATE9)); - STATE = STATE9; -- IMED_RET ("send client certificate verify", ret, 0); -+ IMED_RET ("send client certificate verify", ret, 1); - - STATE = STATE0; - default: -@@ -3002,7 +3002,7 @@ _gnutls_handshake_server (gnutls_session - case STATE2: - ret = _gnutls_send_hello (session, AGAIN (STATE2)); - STATE = STATE2; -- IMED_RET ("send hello", ret, 0); -+ IMED_RET ("send hello", ret, 1); - - case STATE70: - if (session->security_parameters.extensions.do_send_supplemental) -@@ -3044,7 +3044,7 @@ _gnutls_handshake_server (gnutls_session - GNUTLS_HANDSHAKE_SERVER_HELLO_DONE, - AGAIN (STATE6)); - STATE = STATE6; -- IMED_RET ("send server hello done", ret, 0); -+ IMED_RET ("send server hello done", ret, 1); - - case STATE71: - if (session->security_parameters.extensions.do_recv_supplemental) -@@ -3119,7 +3119,7 @@ _gnutls_handshake_common (gnutls_session - #endif - - ret = _gnutls_send_handshake_final (session, FALSE); -- IMED_RET ("send handshake final", ret, 0); -+ IMED_RET ("send handshake final", ret, 1); - - /* only store if we are not resuming */ - if (session->security_parameters.entity == GNUTLS_SERVER) -@@ -3132,7 +3132,7 @@ _gnutls_handshake_common (gnutls_session - { /* if we are a client not resuming - or we are a server resuming */ - - ret = _gnutls_send_handshake_final (session, TRUE); -- IMED_RET ("send handshake final 2", ret, 0); -+ IMED_RET ("send handshake final 2", ret, 1); - - #ifdef ENABLE_SESSION_TICKET - switch (STATE) diff --git a/gnutls-2.10.1-nosrp.patch b/gnutls-2.12.2-nosrp.patch similarity index 73% rename from gnutls-2.10.1-nosrp.patch rename to gnutls-2.12.2-nosrp.patch index 46ae493..eb31172 100644 --- a/gnutls-2.10.1-nosrp.patch +++ b/gnutls-2.12.2-nosrp.patch @@ -1,16 +1,7 @@ -diff -up gnutls-2.10.1/doc/gnutls.texi.nosrp gnutls-2.10.1/doc/gnutls.texi ---- gnutls-2.10.1/doc/gnutls.texi.nosrp 2010-06-21 09:50:55.000000000 +0200 -+++ gnutls-2.10.1/doc/gnutls.texi 2010-08-04 11:58:22.000000000 +0200 -@@ -524,7 +524,7 @@ data to the transport layer. - @end itemize - - Other callback functions such as the one set by --@ref{gnutls_srp_set_server_credentials_function}, may require more -+gnutls_srp_set_server_credentials_function, may require more - complicated input, including data to be allocated. These callbacks - should allocate and free memory using the functions shown below. - -@@ -1576,9 +1576,9 @@ authenticated using a certificate with R +diff -up gnutls-2.12.2/doc/cha-auth.texi.nosrp gnutls-2.12.2/doc/cha-auth.texi +--- gnutls-2.12.2/doc/cha-auth.texi.nosrp 2011-04-08 02:30:44.000000000 +0200 ++++ gnutls-2.12.2/doc/cha-auth.texi 2011-04-19 09:46:25.000000000 +0200 +@@ -255,9 +255,9 @@ authenticated using a certificate with R If clients supporting @acronym{SRP} know the username and password before the connection, should initialize the client credentials and @@ -22,7 +13,7 @@ diff -up gnutls-2.10.1/doc/gnutls.texi.nosrp gnutls-2.10.1/doc/gnutls.texi the advantage that allows probing the server for @acronym{SRP} support. In that case the callback function will be called twice per handshake. The first time is before the ciphersuite is negotiated, -@@ -1593,20 +1593,20 @@ In server side the default behaviour of +@@ -272,20 +272,20 @@ In server side the default behaviour of the usernames and @acronym{SRP} verifiers from password files. These password files are the ones used by the @emph{Stanford srp libraries} and can be specified using the @@ -48,3 +39,15 @@ diff -up gnutls-2.10.1/doc/gnutls.texi.nosrp gnutls-2.10.1/doc/gnutls.texi @end itemize +diff -up gnutls-2.12.2/doc/cha-library.texi.nosrp gnutls-2.12.2/doc/cha-library.texi +--- gnutls-2.12.2/doc/cha-library.texi.nosrp 2011-04-08 02:30:44.000000000 +0200 ++++ gnutls-2.12.2/doc/cha-library.texi 2011-04-19 09:44:58.000000000 +0200 +@@ -174,7 +174,7 @@ data to the transport layer. + @end itemize + + Other callback functions such as the one set by +-@ref{gnutls_srp_set_server_credentials_function}, may require more ++gnutls_srp_set_server_credentials_function, may require more + complicated input, including data to be allocated. These callbacks + should allocate and free memory using the functions shown below. + diff --git a/gnutls-2.10.4-rpath.patch b/gnutls-2.12.2-rpath.patch similarity index 69% rename from gnutls-2.10.4-rpath.patch rename to gnutls-2.12.2-rpath.patch index beaa957..5b80f70 100644 --- a/gnutls-2.10.4-rpath.patch +++ b/gnutls-2.12.2-rpath.patch @@ -1,8 +1,8 @@ -diff -up gnutls-2.10.4/build-aux/config.rpath gnutls-2.10.4/build-aux/config -diff -up gnutls-2.10.4/configure.rpath gnutls-2.10.4/configure ---- gnutls-2.10.4/configure.rpath 2010-12-06 14:53:28.000000000 +0100 -+++ gnutls-2.10.4/configure 2010-12-08 21:29:22.000000000 +0100 -@@ -15112,7 +15112,7 @@ shlibpath_var= +diff -up gnutls-2.12.2/build-aux/config.rpath gnutls-2.12.2/build-aux/config +diff -up gnutls-2.12.2/configure.rpath gnutls-2.12.2/configure +--- gnutls-2.12.2/configure.rpath 2011-04-08 18:18:09.000000000 +0200 ++++ gnutls-2.12.2/configure 2011-04-19 10:55:42.000000000 +0200 +@@ -16740,7 +16740,7 @@ shlibpath_var= shlibpath_overrides_runpath=unknown version_type=none dynamic_linker="$host_os ld.so" @@ -11,16 +11,16 @@ diff -up gnutls-2.10.4/configure.rpath gnutls-2.10.4/configure need_lib_prefix=unknown hardcode_into_libs=no -@@ -15510,7 +15510,7 @@ fi +@@ -17125,7 +17125,7 @@ rm -f core conftest.err conftest.$ac_obj # Append ld.so.conf contents to the search path if test -f /etc/ld.so.conf; then - lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '` + lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '` - sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" + sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64 $lt_ld_extra" fi # We used to test for /lib/ld.so.1 and disable shared libraries on -@@ -18777,7 +18777,7 @@ shlibpath_var= +@@ -20209,7 +20209,7 @@ shlibpath_var= shlibpath_overrides_runpath=unknown version_type=none dynamic_linker="$host_os ld.so" @@ -29,20 +29,20 @@ diff -up gnutls-2.10.4/configure.rpath gnutls-2.10.4/configure need_lib_prefix=unknown hardcode_into_libs=no -@@ -19173,7 +19173,7 @@ fi +@@ -20593,7 +20593,7 @@ rm -f core conftest.err conftest.$ac_obj # Append ld.so.conf contents to the search path if test -f /etc/ld.so.conf; then - lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '` + lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '` - sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" + sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64 $lt_ld_extra" fi # We used to test for /lib/ld.so.1 and disable shared libraries on -diff -up gnutls-2.10.4/lib/build-aux/config.rpath gnutls-2.10.4/lib/build-aux/config -diff -up gnutls-2.10.4/lib/configure.rpath gnutls-2.10.4/lib/configure ---- gnutls-2.10.4/lib/configure.rpath 2010-12-06 14:53:11.000000000 +0100 -+++ gnutls-2.10.4/lib/configure 2010-12-08 21:30:09.000000000 +0100 -@@ -10839,7 +10839,7 @@ shlibpath_var= +diff -up gnutls-2.12.2/lib/build-aux/config.rpath gnutls-2.12.2/lib/build-aux/config +diff -up gnutls-2.12.2/lib/configure.rpath gnutls-2.12.2/lib/configure +--- gnutls-2.12.2/lib/configure.rpath 2011-04-08 18:17:13.000000000 +0200 ++++ gnutls-2.12.2/lib/configure 2011-04-19 10:57:03.000000000 +0200 +@@ -10842,7 +10842,7 @@ shlibpath_var= shlibpath_overrides_runpath=unknown version_type=none dynamic_linker="$host_os ld.so" @@ -51,16 +51,16 @@ diff -up gnutls-2.10.4/lib/configure.rpath gnutls-2.10.4/lib/configure need_lib_prefix=unknown hardcode_into_libs=no -@@ -11237,7 +11237,7 @@ fi +@@ -11227,7 +11227,7 @@ rm -f core conftest.err conftest.$ac_obj # Append ld.so.conf contents to the search path if test -f /etc/ld.so.conf; then - lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '` + lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '` - sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" + sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64 $lt_ld_extra" fi # We used to test for /lib/ld.so.1 and disable shared libraries on -@@ -25790,7 +25790,7 @@ shlibpath_var= +@@ -28572,7 +28572,7 @@ shlibpath_var= shlibpath_overrides_runpath=unknown version_type=none dynamic_linker="$host_os ld.so" @@ -69,20 +69,20 @@ diff -up gnutls-2.10.4/lib/configure.rpath gnutls-2.10.4/lib/configure need_lib_prefix=unknown hardcode_into_libs=no -@@ -26186,7 +26186,7 @@ fi +@@ -28956,7 +28956,7 @@ rm -f core conftest.err conftest.$ac_obj # Append ld.so.conf contents to the search path if test -f /etc/ld.so.conf; then - lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '` + lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '` - sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" + sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64 $lt_ld_extra" fi # We used to test for /lib/ld.so.1 and disable shared libraries on -diff -up gnutls-2.10.4/libextra/build-aux/config.rpath gnutls-2.10.4/libextra/build-aux/config -diff -up gnutls-2.10.4/libextra/configure.rpath gnutls-2.10.4/libextra/configure ---- gnutls-2.10.4/libextra/configure.rpath 2010-12-06 14:53:20.000000000 +0100 -+++ gnutls-2.10.4/libextra/configure 2010-12-08 21:30:27.000000000 +0100 -@@ -10013,7 +10013,7 @@ shlibpath_var= +diff -up gnutls-2.12.2/libextra/build-aux/config.rpath gnutls-2.12.2/libextra/build-aux/config +diff -up gnutls-2.12.2/libextra/configure.rpath gnutls-2.12.2/libextra/configure +--- gnutls-2.12.2/libextra/configure.rpath 2011-04-08 18:17:42.000000000 +0200 ++++ gnutls-2.12.2/libextra/configure 2011-04-19 10:57:59.000000000 +0200 +@@ -9971,7 +9971,7 @@ shlibpath_var= shlibpath_overrides_runpath=unknown version_type=none dynamic_linker="$host_os ld.so" @@ -91,10 +91,10 @@ diff -up gnutls-2.10.4/libextra/configure.rpath gnutls-2.10.4/libextra/configure need_lib_prefix=unknown hardcode_into_libs=no -@@ -10411,7 +10411,7 @@ fi +@@ -10356,7 +10356,7 @@ rm -f core conftest.err conftest.$ac_obj # Append ld.so.conf contents to the search path if test -f /etc/ld.so.conf; then - lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '` + lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '` - sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" + sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64 $lt_ld_extra" fi diff --git a/gnutls-2.8.6-safe-renegotiation.patch b/gnutls-2.8.6-safe-renegotiation.patch deleted file mode 100644 index 3f386a2..0000000 --- a/gnutls-2.8.6-safe-renegotiation.patch +++ /dev/null @@ -1,4030 +0,0 @@ -diff -up gnutls-2.8.6/AUTHORS.reneg gnutls-2.8.6/AUTHORS ---- gnutls-2.8.6/AUTHORS.reneg 2009-06-02 20:59:32.000000000 +0200 -+++ gnutls-2.8.6/AUTHORS 2010-05-31 22:52:31.000000000 +0200 -@@ -51,6 +51,9 @@ OpenPGP discussion and improvements. - David Marín Carreño - Added gnutls_x509_crq_get_key_id. - -+Steve Dispensa -+TLS safe renegotiation fix. -+ - -----BEGIN PGP PUBLIC KEY BLOCK----- - URL: http://josefsson.org/key.txt (always latest version) - Comment: This 0xB565716F key is used to sign releases of GnuTLS. -diff -up gnutls-2.8.6/configure.reneg gnutls-2.8.6/configure ---- gnutls-2.8.6/configure.reneg 2010-05-31 22:52:31.000000000 +0200 -+++ gnutls-2.8.6/configure 2010-05-31 22:52:31.000000000 +0200 -@@ -28559,7 +28559,7 @@ subdirs="$subdirs libextra" - - ac_config_files="$ac_config_files guile/pre-inst-guile" - --ac_config_files="$ac_config_files Makefile doc/Makefile doc/credentials/Makefile doc/credentials/openpgp/Makefile doc/credentials/srp/Makefile doc/credentials/x509/Makefile doc/cyclo/Makefile doc/doxygen/Doxyfile doc/examples/Makefile doc/manpages/Makefile doc/reference/Makefile doc/scripts/Makefile gl/Makefile gl/tests/Makefile guile/Makefile guile/modules/Makefile guile/src/Makefile guile/tests/Makefile src/Makefile src/cfg/Makefile src/cfg/platon/Makefile src/cfg/platon/str/Makefile tests/Makefile tests/key-id/Makefile tests/openpgp-certs/Makefile tests/pathlen/Makefile tests/pkcs1-padding/Makefile tests/pkcs12-decode/Makefile tests/pkcs8-decode/Makefile tests/rsa-md5-collision/Makefile tests/sha2/Makefile tests/userid/Makefile" -+ac_config_files="$ac_config_files Makefile doc/Makefile doc/credentials/Makefile doc/credentials/openpgp/Makefile doc/credentials/srp/Makefile doc/credentials/x509/Makefile doc/cyclo/Makefile doc/doxygen/Doxyfile doc/examples/Makefile doc/manpages/Makefile doc/reference/Makefile doc/scripts/Makefile gl/Makefile gl/tests/Makefile guile/Makefile guile/modules/Makefile guile/src/Makefile guile/tests/Makefile src/Makefile src/cfg/Makefile src/cfg/platon/Makefile src/cfg/platon/str/Makefile tests/Makefile tests/key-id/Makefile tests/openpgp-certs/Makefile tests/safe-renegotiation/Makefile tests/pathlen/Makefile tests/pkcs1-padding/Makefile tests/pkcs12-decode/Makefile tests/pkcs8-decode/Makefile tests/rsa-md5-collision/Makefile tests/sha2/Makefile tests/userid/Makefile" - - cat >confcache <<\_ACEOF - # This file is a shell script that caches the results of configure -@@ -29783,6 +29783,7 @@ do - "tests/Makefile") CONFIG_FILES="$CONFIG_FILES tests/Makefile" ;; - "tests/key-id/Makefile") CONFIG_FILES="$CONFIG_FILES tests/key-id/Makefile" ;; - "tests/openpgp-certs/Makefile") CONFIG_FILES="$CONFIG_FILES tests/openpgp-certs/Makefile" ;; -+ "tests/safe-renegotiation/Makefile") CONFIG_FILES="$CONFIG_FILES tests/safe-renegotiation/Makefile" ;; - "tests/pathlen/Makefile") CONFIG_FILES="$CONFIG_FILES tests/pathlen/Makefile" ;; - "tests/pkcs1-padding/Makefile") CONFIG_FILES="$CONFIG_FILES tests/pkcs1-padding/Makefile" ;; - "tests/pkcs12-decode/Makefile") CONFIG_FILES="$CONFIG_FILES tests/pkcs12-decode/Makefile" ;; -diff -up gnutls-2.8.6/doc/gnutls-api.texi.reneg gnutls-2.8.6/doc/gnutls-api.texi ---- gnutls-2.8.6/doc/gnutls-api.texi.reneg 2010-03-15 11:35:23.000000000 +0100 -+++ gnutls-2.8.6/doc/gnutls-api.texi 2010-05-31 22:52:31.000000000 +0200 -@@ -3307,6 +3307,20 @@ This function will initialize the tempor - @strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, or an negative error code. - @end deftypefun - -+@subheading gnutls_safe_renegotiation_status -+@anchor{gnutls_safe_renegotiation_status} -+@deftypefun {int} {gnutls_safe_renegotiation_status} (gnutls_session_t @var{session}) -+@var{session}: is a @code{gnutls_session_t} structure. -+ -+Can be used to check whether safe renegotiation is being used -+in the current session. -+ -+@strong{Returns:} 0 when safe renegotiation is not used and non zero when -+safe renegotiation is used. -+ -+@strong{Since:} 2.10.0 -+@end deftypefun -+ - @subheading gnutls_server_name_get - @anchor{gnutls_server_name_get} - @deftypefun {int} {gnutls_server_name_get} (gnutls_session_t @var{session}, void * @var{data}, size_t * @var{data_length}, unsigned int * @var{type}, unsigned int @var{indx}) -diff -up gnutls-2.8.6/doc/gnutls.texi.reneg gnutls-2.8.6/doc/gnutls.texi ---- gnutls-2.8.6/doc/gnutls.texi.reneg 2009-06-02 21:07:14.000000000 +0200 -+++ gnutls-2.8.6/doc/gnutls.texi 2010-06-02 10:23:27.000000000 +0200 -@@ -565,6 +565,7 @@ also supports @acronym{X.509} and @acron - * Selecting cryptographic key sizes:: - * On SSL 2 and older protocols:: - * On Record Padding:: -+* Safe Renegotiation:: - @end menu - - @node TLS layers -@@ -1202,6 +1203,94 @@ here are some links: - - @url{http://thread.gmane.org/gmane.ietf.tls/3079} - -+@node Safe Renegotiation -+@section Safe Renegotiation -+@cindex renegotiation -+ -+Some application protocols and implementations uses the TLS -+renegotiation feature in a manner that enables attackers to insert -+content of his choice in the beginning of a TLS session. -+ -+One easy to understand vulnerability is HTTPS when servers request -+client certificates optionally for certain parts of a web site. The -+attack works by having the attacker simulate a client and connect to a -+server, with server-only authentication, and send some data intended -+to cause harm. When the proper client attempts to contact the server, -+the attacker hijacks that connection and uses the TLS renegotiation -+feature with the server and splices in the client connection to the -+already established connection between the attacker and server. The -+attacker will not be able to read the data exchanged between the -+client and the server. However, the server will (incorrectly) assume -+that the data sent by the attacker was sent by the now authenticated -+client. The result is a prefix plain-text injection attack. -+ -+The above is just one example. Other vulnerabilities exists that do -+not rely on the TLS renegotiation to change the client's authenticated -+status (either TLS or application layer). -+ -+While fixing these application protocols and implementations would be -+one natural reaction, an extension to TLS has been designed that -+cryptographically binds together any renegotiated handshakes with the -+initial negotiation. When the extension is used, the attack is -+detected and the session can be terminated. The extension is -+specified in @xcite{RFC5746}. -+ -+GnuTLS supports the safe renegotiation extension. The default -+behavior is as follows. Clients will attempt to negotiate the safe -+renegotiation extension when talking to servers. Servers will accept -+the extension when presented by clients. Clients and servers will -+permit an initial handshake to complete even when the other side does -+not support the safe renegotiation extension. Clients and servers -+will refuse renegotiation attempts when the extension has not been -+negotiated. -+ -+Note that permitting clients to connect to servers even when the safe -+renegotiation extension is not negotiated open up for some attacks. -+Changing this default behaviour would prevent interoperability against -+the majority of deployed servers out there. We will reconsider this -+default behaviour in the future when more servers have been upgraded. -+Note that it is easy to configure clients to always require the safe -+renegotiation extension from servers (see below on the -+%SAFE_RENEGOTIATION priority string). -+ -+To modify the default behaviour, we have introduced some new priority -+strings. The priority strings can be used by applications -+(@pxref{gnutls_priority_set}) and end users (e.g., @code{--priority} -+parameter to @code{gnutls-cli} and @code{gnutls-serv}). -+ -+The @code{%UNSAFE_RENEGOTIATION} priority string permits -+(re-)handshakes even when the safe renegotiation extension was not -+negotiated. The default behavior is @code{%PARTIAL_RENEGOTIATION} that will -+prevent renegotiation with clients and servers not supporting the -+extension. This is secure for servers but leaves clients vulnerable -+to some attacks, but this is a tradeoff between security and compatibility -+with old servers. The @code{%SAFE_RENEGOTIATION} priority string makes -+clients and servers require the extension for every handshake. The latter -+is the most secure option for clients, at the cost of not being able -+to connect to legacy servers. Servers will also deny clients that -+do not support the extension from connecting. -+ -+It is possible to disable use of the extension completely, in both -+clients and servers, by using the @code{%DISABLE_SAFE_RENEGOTIATION} -+priority string however we strongly recommend you to only do this for -+debugging and test purposes. -+ -+The default values if the flags above are not specified are: -+@table @code -+ -+@item Server: -+%PARTIAL_RENEGOTIATION -+ -+@item Client: -+%PARTIAL_RENEGOTIATION -+ -+@end table -+ -+For applications we have introduced a new API related to safe -+renegotiation. The @ref{gnutls_safe_renegotiation_status} function is -+used to check if the extension has been negotiated on a session, and -+can be used both by clients and servers. -+ - @node Authentication methods - @chapter Authentication Methods - -@@ -4179,6 +4268,11 @@ Pasi Eronen and Hannes Tschofenig, "Pre- - TLS", December 2005, Available from - @url{http://www.ietf.org/rfc/rfc4279.txt}. - -+@item @anchor{RFC5746}[RFC5746] -+E. Rescorla, M. Ray, S. Dispensa, and N. Oskov, "Transport Layer -+Security (TLS) Renegotiation Indication Extension", February 2010, -+available from @url{http://www.ietf.org/rfc/rfc5746}. -+ - @item @anchor{TOMSRP}[TOMSRP] - Tom Wu, "The Stanford SRP Authentication Project", Available at - @url{http://srp.stanford.edu/}. -diff -up gnutls-2.8.6/doc/manpages/gnutls-cli.1.reneg gnutls-2.8.6/doc/manpages/gnutls-cli.1 ---- gnutls-2.8.6/doc/manpages/gnutls-cli.1.reneg 2009-06-02 20:59:32.000000000 +0200 -+++ gnutls-2.8.6/doc/manpages/gnutls-cli.1 2010-06-02 10:23:27.000000000 +0200 -@@ -75,6 +75,15 @@ Special keywords: - "%SSL3_RECORD_VERSION" force SSL3.0 record version in the first client - hello. This is to avoid buggy servers from terminating connection. - .IP -+"%UNSAFE_RENEGOTIATION" Permits (re-)handshakes even unsafe ones. -+.IP -+"%PARTIAL_RENEGOTIATION" Prevents renegotiation with clients and servers not -+supporting the safe renegotiation extension. (default) -+.IP -+"%SAFE_RENEGOTIATION" will enable safe renegotiation. This is the most -+secure and recommended option for clients. However this will prevent from -+connecting to legacy servers. -+.IP - To avoid collisions in order to specify a compression algorithm in - this string you have to prefix it with "COMP-", protocol versions - with "VERS-" and certificate types with "CTYPE-". All other -diff -up gnutls-2.8.6/doc/manpages/gnutls_priority_init.3.reneg gnutls-2.8.6/doc/manpages/gnutls_priority_init.3 ---- gnutls-2.8.6/doc/manpages/gnutls_priority_init.3.reneg 2010-03-15 11:32:37.000000000 +0100 -+++ gnutls-2.8.6/doc/manpages/gnutls_priority_init.3 2010-05-31 22:52:31.000000000 +0200 -@@ -67,6 +67,21 @@ compression methods. - - "%COMPAT" will enable compatibility features for a server. - -+"%UNSAFE_RENEGOTIATION" will allow unsafe renegotiation (this is now -+the default for clients, but will change once more servers support the safe renegotiation -+TLS fix). -+ -+"%SAFE_RENEGOTIATION" will allow safe renegotiation only (this is the -+default for servers \- that will reject clients trying to perform an -+unsafe renegotiation). -+ -+"%INITIAL_SAFE_RENEGOTIATION" will force initial safe negotiation even if -+renegotiation wasn't requested. Only valid for server side and implies -+"%SAFE_RENEGOTIATION". -+ -+"%DISABLE_SAFE_RENEGOTIATION" will disable safe renegotiation completely. Do not use -+unless you know what you are doing. Testing purposes only. -+ - "%SSL3_RECORD_VERSION" will use SSL3.0 record version in client hello. - - "%VERIFY_ALLOW_SIGN_RSA_MD5" will allow RSA\-MD5 signatures in -diff -up gnutls-2.8.6/doc/manpages/gnutls_safe_renegotiation_status.3.reneg gnutls-2.8.6/doc/manpages/gnutls_safe_renegotiation_status.3 ---- gnutls-2.8.6/doc/manpages/gnutls_safe_renegotiation_status.3.reneg 2010-05-31 22:52:31.000000000 +0200 -+++ gnutls-2.8.6/doc/manpages/gnutls_safe_renegotiation_status.3 2010-05-31 22:52:31.000000000 +0200 -@@ -0,0 +1,41 @@ -+.\" DO NOT MODIFY THIS FILE! It was generated by gdoc. -+.TH "gnutls_safe_renegotiation_status" 3 "2.9.11" "gnutls" "gnutls" -+.SH NAME -+gnutls_safe_renegotiation_status \- API function -+.SH SYNOPSIS -+.B #include -+.sp -+.BI "int gnutls_safe_renegotiation_status(gnutls_session_t " session ");" -+.SH ARGUMENTS -+.IP "gnutls_session_t session" 12 -+is a \fBgnutls_session_t\fP structure. -+.SH "DESCRIPTION" -+Can be used to check whether safe renegotiation is being used -+in the current session. -+.SH "RETURNS" -+0 when safe renegotiation is not used and non zero when -+safe renegotiation is used. -+.SH "SINCE" -+2.10.0 -+.SH "REPORTING BUGS" -+Report bugs to . -+GnuTLS home page: http://www.gnu.org/software/gnutls/ -+General help using GNU software: http://www.gnu.org/gethelp/ -+.SH COPYRIGHT -+Copyright \(co 2008 Free Software Foundation. -+.br -+Copying and distribution of this file, with or without modification, -+are permitted in any medium without royalty provided the copyright -+notice and this notice are preserved. -+.SH "SEE ALSO" -+The full documentation for -+.B gnutls -+is maintained as a Texinfo manual. If the -+.B info -+and -+.B gnutls -+programs are properly installed at your site, the command -+.IP -+.B info gnutls -+.PP -+should give you access to the complete manual. -diff -up gnutls-2.8.6/doc/manpages/gnutls-serv.1.reneg gnutls-2.8.6/doc/manpages/gnutls-serv.1 ---- gnutls-2.8.6/doc/manpages/gnutls-serv.1.reneg 2009-06-02 21:07:14.000000000 +0200 -+++ gnutls-2.8.6/doc/manpages/gnutls-serv.1 2010-06-02 10:23:27.000000000 +0200 -@@ -75,6 +75,15 @@ Special keywords: - .IP - '%COMPAT' will enable compatibility features for a server. - .IP -+"%UNSAFE_RENEGOTIATION" Permits (re-)handshakes even unsafe ones. -+.IP -+"%PARTIAL_RENEGOTIATION" Prevents renegotiation with clients and servers not -+supporting the safe renegotiation extension. (default) -+.IP -+"%SAFE_RENEGOTIATION" will enable safe renegotiation. This is the most -+secure and recommended option for clients. However this will prevent from -+connecting to legacy servers. -+.IP - To avoid collisions in order to specify a compression algorithm in - this string you have to prefix it with "COMP-", protocol versions - with "VERS-" and certificate types with "CTYPE-". All other -diff -up gnutls-2.8.6/doc/manpages/Makefile.in.reneg gnutls-2.8.6/doc/manpages/Makefile.in ---- gnutls-2.8.6/doc/manpages/Makefile.in.reneg 2010-03-15 11:32:23.000000000 +0100 -+++ gnutls-2.8.6/doc/manpages/Makefile.in 2010-05-31 22:52:31.000000000 +0200 -@@ -525,7 +525,6 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ - PACKAGE_NAME = @PACKAGE_NAME@ - PACKAGE_STRING = @PACKAGE_STRING@ - PACKAGE_TARNAME = @PACKAGE_TARNAME@ --PACKAGE_URL = @PACKAGE_URL@ - PACKAGE_VERSION = @PACKAGE_VERSION@ - PATH_SEPARATOR = @PATH_SEPARATOR@ - PKG_CONFIG = @PKG_CONFIG@ -@@ -684,7 +683,8 @@ APIMANS = gnutls_crypto_single_cipher_re - gnutls_crypto_bigint_register2.3 gnutls_crypto_pk_register2.3 \ - gnutls_crypto_cipher_register2.3 gnutls_crypto_mac_register2.3 \ - gnutls_crypto_digest_register2.3 gnutls_oprfi_enable_client.3 \ -- gnutls_oprfi_enable_server.3 gnutls_server_name_get.3 \ -+ gnutls_oprfi_enable_server.3 \ -+ gnutls_safe_renegotiation_status.3 gnutls_server_name_get.3 \ - gnutls_server_name_set.3 gnutls_alert_get_name.3 \ - gnutls_alert_send.3 gnutls_error_to_alert.3 \ - gnutls_alert_send_appropriate.3 gnutls_alert_get.3 \ -diff -up gnutls-2.8.6/lib/ext_safe_renegotiation.c.reneg gnutls-2.8.6/lib/ext_safe_renegotiation.c ---- gnutls-2.8.6/lib/ext_safe_renegotiation.c.reneg 2010-05-31 22:52:31.000000000 +0200 -+++ gnutls-2.8.6/lib/ext_safe_renegotiation.c 2010-06-02 10:23:27.000000000 +0200 -@@ -0,0 +1,139 @@ -+/* -+ * Copyright (C) 2009 Free Software Foundation -+ * -+ * Author: Steve Dispensa () -+ * -+ * This file is part of GNUTLS. -+ * -+ * The GNUTLS library is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public License -+ * as published by the Free Software Foundation; either version 2.1 of -+ * the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, but -+ * WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public -+ * License along with this library; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, -+ * USA -+ * -+ */ -+ -+#include -+#include -+#include -+ -+int -+_gnutls_safe_renegotiation_recv_params (gnutls_session_t session, -+ const opaque * data, size_t _data_size) -+{ -+ tls_ext_st *ext = &session->security_parameters.extensions; -+ int len = data[0]; -+ ssize_t data_size = _data_size; -+ -+ DECR_LEN (data_size, len+1 /* count the first byte and payload */); -+ -+ if (session->internals.priorities.sr == SR_DISABLED) -+ { -+ gnutls_assert (); -+ return 0; -+ } -+ -+ /* It is not legal to receive this extension on a renegotiation and -+ * not receive it on the initial negotiation. -+ */ -+ if (session->internals.initial_negotiation_completed != 0 && -+ session->internals.connection_using_safe_renegotiation == 0) -+ { -+ gnutls_assert(); -+ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED; -+ } -+ -+ if (len > sizeof (ext->ri_extension_data)) -+ { -+ gnutls_assert(); -+ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED; -+ } -+ -+ if (len > 0) -+ memcpy (ext->ri_extension_data, &data[1], len); -+ ext->ri_extension_data_len = len; -+ -+ /* "safe renegotiation received" means on *this* handshake; "connection using -+ * safe renegotiation" means that the initial hello received on the connection -+ * indicated safe renegotiation. -+ */ -+ session->internals.safe_renegotiation_received = 1; -+ session->internals.connection_using_safe_renegotiation = 1; -+ -+ return 0; -+} -+ -+int -+_gnutls_safe_renegotiation_send_params (gnutls_session_t session, -+ opaque * data, size_t _data_size) -+{ -+ /* The format of this extension is a one-byte length of verify data followed -+ * by the verify data itself. Note that the length byte does not include -+ * itself; IOW, empty verify data is represented as a length of 0. That means -+ * the minimum extension is one byte: 0x00. -+ */ -+ ssize_t data_size = _data_size; -+ tls_ext_st *ext = &session->security_parameters.extensions; -+ -+ -+ if (session->internals.priorities.sr == SR_DISABLED) -+ { -+ gnutls_assert(); -+ return 0; -+ } -+ -+ data[0] = 0; -+ -+ /* Always offer the extension if we're a client */ -+ if (session->internals.connection_using_safe_renegotiation || -+ session->security_parameters.entity == GNUTLS_CLIENT) -+ { -+ DECR_LEN (data_size, 1); -+ data[0] = ext->client_verify_data_len; -+ -+ DECR_LEN (data_size, ext->client_verify_data_len); -+ -+ if (ext->client_verify_data_len > 0) -+ memcpy(&data[1], -+ ext->client_verify_data, -+ ext->client_verify_data_len); -+ -+ if (session->security_parameters.entity == GNUTLS_SERVER) -+ { -+ data[0] += ext->server_verify_data_len; -+ -+ DECR_LEN (data_size, ext->server_verify_data_len); -+ -+ if (ext->server_verify_data_len > 0) -+ memcpy(&data[1 + ext->client_verify_data_len], -+ ext->server_verify_data, -+ ext->server_verify_data_len); -+ } -+ } -+ else -+ return 0; -+ -+ return 1 + data[0]; /* don't forget the length byte */ -+} -+ -+/** -+ * gnutls_safe_renegotiation_status: -+ * @session: is a #gnutls_session_t structure. -+ * -+ * Can be used to check whether safe renegotiation is being used -+ * in the current session. Returns 0 when not and non zero when -+ * used. -+ **/ -+int gnutls_safe_renegotiation_status (gnutls_session_t session) -+{ -+ return session->internals.connection_using_safe_renegotiation; -+} -diff -up gnutls-2.8.6/lib/ext_safe_renegotiation.h.reneg gnutls-2.8.6/lib/ext_safe_renegotiation.h ---- gnutls-2.8.6/lib/ext_safe_renegotiation.h.reneg 2010-05-31 22:52:31.000000000 +0200 -+++ gnutls-2.8.6/lib/ext_safe_renegotiation.h 2010-05-31 22:52:31.000000000 +0200 -@@ -0,0 +1,33 @@ -+/* -+ * Copyright (C) 2009 Free Software Foundation -+ * -+ * Author: Steve Dispensa () -+ * -+ * This file is part of GNUTLS. -+ * -+ * The GNUTLS library is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public License -+ * as published by the Free Software Foundation; either version 2.1 of -+ * the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, but -+ * WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public -+ * License along with this library; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, -+ * USA -+ * -+ */ -+ -+#ifndef EXT_SAFE_RENEGOTIATION_H -+# define EXT_SAFE_RENEGOTIATION_H -+ -+int _gnutls_safe_renegotiation_recv_params (gnutls_session_t state, -+ const opaque * data, size_t data_size); -+int _gnutls_safe_renegotiation_send_params (gnutls_session_t state, -+ opaque * data, size_t); -+ -+#endif /* EXT_SAFE_RENEGOTIATION_H */ -diff -up gnutls-2.8.6/lib/gnutls_alert.c.reneg gnutls-2.8.6/lib/gnutls_alert.c ---- gnutls-2.8.6/lib/gnutls_alert.c.reneg 2009-06-02 20:59:32.000000000 +0200 -+++ gnutls-2.8.6/lib/gnutls_alert.c 2010-05-31 22:52:31.000000000 +0200 -@@ -180,6 +180,10 @@ gnutls_error_to_alert (int err, int *lev - ret = GNUTLS_A_ILLEGAL_PARAMETER; - _level = GNUTLS_AL_FATAL; - break; -+ case GNUTLS_E_UNKNOWN_SRP_USERNAME: -+ ret = GNUTLS_A_UNKNOWN_PSK_IDENTITY; -+ _level = GNUTLS_AL_FATAL; -+ break; - case GNUTLS_E_ASN1_ELEMENT_NOT_FOUND: - case GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND: - case GNUTLS_E_ASN1_DER_ERROR: -@@ -199,6 +203,7 @@ gnutls_error_to_alert (int err, int *lev - case GNUTLS_E_INSUFFICIENT_CREDENTIALS: - case GNUTLS_E_NO_CIPHER_SUITES: - case GNUTLS_E_NO_COMPRESSION_ALGORITHMS: -+ case GNUTLS_E_SAFE_RENEGOTIATION_FAILED: - ret = GNUTLS_A_HANDSHAKE_FAILURE; - _level = GNUTLS_AL_FATAL; - break; -@@ -212,6 +217,7 @@ gnutls_error_to_alert (int err, int *lev - _level = GNUTLS_AL_FATAL; - break; - case GNUTLS_E_REHANDSHAKE: -+ case GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED: - ret = GNUTLS_A_NO_RENEGOTIATION; - _level = GNUTLS_AL_WARNING; - break; -diff -up gnutls-2.8.6/lib/gnutls_algorithms.c.reneg gnutls-2.8.6/lib/gnutls_algorithms.c ---- gnutls-2.8.6/lib/gnutls_algorithms.c.reneg 2009-08-12 08:58:22.000000000 +0200 -+++ gnutls-2.8.6/lib/gnutls_algorithms.c 2010-05-31 22:52:31.000000000 +0200 -@@ -457,6 +457,10 @@ typedef struct - #define GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 { 0x00,0x88 } - #endif - -+/* Safe renegotiation */ -+ -+#define GNUTLS_RENEGO_PROTECTION_REQUEST { GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR, GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR } -+ - #define CIPHER_SUITES_COUNT sizeof(cs_algorithms)/sizeof(gnutls_cipher_suite_entry)-1 - - static const gnutls_cipher_suite_entry cs_algorithms[] = { -@@ -624,6 +628,9 @@ static const gnutls_cipher_suite_entry c - GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_RSA, - GNUTLS_MAC_SHA1, GNUTLS_TLS1), - #endif -+ GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_RENEGO_PROTECTION_REQUEST, -+ GNUTLS_CIPHER_UNKNOWN, GNUTLS_KX_UNKNOWN, -+ GNUTLS_MAC_UNKNOWN, GNUTLS_SSL3), - {0, {{0, 0}}, 0, 0, 0, 0} - }; - -diff -up gnutls-2.8.6/lib/gnutls_algorithms.h.reneg gnutls-2.8.6/lib/gnutls_algorithms.h ---- gnutls-2.8.6/lib/gnutls_algorithms.h.reneg 2009-06-02 20:59:32.000000000 +0200 -+++ gnutls-2.8.6/lib/gnutls_algorithms.h 2010-05-31 22:52:31.000000000 +0200 -@@ -27,6 +27,9 @@ - - #include "gnutls_auth.h" - -+#define GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR 0x00 -+#define GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR 0xFF -+ - /* Functions for version handling. */ - gnutls_protocol_t _gnutls_version_lowest (gnutls_session_t session); - gnutls_protocol_t _gnutls_version_max (gnutls_session_t session); -diff -up gnutls-2.8.6/lib/gnutls_constate.c.reneg gnutls-2.8.6/lib/gnutls_constate.c ---- gnutls-2.8.6/lib/gnutls_constate.c.reneg 2009-11-06 09:39:42.000000000 +0100 -+++ gnutls-2.8.6/lib/gnutls_constate.c 2010-05-31 22:52:31.000000000 +0200 -@@ -380,6 +380,17 @@ _gnutls_set_write_keys (gnutls_session_t - export_flag); - } - -+#define CPY_EXTENSIONS \ -+ memcpy(dst->extensions.server_names, src->extensions.server_names, sizeof(src->extensions.server_names)); \ -+ dst->extensions.server_names_size = src->extensions.server_names_size; \ -+ memcpy(dst->extensions.srp_username, src->extensions.srp_username, sizeof(src->extensions.srp_username)); \ -+ dst->extensions.gnutls_ia_enable = src->extensions.gnutls_ia_enable; \ -+ dst->extensions.gnutls_ia_peer_enable = src->extensions.gnutls_ia_peer_enable; \ -+ dst->extensions.gnutls_ia_allowskip = src->extensions.gnutls_ia_allowskip; \ -+ dst->extensions.gnutls_ia_peer_allowskip = src->extensions.gnutls_ia_peer_allowskip; \ -+ dst->extensions.do_recv_supplemental = src->extensions.do_recv_supplemental; \ -+ dst->extensions.do_send_supplemental = src->extensions.do_send_supplemental -+ - #define CPY_COMMON dst->entity = src->entity; \ - dst->kx_algorithm = src->kx_algorithm; \ - memcpy( &dst->current_cipher_suite, &src->current_cipher_suite, sizeof(cipher_suite_st)); \ -@@ -393,8 +404,8 @@ _gnutls_set_write_keys (gnutls_session_t - dst->max_record_recv_size = src->max_record_recv_size; \ - dst->max_record_send_size = src->max_record_send_size; \ - dst->version = src->version; \ -- memcpy( &dst->extensions, &src->extensions, sizeof(tls_ext_st)); \ -- memcpy( &dst->inner_secret, &src->inner_secret, GNUTLS_MASTER_SIZE); -+ CPY_EXTENSIONS; \ -+ memcpy( &dst->inner_secret, &src->inner_secret, GNUTLS_MASTER_SIZE) - - static void - _gnutls_cpy_read_security_parameters (security_parameters_st * -diff -up gnutls-2.8.6/lib/gnutls_errors.c.reneg gnutls-2.8.6/lib/gnutls_errors.c ---- gnutls-2.8.6/lib/gnutls_errors.c.reneg 2009-06-02 20:59:32.000000000 +0200 -+++ gnutls-2.8.6/lib/gnutls_errors.c 2010-05-31 22:52:31.000000000 +0200 -@@ -220,9 +220,15 @@ static const gnutls_error_entry error_al - GNUTLS_E_OPENPGP_GETKEY_FAILED, 1), - ERROR_ENTRY (N_("Could not find OpenPGP subkey."), - GNUTLS_E_OPENPGP_SUBKEY_ERROR, 1), -+ ERROR_ENTRY (N_("Safe renegotiation failed."), -+ GNUTLS_E_SAFE_RENEGOTIATION_FAILED, 1), -+ ERROR_ENTRY (N_("Unsafe renegotiation denied."), -+ GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED, 1), - - ERROR_ENTRY (N_("The SRP username supplied is illegal."), - GNUTLS_E_ILLEGAL_SRP_USERNAME, 1), -+ ERROR_ENTRY (N_("The SRP username supplied is unknown."), -+ GNUTLS_E_UNKNOWN_SRP_USERNAME, 1), - - ERROR_ENTRY (N_("The OpenPGP fingerprint is not supported."), - GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED, 