4031 lines
138 KiB
Diff
4031 lines
138 KiB
Diff
diff -up gnutls-2.8.6/AUTHORS.reneg gnutls-2.8.6/AUTHORS
|
|
--- gnutls-2.8.6/AUTHORS.reneg 2009-06-02 20:59:32.000000000 +0200
|
|
+++ gnutls-2.8.6/AUTHORS 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -51,6 +51,9 @@ OpenPGP discussion and improvements.
|
|
David Marín Carreño <davefx@gmail.com>
|
|
Added gnutls_x509_crq_get_key_id.
|
|
|
|
+Steve Dispensa <dispensa@phonefactor.com>
|
|
+TLS safe renegotiation fix.
|
|
+
|
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
|
URL: http://josefsson.org/key.txt (always latest version)
|
|
Comment: This 0xB565716F key is used to sign releases of GnuTLS.
|
|
diff -up gnutls-2.8.6/configure.reneg gnutls-2.8.6/configure
|
|
--- gnutls-2.8.6/configure.reneg 2010-05-31 22:52:31.000000000 +0200
|
|
+++ gnutls-2.8.6/configure 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -28559,7 +28559,7 @@ subdirs="$subdirs libextra"
|
|
|
|
ac_config_files="$ac_config_files guile/pre-inst-guile"
|
|
|
|
-ac_config_files="$ac_config_files Makefile doc/Makefile doc/credentials/Makefile doc/credentials/openpgp/Makefile doc/credentials/srp/Makefile doc/credentials/x509/Makefile doc/cyclo/Makefile doc/doxygen/Doxyfile doc/examples/Makefile doc/manpages/Makefile doc/reference/Makefile doc/scripts/Makefile gl/Makefile gl/tests/Makefile guile/Makefile guile/modules/Makefile guile/src/Makefile guile/tests/Makefile src/Makefile src/cfg/Makefile src/cfg/platon/Makefile src/cfg/platon/str/Makefile tests/Makefile tests/key-id/Makefile tests/openpgp-certs/Makefile tests/pathlen/Makefile tests/pkcs1-padding/Makefile tests/pkcs12-decode/Makefile tests/pkcs8-decode/Makefile tests/rsa-md5-collision/Makefile tests/sha2/Makefile tests/userid/Makefile"
|
|
+ac_config_files="$ac_config_files Makefile doc/Makefile doc/credentials/Makefile doc/credentials/openpgp/Makefile doc/credentials/srp/Makefile doc/credentials/x509/Makefile doc/cyclo/Makefile doc/doxygen/Doxyfile doc/examples/Makefile doc/manpages/Makefile doc/reference/Makefile doc/scripts/Makefile gl/Makefile gl/tests/Makefile guile/Makefile guile/modules/Makefile guile/src/Makefile guile/tests/Makefile src/Makefile src/cfg/Makefile src/cfg/platon/Makefile src/cfg/platon/str/Makefile tests/Makefile tests/key-id/Makefile tests/openpgp-certs/Makefile tests/safe-renegotiation/Makefile tests/pathlen/Makefile tests/pkcs1-padding/Makefile tests/pkcs12-decode/Makefile tests/pkcs8-decode/Makefile tests/rsa-md5-collision/Makefile tests/sha2/Makefile tests/userid/Makefile"
|
|
|
|
cat >confcache <<\_ACEOF
|
|
# This file is a shell script that caches the results of configure
|
|
@@ -29783,6 +29783,7 @@ do
|
|
"tests/Makefile") CONFIG_FILES="$CONFIG_FILES tests/Makefile" ;;
|
|
"tests/key-id/Makefile") CONFIG_FILES="$CONFIG_FILES tests/key-id/Makefile" ;;
|
|
"tests/openpgp-certs/Makefile") CONFIG_FILES="$CONFIG_FILES tests/openpgp-certs/Makefile" ;;
|
|
+ "tests/safe-renegotiation/Makefile") CONFIG_FILES="$CONFIG_FILES tests/safe-renegotiation/Makefile" ;;
|
|
"tests/pathlen/Makefile") CONFIG_FILES="$CONFIG_FILES tests/pathlen/Makefile" ;;
|
|
"tests/pkcs1-padding/Makefile") CONFIG_FILES="$CONFIG_FILES tests/pkcs1-padding/Makefile" ;;
|
|
"tests/pkcs12-decode/Makefile") CONFIG_FILES="$CONFIG_FILES tests/pkcs12-decode/Makefile" ;;
|
|
diff -up gnutls-2.8.6/doc/gnutls-api.texi.reneg gnutls-2.8.6/doc/gnutls-api.texi
|
|
--- gnutls-2.8.6/doc/gnutls-api.texi.reneg 2010-03-15 11:35:23.000000000 +0100
|
|
+++ gnutls-2.8.6/doc/gnutls-api.texi 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -3307,6 +3307,20 @@ This function will initialize the tempor
|
|
@strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, or an negative error code.
|
|
@end deftypefun
|
|
|
|
+@subheading gnutls_safe_renegotiation_status
|
|
+@anchor{gnutls_safe_renegotiation_status}
|
|
+@deftypefun {int} {gnutls_safe_renegotiation_status} (gnutls_session_t @var{session})
|
|
+@var{session}: is a @code{gnutls_session_t} structure.
|
|
+
|
|
+Can be used to check whether safe renegotiation is being used
|
|
+in the current session.
|
|
+
|
|
+@strong{Returns:} 0 when safe renegotiation is not used and non zero when
|
|
+safe renegotiation is used.
|
|
+
|
|
+@strong{Since:} 2.10.0
|
|
+@end deftypefun
|
|
+
|
|
@subheading gnutls_server_name_get
|
|
@anchor{gnutls_server_name_get}
|
|
@deftypefun {int} {gnutls_server_name_get} (gnutls_session_t @var{session}, void * @var{data}, size_t * @var{data_length}, unsigned int * @var{type}, unsigned int @var{indx})
|
|
diff -up gnutls-2.8.6/doc/gnutls.texi.reneg gnutls-2.8.6/doc/gnutls.texi
|
|
--- gnutls-2.8.6/doc/gnutls.texi.reneg 2009-06-02 21:07:14.000000000 +0200
|
|
+++ gnutls-2.8.6/doc/gnutls.texi 2010-06-02 10:23:27.000000000 +0200
|
|
@@ -565,6 +565,7 @@ also supports @acronym{X.509} and @acron
|
|
* Selecting cryptographic key sizes::
|
|
* On SSL 2 and older protocols::
|
|
* On Record Padding::
|
|
+* Safe Renegotiation::
|
|
@end menu
|
|
|
|
@node TLS layers
|
|
@@ -1202,6 +1203,94 @@ here are some links:
|
|
|
|
@url{http://thread.gmane.org/gmane.ietf.tls/3079}
|
|
|
|
+@node Safe Renegotiation
|
|
+@section Safe Renegotiation
|
|
+@cindex renegotiation
|
|
+
|
|
+Some application protocols and implementations uses the TLS
|
|
+renegotiation feature in a manner that enables attackers to insert
|
|
+content of his choice in the beginning of a TLS session.