1), -diff -up gnutls-2.8.6/lib/gnutls_extensions.c.reneg gnutls-2.8.6/lib/gnutls_extensions.c ---- gnutls-2.8.6/lib/gnutls_extensions.c.reneg 2009-06-08 19:11:03.000000000 +0200 -+++ gnutls-2.8.6/lib/gnutls_extensions.c 2010-05-31 22:52:31.000000000 +0200 -@@ -35,6 +35,7 @@ - #include - #include - #include -+#include - #include - - typedef struct -@@ -133,7 +134,7 @@ _gnutls_parse_extensions (gnutls_session - type = _gnutls_read_uint16 (&data[pos]); - pos += 2; - -- _gnutls_debug_log ("EXT[%p]: Received extension '%s/%d'\n", session, -+ _gnutls_debug_log ("EXT[%p]: Found extension '%s/%d'\n", session, - _gnutls_extension_get_name (type), type); - - if ((ret = _gnutls_extension_list_check (session, type)) < 0) -@@ -153,6 +154,8 @@ _gnutls_parse_extensions (gnutls_session - ext_recv = _gnutls_ext_func_recv (type, parse_type); - if (ext_recv == NULL) - continue; -+ -+ - if ((ret = ext_recv (session, sdata, size)) < 0) - { - gnutls_assert (); -@@ -170,7 +173,7 @@ _gnutls_parse_extensions (gnutls_session - * This list is used to check whether the (later) received - * extensions are the ones we requested. - */ --static void -+void - _gnutls_extension_list_add (gnutls_session_t session, uint16_t type) - { - -@@ -192,7 +195,7 @@ _gnutls_extension_list_add (gnutls_sessi - - int - _gnutls_gen_extensions (gnutls_session_t session, opaque * data, -- size_t data_size) -+ size_t data_size, gnutls_ext_parse_type_t parse_type) - { - int size; - uint16_t pos = 0; -@@ -223,6 +226,9 @@ _gnutls_gen_extensions (gnutls_session_t - - if (p->send_func == NULL) - continue; -+ -+ if (parse_type != GNUTLS_EXT_ANY && p->parse_type != parse_type) -+ continue; - - size = p->send_func (session, sdata, sdata_size); - if (size > 0) -@@ -304,6 +310,14 @@ _gnutls_ext_init (void) - if (ret != GNUTLS_E_SUCCESS) - return ret; - -+ ret = gnutls_ext_register (GNUTLS_EXTENSION_SAFE_RENEGOTIATION, -+ "SAFE_RENEGOTIATION", -+ GNUTLS_EXT_MANDATORY, -+ _gnutls_safe_renegotiation_recv_params, -+ _gnutls_safe_renegotiation_send_params); -+ if (ret != GNUTLS_E_SUCCESS) -+ return ret; -+ - #ifdef ENABLE_OPRFI - ret = gnutls_ext_register (GNUTLS_EXTENSION_OPAQUE_PRF_INPUT, - "OPAQUE_PRF_INPUT", -diff -up gnutls-2.8.6/lib/gnutls_extensions.h.reneg gnutls-2.8.6/lib/gnutls_extensions.h ---- gnutls-2.8.6/lib/gnutls_extensions.h.reneg 2009-06-02 20:59:32.000000000 +0200 -+++ gnutls-2.8.6/lib/gnutls_extensions.h 2010-05-31 22:52:31.000000000 +0200 -@@ -26,6 +26,8 @@ int _gnutls_parse_extensions (gnutls_ses - gnutls_ext_parse_type_t parse_type, - const opaque *data, int data_size); - int _gnutls_gen_extensions (gnutls_session_t session, opaque * data, -- size_t data_size); -+ size_t data_size, gnutls_ext_parse_type_t); - int _gnutls_ext_init (void); - void _gnutls_ext_deinit (void); -+ -+void _gnutls_extension_list_add (gnutls_session_t session, uint16_t type); -diff -up gnutls-2.8.6/lib/gnutls_handshake.c.reneg gnutls-2.8.6/lib/gnutls_handshake.c ---- gnutls-2.8.6/lib/gnutls_handshake.c.reneg 2009-11-02 11:30:39.000000000 +0100 -+++ gnutls-2.8.6/lib/gnutls_handshake.c 2010-06-02 10:29:00.000000000 +0200 -@@ -48,6 +48,7 @@ - #include - #include - #include -+#include - #include /* for gnutls_get_rsa_params() */ - #include /* for gnutls_anon_server_credentials_t */ - #include /* for gnutls_psk_server_credentials_t */ -@@ -119,6 +120,7 @@ resume_copy_required_values (gnutls_sess - sizeof (session->security_parameters.session_id)); - session->security_parameters.session_id_size = - session->internals.resumed_security_parameters.session_id_size; -+ - } - - void -@@ -404,8 +406,36 @@ _gnutls_read_client_hello (gnutls_sessio - - if (ret == 0) - { /* resumed! */ -+ /* Parse only the safe renegotiation extension -+ * We don't want to parse any other extensions since -+ * we don't want new extension values to overwrite the -+ * resumed ones. -+ */ -+ -+ /* move forward to extensions */ -+ DECR_LEN (len, 2); -+ suite_size = _gnutls_read_uint16 (&data[pos]); -+ pos += 2; -+ -+ DECR_LEN (len, suite_size); -+ pos += suite_size; -+ -+ DECR_LEN (len, 1); -+ comp_size = data[pos++]; /* z is the number of compression methods */ -+ DECR_LEN (len, comp_size); -+ pos += comp_size; -+ -+ ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY, -+ &data[pos], len); -+ if (ret < 0) -+ { -+ gnutls_assert (); -+ return ret; -+ } -+ - resume_copy_required_values (session); - session->internals.resumed = RESUME_TRUE; -+ - return _gnutls_user_hello_func (session, adv_version); - } - else -@@ -437,17 +467,17 @@ _gnutls_read_client_hello (gnutls_sessio - pos += comp_size; - - /* Parse the extensions (if any) -- */ -- if (neg_version >= GNUTLS_TLS1) -+ * -+ * Unconditionally try to parse extensions; safe renegotiation uses them in -+ * sslv3 and higher, even though sslv3 doesn't officially support them. -+ */ -+ ret = _gnutls_parse_extensions (session, GNUTLS_EXT_APPLICATION, -+ &data[pos], len); -+ /* len is the rest of the parsed length */ -+ if (ret < 0) - { -- ret = _gnutls_parse_extensions (session, GNUTLS_EXT_APPLICATION, -- &data[pos], len); -- /* len is the rest of the parsed length */ -- if (ret < 0) -- { -- gnutls_assert (); -- return ret; -- } -+ gnutls_assert (); -+ return ret; - } - - ret = _gnutls_user_hello_func (session, adv_version); -@@ -457,16 +487,20 @@ _gnutls_read_client_hello (gnutls_sessio - return ret; - } - -- if (neg_version >= GNUTLS_TLS1) -+ ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY, -+ &data[pos], len); -+ if (ret < 0) - { -- ret = _gnutls_parse_extensions (session, GNUTLS_EXT_TLS, -- &data[pos], len); -- /* len is the rest of the parsed length */ -- if (ret < 0) -- { -- gnutls_assert (); -- return ret; -- } -+ gnutls_assert (); -+ return ret; -+ } -+ -+ ret = _gnutls_parse_extensions (session, GNUTLS_EXT_TLS, -+ &data[pos], len); -+ if (ret < 0) -+ { -+ gnutls_assert (); -+ return ret; - } - - /* select an appropriate cipher suite -@@ -531,7 +565,7 @@ _gnutls_handshake_hash_pending (gnutls_s - static int - _gnutls_send_finished (gnutls_session_t session, int again) - { -- uint8_t data[36]; -+ uint8_t data[MAX_VERIFY_DATA_SIZE]; - int ret; - int data_size = 0; - -@@ -556,7 +590,7 @@ _gnutls_send_finished (gnutls_session_t - data_size = 36; - } - else -- { /* TLS 1.0 */ -+ { /* TLS 1.0+ */ - ret = _gnutls_finished (session, - session->security_parameters.entity, data); - data_size = 12; -@@ -572,6 +606,31 @@ _gnutls_send_finished (gnutls_session_t - session->internals.finished_func (session, data, data_size); - } - -+ /* Save data for safe renegotiation. -+ */ -+ if (data_size > MAX_VERIFY_DATA_SIZE) -+ { -+ gnutls_assert (); -+ return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; -+ } -+ -+ if (session->security_parameters.entity == GNUTLS_CLIENT) -+ { -+ session->security_parameters.extensions.client_verify_data_len = -+ data_size; -+ -+ memcpy (session->security_parameters.extensions.client_verify_data, -+ data, data_size); -+ } -+ else -+ { -+ session->security_parameters.extensions.server_verify_data_len = -+ data_size; -+ -+ memcpy (session->security_parameters.extensions.server_verify_data, -+ data, data_size); -+ } -+ - ret = - _gnutls_send_handshake (session, data_size ? data : NULL, data_size, - GNUTLS_HANDSHAKE_FINISHED); -@@ -585,10 +644,11 @@ _gnutls_send_finished (gnutls_session_t - static int - _gnutls_recv_finished (gnutls_session_t session) - { -- uint8_t data[36], *vrfy; -+ uint8_t data[MAX_VERIFY_DATA_SIZE], *vrfy; - int data_size; - int ret; - int vrfysize; -+ tls_ext_st *ext; - - ret = - _gnutls_recv_handshake (session, &vrfy, &vrfysize, -@@ -646,6 +706,28 @@ _gnutls_recv_finished (gnutls_session_t - } - gnutls_free (vrfy); - -+ /* Save peer's verify data for safe renegotiation */ -+ if (data_size > MAX_VERIFY_DATA_SIZE) -+ { -+ gnutls_assert (); -+ return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; -+ } -+ -+ ext = &session->security_parameters.extensions; -+ -+ if (session->security_parameters.entity == GNUTLS_CLIENT) -+ { -+ memcpy (ext->server_verify_data, data, data_size); -+ ext->server_verify_data_len = data_size; -+ } -+ else -+ { -+ memcpy (ext->client_verify_data, data, data_size); -+ ext->client_verify_data_len = data_size; -+ } -+ -+ session->internals.initial_negotiation_completed = 1; -+ - return ret; - } - -@@ -685,7 +767,6 @@ _gnutls_server_find_pk_algos_in_ciphersu - return algo; - } - -- - /* This selects the best supported ciphersuite from the given ones. Then - * it adds the suite to the session and performs some checks. - */ -@@ -700,11 +781,31 @@ _gnutls_server_select_suite (gnutls_sess - * supported by the peer. - */ - -+ /* First, check for safe renegotiation SCSV. -+ */ -+ if (session->internals.priorities.sr != SR_DISABLED) -+ { -+ int offset; -+ -+ for(offset = 0; offset < datalen; offset += 2) -+ { -+ /* TLS_RENEGO_PROTECTION_REQUEST = { 0x00, 0xff } */ -+ if (data[offset] == GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR && -+ data[offset+1] == GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR) -+ { -+ _gnutls_handshake_log ("HSK[%p]: Received safe renegotiation CS\n", session); -+ session->internals.safe_renegotiation_received = 1; -+ session->internals.connection_using_safe_renegotiation = 1; -+ break; -+ } -+ } -+ } -+ - pk_algo = _gnutls_server_find_pk_algos_in_ciphersuites (data, datalen); - - x = _gnutls_supported_ciphersuites (session, &ciphers); - if (x < 0) -- { /* the case x==0 is handled within the function. */ -+ { /* the case x==0 is handled within the function. */ - gnutls_assert (); - return x; - } -@@ -752,21 +853,21 @@ _gnutls_server_select_suite (gnutls_sess - - for (j = 0; j < datalen; j += 2) - { -- for (i = 0; i < x; i++) -- { -- if (memcmp (ciphers[i].suite, &data[j], 2) == 0) -- { -- memcpy (&cs.suite, &data[j], 2); -- -- _gnutls_handshake_log -- ("HSK[%p]: Selected cipher suite: %s\n", session, -- _gnutls_cipher_suite_get_name (&cs)); -- memcpy (session->security_parameters.current_cipher_suite.suite, -- ciphers[i].suite, 2); -- retval = 0; -- goto finish; -- } -- } -+ for (i = 0; i < x; i++) -+ { -+ if (memcmp (ciphers[i].suite, &data[j], 2) == 0) -+ { -+ memcpy (&cs.suite, &data[j], 2); -+ -+ _gnutls_handshake_log -+ ("HSK[%p]: Selected cipher suite: %s\n", session, -+ _gnutls_cipher_suite_get_name (&cs)); -+ memcpy (session->security_parameters.current_cipher_suite.suite, -+ ciphers[i].suite, 2); -+ retval = 0; -+ goto finish; -+ } -+ } - } - - finish: -@@ -960,7 +1061,7 @@ _gnutls_send_handshake (gnutls_session_t - if (i_datasize > 0) - memcpy (&data[pos], i_data, i_datasize); - -- _gnutls_handshake_log ("HSK[%p]: %s was send [%ld bytes]\n", -+ _gnutls_handshake_log ("HSK[%p]: %s was sent [%ld bytes]\n", - session, _gnutls_handshake2str (type), - (long) datasize); - -@@ -1042,7 +1143,6 @@ _gnutls_recv_handshake_header (gnutls_se - - if (ret < 0) - { -- gnutls_assert (); - return ret; - } - -@@ -1525,15 +1625,26 @@ _gnutls_read_server_hello (gnutls_sessio - } - DECR_LEN (len, session_id_len); - -- - /* check if we are resuming and set the appropriate - * values; - */ - if (_gnutls_client_check_if_resuming - (session, &data[pos], session_id_len) == 0) -- return 0; -- pos += session_id_len; -+ { -+ pos += session_id_len + 2 + 1; -+ DECR_LEN (len, 2+1); - -+ ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY, -+ &data[pos], len); -+ if (ret < 0) -+ { -+ gnutls_assert (); -+ return ret; -+ } -+ return 0; -+ } -+ -+ pos += session_id_len; - - /* Check if the given cipher suite is supported and copy - * it to the session. -@@ -1548,8 +1659,6 @@ _gnutls_read_server_hello (gnutls_sessio - } - pos += 2; - -- -- - /* move to compression - */ - DECR_LEN (len, 1); -@@ -1563,32 +1672,32 @@ _gnutls_read_server_hello (gnutls_sessio - - /* Parse extensions. - */ -- if (version >= GNUTLS_TLS1) -+ ret = _gnutls_parse_extensions (session, GNUTLS_EXT_ANY, -+ &data[pos], len); -+ if (ret < 0) - { -- ret = _gnutls_parse_extensions (session, GNUTLS_EXT_ANY, -- &data[pos], len); -- /* len is the rest of the parsed length */ -- if (ret < 0) -- { -- gnutls_assert (); -- return ret; -- } -+ gnutls_assert (); -+ return ret; - } -+ - return ret; - } - - - /* This function copies the appropriate ciphersuites to a locally allocated buffer -- * Needed in client hello messages. Returns the new data length. -+ * Needed in client hello messages. Returns the new data length. If add_scsv is -+ * true, add the special safe renegotiation CS. - */ - static int - _gnutls_copy_ciphersuites (gnutls_session_t session, -- opaque * ret_data, size_t ret_data_size) -+ opaque * ret_data, size_t ret_data_size, -+ int add_scsv) - { - int ret, i; - cipher_suite_st *cipher_suites; - uint16_t cipher_num; - int datalen, pos; -+ uint16_t loop_max; - - ret = _gnutls_supported_ciphersuites_sorted (session, &cipher_suites); - if (ret < 0) -@@ -1619,6 +1728,9 @@ _gnutls_copy_ciphersuites (gnutls_sessio - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - -+ if (add_scsv) -+ ++ret; -+ - cipher_num = ret; - - cipher_num *= sizeof (uint16_t); /* in order to get bytes */ -@@ -1636,11 +1748,21 @@ _gnutls_copy_ciphersuites (gnutls_sessio - _gnutls_write_uint16 (cipher_num, ret_data); - pos += 2; - -- for (i = 0; i < (cipher_num / 2); i++) -+ loop_max = add_scsv ? cipher_num - 2 : cipher_num; -+ -+ for (i = 0; i < (loop_max / 2); i++) - { - memcpy (&ret_data[pos], cipher_suites[i].suite, 2); - pos += 2; - } -+ -+ if (add_scsv) -+ { -+ /* Safe renegotiation signalling CS value is { 0x00, 0xff } */ -+ ret_data[pos++] = 0x00; -+ ret_data[pos++] = 0xff; -+ } -+ - gnutls_free (cipher_suites); - - return datalen; -@@ -1700,7 +1822,7 @@ _gnutls_send_client_hello (gnutls_sessio - { - opaque *data = NULL; - int extdatalen; -- int pos = 0; -+ int pos = 0, type; - int datalen = 0, ret = 0; - opaque rnd[GNUTLS_RANDOM_SIZE]; - gnutls_protocol_t hver; -@@ -1807,9 +1929,21 @@ _gnutls_send_client_hello (gnutls_sessio - - - /* Copy the ciphersuites. -- */ -- extdatalen = -- _gnutls_copy_ciphersuites (session, extdata, sizeof (extdata)); -+ * -+ * If using SSLv3 Send TLS_RENEGO_PROTECTION_REQUEST SCSV for MITM -+ * prevention on initial negotiation (but not renegotiation; that's -+ * handled with the RI extension below). -+ */ -+ if(!session->internals.initial_negotiation_completed && -+ session->security_parameters.entity == GNUTLS_CLIENT && -+ gnutls_protocol_get_version (session) == GNUTLS_SSL3) -+ { -+ extdatalen = _gnutls_copy_ciphersuites (session, extdata, sizeof (extdata), TRUE); -+ _gnutls_extension_list_add (session, GNUTLS_EXTENSION_SAFE_RENEGOTIATION); -+ } -+ else -+ extdatalen = _gnutls_copy_ciphersuites (session, extdata, sizeof (extdata), FALSE); -+ - if (extdatalen > 0) - { - datalen += extdatalen; -@@ -1864,11 +1998,19 @@ _gnutls_send_client_hello (gnutls_sessio - /* Generate and copy TLS extensions. - */ - if (hver >= GNUTLS_TLS1) -+ type = GNUTLS_EXT_ANY; -+ else - { -- extdatalen = -- _gnutls_gen_extensions (session, extdata, sizeof (extdata)); -+ if (session->internals.initial_negotiation_completed != 0) -+ type = GNUTLS_EXT_MANDATORY; -+ else -+ type = GNUTLS_EXT_NONE; -+ } -+ -+ extdatalen = -+ _gnutls_gen_extensions (session, extdata, sizeof (extdata), type); - -- if (extdatalen > 0) -+ if (extdatalen > 0) - { - datalen += extdatalen; - data = gnutls_realloc_fast (data, datalen); -@@ -1880,13 +2022,12 @@ _gnutls_send_client_hello (gnutls_sessio - - memcpy (&data[pos], extdata, extdatalen); - } -- else if (extdatalen < 0) -+ else if (extdatalen < 0) - { - gnutls_assert (); - gnutls_free (data); - return extdatalen; - } -- } - } - - ret = -@@ -1932,15 +2073,7 @@ _gnutls_send_server_hello (gnutls_sessio - * alert and abort. - */ - gnutls_assert (); -- ret = gnutls_alert_send (session, GNUTLS_AL_FATAL, -- GNUTLS_A_UNKNOWN_PSK_IDENTITY); -- if (ret < 0) -- { -- gnutls_assert (); -- return ret; -- } -- -- return GNUTLS_E_ILLEGAL_SRP_USERNAME; -+ return GNUTLS_E_UNKNOWN_SRP_USERNAME; - } - } - #endif -@@ -1949,7 +2082,7 @@ _gnutls_send_server_hello (gnutls_sessio - { - datalen = 2 + session_id_len + 1 + GNUTLS_RANDOM_SIZE + 3; - extdatalen = -- _gnutls_gen_extensions (session, extdata, sizeof (extdata)); -+ _gnutls_gen_extensions (session, extdata, sizeof (extdata), GNUTLS_EXT_ANY); - - if (extdatalen < 0) - { -@@ -2015,6 +2148,8 @@ _gnutls_send_hello (gnutls_session_t ses - { - int ret; - -+ session->internals.safe_renegotiation_received = 0; -+ - if (session->security_parameters.entity == GNUTLS_CLIENT) - { - ret = _gnutls_send_client_hello (session, again); -@@ -2036,6 +2171,7 @@ int - _gnutls_recv_hello (gnutls_session_t session, opaque * data, int datalen) - { - int ret; -+ tls_ext_st *ext; - - if (session->security_parameters.entity == GNUTLS_CLIENT) - { -@@ -2047,7 +2183,7 @@ _gnutls_recv_hello (gnutls_session_t ses - } - } - else -- { /* Server side reading a client hello */ -+ { /* Server side reading a client hello */ - - ret = _gnutls_read_client_hello (session, data, datalen); - if (ret < 0) -@@ -2057,6 +2193,89 @@ _gnutls_recv_hello (gnutls_session_t ses - } - } - -+ if (session->internals.priorities.sr == SR_DISABLED) -+ { -+ gnutls_assert(); -+ return ret; -+ } -+ -+ /* Safe renegotiation */ -+ ext = &session->security_parameters.extensions; -+ -+ if (session->internals.safe_renegotiation_received) -+ { -+ if ((ext->ri_extension_data_len < ext->client_verify_data_len) || -+ (memcmp (ext->ri_extension_data, -+ ext->client_verify_data, -+ ext->client_verify_data_len))) -+ { -+ gnutls_assert(); -+ _gnutls_handshake_log ("Safe renegotiation failed [1]\n"); -+ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED; -+ } -+ if (session->security_parameters.entity == GNUTLS_CLIENT) -+ { -+ if ((ext->ri_extension_data_len != -+ ext->client_verify_data_len + ext->server_verify_data_len) || -+ memcmp (ext->ri_extension_data + ext->client_verify_data_len, -+ ext->server_verify_data, ext->server_verify_data_len) != 0) -+ { -+ gnutls_assert(); -+ _gnutls_handshake_log ("Safe renegotiation failed [2]\n"); -+ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED; -+ } -+ } -+ else /* Make sure there are 0 extra bytes */ -+ { -+ if (ext->ri_extension_data_len != ext->client_verify_data_len) -+ { -+ gnutls_assert(); -+ _gnutls_handshake_log ("Safe renegotiation failed [3]\n"); -+ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED; -+ } -+ } -+ -+ _gnutls_handshake_log ("Safe renegotiation succeeded.\n"); -+ } -+ else /* safe renegotiation not received... */ -+ { -+ if (session->internals.connection_using_safe_renegotiation) -+ { -+ gnutls_assert(); -+ _gnutls_handshake_log ("Peer previously asked for safe renegotiation!