|
|
+
|
|
+One easy to understand vulnerability is HTTPS when servers request
|
|
+client certificates optionally for certain parts of a web site. The
|
|
+attack works by having the attacker simulate a client and connect to a
|
|
+server, with server-only authentication, and send some data intended
|
|
+to cause harm. When the proper client attempts to contact the server,
|
|
+the attacker hijacks that connection and uses the TLS renegotiation
|
|
+feature with the server and splices in the client connection to the
|
|
+already established connection between the attacker and server. The
|
|
+attacker will not be able to read the data exchanged between the
|
|
+client and the server. However, the server will (incorrectly) assume
|
|
+that the data sent by the attacker was sent by the now authenticated
|
|
+client. The result is a prefix plain-text injection attack.
|
|
+
|
|
+The above is just one example. Other vulnerabilities exists that do
|
|
+not rely on the TLS renegotiation to change the client's authenticated
|
|
+status (either TLS or application layer).
|
|
+
|
|
+While fixing these application protocols and implementations would be
|
|
+one natural reaction, an extension to TLS has been designed that
|
|
+cryptographically binds together any renegotiated handshakes with the
|
|
+initial negotiation. When the extension is used, the attack is
|
|
+detected and the session can be terminated. The extension is
|
|
+specified in @xcite{RFC5746}.
|
|
+
|
|
+GnuTLS supports the safe renegotiation extension. The default
|
|
+behavior is as follows. Clients will attempt to negotiate the safe
|
|
+renegotiation extension when talking to servers. Servers will accept
|
|
+the extension when presented by clients. Clients and servers will
|
|
+permit an initial handshake to complete even when the other side does
|
|
+not support the safe renegotiation extension. Clients and servers
|
|
+will refuse renegotiation attempts when the extension has not been
|
|
+negotiated.
|
|
+
|
|
+Note that permitting clients to connect to servers even when the safe
|
|
+renegotiation extension is not negotiated open up for some attacks.
|
|
+Changing this default behaviour would prevent interoperability against
|
|
+the majority of deployed servers out there. We will reconsider this
|
|
+default behaviour in the future when more servers have been upgraded.
|
|
+Note that it is easy to configure clients to always require the safe
|
|
+renegotiation extension from servers (see below on the
|
|
+%SAFE_RENEGOTIATION priority string).
|
|
+
|
|
+To modify the default behaviour, we have introduced some new priority
|
|
+strings. The priority strings can be used by applications
|
|
+(@pxref{gnutls_priority_set}) and end users (e.g., @code{--priority}
|
|
+parameter to @code{gnutls-cli} and @code{gnutls-serv}).
|
|
+
|
|
+The @code{%UNSAFE_RENEGOTIATION} priority string permits
|
|
+(re-)handshakes even when the safe renegotiation extension was not
|
|
+negotiated. The default behavior is @code{%PARTIAL_RENEGOTIATION} that will
|
|
+prevent renegotiation with clients and servers not supporting the
|
|
+extension. This is secure for servers but leaves clients vulnerable
|
|
+to some attacks, but this is a tradeoff between security and compatibility
|
|
+with old servers. The @code{%SAFE_RENEGOTIATION} priority string makes
|
|
+clients and servers require the extension for every handshake. The latter
|
|
+is the most secure option for clients, at the cost of not being able
|
|
+to connect to legacy servers. Servers will also deny clients that
|
|
+do not support the extension from connecting.
|
|
+
|
|
+It is possible to disable use of the extension completely, in both
|
|
+clients and servers, by using the @code{%DISABLE_SAFE_RENEGOTIATION}
|
|
+priority string however we strongly recommend you to only do this for
|
|
+debugging and test purposes.
|
|
+
|
|
+The default values if the flags above are not specified are:
|
|
+@table @code
|
|
+
|
|
+@item Server:
|
|
+%PARTIAL_RENEGOTIATION
|
|
+
|
|
+@item Client:
|
|
+%PARTIAL_RENEGOTIATION
|
|
+
|
|
+@end table
|
|
+
|
|
+For applications we have introduced a new API related to safe
|
|
+renegotiation. The @ref{gnutls_safe_renegotiation_status} function is
|
|
+used to check if the extension has been negotiated on a session, and
|
|
+can be used both by clients and servers.
|
|
+
|
|
@node Authentication methods
|
|
@chapter Authentication Methods
|
|
|
|
@@ -4179,6 +4268,11 @@ Pasi Eronen and Hannes Tschofenig, "Pre-
|
|
TLS", December 2005, Available from
|
|
@url{http://www.ietf.org/rfc/rfc4279.txt}.
|
|
|
|
+@item @anchor{RFC5746}[RFC5746]
|
|
+E. Rescorla, M. Ray, S. Dispensa, and N. Oskov, "Transport Layer
|
|
+Security (TLS) Renegotiation Indication Extension", February 2010,
|
|
+available from @url{http://www.ietf.org/rfc/rfc5746}.
|
|
+
|
|
@item @anchor{TOMSRP}[TOMSRP]
|
|
Tom Wu, "The Stanford SRP Authentication Project", Available at
|
|
@url{http://srp.stanford.edu/}.
|
|
diff -up gnutls-2.8.6/doc/manpages/gnutls-cli.1.reneg gnutls-2.8.6/doc/manpages/gnutls-cli.1
|
|
--- gnutls-2.8.6/doc/manpages/gnutls-cli.1.reneg 2009-06-02 20:59:32.000000000 +0200
|
|
+++ gnutls-2.8.6/doc/manpages/gnutls-cli.1 2010-06-02 10:23:27.000000000 +0200
|
|
@@ -75,6 +75,15 @@ Special keywords:
|
|
"%SSL3_RECORD_VERSION" force SSL3.0 record version in the first client
|
|
hello. This is to avoid buggy servers from terminating connection.
|
|
.IP
|
|
+"%UNSAFE_RENEGOTIATION" Permits (re-)handshakes even unsafe ones.
|
|
+.IP
|
|
+"%PARTIAL_RENEGOTIATION" Prevents renegotiation with clients and servers not
|
|
+supporting the safe renegotiation extension. (default)
|
|
+.IP
|
|
+"%SAFE_RENEGOTIATION" will enable safe renegotiation. This is the most
|
|
+secure and recommended option for clients. However this will prevent from
|
|
+connecting to legacy servers.
|
|
+.IP
|
|
To avoid collisions in order to specify a compression algorithm in
|
|
this string you have to prefix it with "COMP-", protocol versions
|
|
with "VERS-" and certificate types with "CTYPE-". All other
|
|
diff -up gnutls-2.8.6/doc/manpages/gnutls_priority_init.3.reneg gnutls-2.8.6/doc/manpages/gnutls_priority_init.3
|
|
--- gnutls-2.8.6/doc/manpages/gnutls_priority_init.3.reneg 2010-03-15 11:32:37.000000000 +0100
|
|
+++ gnutls-2.8.6/doc/manpages/gnutls_priority_init.3 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -67,6 +67,21 @@ compression methods.
|
|
|
|
"%COMPAT" will enable compatibility features for a server.
|
|
|
|
+"%UNSAFE_RENEGOTIATION" will allow unsafe renegotiation (this is now
|
|
+the default for clients, but will change once more servers support the safe renegotiation
|
|
+TLS fix).
|
|
+
|
|
+"%SAFE_RENEGOTIATION" will allow safe renegotiation only (this is the
|
|
+default for servers \- that will reject clients trying to perform an
|
|
+unsafe renegotiation).
|
|
+
|
|
+"%INITIAL_SAFE_RENEGOTIATION" will force initial safe negotiation even if
|
|
+renegotiation wasn't requested. Only valid for server side and implies
|
|
+"%SAFE_RENEGOTIATION".
|
|
+
|
|
+"%DISABLE_SAFE_RENEGOTIATION" will disable safe renegotiation completely. Do not use
|
|
+unless you know what you are doing. Testing purposes only.
|
|
+
|
|
"%SSL3_RECORD_VERSION" will use SSL3.0 record version in client hello.
|
|
|
|
"%VERIFY_ALLOW_SIGN_RSA_MD5" will allow RSA\-MD5 signatures in
|
|
diff -up gnutls-2.8.6/doc/manpages/gnutls_safe_renegotiation_status.3.reneg gnutls-2.8.6/doc/manpages/gnutls_safe_renegotiation_status.3
|
|
--- gnutls-2.8.6/doc/manpages/gnutls_safe_renegotiation_status.3.reneg 2010-05-31 22:52:31.000000000 +0200
|
|
+++ gnutls-2.8.6/doc/manpages/gnutls_safe_renegotiation_status.3 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -0,0 +1,41 @@
|
|
+.\" DO NOT MODIFY THIS FILE! It was generated by gdoc.
|
|
+.TH "gnutls_safe_renegotiation_status" 3 "2.9.11" "gnutls" "gnutls"
|
|
+.SH NAME
|
|
+gnutls_safe_renegotiation_status \- API function
|
|
+.SH SYNOPSIS
|
|
+.B #include <gnutls/gnutls.h>
|
|
+.sp
|
|
+.BI "int gnutls_safe_renegotiation_status(gnutls_session_t " session ");"
|
|
+.SH ARGUMENTS
|
|
+.IP "gnutls_session_t session" 12
|
|
+is a \fBgnutls_session_t\fP structure.
|
|
+.SH "DESCRIPTION"
|
|
+Can be used to check whether safe renegotiation is being used
|
|
+in the current session.
|
|
+.SH "RETURNS"
|
|
+0 when safe renegotiation is not used and non zero when
|
|
+safe renegotiation is used.
|
|
+.SH "SINCE"
|
|
+2.10.0
|
|
+.SH "REPORTING BUGS"
|
|
+Report bugs to <bug-gnutls@gnu.org>.
|
|
+GnuTLS home page: http://www.gnu.org/software/gnutls/
|
|
+General help using GNU software: http://www.gnu.org/gethelp/
|
|
+.SH COPYRIGHT
|
|
+Copyright \(co 2008 Free Software Foundation.
|
|
+.br
|
|
+Copying and distribution of this file, with or without modification,
|
|
+are permitted in any medium without royalty provided the copyright
|
|
+notice and this notice are preserved.
|
|
+.SH "SEE ALSO"
|
|
+The full documentation for
|
|
+.B gnutls
|
|
+is maintained as a Texinfo manual. If the
|
|
+.B info
|
|
+and
|
|
+.B gnutls
|
|
+programs are properly installed at your site, the command
|
|
+.IP
|
|
+.B info gnutls
|
|
+.PP
|
|
+should give you access to the complete manual.
|
|
diff -up gnutls-2.8.6/doc/manpages/gnutls-serv.1.reneg gnutls-2.8.6/doc/manpages/gnutls-serv.1
|
|
--- gnutls-2.8.6/doc/manpages/gnutls-serv.1.reneg 2009-06-02 21:07:14.000000000 +0200
|
|
+++ gnutls-2.8.6/doc/manpages/gnutls-serv.1 2010-06-02 10:23:27.000000000 +0200
|
|
@@ -75,6 +75,15 @@ Special keywords:
|
|
.IP
|
|
'%COMPAT' will enable compatibility features for a server.
|
|
.IP
|
|
+"%UNSAFE_RENEGOTIATION" Permits (re-)handshakes even unsafe ones.
|
|
+.IP
|
|
+"%PARTIAL_RENEGOTIATION" Prevents renegotiation with clients and servers not
|
|
+supporting the safe renegotiation extension. (default)
|
|
+.IP
|
|
+"%SAFE_RENEGOTIATION" will enable safe renegotiation. This is the most
|
|
+secure and recommended option for clients. However this will prevent from
|
|
+connecting to legacy servers.