\n"); -+ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED; -+ } -+ -+ /* Clients can't tell if it's an initial negotiation */ -+ if (session->internals.initial_negotiation_completed) -+ { -+ -+ if (session->internals.priorities.sr < SR_PARTIAL) -+ { -+ _gnutls_handshake_log ("Allowing unsafe (re)negotiation!\n"); -+ } -+ else -+ { -+ gnutls_assert(); -+ _gnutls_handshake_log ("Denying unsafe (re)negotiation.\n"); -+ return GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED; -+ } -+ } -+ else -+ { -+ if (session->internals.priorities.sr < SR_SAFE) -+ { -+ _gnutls_handshake_log ("Allowing unsafe initial negotiation!\n"); -+ } -+ else -+ { -+ gnutls_assert(); -+ _gnutls_handshake_log ("Denying unsafe initial negotiation.\n"); -+ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED; -+ } -+ } -+ } -+ - return ret; - } - -@@ -2097,6 +2316,13 @@ _gnutls_recv_hello (gnutls_session_t ses - * gnutls_handshake() function in order to negotiate the new - * parameters. - * -+ * Since TLS is full duplex some application data might have been -+ * sent during peer's processing of this message. In that case -+ * one should call gnutls_record_recv() until GNUTLS_E_REHANDSHAKE -+ * is returned to clear any pending data. Care must be taken if -+ * rehandshake is mandatory to terminate if it does not start after -+ * some threshold. -+ * - * If the client does not wish to renegotiate parameters he will - * should with an alert message, thus the return code will be - * %GNUTLS_E_WARNING_ALERT_RECEIVED and the alert will be -diff -up gnutls-2.8.6/lib/gnutls_int.h.reneg gnutls-2.8.6/lib/gnutls_int.h ---- gnutls-2.8.6/lib/gnutls_int.h.reneg 2009-11-02 11:30:39.000000000 +0100 -+++ gnutls-2.8.6/lib/gnutls_int.h 2010-06-02 10:23:27.000000000 +0200 -@@ -171,7 +171,8 @@ typedef enum extensions_t - GNUTLS_EXTENSION_OPAQUE_PRF_INPUT = ENABLE_OPRFI, - #endif - GNUTLS_EXTENSION_SRP = 12, -- GNUTLS_EXTENSION_INNER_APPLICATION = 37703 -+ GNUTLS_EXTENSION_INNER_APPLICATION = 37703, -+ GNUTLS_EXTENSION_SAFE_RENEGOTIATION = 65281, /* aka: 0xff01 */ - } extensions_t; - - typedef enum -@@ -282,6 +283,11 @@ typedef struct - - #define MAX_SERVER_NAME_EXTENSIONS 3 - -+#define MAX_VERIFY_DATA_SIZE 36 /* in SSL 3.0, 12 in TLS 1.0 */ -+ -+/* If you want the extension data to be kept across resuming sessions -+ * then modify CPY_EXTENSIONS in gnutls_constate.c -+ */ - typedef struct - { - server_name_st server_names[MAX_SERVER_NAME_EXTENSIONS]; -@@ -297,6 +303,9 @@ typedef struct - /* Used by extensions that enable supplemental data. */ - int do_recv_supplemental, do_send_supplemental; - -+ /*** Those below do not get copied when resuming session -+ ***/ -+ - /* Opaque PRF input. */ - gnutls_oprfi_callback_func oprfi_cb; - void *oprfi_userdata; -@@ -304,6 +313,15 @@ typedef struct - uint16_t oprfi_client_len; - opaque *oprfi_server; - uint16_t oprfi_server_len; -+ -+ /* Safe renegotiation. */ -+ uint8_t client_verify_data[MAX_VERIFY_DATA_SIZE]; -+ size_t client_verify_data_len; -+ uint8_t server_verify_data[MAX_VERIFY_DATA_SIZE]; -+ size_t server_verify_data_len; -+ uint8_t ri_extension_data[MAX_VERIFY_DATA_SIZE*2]; /* max signal is 72 bytes in s->c sslv3 */ -+ size_t ri_extension_data_len; -+ - } tls_ext_st; - - /* auth_info_t structures now MAY contain malloced -@@ -317,7 +335,7 @@ typedef struct - */ - - /* if you add anything in Security_Parameters struct, then -- * also modify CPY_COMMON in gnutls_constate.c -+ * also modify CPY_COMMON in gnutls_constate.c. - */ - - /* Note that the security parameters structure is set up after the -@@ -361,6 +379,7 @@ typedef struct - /* holds the negotiated certificate type */ - gnutls_certificate_type_t cert_type; - gnutls_protocol_t version; /* moved here */ -+ - /* For TLS/IA. XXX: Move to IA credential? */ - opaque inner_secret[GNUTLS_MASTER_SIZE]; - } security_parameters_st; -@@ -400,6 +419,13 @@ typedef struct - unsigned int algorithms; - } priority_st; - -+typedef enum { -+ SR_DISABLED, -+ SR_UNSAFE, -+ SR_PARTIAL, -+ SR_SAFE, -+} safe_renegotiation_t; -+ - /* For the external api */ - struct gnutls_priority_st - { -@@ -411,7 +437,8 @@ struct gnutls_priority_st - priority_st cert_type; - - /* to disable record padding */ -- int no_padding; -+ int no_padding:1; -+ safe_renegotiation_t sr; - int ssl3_record_version; - int additional_verify_flags; - }; -@@ -673,6 +700,10 @@ typedef struct - */ - uint16_t srp_prime_bits; - -+ int safe_renegotiation_received:1; -+ int initial_negotiation_completed:1; -+ int connection_using_safe_renegotiation:1; -+ - /* If you add anything here, check _gnutls_handshake_internal_state_clear(). - */ - } internals_st; -diff -up gnutls-2.8.6/lib/gnutls_priority.c.reneg gnutls-2.8.6/lib/gnutls_priority.c ---- gnutls-2.8.6/lib/gnutls_priority.c.reneg 2009-06-02 20:59:32.000000000 +0200 -+++ gnutls-2.8.6/lib/gnutls_priority.c 2010-06-02 10:23:27.000000000 +0200 -@@ -491,6 +491,21 @@ gnutls_priority_set (gnutls_session_t se - * - * "%COMPAT" will enable compatibility features for a server. - * -+ * "%DISABLE_SAFE_RENEGOTIATION" will disable safe renegotiation completely. Do not use -+ * unless you know what you are doing. Testing purposes only. -+ * -+ * "%UNSAFE_RENEGOTIATION" will allow unsafe renegotiation (this is now -+ * the default for clients, but will change once more servers support the safe renegotiation -+ * TLS fix). -+ * -+ * "%PARTIAL_SAFE_RENEGOTIATION" In server side it will enable safe renegotiation -+ * and will protect all clients from known attacks, but will not prevent insecure clients -+ * from connecting. In client side it will disallow from renegotiating with an insecure server -+ * but will not prevent connecting to one (this leaves the client vulnerable to attacks). -+ * -+ * "%SAFE_RENEGOTIATION" will enforce safe renegotiation. Clients and Servers will refuse -+ * to talk to an insecure peer. -+ * - * "%SSL3_RECORD_VERSION" will use SSL3.0 record version in client hello. - * - * "%VERIFY_ALLOW_SIGN_RSA_MD5" will allow RSA-MD5 signatures in -@@ -523,7 +538,7 @@ gnutls_priority_init (gnutls_priority_t - { - char *broken_list[MAX_ELEMENTS]; - int broken_list_size, i, j; -- char *darg; -+ char *darg = NULL; - int algo; - rmadd_func *fn; - -@@ -533,6 +548,11 @@ gnutls_priority_init (gnutls_priority_t - gnutls_assert (); - return GNUTLS_E_MEMORY_ERROR; - } -+ -+ /* for now unsafe renegotiation is default on everyone. To be removed -+ * when we make it the default. -+ */ -+ (*priority_cache)->sr = SR_PARTIAL; - - if (priorities == NULL) - priorities = "NORMAL"; -@@ -541,9 +561,10 @@ gnutls_priority_init (gnutls_priority_t - if (darg == NULL) - { - gnutls_assert (); -- return GNUTLS_E_MEMORY_ERROR; -+ goto error; - } - -+ - break_comma_list (darg, broken_list, &broken_list_size, MAX_ELEMENTS, ':'); - /* This is our default set of protocol version, certificate types and - * compression methods. -@@ -652,6 +673,25 @@ gnutls_priority_init (gnutls_priority_t - "VERIFY_ALLOW_X509_V1_CA_CRT") == 0) - (*priority_cache)->additional_verify_flags |= - GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT; -+ else if (strcasecmp (&broken_list[i][1], -+ "UNSAFE_RENEGOTIATION") == 0) -+ { -+ (*priority_cache)->sr = SR_UNSAFE; -+ } -+ else if (strcasecmp (&broken_list[i][1], "SAFE_RENEGOTIATION") == 0) -+ { -+ (*priority_cache)->sr = SR_SAFE; -+ } -+ else if (strcasecmp (&broken_list[i][1], -+ "PARTIAL_RENEGOTIATION") == 0) -+ { -+ (*priority_cache)->sr = SR_PARTIAL; -+ } -+ else if (strcasecmp (&broken_list[i][1], -+ "DISABLE_SAFE_RENEGOTIATION") == 0) -+ { -+ (*priority_cache)->sr = SR_DISABLED; -+ } - else - goto error; - } -@@ -672,6 +712,7 @@ error: - } - } - gnutls_free (darg); -+ gnutls_free(*priority_cache); - - return GNUTLS_E_INVALID_REQUEST; - -diff -up gnutls-2.8.6/lib/gnutls_record.c.reneg gnutls-2.8.6/lib/gnutls_record.c ---- gnutls-2.8.6/lib/gnutls_record.c.reneg 2009-06-02 20:59:32.000000000 +0200 -+++ gnutls-2.8.6/lib/gnutls_record.c 2010-05-31 22:52:31.000000000 +0200 -@@ -744,6 +744,14 @@ record_check_type (gnutls_session_t sess - if (session->security_parameters.entity == GNUTLS_SERVER) - { - gnutls_assert (); -+ ret = -+ _gnutls_record_buffer_put (recv_type, session, (void *) data, -+ data_size); -+ if (ret < 0) -+ { -+ gnutls_assert (); -+ return ret; -+ } - return GNUTLS_E_REHANDSHAKE; - } - -@@ -896,9 +904,13 @@ begin: - _gnutls_io_read_buffered (session, &headers, header_size, - -1)) != header_size) - { -+ _gnutls_handshake_log ("XXX[]: ret: %d %s\n", ret, gnutls_strerror(ret)); -+ - if (ret < 0 && gnutls_error_is_fatal (ret) == 0) - return ret; - -+ _gnutls_handshake_log ("XXX2[]: ret: %d %s\n", ret, gnutls_strerror(ret)); -+ - session_invalidate (session); - if (type == GNUTLS_ALERT) - { -diff -up gnutls-2.8.6/lib/gnutls_state.c.reneg gnutls-2.8.6/lib/gnutls_state.c ---- gnutls-2.8.6/lib/gnutls_state.c.reneg 2009-11-02 11:30:39.000000000 +0100 -+++ gnutls-2.8.6/lib/gnutls_state.c 2010-06-02 10:23:27.000000000 +0200 -@@ -223,6 +223,7 @@ _gnutls_handshake_internal_state_clear ( - session->internals.adv_version_minor = 0; - session->internals.adv_version_minor = 0; - session->internals.direction = 0; -+ session->internals.safe_renegotiation_received = 0; - - /* use out of band data for the last - * handshake messages received. -@@ -338,6 +339,11 @@ gnutls_init (gnutls_session_t * session, - - _gnutls_handshake_internal_state_clear (*session); - -+ /* emulate old gnutls behavior for old applications that do not use the priority_* -+ * functions. -+ */ -+ (*session)->internals.priorities.sr = SR_PARTIAL; -+ - return 0; - } - -diff -up gnutls-2.8.6/lib/includes/gnutls/gnutls.h.in.reneg gnutls-2.8.6/lib/includes/gnutls/gnutls.h.in ---- gnutls-2.8.6/lib/includes/gnutls/gnutls.h.in.reneg 2009-06-02 20:59:32.000000000 +0200 -+++ gnutls-2.8.6/lib/includes/gnutls/gnutls.h.in 2010-05-31 22:52:31.000000000 +0200 -@@ -503,7 +503,9 @@ extern "C" { - { - GNUTLS_EXT_ANY, - GNUTLS_EXT_APPLICATION, -- GNUTLS_EXT_TLS -+ GNUTLS_EXT_TLS, -+ GNUTLS_EXT_MANDATORY, /* parse even if resuming or extensions disabled */ -+ GNUTLS_EXT_NONE, - } gnutls_ext_parse_type_t; - - int gnutls_ext_register (int type, -@@ -525,6 +527,9 @@ extern "C" { - void *data, size_t * data_length, - unsigned int *type, unsigned int indx); - -+ /* Safe renegotiation */ -+ int gnutls_safe_renegotiation_status (gnutls_session_t session); -+ - /* Opaque PRF Input - * http://tools.ietf.org/id/draft-rescorla-tls-opaque-prf-input-00.txt - */ -@@ -1368,6 +1373,9 @@ extern "C" { - #define GNUTLS_E_IA_VERIFY_FAILED -104 - - #define GNUTLS_E_UNKNOWN_ALGORITHM -105 -+#define GNUTLS_E_SAFE_RENEGOTIATION_FAILED -107 -+#define GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED -108 -+#define GNUTLS_E_UNKNOWN_SRP_USERNAME -109 - - #define GNUTLS_E_BASE64_ENCODING_ERROR -201 - #define GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY -202 /* obsolete */ -diff -up gnutls-2.8.6/lib/libgnutls.map.reneg gnutls-2.8.6/lib/libgnutls.map ---- gnutls-2.8.6/lib/libgnutls.map.reneg 2009-06-02 20:59:32.000000000 +0200 -+++ gnutls-2.8.6/lib/libgnutls.map 2010-05-31 22:52:31.000000000 +0200 -@@ -567,6 +567,12 @@ GNUTLS_2_8 - gnutls_x509_crt_verify_hash; - } GNUTLS_1_4; - -+GNUTLS_2_10 -+{ -+ global: -+ gnutls_safe_renegotiation_status; -+} GNUTLS_2_8; -+ - GNUTLS_PRIVATE { - global: - # Internal symbols needed by libgnutls-extra: -diff -up gnutls-2.8.6/lib/Makefile.in.reneg gnutls-2.8.6/lib/Makefile.in ---- gnutls-2.8.6/lib/Makefile.in.reneg 2010-03-15 11:28:41.000000000 +0100 -+++ gnutls-2.8.6/lib/Makefile.in 2010-05-31 22:52:31.000000000 +0200 -@@ -214,7 +214,7 @@ am__objects_4 = gnutls_record.lo gnutls_ - ext_server_name.lo auth_dh_common.lo gnutls_helper.lo \ - gnutls_supplemental.lo crypto.lo random.lo pk-libgcrypt.lo \ - mpi-libgcrypt.lo rnd-libgcrypt.lo cipher-libgcrypt.lo \ -- mac-libgcrypt.lo $(am__objects_3) -+ mac-libgcrypt.lo ext_safe_renegotiation.lo $(am__objects_3) - am__objects_5 = ext_srp.lo gnutls_srp.lo auth_srp.lo \ - auth_srp_passwd.lo auth_srp_sb64.lo auth_srp_rsa.lo - am__objects_6 = auth_psk.lo auth_psk_passwd.lo gnutls_psk.lo \ -@@ -854,6 +854,7 @@ COBJECTS = gnutls_record.c gnutls_compre - auth_dh_common.c gnutls_helper.c gnutls_supplemental.c \ - crypto.c random.c pk-libgcrypt.c mpi-libgcrypt.c \ - rnd-libgcrypt.c cipher-libgcrypt.c mac-libgcrypt.c \ -+ ext_safe_renegotiation.c \ - $(am__append_5) - HFILES = debug.h gnutls_compress.h gnutls_cipher.h gnutls_buffers.h \ - gnutls_errors.h gnutls_int.h gnutls_handshake.h gnutls_num.h \ -@@ -868,7 +869,8 @@ HFILES = debug.h gnutls_compress.h gnutl - gnutls_rsa_export.h ext_server_name.h auth_dh_common.h \ - ext_srp.h gnutls_srp.h auth_srp.h auth_srp_passwd.h \ - gnutls_helper.h auth_psk.h auth_psk_passwd.h \ -- gnutls_supplemental.h ext_oprfi.h crypto.h random.h -+ gnutls_supplemental.h ext_oprfi.h crypto.h random.h \ -+ ext_safe_renegotiation.h - - - # Separate so we can create the documentation -@@ -1058,6 +1060,7 @@ distclean-compile: - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gnutls_x509.Plo@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libgnutlsxx_la-gnutlsxx.Plo@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mac-libgcrypt.Plo@am__quote@ -+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ext_safe_renegotiation.Plo@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mpi-libgcrypt.Plo@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pk-libgcrypt.Plo@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkix_asn1_tab.Plo@am__quote@ -diff -up gnutls-2.8.6/NEWS.reneg gnutls-2.8.6/NEWS ---- gnutls-2.8.6/NEWS.reneg 2010-03-15 13:49:42.000000000 +0100 -+++ gnutls-2.8.6/NEWS 2010-05-31 22:52:31.000000000 +0200 -@@ -3,6 +3,23 @@ Copyright (C) 2000, 2001, 2002, 2003, 20 - 2006, 2007, 2008, 2009, 2010 Free Software Foundation - See the end for copying conditions. - -+** libgnutls: Added Steve Dispensa's patch for safe renegotiation (RFC 5746) -+Solves the issue discussed in: -+ and -+. -+Note that to allow connecting to unpatched servers the full protection -+is only enabled if the priority string %SAFE_RENEGOTIATION is -+specified. You can check whether protection is in place by querying -+gnutls_safe_renegotiation_status(). New error codes -+GNUTLS_E_SAFE_RENEGOTIATION_FAILED and -+GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED added. -+ -+gnutls_safe_renegotiation_status: Added -+ -+%UNSAFE_RENEGOTIATION: Added to priority strings -+%INITIAL_SAFE_RENEGOTIATION: Added to priority strings -+%DISABLE_SAFE_RENEGOTIATION: Added to priority strings (do not use) -+ - * Version 2.8.6 (released 2010-03-15) - - ** libgnutls: For CSRs, don't null pad integers for RSA/DSA value. -diff -up gnutls-2.8.6/src/cli.c.reneg gnutls-2.8.6/src/cli.c ---- gnutls-2.8.6/src/cli.c.reneg 2009-06-02 20:59:32.000000000 +0200 -+++ gnutls-2.8.6/src/cli.c 2010-05-31 22:52:31.000000000 +0200 -@@ -53,7 +53,7 @@ - #define MAX_BUF 4096 - - /* global stuff here */ --int resume, starttls, insecure; -+int resume, starttls, insecure, rehandshake; - const char *hostname = NULL; - char *service; - int record_max_size; -@@ -674,6 +674,23 @@ after_handshake: - programs to search for when gnutls-cli has reached this point. */ - printf ("\n- Simple Client Mode:\n\n"); - -+ if (rehandshake) -+ { -+ ret = do_handshake (&hd); -+ -+ if (ret < 0) -+ { -+ fprintf (stderr, "*** ReHandshake has failed\n"); -+ gnutls_perror (ret); -+ gnutls_deinit (hd.session); -+ return 1; -+ } -+ else -+ { -+ printf ("- ReHandshake was completed\n"); -+ } -+ } -+ - #ifndef _WIN32 - signal (SIGALRM, &starttls_alarm); - #endif -@@ -838,6 +855,7 @@ gaa_parser (int argc, char **argv) - print_cert = info.print_cert; - starttls = info.starttls; - resume = info.resume; -+ rehandshake = info.rehandshake; - insecure = info.insecure; - service = info.port; - record_max_size = info.record_size; -@@ -962,6 +980,11 @@ do_handshake (socket_st * socket) - socket->secure = 1; - - } -+ else -+ { -+ gnutls_alert_send_appropriate(socket->session, ret); -+ shutdown (socket->fd, SHUT_RDWR); -+ } - return ret; - } - -diff -up gnutls-2.8.6/src/cli-gaa.c.reneg gnutls-2.8.6/src/cli-gaa.c ---- gnutls-2.8.6/src/cli-gaa.c.reneg 2009-06-02 20:59:32.000000000 +0200 -+++ gnutls-2.8.6/src/cli-gaa.c 2010-05-31 22:52:31.000000000 +0200 -@@ -129,6 +129,7 @@ void gaa_help(void) - printf("GNU TLS test client\nUsage: gnutls-cli [options] hostname\n\n\n"); - __gaa_helpsingle('d', "debug", "integer ", "Enable debugging"); - __gaa_helpsingle('r', "resume", "", "Connect, establish a session. Connect again and resume this session."); -+ __gaa_helpsingle('e', "rehandshake", "", "Connect, establish a session and rehandshake immediately."); - __gaa_helpsingle('s', "starttls", "", "Connect, establish a plain session and start TLS when EOF or a SIGALRM is received."); - __gaa_helpsingle(0, "crlf", "", "Send CR LF instead of LF."); - __gaa_helpsingle(0, "x509fmtder", "", "Use DER format for certificates to read from."); -@@ -250,6 +251,8 @@ struct _gaainfo - int crlf; - #line 20 "cli.gaa" - int starttls; -+#line 20 "cli.gaa" -+ int rehandshake; - #line 17 "cli.gaa" - int resume; - #line 14 "cli.gaa" -@@ -342,8 +345,9 @@ static int gaa_error = 0; - #define GAAOPTID_x509fmtder 31 - #define GAAOPTID_crlf 32 - #define GAAOPTID_starttls 33 --#define GAAOPTID_resume 34 --#define GAAOPTID_debug 35 -+#define GAAOPTID_rehandshake 34 -+#define GAAOPTID_resume 35 -+#define GAAOPTID_debug 36 - - #line 168 "gaa.skel" - -@@ -721,6 +725,7 @@ static int gaa_get_option_num(char *str, - GAA_CHECK1STR("", GAAOPTID_x509fmtder); - GAA_CHECK1STR("", GAAOPTID_crlf); - GAA_CHECK1STR("s", GAAOPTID_starttls); -+ GAA_CHECK1STR("e", GAAOPTID_rehandshake); - GAA_CHECK1STR("r", GAAOPTID_resume); - - #line 277 "gaa.skel" -@@ -759,6 +764,7 @@ static int gaa_get_option_num(char *str, - GAA_CHECKSTR("x509fmtder", GAAOPTID_x509fmtder); - GAA_CHECKSTR("crlf", GAAOPTID_crlf); - GAA_CHECKSTR("starttls", GAAOPTID_starttls); -+ GAA_CHECKSTR("rehandshake", GAAOPTID_rehandshake); - GAA_CHECKSTR("resume", GAAOPTID_resume); - GAA_CHECKSTR("debug", GAAOPTID_debug); - -@@ -1101,6 +1107,13 @@ static int gaa_try(int gaa_num, int gaa_ - - return GAA_OK; - break; -+ case GAAOPTID_rehandshake: -+ OK = 0; -+#line 21 "cli.gaa" -+{ gaaval->rehandshake = 1 ;}; -+ -+ return GAA_OK; -+ break; - case GAAOPTID_resume: - OK = 0; - #line 18 "cli.gaa" -@@ -1164,7 +1177,7 @@ int gaa(int argc, char **argv, gaainfo * - gaaval->srp_username=NULL; gaaval->srp_passwd=NULL; gaaval->fmtder = 0; gaaval->starttls =0; - gaaval->debug = 0; gaaval->print_cert = 0; gaaval->verbose = 0; gaaval->psk_key = NULL; - gaaval->psk_username = NULL; gaaval->priorities = NULL; -- gaaval->opaque_prf_input = NULL; gaaval->pgp_subkey = NULL; ;}; -+ gaaval->opaque_prf_input = NULL; gaaval->pgp_subkey = NULL; gaaval->rehandshake = 0; ;}; - - } - inited = 1; -diff -up gnutls-2.8.6/src/cli-gaa.h.reneg gnutls-2.8.6/src/cli-gaa.h ---- gnutls-2.8.6/src/cli-gaa.h.reneg 2009-06-02 20:59:32.000000000 +0200 -+++ gnutls-2.8.6/src/cli-gaa.h 2010-05-31 22:52:31.000000000 +0200 -@@ -82,6 +82,7 @@ struct _gaainfo - int crlf; - #line 20 "cli.gaa" - int starttls; -+ int rehandshake; - #line 17 "cli.gaa" - int resume; - #line 14 "cli.gaa" -diff -up gnutls-2.8.6/src/cli.gaa.reneg gnutls-2.8.6/src/cli.gaa ---- gnutls-2.8.6/src/cli.gaa.reneg 2009-06-02 20:59:32.000000000 +0200 -+++ gnutls-2.8.6/src/cli.gaa 2010-05-31 22:52:31.000000000 +0200 -@@ -17,6 +17,9 @@ option (d, debug) INT "integer" { $debug - #int resume; - option (r, resume) { $resume = 1 } "Connect, establish a session. Connect again and resume this session." - -+#int rehandshake; -+option (e, rehandshake) { $rehandshake = 1 } "Connect, establish a session and rehandshake immediately." -+ - #int starttls; - option (s, starttls) { $starttls = 1 } "Connect, establish a plain session and start TLS when EOF or a SIGALRM is received." - -@@ -130,4 +133,4 @@ init { $resume=0; $port="443"; $rest_arg - $srp_username=NULL; $srp_passwd=NULL; $fmtder = 0; $starttls =0; - $debug = 0; $print_cert = 0; $verbose = 0; $psk_key = NULL; - $psk_username = NULL; $priorities = NULL; -- $opaque_prf_input = NULL; $pgp_subkey = NULL; } -+ $opaque_prf_input = NULL; $pgp_subkey = NULL; $rehandshake = 0; } -diff -up gnutls-2.8.6/src/serv.c.reneg gnutls-2.8.6/src/serv.c ---- gnutls-2.8.6/src/serv.c.reneg 2009-11-06 09:39:42.000000000 +0100 -+++ gnutls-2.8.6/src/serv.c 2010-05-31 22:52:31.000000000 +0200 -@@ -764,6 +764,18 @@ get_response (gnutls_session_t session, - } - else - { -+ fprintf(stderr, "received: %s\n", request); -+ if (request[0] == request[1] && request[0] == '*') -+ { -+ if (strncmp(request, "**REHANDSHAKE**", sizeof("**REHANDSHAKE**")-1)==0) -+ { -+ fprintf(stderr, "*** Sending rehandshake request\n"); -+ gnutls_rehandshake(session); -+ } -+ *response = NULL; -+ *response_length = 0; -+ return; -+ } - *response = strdup (request); - *response_length = ((*response) ? strlen (*response) : 0); - } -@@ -1177,7 +1189,7 @@ main (int argc, char **argv) - ret = - gnutls_alert_send_appropriate (j->tls_session, r); - } -- while (ret == GNUTLS_E_AGAIN); -+ while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); - j->http_state = HTTP_STATE_CLOSING; - } - else if (r == 0) -@@ -1210,14 +1222,37 @@ main (int argc, char **argv) - } - else if (r <= 0) - { -- j->http_state = HTTP_STATE_CLOSING; -- if (r < 0 && r != GNUTLS_E_UNEXPECTED_PACKET_LENGTH) -+ if (r == GNUTLS_E_REHANDSHAKE) - { -- check_alert (j->tls_session, r); -- fprintf (stderr, "Error while receiving data\n"); -- GERR (r); -- } -- -+ fprintf(stderr, "*** Received hello message\n"); -+ do -+ { -+ r = gnutls_handshake (j->tls_session); -+ } -+ while (r == GNUTLS_E_INTERRUPTED || r == GNUTLS_E_AGAIN); -+ if (r < 0) -+ { -+ -+ do -+ { -+ ret = gnutls_alert_send_appropriate (j->tls_session, r); -+ } -+ while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); -+ -+ GERR (r); -+ j->http_state = HTTP_STATE_CLOSING; -+ } -+ } -+ else -+ { -+ j->http_state = HTTP_STATE_CLOSING; -+ if (r < 0 && r != GNUTLS_E_UNEXPECTED_PACKET_LENGTH) -+ { -+ check_alert (j->tls_session, r); -+ fprintf (stderr, "Error while receiving data\n"); -+ GERR (r); -+ } -+ } - } - else - { -@@ -1299,7 +1334,7 @@ main (int argc, char **argv) - } - } - -- if (j->handshake_ok == 1) -+ if (j->handshake_ok == 1 && j->http_response != NULL) - { - /* FIXME if j->http_response == NULL? */ - r = gnutls_record_send (j->tls_session, -@@ -1351,6 +1386,12 @@ main (int argc, char **argv) - } - } - } -+ else -+ { -+ j->request_length = 0; -+ j->http_request[0] = 0; -+ j->http_state = HTTP_STATE_REQUEST; -+ } - } - } - lloopend (listener_list, j); -diff -up gnutls-2.8.6/src/tests.c.reneg gnutls-2.8.6/src/tests.c ---- gnutls-2.8.6/src/tests.c.reneg 2009-06-02 20:59:32.000000000 +0200 -+++ gnutls-2.8.6/src/tests.c 2010-05-31 22:52:31.000000000 +0200 -@@ -45,6 +45,7 @@ extern int verbose; - int tls1_ok = 0; - int ssl3_ok = 0; - int tls1_1_ok = 0; -+int tls1_2_ok = 0; - - /* keep session info */ - static char *session_data = NULL; -@@ -103,158 +104,28 @@ do_handshake (gnutls_session_t session) - return TEST_SUCCEED; - } - --static int protocol_priority[16] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; -+char protocol_str[] = "+VERS-TLS1.0:+VERS-SSL3.0"; -+char prio_str[256] = ""; - --static const int kx_priority[16] = -- { GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, -- GNUTLS_KX_ANON_DH, -- GNUTLS_KX_RSA_EXPORT, 0 --}; -- --static const int cipher_priority[16] = -- { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128, -- GNUTLS_CIPHER_ARCFOUR_40, 0 --}; --static const int comp_priority[16] = { GNUTLS_COMP_NULL, 0 }; --static const int mac_priority[16] = { GNUTLS_MAC_SHA1, GNUTLS_MAC_MD5, 0 }; --static const int cert_type_priority[16] = { GNUTLS_CRT_X509, 0 }; -- --#define ADD_ALL_CIPHERS(session) gnutls_cipher_set_priority(session, cipher_priority) --#define ADD_ALL_COMP(session) gnutls_compression_set_priority(session, comp_priority) --#define ADD_ALL_MACS(session) gnutls_mac_set_priority(session, mac_priority) --#define ADD_ALL_KX(session) gnutls_kx_set_priority(session, kx_priority) --#define ADD_ALL_PROTOCOLS(session) gnutls_protocol_set_priority(session, protocol_priority) --#define ADD_ALL_CERTTYPES(session) gnutls_certificate_type_set_priority(session, cert_type_priority) -- --static void --ADD_KX (gnutls_session_t session, int kx) --{ -- static int _kx_priority[] = { 0, 0 }; -- _kx_priority[0] = kx; -- -- gnutls_kx_set_priority (session, _kx_priority); --} -- --static void --ADD_KX2 (gnutls_session_t session, int kx1, int kx2) --{ -- static int _kx_priority[] = { 0, 0, 0 }; -- _kx_priority[0] = kx1; -- _kx_priority[1] = kx2; -- -- gnutls_kx_set_priority (session, _kx_priority); --} -- --static void --ADD_CIPHER (gnutls_session_t session, int cipher) --{ -- static int _cipher_priority[] = { 0, 0 }; -- _cipher_priority[0] = cipher; -- -- gnutls_cipher_set_priority (session, _cipher_priority); --} -- --static void --ADD_CIPHER4 (gnutls_session_t session, int cipher1, int cipher2, int cipher3, -- int cipher4) --{ -- static int _cipher_priority[] = { 0, 0, 0, 0, 0 }; -- _cipher_priority[0] = cipher1; -- _cipher_priority[1] = cipher2; -- _cipher_priority[2] = cipher3; -- _cipher_priority[3] = cipher4; -- -- gnutls_cipher_set_priority (session, _cipher_priority); --} -- --static void --ADD_MAC (gnutls_session_t session, int mac) --{ -- static int _mac_priority[] = { 0, 0 }; -- _mac_priority[0] = mac; -- -- gnutls_mac_set_priority (session, _mac_priority); --} -- --static void --ADD_COMP (gnutls_session_t session, int c) --{ -- static int _comp_priority[] = { 0, 0 }; -- _comp_priority[0] = c; -- -- gnutls_compression_set_priority (session, _comp_priority); --} -- --static void --ADD_CERTTYPE (gnutls_session_t session, int ctype) --{ -- static int _ct_priority[] = { 0, 0 }; -- _ct_priority[0] = ctype; -- -- gnutls_certificate_type_set_priority (session, _ct_priority); --} -- --static void --ADD_PROTOCOL (gnutls_session_t session, int protocol) --{ -- static int _proto_priority[] = { 0, 0 }; -- _proto_priority[0] = protocol; -- -- gnutls_protocol_set_priority (session, _proto_priority); --} -- --static void --ADD_PROTOCOL3 (gnutls_session_t session, int p1, int p2, int p3) --{ -- static int _proto_priority[] = { 0, 0, 0, 0 }; -- _proto_priority[0] = p1; -- _proto_priority[1] = p2; -- _proto_priority[2] = p3; -- -- gnutls_protocol_set_priority (session, _proto_priority); --} -- --#ifdef ENABLE_SRP --static int srp_detected; -- --int --_test_srp_username_callback (gnutls_session_t session, -- char **username, char **password) --{ -- srp_detected = 1; -- -- return -1; --} -- --test_code_t --test_srp (gnutls_session_t session) --{ -- int ret; -- -- ADD_ALL_CIPHERS (session); -- ADD_ALL_COMP (session); -- ADD_ALL_CERTTYPES (session); -- ADD_ALL_PROTOCOLS (session); -- ADD_ALL_MACS (session); -- -- ADD_KX (session, GNUTLS_KX_SRP); -- srp_detected = 0; -- -- gnutls_srp_set_client_credentials_function (srp_cred, -- _test_srp_username_callback); -- -- gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred); -- -- ret = do_handshake (session); -- -- gnutls_srp_set_client_credentials_function (srp_cred, NULL); -- -- if (srp_detected != 0) -- return TEST_SUCCEED; -- else -- return TEST_FAILED; -+#define ALL_CIPHERS "+3DES-CBC:+ARCFOUR-128:+ARCFOUR-40" -+#define ALL_COMP "+COMP-NULL" -+#define ALL_MACS "+SHA1:+MD5" -+#define ALL_CERTTYPES "+CTYPE-X509" -+#define REST "%%UNSAFE_RENEGOTIATION" -+#define ALL_KX "+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+RSA-EXPORT" -+#define INIT_STR "NONE:" -+ -+static inline void _gnutls_priority_set_direct(gnutls_session_t session, const char* str) -+{ -+ const char* err; -+ int ret = gnutls_priority_set_direct(session, str, &err); -+ -+ if (ret < 0) -+ { -+ fprintf(stderr, "Error in %s\n", err); -+ exit(1); -+ } - } --#endif - - test_code_t - test_server (gnutls_session_t session) -@@ -269,12 +140,8 @@ test_server (gnutls_session_t session) - - buf[sizeof (buf) - 1] = 0; - -- ADD_ALL_CIPHERS (session); -- ADD_ALL_COMP (session); -- ADD_ALL_CERTTYPES (session); -- ADD_ALL_PROTOCOLS (session); -- ADD_ALL_MACS (session); -- ADD_ALL_KX (session); -+ sprintf(prio_str, ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); -+ _gnutls_priority_set_direct (session, prio_str); - - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - -@@ -318,13 +185,9 @@ test_export (gnutls_session_t session) - { - int ret; - -- ADD_ALL_COMP (session); -- ADD_ALL_CERTTYPES (session); -- ADD_ALL_PROTOCOLS (session); -- ADD_ALL_MACS (session); -+ sprintf(prio_str, "+ARCFOUR-40:+RSA-EXPORT:"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); -+ _gnutls_priority_set_direct (session, prio_str); - -- ADD_KX (session, GNUTLS_KX_RSA_EXPORT); -- ADD_CIPHER (session, GNUTLS_CIPHER_ARCFOUR_40); - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake (session); -@@ -348,13 +211,9 @@ test_export_info (gnutls_session_t sessi - if (verbose == 0 || export_true == 0) - return TEST_IGNORE; - -- ADD_ALL_COMP (session); -- ADD_ALL_CERTTYPES (session); -- ADD_ALL_PROTOCOLS (session); -- ADD_ALL_MACS (session); -+ sprintf(prio_str, "+ARCFOUR-40:+RSA-EXPORT:"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); -+ _gnutls_priority_set_direct (session, prio_str); - -- ADD_KX (session, GNUTLS_KX_RSA_EXPORT); -- ADD_CIPHER (session, GNUTLS_CIPHER_ARCFOUR_40); - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake (session); -@@ -395,13 +254,9 @@ test_dhe (gnutls_session_t session) - { - int ret; - -- ADD_ALL_CIPHERS (session); -- ADD_ALL_COMP (session); -- ADD_ALL_CERTTYPES (session); -- ADD_ALL_PROTOCOLS (session); -- ADD_ALL_MACS (session); -+ sprintf(prio_str, ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":+DHE-RSA:+DHE-DSS:"REST, protocol_str); -+ _gnutls_priority_set_direct (session, prio_str); - -- ADD_KX2 (session, GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS); - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake (session); -@@ -411,6 +266,37 @@ test_dhe (gnutls_session_t session) - return ret; - } - -+ -+test_code_t -+test_safe_renegotiation (gnutls_session_t session) -+{ -+ int ret; -+ -+ sprintf(prio_str, ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":%%INITIAL_SAFE_RENEGOTIATION", protocol_str); -+ _gnutls_priority_set_direct (session, prio_str); -+ -+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); -+ -+ ret = do_handshake (session); -+ -+ return ret; -+} -+ -+test_code_t -+test_safe_renegotiation_scsv (gnutls_session_t session) -+{ -+ int ret; -+ -+ sprintf(prio_str, ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":+VERS-SSL3.0:"ALL_MACS":"ALL_KX":%%INITIAL_SAFE_RENEGOTIATION"); -+ _gnutls_priority_set_direct (session, prio_str); -+ -+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); -+ -+ ret = do_handshake (session); -+ -+ return ret; -+} -+ - test_code_t - test_dhe_group (gnutls_session_t session) - { -@@ -421,13 +307,8 @@ test_dhe_group (gnutls_session_t session - if (verbose == 0 || pubkey.data == NULL) - return TEST_IGNORE; - -- ADD_ALL_CIPHERS (session); -- ADD_ALL_COMP (session); -- ADD_ALL_CERTTYPES (session); -- ADD_ALL_PROTOCOLS (session); -- ADD_ALL_MACS (session); -+ sprintf(prio_str, ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":+DHE-RSA:+DHE-DSS:"REST, protocol_str); - -- ADD_KX2 (session, GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS); - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake (session); -@@ -463,12 +344,9 @@ test_code_t - test_ssl3 (gnutls_session_t session) - { - int ret; -- ADD_ALL_CIPHERS (session); -- ADD_ALL_COMP (session); -- ADD_ALL_CERTTYPES (session); -- ADD_PROTOCOL (session, GNUTLS_SSL3); -- ADD_ALL_MACS (session); -- ADD_ALL_KX (session); -+ sprintf(prio_str, ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":+VERS-SSL3.0:"ALL_MACS":"ALL_KX":"REST); -+ _gnutls_priority_set_direct (session, prio_str); -+ - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake (session); -@@ -496,12 +374,9 @@ test_bye (gnutls_session_t session) - signal (SIGALRM, got_alarm); - #endif - -- ADD_ALL_CIPHERS (session); -- ADD_ALL_COMP (session); -- ADD_ALL_CERTTYPES (session); -- ADD_ALL_PROTOCOLS (session); -- ADD_ALL_MACS (session); -- ADD_ALL_KX (session); -+ sprintf(prio_str, ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); -+ _gnutls_priority_set_direct (session, prio_str); -+ - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake (session); -@@ -548,12 +423,10 @@ test_code_t - test_aes (gnutls_session_t session) - { - int ret; -- ADD_CIPHER (session, GNUTLS_CIPHER_AES_128_CBC); -- ADD_ALL_COMP (session); -- ADD_ALL_CERTTYPES (session); -- ADD_ALL_PROTOCOLS (session); -- ADD_ALL_MACS (session); -- ADD_ALL_KX (session); -+ -+ sprintf(prio_str, INIT_STR "+AES-128-CBC:"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST , protocol_str); -+ _gnutls_priority_set_direct (session, prio_str); -+ - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake (session); -@@ -565,12 +438,10 @@ test_code_t - test_camellia (gnutls_session_t session) - { - int ret; -- ADD_CIPHER (session, GNUTLS_CIPHER_CAMELLIA_128_CBC); -- ADD_ALL_COMP (session); -- ADD_ALL_CERTTYPES (session); -- ADD_ALL_PROTOCOLS (session); -- ADD_ALL_MACS (session); -- ADD_ALL_KX (session); -+ -+ sprintf(prio_str, INIT_STR "+CAMELLIA-128-CBC:"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); -+ _gnutls_priority_set_direct (session, prio_str); -+ - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake (session); -@@ -582,12 +453,10 @@ test_code_t - test_openpgp1 (gnutls_session_t session) - { - int ret; -- ADD_ALL_CIPHERS (session); -- ADD_ALL_COMP (session); -- ADD_CERTTYPE (session, GNUTLS_CRT_OPENPGP); -- ADD_ALL_PROTOCOLS (session); -- ADD_ALL_MACS (session); -- ADD_ALL_KX (session); -+ -+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":+CTYPE-OPENPGP:%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); -+ _gnutls_priority_set_direct (session, prio_str); -+ - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake (session); -@@ -604,18 +473,16 @@ test_code_t - test_unknown_ciphersuites (gnutls_session_t session) - { - int ret; -+ -+ - #ifdef ENABLE_CAMELLIA -- ADD_CIPHER4 (session, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_3DES_CBC, -- GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_CIPHER_ARCFOUR_128); -+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); -+ _gnutls_priority_set_direct (session, prio_str); - #else -- ADD_CIPHER4 (session, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_3DES_CBC, -- GNUTLS_CIPHER_ARCFOUR_128, 0); -+ sprintf(prio_str, INIT_STR "+AES-128-CBC:"ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); -+ _gnutls_priority_set_direct (session, prio_str); - #endif -- ADD_ALL_COMP (session); -- ADD_ALL_CERTTYPES (session); -- ADD_ALL_PROTOCOLS (session); -- ADD_ALL_MACS (session); -- ADD_ALL_KX (session); -+ - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake (session); -@@ -626,12 +493,10 @@ test_code_t - test_md5 (gnutls_session_t session) - { - int ret; -- ADD_ALL_CIPHERS (session); -- ADD_ALL_COMP (session); -- ADD_ALL_CERTTYPES (session); -- ADD_ALL_PROTOCOLS (session); -- ADD_MAC (session, GNUTLS_MAC_MD5); -- ADD_ALL_KX (session); -+ -+ sprintf(prio_str, INIT_STR "+AES-128-CBC:"ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:+MD5:"ALL_KX":"REST, protocol_str); -+ _gnutls_priority_set_direct (session, prio_str); -+ - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake (session); -@@ -643,12 +508,10 @@ test_code_t - test_zlib (gnutls_session_t session) - { - int ret; -- ADD_ALL_CIPHERS (session); -- ADD_COMP (session, GNUTLS_COMP_ZLIB); -- ADD_ALL_CERTTYPES (session); -- ADD_ALL_PROTOCOLS (session); -- ADD_ALL_MACS (session); -- ADD_ALL_KX (session); -+ -+ sprintf(prio_str, INIT_STR ALL_CIPHERS":+COMP-ZLIB:"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); -+ _gnutls_priority_set_direct (session, prio_str); -+ - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake (session); -@@ -657,34 +520,25 @@ test_zlib (gnutls_session_t session) - #endif - - test_code_t --test_lzo (gnutls_session_t session) -+test_sha (gnutls_session_t session) - { - int ret; -- gnutls_handshake_set_private_extensions (session, 1); - -- ADD_ALL_CIPHERS (session); -- ADD_COMP (session, GNUTLS_COMP_LZO); -- ADD_ALL_CERTTYPES (session); -- ADD_ALL_PROTOCOLS (session); -- ADD_ALL_MACS (session); -- ADD_ALL_KX (session); -+ sprintf(prio_str, INIT_STR "+AES-128-CBC:"ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:+SHA1:"ALL_KX":"REST, protocol_str); -+ _gnutls_priority_set_direct (session, prio_str); - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake (session); -- - return ret; - } - - test_code_t --test_sha (gnutls_session_t session) -+test_3des (gnutls_session_t session) - { - int ret; -- ADD_ALL_CIPHERS (session); -- ADD_ALL_COMP (session); -- ADD_ALL_CERTTYPES (session); -- ADD_ALL_PROTOCOLS (session); -- ADD_MAC (session, GNUTLS_MAC_SHA1); -- ADD_ALL_KX (session); -+ -+ sprintf(prio_str, INIT_STR "+3DES-CBC:"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); -+ _gnutls_priority_set_direct (session, prio_str); - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake (session); -@@ -692,15 +546,12 @@ test_sha (gnutls_session_t session) - } - - test_code_t --test_3des (gnutls_session_t session) -+test_arcfour (gnutls_session_t session) - { - int ret; -- ADD_CIPHER (session, GNUTLS_CIPHER_3DES_CBC); -- ADD_ALL_COMP (session); -- ADD_ALL_CERTTYPES (session); -- ADD_ALL_PROTOCOLS (session); -- ADD_ALL_MACS (session); -- ADD_ALL_KX (session); -+ -+ sprintf(prio_str, INIT_STR "+ARCFOUR-128:"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); -+ _gnutls_priority_set_direct (session, prio_str); - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake (session); -@@ -708,15 +559,13 @@ test_3des (gnutls_session_t session) - } - - test_code_t --test_arcfour (gnutls_session_t session) -+test_arcfour_40 (gnutls_session_t session) - { - int ret; -- ADD_CIPHER (session, GNUTLS_CIPHER_ARCFOUR_128); -- ADD_ALL_COMP (session); -- ADD_ALL_CERTTYPES (session); -- ADD_ALL_PROTOCOLS (session); -- ADD_ALL_MACS (session); -- ADD_ALL_KX (session); -+ -+ sprintf(prio_str, INIT_STR "+ARCFOUR-40:"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":""+RSA-EXPORT"":"REST, protocol_str); -+ _gnutls_priority_set_direct (session, prio_str); -+ - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake (session); -@@ -724,36 +573,36 @@ test_arcfour (gnutls_session_t session) - } - - test_code_t --test_arcfour_40 (gnutls_session_t session) -+test_tls1 (gnutls_session_t session) - { - int ret; -- ADD_CIPHER (session, GNUTLS_CIPHER_ARCFOUR_40); -- ADD_ALL_COMP (session); -- ADD_ALL_CERTTYPES (session); -- ADD_ALL_PROTOCOLS (session); -- ADD_ALL_MACS (session); -- ADD_ALL_KX (session); -+ -+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":+VERS-TLS1.0:"ALL_MACS":"ALL_KX":"REST); -+ _gnutls_priority_set_direct (session, prio_str); -+ - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake (session); -+ if (ret == TEST_SUCCEED) -+ tls1_ok = 1; -+ - return ret; -+ - } - - test_code_t --test_tls1 (gnutls_session_t session) -+test_tls1_2 (gnutls_session_t session) - { - int ret; -- ADD_ALL_CIPHERS (session); -- ADD_ALL_COMP (session); -- ADD_ALL_CERTTYPES (session); -- ADD_PROTOCOL (session, GNUTLS_TLS1); -- ADD_ALL_MACS (session); -- ADD_ALL_KX (session); -+ -+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":+VERS-TLS1.2:"ALL_MACS":"ALL_KX":"REST); -+ _gnutls_priority_set_direct (session, prio_str); -+ - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake (session); - if (ret == TEST_SUCCEED) -- tls1_ok = 1; -+ tls1_2_ok = 1; - - return ret; - -@@ -763,12 +612,10 @@ test_code_t - test_tls1_1 (gnutls_session_t session) - { - int ret; -- ADD_ALL_CIPHERS (session); -- ADD_ALL_COMP (session); -- ADD_ALL_CERTTYPES (session); -- ADD_PROTOCOL (session, GNUTLS_TLS1_1); -- ADD_ALL_MACS (session); -- ADD_ALL_KX (session); -+ -+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":+VERS-TLS1.1:"ALL_MACS":"ALL_KX":"REST); -+ _gnutls_priority_set_direct (session, prio_str); -+ - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake (session); -@@ -786,12 +633,9 @@ test_tls1_1_fallback (gnutls_session_t s - if (tls1_1_ok) - return TEST_IGNORE; - -- ADD_ALL_CIPHERS (session); -- ADD_ALL_COMP (session); -- ADD_ALL_CERTTYPES (session); -- ADD_PROTOCOL3 (session, GNUTLS_TLS1_1, GNUTLS_TLS1, GNUTLS_SSL3); -- ADD_ALL_MACS (session); -- ADD_ALL_KX (session); -+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0:"ALL_MACS":"ALL_KX":"REST); -+ _gnutls_priority_set_direct (session, prio_str); -+ - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake (session); -@@ -817,12 +661,9 @@ test_tls_disable (gnutls_session_t sessi - if (tls1_ok != 0) - return TEST_IGNORE; - -- ADD_ALL_CIPHERS (session); -- ADD_ALL_COMP (session); -- ADD_ALL_CERTTYPES (session); -- ADD_ALL_PROTOCOLS (session); -- ADD_ALL_MACS (session); -- ADD_ALL_KX (session); -+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); -+ _gnutls_priority_set_direct (session, prio_str); -+ - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake (session); -@@ -831,8 +672,7 @@ test_tls_disable (gnutls_session_t sessi - /* disable TLS 1.0 */ - if (ssl3_ok != 0) - { -- protocol_priority[0] = GNUTLS_SSL3; -- protocol_priority[1] = 0; -+ strcpy(protocol_str, "+VERS-SSL3.0"); - } - } - return ret; -@@ -849,12 +689,8 @@ test_rsa_pms (gnutls_session_t session) - * If the server is old, buggy and only supports - * SSL 3.0 then the handshake will fail. - */ -- ADD_ALL_CIPHERS (session); -- ADD_ALL_COMP (session); -- ADD_ALL_CERTTYPES (session); -- ADD_ALL_PROTOCOLS (session); -- ADD_ALL_MACS (session); -- ADD_KX (session, GNUTLS_KX_RSA); -+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":+RSA:"REST, protocol_str); -+ _gnutls_priority_set_direct (session, prio_str); - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - - ret = do_handshake (session); -@@ -870,12 +706,8 @@ test_code_t - test_max_record_size (gnutls_session_t session) - { - int ret; -- ADD_ALL_CIPHERS (session); -- ADD_ALL_COMP (session); -- ADD_ALL_CERTTYPES (session); -- ADD_ALL_PROTOCOLS (session); -- ADD_ALL_MACS (session); -- ADD_ALL_KX (session); -+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); -+ _gnutls_priority_set_direct (session, prio_str); - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - gnutls_record_set_max_size (session, 512); - -@@ -894,12 +726,9 @@ test_code_t - test_hello_extension (gnutls_session_t session) - { - int ret; -- ADD_ALL_CIPHERS (session); -- ADD_ALL_COMP (session); -- ADD_ALL_CERTTYPES (session); -- ADD_ALL_PROTOCOLS (session); -- ADD_ALL_MACS (session); -- ADD_ALL_KX (session); -+ -+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); -+ _gnutls_priority_set_direct (session, prio_str); - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - gnutls_record_set_max_size (session, 512); - -@@ -925,12 +754,8 @@ test_version_rollback (gnutls_session_t - * attacks which allow a version downgrade) and this - * connection will fail. - */ -- ADD_ALL_CIPHERS (session); -- ADD_ALL_COMP (session); -- ADD_ALL_CERTTYPES (session); -- ADD_ALL_PROTOCOLS (session); -- ADD_ALL_MACS (session); -- ADD_ALL_KX (session); -+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); -+ _gnutls_priority_set_direct (session, prio_str); - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - _gnutls_record_set_default_version (session, 3, 0); - -@@ -955,12 +780,8 @@ test_version_oob (gnutls_session_t sessi - /* here we enable both SSL 3.0 and TLS 1.0 - * and we connect using a 5.5 record version. - */ -- ADD_ALL_CIPHERS (session); -- ADD_ALL_COMP (session); -- ADD_ALL_CERTTYPES (session); -- ADD_ALL_PROTOCOLS (session); -- ADD_ALL_MACS (session); -- ADD_ALL_KX (session); -+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); -+ _gnutls_priority_set_direct (session, prio_str); - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - _gnutls_record_set_default_version (session, 5, 5); - -@@ -980,12 +801,8 @@ test_rsa_pms_version_check (gnutls_sessi - * - * A normal server would abort this handshake. - */ -- ADD_ALL_CIPHERS (session); -- ADD_ALL_COMP (session); -- ADD_ALL_CERTTYPES (session); -- ADD_ALL_PROTOCOLS (session); -- ADD_ALL_MACS (session); -- ADD_ALL_KX (session); -+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); -+ _gnutls_priority_set_direct (session, prio_str); - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - _gnutls_rsa_pms_set_version (session, 5, 5); /* use SSL 5.5 version */ - -@@ -1000,12 +817,8 @@ test_anonymous (gnutls_session_t session - { - int ret; - -- ADD_ALL_CIPHERS (session); -- ADD_ALL_COMP (session); -- ADD_ALL_CERTTYPES (session); -- ADD_ALL_PROTOCOLS (session); -- ADD_ALL_MACS (session); -- ADD_KX (session, GNUTLS_KX_ANON_DH); -+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":+ANON-DH:"REST, protocol_str); -+ _gnutls_priority_set_direct (session, prio_str); - gnutls_credentials_set (session, GNUTLS_CRD_ANON, anon_cred); - - ret = do_handshake (session); -@@ -1027,12 +840,8 @@ test_session_resume2 (gnutls_session_t s - if (session == NULL) - return TEST_IGNORE; - -- ADD_ALL_CIPHERS (session); -- ADD_ALL_COMP (session); -- ADD_ALL_CERTTYPES (session); -- ADD_ALL_PROTOCOLS (session); -- ADD_ALL_MACS (session); -- ADD_ALL_KX (session); -+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); -+ _gnutls_priority_set_direct (session, prio_str); - - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - gnutls_credentials_set (session, GNUTLS_CRD_ANON, anon_cred); -@@ -1074,12 +883,8 @@ test_certificate (gnutls_session_t sessi - if (verbose == 0) - return TEST_IGNORE; - -- ADD_ALL_CIPHERS (session); -- ADD_ALL_COMP (session); -- ADD_ALL_CERTTYPES (session); -- ADD_ALL_PROTOCOLS (session); -- ADD_ALL_MACS (session); -- ADD_ALL_KX (session); -+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); -+ _gnutls_priority_set_direct (session, prio_str); - - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - -@@ -1143,12 +948,8 @@ test_server_cas (gnutls_session_t sessio - if (verbose == 0) - return TEST_IGNORE; - -- ADD_ALL_CIPHERS (session); -- ADD_ALL_COMP (session); -- ADD_ALL_CERTTYPES (session); -- ADD_ALL_PROTOCOLS (session); -- ADD_ALL_MACS (session); -- ADD_ALL_KX (session); -+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); -+ _gnutls_priority_set_direct (session, prio_str); - - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); - gnutls_certificate_client_set_retrieve_function (xcred, cert_callback); -diff -up gnutls-2.8.6/src/tests.h.reneg gnutls-2.8.6/src/tests.h ---- gnutls-2.8.6/src/tests.h.reneg 2009-06-02 20:59:32.000000000 +0200 -+++ gnutls-2.8.6/src/tests.h 2010-05-31 22:52:31.000000000 +0200 -@@ -3,7 +3,6 @@ typedef enum - TEST_SUCCEED, TEST_FAILED, TEST_UNSURE, TEST_IGNORE - } test_code_t; - --test_code_t test_srp (gnutls_session_t state); - test_code_t test_server (gnutls_session_t state); - test_code_t test_export (gnutls_session_t state); - test_code_t test_export_info (gnutls_session_t state); -@@ -21,7 +20,10 @@ test_code_t test_3des (gnutls_session_t - test_code_t test_arcfour (gnutls_session_t state); - test_code_t test_arcfour_40 (gnutls_session_t state); - test_code_t test_tls1 (gnutls_session_t state); -+test_code_t test_safe_renegotiation (gnutls_session_t state); -+test_code_t test_safe_renegotiation_scsv (gnutls_session_t state); - test_code_t test_tls1_1 (gnutls_session_t state); -+test_code_t test_tls1_2 (gnutls_session_t state); - test_code_t test_tls1_1_fallback (gnutls_session_t state); - test_code_t test_tls_disable (gnutls_session_t state); - test_code_t test_rsa_pms (gnutls_session_t state); -@@ -37,6 +39,5 @@ test_code_t test_session_resume2 (gnutls - test_code_t test_rsa_pms_version_check (gnutls_session_t session); - test_code_t test_version_oob (gnutls_session_t session); - test_code_t test_zlib (gnutls_session_t session); --test_code_t test_lzo (gnutls_session_t session); - int _test_srp_username_callback (gnutls_session_t session, - char **username, char **password); -diff -up gnutls-2.8.6/src/tls_test.c.reneg gnutls-2.8.6/src/tls_test.c ---- gnutls-2.8.6/src/tls_test.c.reneg 2009-06-02 20:59:32.000000000 +0200 -+++ gnutls-2.8.6/src/tls_test.c 2010-05-31 22:52:31.000000000 +0200 -@@ -79,6 +79,9 @@ typedef struct - } TLS_TEST; - - static const TLS_TEST tls_tests[] = { -+ {"for Safe renegotiation support", test_safe_renegotiation, "yes", "no", "dunno"}, -+ {"for Safe renegotiation support (SCSV)", test_safe_renegotiation_scsv, "yes", "no", "dunno"}, -+ {"for TLS 1.2 support", test_tls1_2, "yes", "no", "dunno"}, - {"for TLS 1.1 support", test_tls1_1, "yes", "no", "dunno"}, - {"fallback from TLS 1.1 to", test_tls1_1_fallback, "TLS 1.0", "failed", - "SSL 3.0"}, -@@ -139,14 +142,8 @@ static const TLS_TEST tls_tests[] = { - {"for ZLIB compression support (TLS extension)", test_zlib, "yes", - "no", "dunno"}, - #endif -- {"for LZO compression support (GnuTLS extension)", test_lzo, "yes", -- "no", "dunno"}, - {"for max record size (TLS extension)", test_max_record_size, "yes", - "no", "dunno"}, --#ifdef ENABLE_SRP -- {"for SRP authentication support (TLS extension)", test_srp, "yes", -- "no", "dunno"}, --#endif - {"for OpenPGP authentication support (TLS extension)", test_openpgp1, - "yes", "no", "dunno"}, - {NULL, NULL, NULL, NULL, NULL} -@@ -233,7 +230,7 @@ main (int argc, char **argv) - - /* if neither of SSL3 and TLSv1 are supported, exit - */ -- if (i > 3 && tls1_1_ok == 0 && tls1_ok == 0 && ssl3_ok == 0) -+ if (i > 6 && tls1_1_ok == 0 && tls1_ok == 0 && ssl3_ok == 0) - { - fprintf (stderr, - "\nServer does not support any of SSL 3.0, TLS 1.0 and TLS 1.1\n"); -diff -up gnutls-2.8.6/tests/Makefile.in.reneg gnutls-2.8.6/tests/Makefile.in ---- gnutls-2.8.6/tests/Makefile.in.reneg 2010-03-15 11:29:22.000000000 +0100 -+++ gnutls-2.8.6/tests/Makefile.in 2010-05-31 22:52:31.000000000 +0200 -@@ -422,7 +422,7 @@ CTAGS = ctags - am__tty_colors = \ - red=; grn=; lgn=; blu=; std= - DIST_SUBDIRS = . rsa-md5-collision pkcs1-padding pkcs8-decode \ -- pkcs12-decode userid pathlen key-id sha2 openpgp-certs -+ pkcs12-decode userid pathlen key-id sha2 openpgp-certs safe-renegotiation - DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - am__relativize = \ - dir0=`pwd`; \ -@@ -972,7 +972,7 @@ top_build_prefix = @top_build_prefix@ - top_builddir = @top_builddir@ - top_srcdir = @top_srcdir@ - SUBDIRS = . rsa-md5-collision pkcs1-padding pkcs8-decode pkcs12-decode \ -- userid pathlen key-id sha2 $(am__append_1) -+ userid pathlen key-id sha2 safe-renegotiation $(am__append_1) - EXTRA_DIST = libgcrypt.supp hostname-check.README - AM_CFLAGS = $(WARN_CFLAGS) $(WERROR_CFLAGS) - AM_CPPFLAGS = -I$(top_srcdir)/gl -I$(top_builddir)/gl \ -diff -up gnutls-2.8.6/tests/resume.c.reneg gnutls-2.8.6/tests/resume.c ---- gnutls-2.8.6/tests/resume.c.reneg 2009-06-02 20:59:32.000000000 +0200 -+++ gnutls-2.8.6/tests/resume.c 2010-05-31 22:52:31.000000000 +0200 -@@ -47,6 +47,8 @@ static int wrap_db_store (void *dbf, gnu - static gnutls_datum_t wrap_db_fetch (void *dbf, gnutls_datum_t key); - static int wrap_db_delete (void *dbf, gnutls_datum_t key); - -+pid_t child; -+ - #define TLS_SESSION_CACHE 50 - - /* A very basic TLS client, with anonymous authentication. -@@ -56,6 +58,12 @@ static int wrap_db_delete (void *dbf, gn - #define MSG "Hello TLS" - - static void -+tls_log_func (int level, const char *str) -+{ -+ fprintf (stderr, "%s |<%d>| %s", child ? "server" : "client", level, str); -+} -+ -+static void - client (void) - { - int ret, sd, ii; -@@ -70,6 +78,11 @@ client (void) - int t; - gnutls_datum session_data; - -+ if (debug) -+ { -+ gnutls_global_set_log_function (tls_log_func); -+ gnutls_global_set_log_level (2); -+ } - gnutls_global_init (); - - gnutls_anon_allocate_client_credentials (&anoncred); -@@ -298,8 +311,13 @@ server (void) - - /* this must be called once in the program, it is mostly for the server. - */ -- gnutls_global_init (); -+ if (debug) -+ { -+ gnutls_global_set_log_function (tls_log_func); -+ gnutls_global_set_log_level (2); -+ } - -+ gnutls_global_init (); - gnutls_anon_allocate_server_credentials (&anoncred); - - success ("Launched, generating DH parameters...\n"); -@@ -385,8 +403,6 @@ server (void) - void - doit (void) - { -- pid_t child; -- - global_start (); - if (error_count) - return; -diff -up gnutls-2.8.6/tests/safe-renegotiation/Makefile.am.reneg gnutls-2.8.6/tests/safe-renegotiation/Makefile.am ---- gnutls-2.8.6/tests/safe-renegotiation/Makefile.am.reneg 2010-05-31 22:52:31.000000000 +0200 -+++ gnutls-2.8.6/tests/safe-renegotiation/Makefile.am 2010-05-31 22:52:31.000000000 +0200 -@@ -0,0 +1,24 @@ -+## Process this file with automake to produce Makefile.in -+# Copyright (C) 2010 Free Software Foundation -+# -+# This file is part of GNUTLS. -+# -+# This file is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License as published by -+# the Free Software Foundation; either version 3 of the License, or -+# (at your option) any later version. -+# -+# This file is distributed in the hope that it will be useful, but -+# WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+# General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this file; if not, write to the Free Software Foundation, -+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -+ -+EXTRA_DIST = params.dh -+ -+dist_check_SCRIPTS = testsrn -+TESTS = testsrn -+ -diff -up gnutls-2.8.6/tests/safe-renegotiation/Makefile.in.reneg gnutls-2.8.6/tests/safe-renegotiation/Makefile.in ---- gnutls-2.8.6/tests/safe-renegotiation/Makefile.in.reneg 2010-05-31 22:52:31.000000000 +0200 -+++ gnutls-2.8.6/tests/safe-renegotiation/Makefile.in 2010-05-31 22:52:31.000000000 +0200 -@@ -0,0 +1,937 @@ -+# Makefile.in generated by automake 1.11.1 from Makefile.am. -+# @configure_input@ -+ -+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -+# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, -+# Inc. -+# This Makefile.in is free software; the Free Software Foundation -+# gives unlimited permission to copy and/or distribute it, -+# with or without modifications, as long as this notice is preserved. -+ -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -+# PARTICULAR PURPOSE. -+ -+@SET_MAKE@ -+ -+# Copyright (C) 2006, 2008 Free Software Foundation -+# -+# Author: Simon Josefsson -+# -+# This file is part of GNUTLS. -+# -+# This file is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License as published by -+# the Free Software Foundation; either version 3 of the License, or -+# (at your option) any later version. -+# -+# This file is distributed in the hope that it will be useful, but -+# WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+# General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this file; if not, write to the Free Software Foundation, -+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -+VPATH = @srcdir@ -+pkgdatadir = $(datadir)/@PACKAGE@ -+pkgincludedir = $(includedir)/@PACKAGE@ -+pkglibdir = $(libdir)/@PACKAGE@ -+pkglibexecdir = $(libexecdir)/@PACKAGE@ -+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -+install_sh_DATA = $(install_sh) -c -m 644 -+install_sh_PROGRAM = $(install_sh) -c -+install_sh_SCRIPT = $(install_sh) -c -+INSTALL_HEADER = $(INSTALL_DATA) -+transform = $(program_transform_name) -+NORMAL_INSTALL = : -+PRE_INSTALL = : -+POST_INSTALL = : -+NORMAL_UNINSTALL = : -+PRE_UNINSTALL = : -+POST_UNINSTALL = : -+build_triplet = @build@ -+host_triplet = @host@ -+subdir = tests/safe-renegotiation -+DIST_COMMON = $(dist_check_SCRIPTS) $(srcdir)/Makefile.am \ -+ $(srcdir)/Makefile.in -+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -+am__aclocal_m4_deps = $(top_srcdir)/libextra/m4/hooks.m4 \ -+ $(top_srcdir)/lib/m4/hooks.m4 $(top_srcdir)/lib/gl/m4/po.m4 \ -+ $(top_srcdir)/gl/m4/00gnulib.m4 $(top_srcdir)/gl/m4/alloca.m4 \ -+ $(top_srcdir)/gl/m4/arpa_inet_h.m4 \ -+ $(top_srcdir)/gl/m4/autobuild.m4 $(top_srcdir)/gl/m4/close.m4 \ -+ $(top_srcdir)/gl/m4/errno_h.m4 $(top_srcdir)/gl/m4/error.m4 \ -+ $(top_srcdir)/gl/m4/extensions.m4 \ -+ $(top_srcdir)/gl/m4/fclose.m4 $(top_srcdir)/gl/m4/float_h.m4 \ -+ $(top_srcdir)/gl/m4/fseeko.m4 \ -+ $(top_srcdir)/gl/m4/getaddrinfo.m4 \ -+ $(top_srcdir)/gl/m4/getdelim.m4 $(top_srcdir)/gl/m4/getline.m4 \ -+ $(top_srcdir)/gl/m4/getpass.m4 \ -+ $(top_srcdir)/gl/m4/gettimeofday.m4 \ -+ $(top_srcdir)/gl/m4/gnulib-common.m4 \ -+ $(top_srcdir)/gl/m4/gnulib-comp.m4 \ -+ $(top_srcdir)/gl/m4/hostent.m4 \ -+ $(top_srcdir)/gl/m4/include_next.m4 \ -+ $(top_srcdir)/gl/m4/inet_ntop.m4 \ -+ $(top_srcdir)/gl/m4/inet_pton.m4 \ -+ $(top_srcdir)/gl/m4/intmax_t.m4 \ -+ $(top_srcdir)/gl/m4/inttypes_h.m4 \ -+ $(top_srcdir)/gl/m4/lib-ld.m4 $(top_srcdir)/gl/m4/lib-link.m4 \ -+ $(top_srcdir)/gl/m4/lib-prefix.m4 \ -+ $(top_srcdir)/gl/m4/longlong.m4 $(top_srcdir)/gl/m4/lseek.m4 \ -+ $(top_srcdir)/gl/m4/malloc.m4 \ -+ $(top_srcdir)/gl/m4/manywarnings.m4 \ -+ $(top_srcdir)/gl/m4/minmax.m4 $(top_srcdir)/gl/m4/multiarch.m4 \ -+ $(top_srcdir)/gl/m4/netdb_h.m4 \ -+ $(top_srcdir)/gl/m4/netinet_in_h.m4 \ -+ $(top_srcdir)/gl/m4/onceonly_2_57.m4 \ -+ $(top_srcdir)/gl/m4/perror.m4 \ -+ $(top_srcdir)/gl/m4/pmccabe2html.m4 \ -+ $(top_srcdir)/gl/m4/printf.m4 $(top_srcdir)/gl/m4/read-file.m4 \ -+ $(top_srcdir)/gl/m4/readline.m4 $(top_srcdir)/gl/m4/realloc.m4 \ -+ $(top_srcdir)/gl/m4/select.m4 $(top_srcdir)/gl/m4/servent.m4 \ -+ $(top_srcdir)/gl/m4/size_max.m4 \ -+ $(top_srcdir)/gl/m4/snprintf.m4 $(top_srcdir)/gl/m4/sockets.m4 \ -+ $(top_srcdir)/gl/m4/socklen.m4 $(top_srcdir)/gl/m4/sockpfaf.m4 \ -+ $(top_srcdir)/gl/m4/stdarg.m4 $(top_srcdir)/gl/m4/stdbool.m4 \ -+ $(top_srcdir)/gl/m4/stdint.m4 $(top_srcdir)/gl/m4/stdint_h.m4 \ -+ $(top_srcdir)/gl/m4/stdio_h.m4 $(top_srcdir)/gl/m4/stdlib_h.m4 \ -+ $(top_srcdir)/gl/m4/strerror.m4 \ -+ $(top_srcdir)/gl/m4/string_h.m4 \ -+ $(top_srcdir)/gl/m4/sys_ioctl_h.m4 \ -+ $(top_srcdir)/gl/m4/sys_select_h.m4 \ -+ $(top_srcdir)/gl/m4/sys_socket_h.m4 \ -+ $(top_srcdir)/gl/m4/sys_stat_h.m4 \ -+ $(top_srcdir)/gl/m4/sys_time_h.m4 \ -+ $(top_srcdir)/gl/m4/ungetc.m4 $(top_srcdir)/gl/m4/unistd_h.m4 \ -+ $(top_srcdir)/gl/m4/vasnprintf.m4 \ -+ $(top_srcdir)/gl/m4/warnings.m4 $(top_srcdir)/gl/m4/wchar.m4 \ -+ $(top_srcdir)/gl/m4/wchar_t.m4 $(top_srcdir)/gl/m4/wint_t.m4 \ -+ $(top_srcdir)/gl/m4/xsize.m4 $(top_srcdir)/m4/gtk-doc.m4 \ -+ $(top_srcdir)/m4/guile.m4 $(top_srcdir)/m4/libtool.m4 \ -+ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ -+ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ -+ $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/m4/valgrind.m4 \ -+ $(top_srcdir)/configure.ac -+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ -+ $(ACLOCAL_M4) -+mkinstalldirs = $(install_sh) -d -+CONFIG_HEADER = $(top_builddir)/config.h -+CONFIG_CLEAN_FILES = -+CONFIG_CLEAN_VPATH_FILES = -+SOURCES = -+DIST_SOURCES = -+am__tty_colors = \ -+red=; grn=; lgn=; blu=; std= -+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -+ACLOCAL = @ACLOCAL@ -+ALLOCA = @ALLOCA@ -+ALLOCA_H = @ALLOCA_H@ -+AMTAR = @AMTAR@ -+APPLE_UNIVERSAL_BUILD = @APPLE_UNIVERSAL_BUILD@ -+AR = @AR@ -+ARPA_INET_H = @ARPA_INET_H@ -+AS = @AS@ -+AUTOCONF = @AUTOCONF@ -+AUTOHEADER = @AUTOHEADER@ -+AUTOMAKE = @AUTOMAKE@ -+AWK = @AWK@ -+BITSIZEOF_PTRDIFF_T = @BITSIZEOF_PTRDIFF_T@ -+BITSIZEOF_SIG_ATOMIC_T = @BITSIZEOF_SIG_ATOMIC_T@ -+BITSIZEOF_SIZE_T = @BITSIZEOF_SIZE_T@ -+BITSIZEOF_WCHAR_T = @BITSIZEOF_WCHAR_T@ -+BITSIZEOF_WINT_T = @BITSIZEOF_WINT_T@ -+CC = @CC@ -+CCDEPMODE = @CCDEPMODE@ -+CFLAGS = @CFLAGS@ -+CPP = @CPP@ -+CPPFLAGS = @CPPFLAGS@ -+CXX = @CXX@ -+CXXCPP = @CXXCPP@ -+CXXDEPMODE = @CXXDEPMODE@ -+CXXFLAGS = @CXXFLAGS@ -+CYGPATH_W = @CYGPATH_W@ -+DEFS = @DEFS@ -+DEPDIR = @DEPDIR@ -+DLLTOOL = @DLLTOOL@ -+DLL_VERSION = @DLL_VERSION@ -+DSYMUTIL = @DSYMUTIL@ -+DUMPBIN = @DUMPBIN@ -+ECHO_C = @ECHO_C@ -+ECHO_N = @ECHO_N@ -+ECHO_T = @ECHO_T@ -+EGREP = @EGREP@ -+EMULTIHOP_HIDDEN = @EMULTIHOP_HIDDEN@ -+EMULTIHOP_VALUE = @EMULTIHOP_VALUE@ -+ENOLINK_HIDDEN = @ENOLINK_HIDDEN@ -+ENOLINK_VALUE = @ENOLINK_VALUE@ -+EOVERFLOW_HIDDEN = @EOVERFLOW_HIDDEN@ -+EOVERFLOW_VALUE = @EOVERFLOW_VALUE@ -+ERRNO_H = @ERRNO_H@ -+EXEEXT = @EXEEXT@ -+FGREP = @FGREP@ -+FLOAT_H = @FLOAT_H@ -+GAA = @GAA@ -+GETADDRINFO_LIB = @GETADDRINFO_LIB@ -+GNULIB_ACCEPT = @GNULIB_ACCEPT@ -+GNULIB_ATOLL = @GNULIB_ATOLL@ -+GNULIB_BIND = @GNULIB_BIND@ -+GNULIB_BTOWC = @GNULIB_BTOWC@ -+GNULIB_CALLOC_POSIX = @GNULIB_CALLOC_POSIX@ -+GNULIB_CHOWN = @GNULIB_CHOWN@ -+GNULIB_CLOSE = @GNULIB_CLOSE@ -+GNULIB_CONNECT = @GNULIB_CONNECT@ -+GNULIB_DPRINTF = @GNULIB_DPRINTF@ -+GNULIB_DUP2 = @GNULIB_DUP2@ -+GNULIB_ENVIRON = @GNULIB_ENVIRON@ -+GNULIB_EUIDACCESS = @GNULIB_EUIDACCESS@ -+GNULIB_FCHDIR = @GNULIB_FCHDIR@ -+GNULIB_FCLOSE = @GNULIB_FCLOSE@ -+GNULIB_FFLUSH = @GNULIB_FFLUSH@ -+GNULIB_FOPEN = @GNULIB_FOPEN@ -+GNULIB_FPRINTF = @GNULIB_FPRINTF@ -+GNULIB_FPRINTF_POSIX = @GNULIB_FPRINTF_POSIX@ -+GNULIB_FPUTC = @GNULIB_FPUTC@ -+GNULIB_FPUTS = @GNULIB_FPUTS@ -+GNULIB_FREOPEN = @GNULIB_FREOPEN@ -+GNULIB_FSEEK = @GNULIB_FSEEK@ -+GNULIB_FSEEKO = @GNULIB_FSEEKO@ -+GNULIB_FSYNC = @GNULIB_FSYNC@ -+GNULIB_FTELL = @GNULIB_FTELL@ -+GNULIB_FTELLO = @GNULIB_FTELLO@ -+GNULIB_FTRUNCATE = @GNULIB_FTRUNCATE@ -+GNULIB_FWRITE = @GNULIB_FWRITE@ -+GNULIB_GETADDRINFO = @GNULIB_GETADDRINFO@ -+GNULIB_GETCWD = @GNULIB_GETCWD@ -+GNULIB_GETDELIM = @GNULIB_GETDELIM@ -+GNULIB_GETDOMAINNAME = @GNULIB_GETDOMAINNAME@ -+GNULIB_GETDTABLESIZE = @GNULIB_GETDTABLESIZE@ -+GNULIB_GETHOSTNAME = @GNULIB_GETHOSTNAME@ -+GNULIB_GETLINE = @GNULIB_GETLINE@ -+GNULIB_GETLOADAVG = @GNULIB_GETLOADAVG@ -+GNULIB_GETLOGIN_R = @GNULIB_GETLOGIN_R@ -+GNULIB_GETPAGESIZE = @GNULIB_GETPAGESIZE@ -+GNULIB_GETPEERNAME = @GNULIB_GETPEERNAME@ -+GNULIB_GETSOCKNAME = @GNULIB_GETSOCKNAME@ -+GNULIB_GETSOCKOPT = @GNULIB_GETSOCKOPT@ -+GNULIB_GETSUBOPT = @GNULIB_GETSUBOPT@ -+GNULIB_GETUSERSHELL = @GNULIB_GETUSERSHELL@ -+GNULIB_INET_NTOP = @GNULIB_INET_NTOP@ -+GNULIB_INET_PTON = @GNULIB_INET_PTON@ -+GNULIB_IOCTL = @GNULIB_IOCTL@ -+GNULIB_LCHMOD = @GNULIB_LCHMOD@ -+GNULIB_LCHOWN = @GNULIB_LCHOWN@ -+GNULIB_LINK = @GNULIB_LINK@ -+GNULIB_LISTEN = @GNULIB_LISTEN@ -+GNULIB_LSEEK = @GNULIB_LSEEK@ -+GNULIB_LSTAT = @GNULIB_LSTAT@ -+GNULIB_MALLOC_POSIX = @GNULIB_MALLOC_POSIX@ -+GNULIB_MBRLEN = @GNULIB_MBRLEN@ -+GNULIB_MBRTOWC = @GNULIB_MBRTOWC@ -+GNULIB_MBSCASECMP = @GNULIB_MBSCASECMP@ -+GNULIB_MBSCASESTR = @GNULIB_MBSCASESTR@ -+GNULIB_MBSCHR = @GNULIB_MBSCHR@ -+GNULIB_MBSCSPN = @GNULIB_MBSCSPN@ -+GNULIB_MBSINIT = @GNULIB_MBSINIT@ -+GNULIB_MBSLEN = @GNULIB_MBSLEN@ -+GNULIB_MBSNCASECMP = @GNULIB_MBSNCASECMP@ -+GNULIB_MBSNLEN = @GNULIB_MBSNLEN@ -+GNULIB_MBSNRTOWCS = @GNULIB_MBSNRTOWCS@ -+GNULIB_MBSPBRK = @GNULIB_MBSPBRK@ -+GNULIB_MBSPCASECMP = @GNULIB_MBSPCASECMP@ -+GNULIB_MBSRCHR = @GNULIB_MBSRCHR@ -+GNULIB_MBSRTOWCS = @GNULIB_MBSRTOWCS@ -+GNULIB_MBSSEP = @GNULIB_MBSSEP@ -+GNULIB_MBSSPN = @GNULIB_MBSSPN@ -+GNULIB_MBSSTR = @GNULIB_MBSSTR@ -+GNULIB_MBSTOK_R = @GNULIB_MBSTOK_R@ -+GNULIB_MEMMEM = @GNULIB_MEMMEM@ -+GNULIB_MEMPCPY = @GNULIB_MEMPCPY@ -+GNULIB_MEMRCHR = @GNULIB_MEMRCHR@ -+GNULIB_MKDTEMP = @GNULIB_MKDTEMP@ -+GNULIB_MKSTEMP = @GNULIB_MKSTEMP@ -+GNULIB_OBSTACK_PRINTF = @GNULIB_OBSTACK_PRINTF@ -+GNULIB_OBSTACK_PRINTF_POSIX = @GNULIB_OBSTACK_PRINTF_POSIX@ -+GNULIB_PERROR = @GNULIB_PERROR@ -+GNULIB_PRINTF = @GNULIB_PRINTF@ -+GNULIB_PRINTF_POSIX = @GNULIB_PRINTF_POSIX@ -+GNULIB_PUTC = @GNULIB_PUTC@ -+GNULIB_PUTCHAR = @GNULIB_PUTCHAR@ -+GNULIB_PUTENV = @GNULIB_PUTENV@ -+GNULIB_PUTS = @GNULIB_PUTS@ -+GNULIB_RANDOM_R = @GNULIB_RANDOM_R@ -+GNULIB_RAWMEMCHR = @GNULIB_RAWMEMCHR@ -+GNULIB_READLINK = @GNULIB_READLINK@ -+GNULIB_REALLOC_POSIX = @GNULIB_REALLOC_POSIX@ -+GNULIB_RECV = @GNULIB_RECV@ -+GNULIB_RECVFROM = @GNULIB_RECVFROM@ -+GNULIB_RPMATCH = @GNULIB_RPMATCH@ -+GNULIB_SELECT = @GNULIB_SELECT@ -+GNULIB_SEND = @GNULIB_SEND@ -+GNULIB_SENDTO = @GNULIB_SENDTO@ -+GNULIB_SETENV = @GNULIB_SETENV@ -+GNULIB_SETSOCKOPT = @GNULIB_SETSOCKOPT@ -+GNULIB_SHUTDOWN = @GNULIB_SHUTDOWN@ -+GNULIB_SLEEP = @GNULIB_SLEEP@ -+GNULIB_SNPRINTF = @GNULIB_SNPRINTF@ -+GNULIB_SOCKET = @GNULIB_SOCKET@ -+GNULIB_SPRINTF_POSIX = @GNULIB_SPRINTF_POSIX@ -+GNULIB_STDIO_H_SIGPIPE = @GNULIB_STDIO_H_SIGPIPE@ -+GNULIB_STPCPY = @GNULIB_STPCPY@ -+GNULIB_STPNCPY = @GNULIB_STPNCPY@ -+GNULIB_STRCASESTR = @GNULIB_STRCASESTR@ -+GNULIB_STRCHRNUL = @GNULIB_STRCHRNUL@ -+GNULIB_STRDUP = @GNULIB_STRDUP@ -+GNULIB_STRERROR = @GNULIB_STRERROR@ -+GNULIB_STRNDUP = @GNULIB_STRNDUP@ -+GNULIB_STRNLEN = @GNULIB_STRNLEN@ -+GNULIB_STRPBRK = @GNULIB_STRPBRK@ -+GNULIB_STRSEP = @GNULIB_STRSEP@ -+GNULIB_STRSIGNAL = @GNULIB_STRSIGNAL@ -+GNULIB_STRSTR = @GNULIB_STRSTR@ -+GNULIB_STRTOD = @GNULIB_STRTOD@ -+GNULIB_STRTOK_R = @GNULIB_STRTOK_R@ -+GNULIB_STRTOLL = @GNULIB_STRTOLL@ -+GNULIB_STRTOULL = @GNULIB_STRTOULL@ -+GNULIB_STRVERSCMP = @GNULIB_STRVERSCMP@ -+GNULIB_UNISTD_H_SIGPIPE = @GNULIB_UNISTD_H_SIGPIPE@ -+GNULIB_UNSETENV = @GNULIB_UNSETENV@ -+GNULIB_VASPRINTF = @GNULIB_VASPRINTF@ -+GNULIB_VDPRINTF = @GNULIB_VDPRINTF@ -+GNULIB_VFPRINTF = @GNULIB_VFPRINTF@ -+GNULIB_VFPRINTF_POSIX = @GNULIB_VFPRINTF_POSIX@ -+GNULIB_VPRINTF = @GNULIB_VPRINTF@ -+GNULIB_VPRINTF_POSIX = @GNULIB_VPRINTF_POSIX@ -+GNULIB_VSNPRINTF = @GNULIB_VSNPRINTF@ -+GNULIB_VSPRINTF_POSIX = @GNULIB_VSPRINTF_POSIX@ -+GNULIB_WCRTOMB = @GNULIB_WCRTOMB@ -+GNULIB_WCSNRTOMBS = @GNULIB_WCSNRTOMBS@ -+GNULIB_WCSRTOMBS = @GNULIB_WCSRTOMBS@ -+GNULIB_WCTOB = @GNULIB_WCTOB@ -+GNULIB_WCWIDTH = @GNULIB_WCWIDTH@ -+GNULIB_WRITE = @GNULIB_WRITE@ -+GREP = @GREP@ -+GTKDOC_CHECK = @GTKDOC_CHECK@ -+GTKDOC_MKPDF = @GTKDOC_MKPDF@ -+GTKDOC_REBASE = @GTKDOC_REBASE@ -+GUILE = @GUILE@ -+GUILE_CFLAGS = @GUILE_CFLAGS@ -+GUILE_CONFIG = @GUILE_CONFIG@ -+GUILE_LDFLAGS = @GUILE_LDFLAGS@ -+GUILE_SITE = @GUILE_SITE@ -+GUILE_TOOLS = @GUILE_TOOLS@ -+HAVE_ARPA_INET_H = @HAVE_ARPA_INET_H@ -+HAVE_ATOLL = @HAVE_ATOLL@ -+HAVE_BTOWC = @HAVE_BTOWC@ -+HAVE_CALLOC_POSIX = @HAVE_CALLOC_POSIX@ -+HAVE_DECL_ENVIRON = @HAVE_DECL_ENVIRON@ -+HAVE_DECL_FREEADDRINFO = @HAVE_DECL_FREEADDRINFO@ -+HAVE_DECL_GAI_STRERROR = @HAVE_DECL_GAI_STRERROR@ -+HAVE_DECL_GETADDRINFO = @HAVE_DECL_GETADDRINFO@ -+HAVE_DECL_GETDELIM = @HAVE_DECL_GETDELIM@ -+HAVE_DECL_GETLINE = @HAVE_DECL_GETLINE@ -+HAVE_DECL_GETLOADAVG = @HAVE_DECL_GETLOADAVG@ -+HAVE_DECL_GETLOGIN_R = @HAVE_DECL_GETLOGIN_R@ -+HAVE_DECL_GETNAMEINFO = @HAVE_DECL_GETNAMEINFO@ -+HAVE_DECL_INET_NTOP = @HAVE_DECL_INET_NTOP@ -+HAVE_DECL_INET_PTON = @HAVE_DECL_INET_PTON@ -+HAVE_DECL_MEMMEM = @HAVE_DECL_MEMMEM@ -+HAVE_DECL_MEMRCHR = @HAVE_DECL_MEMRCHR@ -+HAVE_DECL_OBSTACK_PRINTF = @HAVE_DECL_OBSTACK_PRINTF@ -+HAVE_DECL_SNPRINTF = @HAVE_DECL_SNPRINTF@ -+HAVE_DECL_STRDUP = @HAVE_DECL_STRDUP@ -+HAVE_DECL_STRERROR = @HAVE_DECL_STRERROR@ -+HAVE_DECL_STRNDUP = @HAVE_DECL_STRNDUP@ -+HAVE_DECL_STRNLEN = @HAVE_DECL_STRNLEN@ -+HAVE_DECL_STRSIGNAL = @HAVE_DECL_STRSIGNAL@ -+HAVE_DECL_STRTOK_R = @HAVE_DECL_STRTOK_R@ -+HAVE_DECL_VSNPRINTF = @HAVE_DECL_VSNPRINTF@ -+HAVE_DECL_WCTOB = @HAVE_DECL_WCTOB@ -+HAVE_DECL_WCWIDTH = @HAVE_DECL_WCWIDTH@ -+HAVE_DPRINTF = @HAVE_DPRINTF@ -+HAVE_DUP2 = @HAVE_DUP2@ -+HAVE_EUIDACCESS = @HAVE_EUIDACCESS@ -+HAVE_FSEEKO = @HAVE_FSEEKO@ -+HAVE_FSYNC = @HAVE_FSYNC@ -+HAVE_FTELLO = @HAVE_FTELLO@ -+HAVE_FTRUNCATE = @HAVE_FTRUNCATE@ -+HAVE_GETDOMAINNAME = @HAVE_GETDOMAINNAME@ -+HAVE_GETDTABLESIZE = @HAVE_GETDTABLESIZE@ -+HAVE_GETHOSTNAME = @HAVE_GETHOSTNAME@ -+HAVE_GETPAGESIZE = @HAVE_GETPAGESIZE@ -+HAVE_GETSUBOPT = @HAVE_GETSUBOPT@ -+HAVE_GETUSERSHELL = @HAVE_GETUSERSHELL@ -+HAVE_INTTYPES_H = @HAVE_INTTYPES_H@ -+HAVE_LCHMOD = @HAVE_LCHMOD@ -+HAVE_LIBGCRYPT = @HAVE_LIBGCRYPT@ -+HAVE_LIBTASN1 = @HAVE_LIBTASN1@ -+HAVE_LINK = @HAVE_LINK@ -+HAVE_LONG_LONG_INT = @HAVE_LONG_LONG_INT@ -+HAVE_LSTAT = @HAVE_LSTAT@ -+HAVE_MALLOC_POSIX = @HAVE_MALLOC_POSIX@ -+HAVE_MBRLEN = @HAVE_MBRLEN@ -+HAVE_MBRTOWC = @HAVE_MBRTOWC@ -+HAVE_MBSINIT = @HAVE_MBSINIT@ -+HAVE_MBSNRTOWCS = @HAVE_MBSNRTOWCS@ -+HAVE_MBSRTOWCS = @HAVE_MBSRTOWCS@ -+HAVE_MEMPCPY = @HAVE_MEMPCPY@ -+HAVE_MKDTEMP = @HAVE_MKDTEMP@ -+HAVE_NETDB_H = @HAVE_NETDB_H@ -+HAVE_NETINET_IN_H = @HAVE_NETINET_IN_H@ -+HAVE_OS_H = @HAVE_OS_H@ -+HAVE_RANDOM_H = @HAVE_RANDOM_H@ -+HAVE_RANDOM_R = @HAVE_RANDOM_R@ -+HAVE_RAWMEMCHR = @HAVE_RAWMEMCHR@ -+HAVE_READLINK = @HAVE_READLINK@ -+HAVE_REALLOC_POSIX = @HAVE_REALLOC_POSIX@ -+HAVE_RPMATCH = @HAVE_RPMATCH@ -+HAVE_SA_FAMILY_T = @HAVE_SA_FAMILY_T@ -+HAVE_SETENV = @HAVE_SETENV@ -+HAVE_SIGNED_SIG_ATOMIC_T = @HAVE_SIGNED_SIG_ATOMIC_T@ -+HAVE_SIGNED_WCHAR_T = @HAVE_SIGNED_WCHAR_T@ -+HAVE_SIGNED_WINT_T = @HAVE_SIGNED_WINT_T@ -+HAVE_SLEEP = @HAVE_SLEEP@ -+HAVE_STDINT_H = @HAVE_STDINT_H@ -+HAVE_STPCPY = @HAVE_STPCPY@ -+HAVE_STPNCPY = @HAVE_STPNCPY@ -+HAVE_STRCASESTR = @HAVE_STRCASESTR@ -+HAVE_STRCHRNUL = @HAVE_STRCHRNUL@ -+HAVE_STRNDUP = @HAVE_STRNDUP@ -+HAVE_STRPBRK = @HAVE_STRPBRK@ -+HAVE_STRSEP = @HAVE_STRSEP@ -+HAVE_STRTOD = @HAVE_STRTOD@ -+HAVE_STRTOLL = @HAVE_STRTOLL@ -+HAVE_STRTOULL = @HAVE_STRTOULL@ -+HAVE_STRUCT_ADDRINFO = @HAVE_STRUCT_ADDRINFO@ -+HAVE_STRUCT_RANDOM_DATA = @HAVE_STRUCT_RANDOM_DATA@ -+HAVE_STRUCT_SOCKADDR_STORAGE = @HAVE_STRUCT_SOCKADDR_STORAGE@ -+HAVE_STRUCT_TIMEVAL = @HAVE_STRUCT_TIMEVAL@ -+HAVE_STRVERSCMP = @HAVE_STRVERSCMP@ -+HAVE_SYS_BITYPES_H = @HAVE_SYS_BITYPES_H@ -+HAVE_SYS_INTTYPES_H = @HAVE_SYS_INTTYPES_H@ -+HAVE_SYS_IOCTL_H = @HAVE_SYS_IOCTL_H@ -+HAVE_SYS_LOADAVG_H = @HAVE_SYS_LOADAVG_H@ -+HAVE_SYS_PARAM_H = @HAVE_SYS_PARAM_H@ -+HAVE_SYS_SELECT_H = @HAVE_SYS_SELECT_H@ -+HAVE_SYS_SOCKET_H = @HAVE_SYS_SOCKET_H@ -+HAVE_SYS_TIME_H = @HAVE_SYS_TIME_H@ -+HAVE_SYS_TYPES_H = @HAVE_SYS_TYPES_H@ -+HAVE_UNISTD_H = @HAVE_UNISTD_H@ -+HAVE_UNSETENV = @HAVE_UNSETENV@ -+HAVE_UNSIGNED_LONG_LONG_INT = @HAVE_UNSIGNED_LONG_LONG_INT@ -+HAVE_VASPRINTF = @HAVE_VASPRINTF@ -+HAVE_VDPRINTF = @HAVE_VDPRINTF@ -+HAVE_WCHAR_H = @HAVE_WCHAR_H@ -+HAVE_WCRTOMB = @HAVE_WCRTOMB@ -+HAVE_WCSNRTOMBS = @HAVE_WCSNRTOMBS@ -+HAVE_WCSRTOMBS = @HAVE_WCSRTOMBS@ -+HAVE_WINSOCK2_H = @HAVE_WINSOCK2_H@ -+HAVE_WINT_T = @HAVE_WINT_T@ -+HAVE_WS2TCPIP_H = @HAVE_WS2TCPIP_H@ -+HAVE__BOOL = @HAVE__BOOL@ -+HOSTENT_LIB = @HOSTENT_LIB@ -+HTML_DIR = @HTML_DIR@ -+INCLUDE_NEXT = @INCLUDE_NEXT@ -+INCLUDE_NEXT_AS_FIRST_DIRECTIVE = @INCLUDE_NEXT_AS_FIRST_DIRECTIVE@ -+INET_NTOP_LIB = @INET_NTOP_LIB@ -+INET_PTON_LIB = @INET_PTON_LIB@ -+INSTALL = @INSTALL@ -+INSTALL_DATA = @INSTALL_DATA@ -+INSTALL_PROGRAM = @INSTALL_PROGRAM@ -+INSTALL_SCRIPT = @INSTALL_SCRIPT@ -+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -+LD = @LD@ -+LDFLAGS = @LDFLAGS@ -+LIBGCRYPT = @LIBGCRYPT@ -+LIBGCRYPT_PREFIX = @LIBGCRYPT_PREFIX@ -+LIBINTL = @LIBINTL@ -+LIBOBJS = @LIBOBJS@ -+LIBREADLINE = @LIBREADLINE@ -+LIBS = @LIBS@ -+LIBSOCKET = @LIBSOCKET@ -+LIBTASN1 = @LIBTASN1@ -+LIBTASN1_PREFIX = @LIBTASN1_PREFIX@ -+LIBTESTS_LIBDEPS = @LIBTESTS_LIBDEPS@ -+LIBTOOL = @LIBTOOL@ -+LIPO = @LIPO@ -+LN_S = @LN_S@ -+LTALLOCA = @LTALLOCA@ -+LTLIBGCRYPT = @LTLIBGCRYPT@ -+LTLIBINTL = @LTLIBINTL@ -+LTLIBOBJS = @LTLIBOBJS@ -+LTLIBREADLINE = @LTLIBREADLINE@ -+LTLIBTASN1 = @LTLIBTASN1@ -+LT_AGE = @LT_AGE@ -+LT_CURRENT = @LT_CURRENT@ -+LT_REVISION = @LT_REVISION@ -+LZO_LIBS = @LZO_LIBS@ -+MAKEINFO = @MAKEINFO@ -+MKDIR_P = @MKDIR_P@ -+NETDB_H = @NETDB_H@ -+NETINET_IN_H = @NETINET_IN_H@ -+NEXT_ARPA_INET_H = @NEXT_ARPA_INET_H@ -+NEXT_ERRNO_H = @NEXT_ERRNO_H@ -+NEXT_FLOAT_H = @NEXT_FLOAT_H@ -+NEXT_NETDB_H = @NEXT_NETDB_H@ -+NEXT_NETINET_IN_H = @NEXT_NETINET_IN_H@ -+NEXT_STDARG_H = @NEXT_STDARG_H@ -+NEXT_STDINT_H = @NEXT_STDINT_H@ -+NEXT_STDIO_H = @NEXT_STDIO_H@ -+NEXT_STDLIB_H = @NEXT_STDLIB_H@ -+NEXT_STRING_H = @NEXT_STRING_H@ -+NEXT_SYS_IOCTL_H = @NEXT_SYS_IOCTL_H@ -+NEXT_SYS_SELECT_H = @NEXT_SYS_SELECT_H@ -+NEXT_SYS_SOCKET_H = @NEXT_SYS_SOCKET_H@ -+NEXT_SYS_STAT_H = @NEXT_SYS_STAT_H@ -+NEXT_SYS_TIME_H = @NEXT_SYS_TIME_H@ -+NEXT_UNISTD_H = @NEXT_UNISTD_H@ -+NEXT_WCHAR_H = @NEXT_WCHAR_H@ -+NM = @NM@ -+NMEDIT = @NMEDIT@ -+OBJDUMP = @OBJDUMP@ -+OBJEXT = @OBJEXT@ -+OTOOL = @OTOOL@ -+OTOOL64 = @OTOOL64@ -+PACKAGE = @PACKAGE@ -+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -+PACKAGE_NAME = @PACKAGE_NAME@ -+PACKAGE_STRING = @PACKAGE_STRING@ -+PACKAGE_TARNAME = @PACKAGE_TARNAME@ -+PACKAGE_URL = @PACKAGE_URL@ -+PACKAGE_VERSION = @PACKAGE_VERSION@ -+PATH_SEPARATOR = @PATH_SEPARATOR@ -+PKG_CONFIG = @PKG_CONFIG@ -+PMCCABE = @PMCCABE@ -+PRAGMA_SYSTEM_HEADER = @PRAGMA_SYSTEM_HEADER@ -+PTRDIFF_T_SUFFIX = @PTRDIFF_T_SUFFIX@ -+RANLIB = @RANLIB@ -+REPLACE_BTOWC = @REPLACE_BTOWC@ -+REPLACE_CHOWN = @REPLACE_CHOWN@ -+REPLACE_CLOSE = @REPLACE_CLOSE@ -+REPLACE_DPRINTF = @REPLACE_DPRINTF@ -+REPLACE_FCHDIR = @REPLACE_FCHDIR@ -+REPLACE_FCLOSE = @REPLACE_FCLOSE@ -+REPLACE_FFLUSH = @REPLACE_FFLUSH@ -+REPLACE_FOPEN = @REPLACE_FOPEN@ -+REPLACE_FPRINTF = @REPLACE_FPRINTF@ -+REPLACE_FREOPEN = @REPLACE_FREOPEN@ -+REPLACE_FSEEK = @REPLACE_FSEEK@ -+REPLACE_FSEEKO = @REPLACE_FSEEKO@ -+REPLACE_FTELL = @REPLACE_FTELL@ -+REPLACE_FTELLO = @REPLACE_FTELLO@ -+REPLACE_GETCWD = @REPLACE_GETCWD@ -+REPLACE_GETLINE = @REPLACE_GETLINE@ -+REPLACE_GETPAGESIZE = @REPLACE_GETPAGESIZE@ -+REPLACE_GETTIMEOFDAY = @REPLACE_GETTIMEOFDAY@ -+REPLACE_LCHOWN = @REPLACE_LCHOWN@ -+REPLACE_LSEEK = @REPLACE_LSEEK@ -+REPLACE_LSTAT = @REPLACE_LSTAT@ -+REPLACE_MBRLEN = @REPLACE_MBRLEN@ -+REPLACE_MBRTOWC = @REPLACE_MBRTOWC@ -+REPLACE_MBSINIT = @REPLACE_MBSINIT@ -+REPLACE_MBSNRTOWCS = @REPLACE_MBSNRTOWCS@ -+REPLACE_MBSRTOWCS = @REPLACE_MBSRTOWCS@ -+REPLACE_MBSTATE_T = @REPLACE_MBSTATE_T@ -+REPLACE_MEMMEM = @REPLACE_MEMMEM@ -+REPLACE_MKDIR = @REPLACE_MKDIR@ -+REPLACE_MKSTEMP = @REPLACE_MKSTEMP@ -+REPLACE_OBSTACK_PRINTF = @REPLACE_OBSTACK_PRINTF@ -+REPLACE_PERROR = @REPLACE_PERROR@ -+REPLACE_PRINTF = @REPLACE_PRINTF@ -+REPLACE_PUTENV = @REPLACE_PUTENV@ -+REPLACE_SELECT = @REPLACE_SELECT@ -+REPLACE_SNPRINTF = @REPLACE_SNPRINTF@ -+REPLACE_SPRINTF = @REPLACE_SPRINTF@ -+REPLACE_STDIO_WRITE_FUNCS = @REPLACE_STDIO_WRITE_FUNCS@ -+REPLACE_STRCASESTR = @REPLACE_STRCASESTR@ -+REPLACE_STRDUP = @REPLACE_STRDUP@ -+REPLACE_STRERROR = @REPLACE_STRERROR@ -+REPLACE_STRSIGNAL = @REPLACE_STRSIGNAL@ -+REPLACE_STRSTR = @REPLACE_STRSTR@ -+REPLACE_STRTOD = @REPLACE_STRTOD@ -+REPLACE_VASPRINTF = @REPLACE_VASPRINTF@ -+REPLACE_VDPRINTF = @REPLACE_VDPRINTF@ -+REPLACE_VFPRINTF = @REPLACE_VFPRINTF@ -+REPLACE_VPRINTF = @REPLACE_VPRINTF@ -+REPLACE_VSNPRINTF = @REPLACE_VSNPRINTF@ -+REPLACE_VSPRINTF = @REPLACE_VSPRINTF@ -+REPLACE_WCRTOMB = @REPLACE_WCRTOMB@ -+REPLACE_WCSNRTOMBS = @REPLACE_WCSNRTOMBS@ -+REPLACE_WCSRTOMBS = @REPLACE_WCSRTOMBS@ -+REPLACE_WCTOB = @REPLACE_WCTOB@ -+REPLACE_WCWIDTH = @REPLACE_WCWIDTH@ -+REPLACE_WRITE = @REPLACE_WRITE@ -+SED = @SED@ -+SERVENT_LIB = @SERVENT_LIB@ -+SET_MAKE = @SET_MAKE@ -+SHELL = @SHELL@ -+SIG_ATOMIC_T_SUFFIX = @SIG_ATOMIC_T_SUFFIX@ -+SIZE_T_SUFFIX = @SIZE_T_SUFFIX@ -+STDARG_H = @STDARG_H@ -+STDBOOL_H = @STDBOOL_H@ -+STDINT_H = @STDINT_H@ -+STRIP = @STRIP@ -+SYS_IOCTL_H = @SYS_IOCTL_H@ -+SYS_IOCTL_H_HAVE_WINSOCK2_H = @SYS_IOCTL_H_HAVE_WINSOCK2_H@ -+SYS_SELECT_H = @SYS_SELECT_H@ -+SYS_SOCKET_H = @SYS_SOCKET_H@ -+SYS_STAT_H = @SYS_STAT_H@ -+SYS_TIME_H = @SYS_TIME_H@ -+UNISTD_H_HAVE_WINSOCK2_H = @UNISTD_H_HAVE_WINSOCK2_H@ -+VALGRIND = @VALGRIND@ -+VERSION = @VERSION@ -+VOID_UNSETENV = @VOID_UNSETENV@ -+WARN_CFLAGS = @WARN_CFLAGS@ -+WCHAR_H = @WCHAR_H@ -+WCHAR_T_SUFFIX = @WCHAR_T_SUFFIX@ -+WERROR_CFLAGS = @WERROR_CFLAGS@ -+WINT_T_SUFFIX = @WINT_T_SUFFIX@ -+abs_aux_dir = @abs_aux_dir@ -+abs_builddir = @abs_builddir@ -+abs_srcdir = @abs_srcdir@ -+abs_top_builddir = @abs_top_builddir@ -+abs_top_srcdir = @abs_top_srcdir@ -+ac_ct_CC = @ac_ct_CC@ -+ac_ct_CXX = @ac_ct_CXX@ -+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ -+am__include = @am__include@ -+am__leading_dot = @am__leading_dot@ -+am__quote = @am__quote@ -+am__tar = @am__tar@ -+am__untar = @am__untar@ -+bindir = @bindir@ -+build = @build@ -+build_alias = @build_alias@ -+build_cpu = @build_cpu@ -+build_os = @build_os@ -+build_vendor = @build_vendor@ -+builddir = @builddir@ -+datadir = @datadir@ -+datarootdir = @datarootdir@ -+docdir = @docdir@ -+dvidir = @dvidir@ -+exec_prefix = @exec_prefix@ -+gl_LIBOBJS = @gl_LIBOBJS@ -+gl_LTLIBOBJS = @gl_LTLIBOBJS@ -+gltests_LIBOBJS = @gltests_LIBOBJS@ -+gltests_LTLIBOBJS = @gltests_LTLIBOBJS@ -+guile_snarf = @guile_snarf@ -+host = @host@ -+host_alias = @host_alias@ -+host_cpu = @host_cpu@ -+host_os = @host_os@ -+host_vendor = @host_vendor@ -+htmldir = @htmldir@ -+includedir = @includedir@ -+infodir = @infodir@ -+install_sh = @install_sh@ -+libdir = @libdir@ -+libexecdir = @libexecdir@ -+localedir = @localedir@ -+localstatedir = @localstatedir@ -+lt_ECHO = @lt_ECHO@ -+mandir = @mandir@ -+mkdir_p = @mkdir_p@ -+oldincludedir = @oldincludedir@ -+pdfdir = @pdfdir@ -+prefix = @prefix@ -+program_transform_name = @program_transform_name@ -+psdir = @psdir@ -+sbindir = @sbindir@ -+sharedstatedir = @sharedstatedir@ -+srcdir = @srcdir@ -+subdirs = @subdirs@ -+sysconfdir = @sysconfdir@ -+target_alias = @target_alias@ -+top_build_prefix = @top_build_prefix@ -+top_builddir = @top_builddir@ -+top_srcdir = @top_srcdir@ -+EXTRA_DIST = params.dh -+dist_check_SCRIPTS = testsrn -+TESTS = testsrn -+TESTS_ENVIRONMENT = EXEEXT=$(EXEEXT) -+all: all-am -+ -+.SUFFIXES: -+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) -+ @for dep in $?; do \ -+ case '$(am__configure_deps)' in \ -+ *$$dep*) \ -+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ -+ && { if test -f $@; then exit 0; else break; fi; }; \ -+ exit 1;; \ -+ esac; \ -+ done; \ -+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu tests/safe-renegotiation/Makefile'; \ -+ $(am__cd) $(top_srcdir) && \ -+ $(AUTOMAKE) --gnu tests/safe-renegotiation/Makefile -+.PRECIOUS: Makefile -+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status -+ @case '$?' in \ -+ *config.status*) \ -+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ -+ *) \ -+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ -+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ -+ esac; -+ -+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) -+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -+ -+$(top_srcdir)/configure: $(am__configure_deps) -+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -+$(ACLOCAL_M4): $(am__aclocal_m4_deps) -+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -+$(am__aclocal_m4_deps): -+ -+mostlyclean-libtool: -+ -rm -f *.lo -+ -+clean-libtool: -+ -rm -rf .libs _libs -+tags: TAGS -+TAGS: -+ -+ctags: CTAGS -+CTAGS: -+ -+ -+check-TESTS: $(TESTS) -+ @failed=0; all=0; xfail=0; xpass=0; skip=0; \ -+ srcdir=$(srcdir); export srcdir; \ -+ list=' $(TESTS) '; \ -+ $(am__tty_colors); \ -+ if test -n "$$list"; then \ -+ for tst in $$list; do \ -+ if test -f ./$$tst; then dir=./; \ -+ elif test -f $$tst; then dir=; \ -+ else dir="$(srcdir)/"; fi; \ -+ if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ -+ all=`expr $$all + 1`; \ -+ case " $(XFAIL_TESTS) " in \ -+ *[\ \ ]$$tst[\ \ ]*) \ -+ xpass=`expr $$xpass + 1`; \ -+ failed=`expr $$failed + 1`; \ -+ col=$$red; res=XPASS; \ -+ ;; \ -+ *) \ -+ col=$$grn; res=PASS; \ -+ ;; \ -+ esac; \ -+ elif test $$? -ne 77; then \ -+ all=`expr $$all + 1`; \ -+ case " $(XFAIL_TESTS) " in \ -+ *[\ \ ]$$tst[\ \ ]*) \ -+ xfail=`expr $$xfail + 1`; \ -+ col=$$lgn; res=XFAIL; \ -+ ;; \ -+ *) \ -+ failed=`expr $$failed + 1`; \ -+ col=$$red; res=FAIL; \ -+ ;; \ -+ esac; \ -+ else \ -+ skip=`expr $$skip + 1`; \ -+ col=$$blu; res=SKIP; \ -+ fi; \ -+ echo "$${col}$$res$${std}: $$tst"; \ -+ done; \ -+ if test "$$all" -eq 1; then \ -+ tests="test"; \ -+ All=""; \ -+ else \ -+ tests="tests"; \ -+ All="All "; \ -+ fi; \ -+ if test "$$failed" -eq 0; then \ -+ if test "$$xfail" -eq 0; then \ -+ banner="$$All$$all $$tests passed"; \ -+ else \ -+ if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \ -+ banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \ -+ fi; \ -+ else \ -+ if test "$$xpass" -eq 0; then \ -+ banner="$$failed of $$all $$tests failed"; \ -+ else \ -+ if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \ -+ banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \ -+ fi; \ -+ fi; \ -+ dashes="$$banner"; \ -+ skipped=""; \ -+ if test "$$skip" -ne 0; then \ -+ if test "$$skip" -eq 1; then \ -+ skipped="($$skip test was not run)"; \ -+ else \ -+ skipped="($$skip tests were not run)"; \ -+ fi; \ -+ test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ -+ dashes="$$skipped"; \ -+ fi; \ -+ report=""; \ -+ if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ -+ report="Please report to $(PACKAGE_BUGREPORT)"; \ -+ test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ -+ dashes="$$report"; \ -+ fi; \ -+ dashes=`echo "$$dashes" | sed s/./=/g`; \ -+ if test "$$failed" -eq 0; then \ -+ echo "$$grn$$dashes"; \ -+ else \ -+ echo "$$red$$dashes"; \ -+ fi; \ -+ echo "$$banner"; \ -+ test -z "$$skipped" || echo "$$skipped"; \ -+ test -z "$$report" || echo "$$report"; \ -+ echo "$$dashes$$std"; \ -+ test "$$failed" -eq 0; \ -+ else :; fi -+ -+distdir: $(DISTFILES) -+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ -+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ -+ list='$(DISTFILES)'; \ -+ dist_files=`for file in $$list; do echo $$file; done | \ -+ sed -e "s|^$$srcdirstrip/||;t" \ -+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ -+ case $$dist_files in \ -+ */*) $(MKDIR_P) `echo "$$dist_files" | \ -+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ -+ sort -u` ;; \ -+ esac; \ -+ for file in $$dist_files; do \ -+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ -+ if test -d $$d/$$file; then \ -+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ -+ if test -d "$(distdir)/$$file"; then \ -+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ -+ fi; \ -+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ -+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ -+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ -+ fi; \ -+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ -+ else \ -+ test -f "$(distdir)/$$file" \ -+ || cp -p $$d/$$file "$(distdir)/$$file" \ -+ || exit 1; \ -+ fi; \ -+ done -+check-am: all-am -+ $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) -+ $(MAKE) $(AM_MAKEFLAGS) check-TESTS -+check: check-am -+all-am: Makefile -+installdirs: -+install: install-am -+install-exec: install-exec-am -+install-data: install-data-am -+uninstall: uninstall-am -+ -+install-am: all-am -+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am -+ -+installcheck: installcheck-am -+install-strip: -+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ -+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ -+ `test -z '$(STRIP)' || \ -+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -+mostlyclean-generic: -+ -+clean-generic: -+ -+distclean-generic: -+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) -+ -+maintainer-clean-generic: -+ @echo "This command is intended for maintainers to use" -+ @echo "it deletes files that may require special tools to rebuild." -+clean: clean-am -+ -+clean-am: clean-generic clean-libtool mostlyclean-am -+ -+distclean: distclean-am -+ -rm -f Makefile -+distclean-am: clean-am distclean-generic -+ -+dvi: dvi-am -+ -+dvi-am: -+ -+html: html-am -+ -+html-am: -+ -+info: info-am -+ -+info-am: -+ -+install-data-am: -+ -+install-dvi: install-dvi-am -+ -+install-dvi-am: -+ -+install-exec-am: -+ -+install-html: install-html-am -+ -+install-html-am: -+ -+install-info: install-info-am -+ -+install-info-am: -+ -+install-man: -+ -+install-pdf: install-pdf-am -+ -+install-pdf-am: -+ -+install-ps: install-ps-am -+ -+install-ps-am: -+ -+installcheck-am: -+ -+maintainer-clean: maintainer-clean-am -+ -rm -f Makefile -+maintainer-clean-am: distclean-am maintainer-clean-generic -+ -+mostlyclean: mostlyclean-am -+ -+mostlyclean-am: mostlyclean-generic mostlyclean-libtool -+ -+pdf: pdf-am -+ -+pdf-am: -+ -+ps: ps-am -+ -+ps-am: -+ -+uninstall-am: -+ -+.MAKE: check-am install-am install-strip -+ -+.PHONY: all all-am check check-TESTS check-am clean clean-generic \ -+ clean-libtool distclean distclean-generic distclean-libtool \ -+ distdir dvi dvi-am html html-am info info-am install \ -+ install-am install-data install-data-am install-dvi \ -+ install-dvi-am install-exec install-exec-am install-html \ -+ install-html-am install-info install-info-am install-man \ -+ install-pdf install-pdf-am install-ps install-ps-am \ -+ install-strip installcheck installcheck-am installdirs \ -+ maintainer-clean maintainer-clean-generic mostlyclean \ -+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ -+ uninstall uninstall-am -+ -+ -+# Tell versions [3.59,3.63) of GNU make to not export all variables. -+# Otherwise a system limit (for SysV at least) may be exceeded. -+.NOEXPORT: -diff -up gnutls-2.8.6/tests/safe-renegotiation/params.dh.reneg gnutls-2.8.6/tests/safe-renegotiation/params.dh ---- gnutls-2.8.6/tests/safe-renegotiation/params.dh.reneg 2010-05-31 22:52:31.000000000 +0200 -+++ gnutls-2.8.6/tests/safe-renegotiation/params.dh 2010-05-31 22:52:31.000000000 +0200 -@@ -0,0 +1,35 @@ -+ -+Generator: 05 -+ -+Prime: c9:e9:2d:fc:94:15:1a:10:4f:3c:b5:16 -+ 7e:34:10:7d:eb:3d:d5:7d:61:ff:b0:ce -+ da:7f:6e:0c:ea:db:b4:87:f6:c6:34:a8 -+ 3c:f8:84:52:14:59:ab:17:5c:d0:f0:86 -+ c4:02:93:dc:09:83:57:16:98:21:d0:42 -+ 8e:33:fc:48:69:e6:04:0d:4e:50:09:33 -+ 2e:28:60:4f:05:08:7c:ce:2f:a6:1a:4c -+ 41:d1:a3:dd:f6:37:56:44:1d:b0:54:af -+ f7:4a:a0:c2:19:5d:ce:62:b0:7a:1b:e1 -+ 5c:7f:bb:4d:7e:9e:28:48:00:a4:9a:86 -+ 3e:6e:6e:9c:57:41:c7:ec:bf:7f:09:fc -+ da:25:c2:1e:e0:52:dc:65:8c:40:a3:6e -+ bd:99:4e:0b:1a:04:e0:23:20:46:5a:d0 -+ 3f:b3:a4:d6:76:73:b7:cc:61:33:11:54 -+ a6:32:ff:94:08:d5:66:36:fd:99:69:21 -+ cc:28:5d:11:52:32:48:b6:a5:b5:c3:b0 -+ 21:3f:f9:69:25:83:b1:3d:79:a6:ed:ae -+ db:95:62:fc:72:ca:ad:46:fc:b6:b1:ea -+ 98:68:97:ba:f2:54:aa:86:ed:62:b1:78 -+ 5f:d5:19:80:ce:41:ee:98:a1:71:9f:fa -+ 5b:6b:d8:5e:7e:b3:18:0a:f0:4c:96:76 -+ 6c:0c:b0:a3 -+ -+ -+-----BEGIN DH PARAMETERS----- -+MIIBCAKCAQEAyekt/JQVGhBPPLUWfjQQfes91X1h/7DO2n9uDOrbtIf2xjSoPPiE -+UhRZqxdc0PCGxAKT3AmDVxaYIdBCjjP8SGnmBA1OUAkzLihgTwUIfM4vphpMQdGj -+3fY3VkQdsFSv90qgwhldzmKwehvhXH+7TX6eKEgApJqGPm5unFdBx+y/fwn82iXC -+HuBS3GWMQKNuvZlOCxoE4CMgRlrQP7Ok1nZzt8xhMxFUpjL/lAjVZjb9mWkhzChd -+EVIySLaltcOwIT/5aSWDsT15pu2u25Vi/HLKrUb8trHqmGiXuvJUqobtYrF4X9UZ -+gM5B7pihcZ/6W2vYXn6zGArwTJZ2bAywowIBBQ== -+-----END DH PARAMETERS----- -diff -up gnutls-2.8.6/tests/safe-renegotiation/testsrn.reneg gnutls-2.8.6/tests/safe-renegotiation/testsrn ---- gnutls-2.8.6/tests/safe-renegotiation/testsrn.reneg 2010-05-31 22:52:31.000000000 +0200 -+++ gnutls-2.8.6/tests/safe-renegotiation/testsrn 2010-06-02 10:23:35.000000000 +0200 -@@ -0,0 +1,103 @@ -+#!/bin/sh -+ -+# Copyright (C) 2010 Free Software Foundation -+# -+# Author: Nikos Mavrogiannopoulos -+# -+# This file is part of GNUTLS. -+# -+# GNUTLS is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License as published by the -+# Free Software Foundation; either version 3 of the License, or (at -+# your option) any later version. -+# -+# GNUTLS is distributed in the hope that it will be useful, but -+# WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+# General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with GNUTLS; if not, write to the Free Software Foundation, -+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -+ -+srcdir="${srcdir:-.}" -+SERV="${SERV:-../../src/gnutls-serv$EXEEXT} -q" -+CLI="${CLI:-../../src/gnutls-cli$EXEEXT}" -+PORT="${PORT:-5558}" -+unset RETCODE -+ -+fail() { -+ echo "Failure: $1" >&2 -+ RETCODE=${RETCODE:-${2:-1}} -+} -+ -+echo "Checking Safe renegotiation" -+ -+$SERV -p $PORT --echo --priority NORMAL:+ANON-DH:%PARTIAL_RENEGOTIATION --dhparams $srcdir/params.dh >/dev/null 2>&1 & -+pid=$! -+ -+# give the server a chance to initialize -+sleep 2 -+ -+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NONE:+AES-128-CBC:+MD5:+SHA1:+VERS-SSL3.0:+ANON-DH:+COMP-NULL:%SAFE_RENEGOTIATION /dev/null 2>&1 || \ -+ fail "0. Renegotiation should have succeeded!" -+ -+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION /dev/null 2>&1 || \ -+ fail "1. Safe rehandshake should have succeeded!" -+ -+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION /dev/null 2>&1 || \ -+ fail "2. Unsafe rehandshake should have succeeded!" -+ -+$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 || \ -+ fail "3. Unsafe negotiation should have succeeded!" -+ -+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 && \ -+ fail "4. Unsafe renegotiation should have failed!" -+ -+ -+kill $pid -+wait -+ -+$SERV -p $PORT --echo --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION --dhparams $srcdir/params.dh >/dev/null 2>&1 & -+pid=$! -+ -+# give the server a chance to initialize -+sleep 2 -+ -+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION /dev/null 2>&1 || \ -+ fail "5. Safe rehandshake should have succeeded!" -+ -+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION /dev/null 2>&1 || \ -+ fail "6. Unsafe rehandshake should have succeeded!" -+ -+$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 && \ -+ fail "7. Unsafe negotiation should have failed!" -+ -+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 && \ -+ fail "8. Unsafe renegotiation should have failed!" -+ -+kill $pid -+wait -+ -+$SERV -p $PORT --echo --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION --dhparams $srcdir/params.dh >/dev/null 2>&1 & -+pid=$! -+ -+# give the server a chance to initialize -+sleep 2 -+ -+$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION /dev/null 2>&1 && \ -+ fail "9. Initial connection should have failed!" -+ -+$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION /dev/null 2>&1 || \ -+ fail "10. Unsafe connection should have succeeded!" -+ -+$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 || \ -+ fail "11. Unsafe negotiation should have succeeded!" -+ -+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 || \ -+ fail "12. Unsafe renegotiation should have succeeded!" -+ -+kill $pid -+wait -+ -+exit ${RETCODE:-0} -diff -up gnutls-2.8.6/tests/simple.c.reneg gnutls-2.8.6/tests/simple.c ---- gnutls-2.8.6/tests/simple.c.reneg 2009-06-02 20:59:32.000000000 +0200 -+++ gnutls-2.8.6/tests/simple.c 2010-05-31 22:52:31.000000000 +0200 -@@ -50,7 +50,7 @@ doit (void) - - for (i = 0; algs[i]; i++) - { -- printf ("pk_list[%d] = %d = %s = %d\n", i, algs[i], -+ printf ("pk_list[%d] = %d = %s = %d\n", (int)i, algs[i], - gnutls_pk_algorithm_get_name (algs[i]), - gnutls_pk_get_id (gnutls_pk_algorithm_get_name (algs[i]))); - if (gnutls_pk_get_id (gnutls_pk_algorithm_get_name (algs[i])) -@@ -76,7 +76,7 @@ doit (void) - - for (i = 0; algs[i]; i++) - { -- printf ("sign_list[%d] = %d = %s = %d\n", i, algs[i], -+ printf ("sign_list[%d] = %d = %s = %d\n", (int)i, algs[i], - gnutls_sign_algorithm_get_name (algs[i]), - gnutls_sign_get_id (gnutls_sign_algorithm_get_name - (algs[i]))); diff --git a/gnutls.spec b/gnutls.spec index a576286..cd57968 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,6 +1,6 @@ Summary: A TLS protocol implementation Name: gnutls -Version: 2.10.5 +Version: 2.12.2 Release: 1%{?dist} # The libgnutls library is LGPLv2+, utilities and remaining libraries are GPLv3+ License: GPLv3+ and LGPLv2+ @@ -15,12 +15,10 @@ URL: http://www.gnutls.org/ # XXX patent tainted SRP code removed. Source0: %{name}-%{version}-nosrp.tar.bz2 Source1: libgnutls-config -Patch1: gnutls-2.10.4-rpath.patch +Patch1: gnutls-2.12.2-rpath.patch Patch2: gnutls-2.8.6-link-libgcrypt.patch # Remove nonexisting references from texinfo file -Patch3: gnutls-2.10.1-nosrp.patch -# Backport from upstream git -Patch4: gnutls-2.10.1-handshake-errors.patch +Patch3: gnutls-2.12.2-nosrp.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: libgcrypt >= 1.2.2 @@ -76,7 +74,6 @@ This package contains Guile bindings for the library. %patch1 -p1 -b .rpath %patch2 -p1 -b .link %patch3 -p1 -b .nosrp -%patch4 -p1 -b .errors for i in auth_srp_rsa.c auth_srp_sb64.c auth_srp_passwd.c auth_srp.c gnutls_srp.c ext_srp.c; do touch lib/$i @@ -89,13 +86,15 @@ export LDFLAGS="-Wl,--no-add-needed" %configure --with-libtasn1-prefix=%{_prefix} \ --with-included-libcfg \ --disable-static \ - --disable-srp-authentication + --disable-srp-authentication \ + --disable-rpath \ + --with-libgcrypt make cp lib/COPYING COPYING.LIB %install rm -fr $RPM_BUILD_ROOT -%makeinstall +make install DESTDIR=$RPM_BUILD_ROOT rm -f $RPM_BUILD_ROOT%{_bindir}/srptool rm -f $RPM_BUILD_ROOT%{_bindir}/gnutls-srpcrypt cp -f %{SOURCE1} $RPM_BUILD_ROOT%{_bindir}/libgnutls-config @@ -144,11 +143,13 @@ fi %{_libdir}/pkgconfig/*.pc %{_mandir}/man3/* %{_infodir}/gnutls* +%{_infodir}/pkcs11-vision* %files utils %defattr(-,root,root,-) %{_bindir}/certtool %{_bindir}/psktool +%{_bindir}/p11tool %{_bindir}/gnutls* %{_mandir}/man1/* %doc doc/certtool.cfg @@ -160,6 +161,9 @@ fi %{_datadir}/guile/site/gnutls.scm %changelog +* Mon Apr 18 2011 Tomas Mraz 2.12.2-1 +- new upstream version + * Thu Mar 3 2011 Tomas Mraz 2.10.5-1 - new upstream version diff --git a/sources b/sources index 3378d7f..4e21692 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -9dad7462ffdc3a6866a4aaaa62d8f0ad gnutls-2.10.5-nosrp.tar.bz2 +a9885af1ac3a3825e36f2e046b6d9ee3 gnutls-2.12.2-nosrp.tar.bz2