|
|
+.IP
|
|
To avoid collisions in order to specify a compression algorithm in
|
|
this string you have to prefix it with "COMP-", protocol versions
|
|
with "VERS-" and certificate types with "CTYPE-". All other
|
|
diff -up gnutls-2.8.6/doc/manpages/Makefile.in.reneg gnutls-2.8.6/doc/manpages/Makefile.in
|
|
--- gnutls-2.8.6/doc/manpages/Makefile.in.reneg 2010-03-15 11:32:23.000000000 +0100
|
|
+++ gnutls-2.8.6/doc/manpages/Makefile.in 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -525,7 +525,6 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
|
|
PACKAGE_NAME = @PACKAGE_NAME@
|
|
PACKAGE_STRING = @PACKAGE_STRING@
|
|
PACKAGE_TARNAME = @PACKAGE_TARNAME@
|
|
-PACKAGE_URL = @PACKAGE_URL@
|
|
PACKAGE_VERSION = @PACKAGE_VERSION@
|
|
PATH_SEPARATOR = @PATH_SEPARATOR@
|
|
PKG_CONFIG = @PKG_CONFIG@
|
|
@@ -684,7 +683,8 @@ APIMANS = gnutls_crypto_single_cipher_re
|
|
gnutls_crypto_bigint_register2.3 gnutls_crypto_pk_register2.3 \
|
|
gnutls_crypto_cipher_register2.3 gnutls_crypto_mac_register2.3 \
|
|
gnutls_crypto_digest_register2.3 gnutls_oprfi_enable_client.3 \
|
|
- gnutls_oprfi_enable_server.3 gnutls_server_name_get.3 \
|
|
+ gnutls_oprfi_enable_server.3 \
|
|
+ gnutls_safe_renegotiation_status.3 gnutls_server_name_get.3 \
|
|
gnutls_server_name_set.3 gnutls_alert_get_name.3 \
|
|
gnutls_alert_send.3 gnutls_error_to_alert.3 \
|
|
gnutls_alert_send_appropriate.3 gnutls_alert_get.3 \
|
|
diff -up gnutls-2.8.6/lib/ext_safe_renegotiation.c.reneg gnutls-2.8.6/lib/ext_safe_renegotiation.c
|
|
--- gnutls-2.8.6/lib/ext_safe_renegotiation.c.reneg 2010-05-31 22:52:31.000000000 +0200
|
|
+++ gnutls-2.8.6/lib/ext_safe_renegotiation.c 2010-06-02 10:23:27.000000000 +0200
|
|
@@ -0,0 +1,139 @@
|
|
+/*
|
|
+ * Copyright (C) 2009 Free Software Foundation
|
|
+ *
|
|
+ * Author: Steve Dispensa (<dispensa@phonefactor.com>)
|
|
+ *
|
|
+ * This file is part of GNUTLS.
|
|
+ *
|
|
+ * The GNUTLS library is free software; you can redistribute it and/or
|
|
+ * modify it under the terms of the GNU Lesser General Public License
|
|
+ * as published by the Free Software Foundation; either version 2.1 of
|
|
+ * the License, or (at your option) any later version.
|
|
+ *
|
|
+ * This library is distributed in the hope that it will be useful, but
|
|
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
+ * Lesser General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU Lesser General Public
|
|
+ * License along with this library; if not, write to the Free Software
|
|
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
|
|
+ * USA
|
|
+ *
|
|
+ */
|
|
+
|
|
+#include <gnutls_int.h>
|
|
+#include <ext_safe_renegotiation.h>
|
|
+#include <gnutls_errors.h>
|
|
+
|
|
+int
|
|
+_gnutls_safe_renegotiation_recv_params (gnutls_session_t session,
|
|
+ const opaque * data, size_t _data_size)
|
|
+{
|
|
+ tls_ext_st *ext = &session->security_parameters.extensions;
|
|
+ int len = data[0];
|
|
+ ssize_t data_size = _data_size;
|
|
+
|
|
+ DECR_LEN (data_size, len+1 /* count the first byte and payload */);
|
|
+
|
|
+ if (session->internals.priorities.sr == SR_DISABLED)
|
|
+ {
|
|
+ gnutls_assert ();
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+ /* It is not legal to receive this extension on a renegotiation and
|
|
+ * not receive it on the initial negotiation.
|
|
+ */
|
|
+ if (session->internals.initial_negotiation_completed != 0 &&
|
|
+ session->internals.connection_using_safe_renegotiation == 0)
|
|
+ {
|
|
+ gnutls_assert();
|
|
+ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;
|
|
+ }
|
|
+
|
|
+ if (len > sizeof (ext->ri_extension_data))
|
|
+ {
|
|
+ gnutls_assert();
|
|
+ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;
|
|
+ }
|
|
+
|
|
+ if (len > 0)
|
|
+ memcpy (ext->ri_extension_data, &data[1], len);
|
|
+ ext->ri_extension_data_len = len;
|
|
+
|
|
+ /* "safe renegotiation received" means on *this* handshake; "connection using
|
|
+ * safe renegotiation" means that the initial hello received on the connection
|
|
+ * indicated safe renegotiation.
|
|
+ */
|
|
+ session->internals.safe_renegotiation_received = 1;
|
|
+ session->internals.connection_using_safe_renegotiation = 1;
|
|
+
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+int
|
|
+_gnutls_safe_renegotiation_send_params (gnutls_session_t session,
|
|
+ opaque * data, size_t _data_size)
|
|
+{
|
|
+ /* The format of this extension is a one-byte length of verify data followed
|
|
+ * by the verify data itself. Note that the length byte does not include
|
|
+ * itself; IOW, empty verify data is represented as a length of 0. That means
|
|
+ * the minimum extension is one byte: 0x00.
|
|
+ */
|
|
+ ssize_t data_size = _data_size;
|
|
+ tls_ext_st *ext = &session->security_parameters.extensions;
|
|
+
|
|
+
|
|
+ if (session->internals.priorities.sr == SR_DISABLED)
|
|
+ {
|
|
+ gnutls_assert();
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+ data[0] = 0;
|
|
+
|
|
+ /* Always offer the extension if we're a client */
|
|
+ if (session->internals.connection_using_safe_renegotiation ||
|
|
+ session->security_parameters.entity == GNUTLS_CLIENT)
|
|
+ {
|
|
+ DECR_LEN (data_size, 1);
|
|
+ data[0] = ext->client_verify_data_len;
|
|
+
|
|
+ DECR_LEN (data_size, ext->client_verify_data_len);
|
|
+
|
|
+ if (ext->client_verify_data_len > 0)
|
|
+ memcpy(&data[1],
|
|
+ ext->client_verify_data,
|
|
+ ext->client_verify_data_len);
|
|
+
|
|
+ if (session->security_parameters.entity == GNUTLS_SERVER)
|
|
+ {
|
|
+ data[0] += ext->server_verify_data_len;
|
|
+
|
|
+ DECR_LEN (data_size, ext->server_verify_data_len);
|
|
+
|
|
+ if (ext->server_verify_data_len > 0)
|
|
+ memcpy(&data[1 + ext->client_verify_data_len],
|
|
+ ext->server_verify_data,
|
|
+ ext->server_verify_data_len);
|
|
+ }
|
|
+ }
|
|
+ else
|
|
+ return 0;
|
|
+
|
|
+ return 1 + data[0]; /* don't forget the length byte */
|
|
+}
|
|
+
|
|
+/**
|
|
+ * gnutls_safe_renegotiation_status:
|
|
+ * @session: is a #gnutls_session_t structure.
|
|
+ *
|
|
+ * Can be used to check whether safe renegotiation is being used
|
|
+ * in the current session. Returns 0 when not and non zero when
|
|
+ * used.
|
|
+ **/
|
|
+int gnutls_safe_renegotiation_status (gnutls_session_t session)
|
|
+{
|
|
+ return session->internals.connection_using_safe_renegotiation;
|
|
+}
|
|
diff -up gnutls-2.8.6/lib/ext_safe_renegotiation.h.reneg gnutls-2.8.6/lib/ext_safe_renegotiation.h
|
|
--- gnutls-2.8.6/lib/ext_safe_renegotiation.h.reneg 2010-05-31 22:52:31.000000000 +0200
|
|
+++ gnutls-2.8.6/lib/ext_safe_renegotiation.h 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -0,0 +1,33 @@
|
|
+/*
|
|
+ * Copyright (C) 2009 Free Software Foundation
|
|
+ *
|
|
+ * Author: Steve Dispensa (<dispensa@phonefactor.com>)
|
|
+ *
|
|
+ * This file is part of GNUTLS.
|
|
+ *
|
|
+ * The GNUTLS library is free software; you can redistribute it and/or
|
|
+ * modify it under the terms of the GNU Lesser General Public License
|
|
+ * as published by the Free Software Foundation; either version 2.1 of
|
|
+ * the License, or (at your option) any later version.
|
|
+ *
|
|
+ * This library is distributed in the hope that it will be useful, but
|
|
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
+ * Lesser General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU Lesser General Public
|
|
+ * License along with this library; if not, write to the Free Software
|
|
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
|
|
+ * USA
|
|
+ *
|
|
+ */
|
|
+
|
|
+#ifndef EXT_SAFE_RENEGOTIATION_H
|
|
+# define EXT_SAFE_RENEGOTIATION_H
|
|
+
|
|
+int _gnutls_safe_renegotiation_recv_params (gnutls_session_t state,
|
|
+ const opaque * data, size_t data_size);
|
|
+int _gnutls_safe_renegotiation_send_params (gnutls_session_t state,
|
|
+ opaque * data, size_t);
|
|
+
|
|
+#endif /* EXT_SAFE_RENEGOTIATION_H */
|
|
diff -up gnutls-2.8.6/lib/gnutls_alert.c.reneg gnutls-2.8.6/lib/gnutls_alert.c
|
|
--- gnutls-2.8.6/lib/gnutls_alert.c.reneg 2009-06-02 20:59:32.000000000 +0200
|
|
+++ gnutls-2.8.6/lib/gnutls_alert.c 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -180,6 +180,10 @@ gnutls_error_to_alert (int err, int *lev
|
|
ret = GNUTLS_A_ILLEGAL_PARAMETER;
|
|
_level = GNUTLS_AL_FATAL;
|
|
break;
|
|
+ case GNUTLS_E_UNKNOWN_SRP_USERNAME:
|
|
+ ret = GNUTLS_A_UNKNOWN_PSK_IDENTITY;
|
|
+ _level = GNUTLS_AL_FATAL;
|
|
+ break;
|
|
case GNUTLS_E_ASN1_ELEMENT_NOT_FOUND:
|
|
case GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND:
|
|
case GNUTLS_E_ASN1_DER_ERROR:
|
|
@@ -199,6 +203,7 @@ gnutls_error_to_alert (int err, int *lev
|
|
case GNUTLS_E_INSUFFICIENT_CREDENTIALS:
|
|
case GNUTLS_E_NO_CIPHER_SUITES:
|
|
case GNUTLS_E_NO_COMPRESSION_ALGORITHMS:
|
|
+ case GNUTLS_E_SAFE_RENEGOTIATION_FAILED:
|
|
ret = GNUTLS_A_HANDSHAKE_FAILURE;
|
|
_level = GNUTLS_AL_FATAL;
|
|
break;
|
|
@@ -212,6 +217,7 @@ gnutls_error_to_alert (int err, int *lev
|
|
_level = GNUTLS_AL_FATAL;
|
|
break;
|
|
case GNUTLS_E_REHANDSHAKE:
|
|
+ case GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED:
|
|
ret = GNUTLS_A_NO_RENEGOTIATION;
|
|
_level = GNUTLS_AL_WARNING;
|
|
break;
|
|
diff -up gnutls-2.8.6/lib/gnutls_algorithms.c.reneg gnutls-2.8.6/lib/gnutls_algorithms.c
|
|
--- gnutls-2.8.6/lib/gnutls_algorithms.c.reneg 2009-08-12 08:58:22.000000000 +0200
|
|
+++ gnutls-2.8.6/lib/gnutls_algorithms.c 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -457,6 +457,10 @@ typedef struct
|
|
#define GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 { 0x00,0x88 }
|
|
#endif
|
|
|
|
+/* Safe renegotiation */
|
|
+
|
|
+#define GNUTLS_RENEGO_PROTECTION_REQUEST { GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR, GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR }
|
|
+
|
|
#define CIPHER_SUITES_COUNT sizeof(cs_algorithms)/sizeof(gnutls_cipher_suite_entry)-1
|
|
|
|
static const gnutls_cipher_suite_entry cs_algorithms[] = {
|
|
@@ -624,6 +628,9 @@ static const gnutls_cipher_suite_entry c
|
|
GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_RSA,
|
|
GNUTLS_MAC_SHA1, GNUTLS_TLS1),
|
|
#endif
|
|
+ GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_RENEGO_PROTECTION_REQUEST,
|
|
+ GNUTLS_CIPHER_UNKNOWN, GNUTLS_KX_UNKNOWN,
|
|
+ GNUTLS_MAC_UNKNOWN, GNUTLS_SSL3),
|
|
{0, {{0, 0}}, 0, 0, 0, 0}
|
|
};
|
|
|
|
diff -up gnutls-2.8.6/lib/gnutls_algorithms.h.reneg gnutls-2.8.6/lib/gnutls_algorithms.h
|
|
--- gnutls-2.8.6/lib/gnutls_algorithms.h.reneg 2009-06-02 20:59:32.000000000 +0200
|
|
+++ gnutls-2.8.6/lib/gnutls_algorithms.h 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -27,6 +27,9 @@
|
|
|
|
#include "gnutls_auth.h"
|
|
|
|
+#define GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR 0x00
|
|
+#define GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR 0xFF
|
|
+
|
|
/* Functions for version handling. */
|
|
gnutls_protocol_t _gnutls_version_lowest (gnutls_session_t session);
|
|
gnutls_protocol_t _gnutls_version_max (gnutls_session_t session);
|
|
diff -up gnutls-2.8.6/lib/gnutls_constate.c.reneg gnutls-2.8.6/lib/gnutls_constate.c
|
|
--- gnutls-2.8.6/lib/gnutls_constate.c.reneg 2009-11-06 09:39:42.000000000 +0100
|
|
+++ gnutls-2.8.6/lib/gnutls_constate.c 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -380,6 +380,17 @@ _gnutls_set_write_keys (gnutls_session_t
|
|
export_flag);
|
|
}
|
|
|
|
+#define CPY_EXTENSIONS \
|
|
+ memcpy(dst->extensions.server_names, src->extensions.server_names, sizeof(src->extensions.server_names)); \
|
|
+ dst->extensions.server_names_size = src->extensions.server_names_size; \
|
|
+ memcpy(dst->extensions.srp_username, src->extensions.srp_username, sizeof(src->extensions.srp_username)); \
|
|
+ dst->extensions.gnutls_ia_enable = src->extensions.gnutls_ia_enable; \
|
|
+ dst->extensions.gnutls_ia_peer_enable = src->extensions.gnutls_ia_peer_enable; \
|
|
+ dst->extensions.gnutls_ia_allowskip = src->extensions.gnutls_ia_allowskip; \
|
|
+ dst->extensions.gnutls_ia_peer_allowskip = src->extensions.gnutls_ia_peer_allowskip; \
|
|
+ dst->extensions.do_recv_supplemental = src->extensions.do_recv_supplemental; \
|
|
+ dst->extensions.do_send_supplemental = src->extensions.do_send_supplemental
|
|
+
|
|
#define CPY_COMMON dst->entity = src->entity; \
|
|
dst->kx_algorithm = src->kx_algorithm; \
|
|
memcpy( &dst->current_cipher_suite, &src->current_cipher_suite, sizeof(cipher_suite_st)); \
|
|
@@ -393,8 +404,8 @@ _gnutls_set_write_keys (gnutls_session_t
|
|
dst->max_record_recv_size = src->max_record_recv_size; \
|
|
dst->max_record_send_size = src->max_record_send_size; \
|
|
dst->version = src->version; \
|
|
- memcpy( &dst->extensions, &src->extensions, sizeof(tls_ext_st)); \
|
|
- memcpy( &dst->inner_secret, &src->inner_secret, GNUTLS_MASTER_SIZE);
|
|
+ CPY_EXTENSIONS; \
|
|
+ memcpy( &dst->inner_secret, &src->inner_secret, GNUTLS_MASTER_SIZE)
|
|
|
|
static void
|
|
_gnutls_cpy_read_security_parameters (security_parameters_st *
|
|
diff -up gnutls-2.8.6/lib/gnutls_errors.c.reneg gnutls-2.8.6/lib/gnutls_errors.c
|
|
--- gnutls-2.8.6/lib/gnutls_errors.c.reneg 2009-06-02 20:59:32.000000000 +0200
|
|
+++ gnutls-2.8.6/lib/gnutls_errors.c 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -220,9 +220,15 @@ static const gnutls_error_entry error_al
|
|
GNUTLS_E_OPENPGP_GETKEY_FAILED, 1),
|
|
ERROR_ENTRY (N_("Could not find OpenPGP subkey."),
|
|
GNUTLS_E_OPENPGP_SUBKEY_ERROR, 1),
|
|
+ ERROR_ENTRY (N_("Safe renegotiation failed."),
|
|
+ GNUTLS_E_SAFE_RENEGOTIATION_FAILED, 1),
|
|
+ ERROR_ENTRY (N_("Unsafe renegotiation denied."),
|
|
+ GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED, 1),
|
|
|
|
ERROR_ENTRY (N_("The SRP username supplied is illegal."),
|
|
GNUTLS_E_ILLEGAL_SRP_USERNAME, 1),
|
|
+ ERROR_ENTRY (N_("The SRP username supplied is unknown."),
|
|
+ GNUTLS_E_UNKNOWN_SRP_USERNAME, 1),
|
|
|
|
ERROR_ENTRY (N_("The OpenPGP fingerprint is not supported."),
|
|
GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED, 1),
|
|
diff -up gnutls-2.8.6/lib/gnutls_extensions.c.reneg gnutls-2.8.6/lib/gnutls_extensions.c
|
|
--- gnutls-2.8.6/lib/gnutls_extensions.c.reneg 2009-06-08 19:11:03.000000000 +0200
|
|
+++ gnutls-2.8.6/lib/gnutls_extensions.c 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -35,6 +35,7 @@
|
|
#include <ext_server_name.h>
|
|
#include <ext_oprfi.h>
|
|
#include <ext_srp.h>
|
|
+#include <ext_safe_renegotiation.h>
|
|
#include <gnutls_num.h>
|
|
|
|
typedef struct
|
|
@@ -133,7 +134,7 @@ _gnutls_parse_extensions (gnutls_session
|
|
type = _gnutls_read_uint16 (&data[pos]);
|
|
pos += 2;
|
|
|
|
- _gnutls_debug_log ("EXT[%p]: Received extension '%s/%d'\n", session,
|
|
+ _gnutls_debug_log ("EXT[%p]: Found extension '%s/%d'\n", session,
|
|
_gnutls_extension_get_name (type), type);
|
|
|
|
if ((ret = _gnutls_extension_list_check (session, type)) < 0)
|
|
@@ -153,6 +154,8 @@ _gnutls_parse_extensions (gnutls_session
|
|
ext_recv = _gnutls_ext_func_recv (type, parse_type);
|
|
if (ext_recv == NULL)
|
|
continue;
|
|
+
|
|
+
|
|
if ((ret = ext_recv (session, sdata, size)) < 0)
|
|
{
|
|
gnutls_assert ();
|
|
@@ -170,7 +173,7 @@ _gnutls_parse_extensions (gnutls_session
|
|
* This list is used to check whether the (later) received
|
|
* extensions are the ones we requested.
|
|
*/
|
|
-static void
|
|
+void
|
|
_gnutls_extension_list_add (gnutls_session_t session, uint16_t type)
|
|
{
|
|
|
|
@@ -192,7 +195,7 @@ _gnutls_extension_list_add (gnutls_sessi
|
|
|
|
int
|
|
_gnutls_gen_extensions (gnutls_session_t session, opaque * data,
|
|
- size_t data_size)
|
|
+ size_t data_size, gnutls_ext_parse_type_t parse_type)
|
|
{
|
|
int size;
|
|
uint16_t pos = 0;
|
|
@@ -223,6 +226,9 @@ _gnutls_gen_extensions (gnutls_session_t
|
|
|
|
if (p->send_func == NULL)
|
|
continue;
|
|
+
|
|
+ if (parse_type != GNUTLS_EXT_ANY && p->parse_type != parse_type)
|
|
+ continue;
|
|
|
|
size = p->send_func (session, sdata, sdata_size);
|
|
if (size > 0)
|
|
@@ -304,6 +310,14 @@ _gnutls_ext_init (void)
|
|
if (ret != GNUTLS_E_SUCCESS)
|
|
return ret;
|
|
|
|
+ ret = gnutls_ext_register (GNUTLS_EXTENSION_SAFE_RENEGOTIATION,
|
|
+ "SAFE_RENEGOTIATION",
|
|
+ GNUTLS_EXT_MANDATORY,
|
|
+ _gnutls_safe_renegotiation_recv_params,
|
|
+ _gnutls_safe_renegotiation_send_params);
|
|
+ if (ret != GNUTLS_E_SUCCESS)
|
|
+ return ret;
|
|
+
|
|
#ifdef ENABLE_OPRFI
|
|
ret = gnutls_ext_register (GNUTLS_EXTENSION_OPAQUE_PRF_INPUT,
|
|
"OPAQUE_PRF_INPUT",
|
|
diff -up gnutls-2.8.6/lib/gnutls_extensions.h.reneg gnutls-2.8.6/lib/gnutls_extensions.h
|
|
--- gnutls-2.8.6/lib/gnutls_extensions.h.reneg 2009-06-02 20:59:32.000000000 +0200
|
|
+++ gnutls-2.8.6/lib/gnutls_extensions.h 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -26,6 +26,8 @@ int _gnutls_parse_extensions (gnutls_ses
|
|
gnutls_ext_parse_type_t parse_type,
|
|
const opaque *data, int data_size);
|
|
int _gnutls_gen_extensions (gnutls_session_t session, opaque * data,
|
|
- size_t data_size);
|
|
+ size_t data_size, gnutls_ext_parse_type_t);
|
|
int _gnutls_ext_init (void);
|
|
void _gnutls_ext_deinit (void);
|
|
+
|
|
+void _gnutls_extension_list_add (gnutls_session_t session, uint16_t type);
|
|
diff -up gnutls-2.8.6/lib/gnutls_handshake.c.reneg gnutls-2.8.6/lib/gnutls_handshake.c
|
|
--- gnutls-2.8.6/lib/gnutls_handshake.c.reneg 2009-11-02 11:30:39.000000000 +0100
|
|
+++ gnutls-2.8.6/lib/gnutls_handshake.c 2010-06-02 10:29:00.000000000 +0200
|
|
@@ -48,6 +48,7 @@
|
|
#include <gnutls_record.h>
|
|
#include <gnutls_state.h>
|
|
#include <ext_srp.h>
|
|
+#include <ext_safe_renegotiation.h>
|
|
#include <gnutls_rsa_export.h> /* for gnutls_get_rsa_params() */
|
|
#include <auth_anon.h> /* for gnutls_anon_server_credentials_t */
|
|
#include <auth_psk.h> /* for gnutls_psk_server_credentials_t */
|
|
@@ -119,6 +120,7 @@ resume_copy_required_values (gnutls_sess
|
|
sizeof (session->security_parameters.session_id));
|
|
session->security_parameters.session_id_size =
|
|
session->internals.resumed_security_parameters.session_id_size;
|
|
+
|
|
}
|
|
|
|
void
|
|
@@ -404,8 +406,36 @@ _gnutls_read_client_hello (gnutls_sessio
|
|
|
|
if (ret == 0)
|
|
{ /* resumed! */
|
|
+ /* Parse only the safe renegotiation extension
|
|
+ * We don't want to parse any other extensions since
|
|
+ * we don't want new extension values to overwrite the
|
|
+ * resumed ones.
|
|
+ */
|
|
+
|
|
+ /* move forward to extensions */
|
|
+ DECR_LEN (len, 2);
|
|
+ suite_size = _gnutls_read_uint16 (&data[pos]);
|
|
+ pos += 2;
|
|
+
|
|
+ DECR_LEN (len, suite_size);
|
|
+ pos += suite_size;
|
|
+
|
|
+ DECR_LEN (len, 1);
|
|
+ comp_size = data[pos++]; /* z is the number of compression methods */
|
|
+ DECR_LEN (len, comp_size);
|
|
+ pos += comp_size;
|
|
+
|
|
+ ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY,
|
|
+ &data[pos], len);
|
|
+ if (ret < 0)
|
|
+ {
|
|
+ gnutls_assert ();
|
|
+ return ret;
|
|
+ }
|
|
+
|
|
resume_copy_required_values (session);
|
|
session->internals.resumed = RESUME_TRUE;
|
|
+
|
|
return _gnutls_user_hello_func (session, adv_version);
|
|
}
|
|
else
|
|
@@ -437,17 +467,17 @@ _gnutls_read_client_hello (gnutls_sessio
|
|
pos += comp_size;
|
|
|
|
/* Parse the extensions (if any)
|
|
- */
|
|
- if (neg_version >= GNUTLS_TLS1)
|
|
+ *
|
|
+ * Unconditionally try to parse extensions; safe renegotiation uses them in
|
|
+ * sslv3 and higher, even though sslv3 doesn't officially support them.
|
|
+ */
|
|
+ ret = _gnutls_parse_extensions (session, GNUTLS_EXT_APPLICATION,
|
|
+ &data[pos], len);
|
|
+ /* len is the rest of the parsed length */
|
|
+ if (ret < 0)
|
|
{
|
|
- ret = _gnutls_parse_extensions (session, GNUTLS_EXT_APPLICATION,
|
|
- &data[pos], len);
|
|
- /* len is the rest of the parsed length */
|
|
- if (ret < 0)
|
|
- {
|
|
- gnutls_assert ();
|
|
- return ret;
|
|
- }
|
|
+ gnutls_assert ();
|
|
+ return ret;
|
|
}
|
|
|
|
ret = _gnutls_user_hello_func (session, adv_version);
|
|
@@ -457,16 +487,20 @@ _gnutls_read_client_hello (gnutls_sessio
|
|
return ret;
|
|
}
|
|
|
|
- if (neg_version >= GNUTLS_TLS1)
|
|
+ ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY,
|
|
+ &data[pos], len);
|
|
+ if (ret < 0)
|
|
{
|
|
- ret = _gnutls_parse_extensions (session, GNUTLS_EXT_TLS,
|
|
- &data[pos], len);
|
|
- /* len is the rest of the parsed length */
|
|
- if (ret < 0)
|
|
- {
|
|
- gnutls_assert ();
|
|
- return ret;
|
|
- }
|
|
+ gnutls_assert ();
|
|
+ return ret;
|
|
+ }
|
|
+
|
|
+ ret = _gnutls_parse_extensions (session, GNUTLS_EXT_TLS,
|
|
+ &data[pos], len);
|
|
+ if (ret < 0)
|
|
+ {
|
|
+ gnutls_assert ();
|
|
+ return ret;
|
|
}
|
|
|
|
/* select an appropriate cipher suite
|
|
@@ -531,7 +565,7 @@ _gnutls_handshake_hash_pending (gnutls_s
|
|
static int
|
|
_gnutls_send_finished (gnutls_session_t session, int again)
|
|
{
|
|
- uint8_t data[36];
|
|
+ uint8_t data[MAX_VERIFY_DATA_SIZE];
|
|
int ret;
|
|
int data_size = 0;
|
|
|
|
@@ -556,7 +590,7 @@ _gnutls_send_finished (gnutls_session_t
|
|
data_size = 36;
|
|
}
|
|
else
|
|
- { /* TLS 1.0 */
|
|
+ { /* TLS 1.0+ */
|
|
ret = _gnutls_finished (session,
|
|
session->security_parameters.entity, data);
|
|
data_size = 12;
|
|
@@ -572,6 +606,31 @@ _gnutls_send_finished (gnutls_session_t
|
|
session->internals.finished_func (session, data, data_size);
|
|
}
|
|
|
|
+ /* Save data for safe renegotiation.
|
|
+ */
|
|
+ if (data_size > MAX_VERIFY_DATA_SIZE)
|
|
+ {
|
|
+ gnutls_assert ();
|
|
+ return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
|
|
+ }
|
|
+
|
|
+ if (session->security_parameters.entity == GNUTLS_CLIENT)
|
|
+ {
|
|
+ session->security_parameters.extensions.client_verify_data_len =
|
|
+ data_size;
|
|
+
|
|
+ memcpy (session->security_parameters.extensions.client_verify_data,
|
|
+ data, data_size);
|
|
+ }
|
|
+ else
|
|
+ {
|
|
+ session->security_parameters.extensions.server_verify_data_len =
|
|
+ data_size;
|
|
+
|
|
+ memcpy (session->security_parameters.extensions.server_verify_data,
|
|
+ data, data_size);
|
|
+ }
|
|
+
|
|
ret =
|
|
_gnutls_send_handshake (session, data_size ? data : NULL, data_size,
|
|
GNUTLS_HANDSHAKE_FINISHED);
|
|
@@ -585,10 +644,11 @@ _gnutls_send_finished (gnutls_session_t
|
|
static int
|
|
_gnutls_recv_finished (gnutls_session_t session)
|
|
{
|
|
- uint8_t data[36], *vrfy;
|
|
+ uint8_t data[MAX_VERIFY_DATA_SIZE], *vrfy;
|
|
int data_size;
|
|
int ret;
|
|
int vrfysize;
|
|
+ tls_ext_st *ext;
|
|
|
|
ret =
|
|
_gnutls_recv_handshake (session, &vrfy, &vrfysize,
|
|
@@ -646,6 +706,28 @@ _gnutls_recv_finished (gnutls_session_t
|
|
}
|
|
gnutls_free (vrfy);
|
|
|
|
+ /* Save peer's verify data for safe renegotiation */
|
|
+ if (data_size > MAX_VERIFY_DATA_SIZE)
|
|
+ {
|
|
+ gnutls_assert ();
|
|
+ return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
|
|
+ }
|
|
+
|
|
+ ext = &session->security_parameters.extensions;
|
|
+
|
|
+ if (session->security_parameters.entity == GNUTLS_CLIENT)
|
|
+ {
|
|
+ memcpy (ext->server_verify_data, data, data_size);
|
|
+ ext->server_verify_data_len = data_size;
|
|
+ }
|
|
+ else
|
|
+ {
|
|
+ memcpy (ext->client_verify_data, data, data_size);
|
|
+ ext->client_verify_data_len = data_size;
|
|
+ }
|
|
+
|
|
+ session->internals.initial_negotiation_completed = 1;
|
|
+
|
|
return ret;
|
|
}
|
|
|
|
@@ -685,7 +767,6 @@ _gnutls_server_find_pk_algos_in_ciphersu
|
|
return algo;
|
|
}
|
|
|
|
-
|
|
/* This selects the best supported ciphersuite from the given ones. Then
|
|
* it adds the suite to the session and performs some checks.
|
|
*/
|
|
@@ -700,11 +781,31 @@ _gnutls_server_select_suite (gnutls_sess
|
|
* supported by the peer.
|
|
*/
|
|
|
|
+ /* First, check for safe renegotiation SCSV.
|
|
+ */
|
|
+ if (session->internals.priorities.sr != SR_DISABLED)
|
|
+ {
|
|
+ int offset;
|
|
+
|
|
+ for(offset = 0; offset < datalen; offset += 2)
|
|
+ {
|
|
+ /* TLS_RENEGO_PROTECTION_REQUEST = { 0x00, 0xff } */
|
|
+ if (data[offset] == GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR &&
|
|
+ data[offset+1] == GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR)
|
|
+ {
|
|
+ _gnutls_handshake_log ("HSK[%p]: Received safe renegotiation CS\n", session);
|
|
+ session->internals.safe_renegotiation_received = 1;
|
|
+ session->internals.connection_using_safe_renegotiation = 1;
|
|
+ break;
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+
|
|
pk_algo = _gnutls_server_find_pk_algos_in_ciphersuites (data, datalen);
|
|
|
|
x = _gnutls_supported_ciphersuites (session, &ciphers);
|
|
if (x < 0)
|
|
- { /* the case x==0 is handled within the function. */
|
|
+ { /* the case x==0 is handled within the function. */
|
|
gnutls_assert ();
|
|
return x;
|
|
}
|
|
@@ -752,21 +853,21 @@ _gnutls_server_select_suite (gnutls_sess
|
|
|
|
for (j = 0; j < datalen; j += 2)
|
|
{
|
|
- for (i = 0; i < x; i++)
|
|
- {
|
|
- if (memcmp (ciphers[i].suite, &data[j], 2) == 0)
|
|
- {
|
|
- memcpy (&cs.suite, &data[j], 2);
|
|
-
|
|
- _gnutls_handshake_log
|
|
- ("HSK[%p]: Selected cipher suite: %s\n", session,
|
|
- _gnutls_cipher_suite_get_name (&cs));
|
|
- memcpy (session->security_parameters.current_cipher_suite.suite,
|
|
- ciphers[i].suite, 2);
|
|
- retval = 0;
|
|
- goto finish;
|
|
- }
|
|
- }
|
|
+ for (i = 0; i < x; i++)
|
|
+ {
|
|
+ if (memcmp (ciphers[i].suite, &data[j], 2) == 0)
|
|
+ {
|
|
+ memcpy (&cs.suite, &data[j], 2);
|
|
+
|
|
+ _gnutls_handshake_log
|
|
+ ("HSK[%p]: Selected cipher suite: %s\n", session,
|
|
+ _gnutls_cipher_suite_get_name (&cs));
|
|
+ memcpy (session->security_parameters.current_cipher_suite.suite,
|
|
+ ciphers[i].suite, 2);
|
|
+ retval = 0;
|
|
+ goto finish;
|
|
+ }
|
|
+ }
|
|
}
|
|
|
|
finish:
|
|
@@ -960,7 +1061,7 @@ _gnutls_send_handshake (gnutls_session_t
|
|
if (i_datasize > 0)
|
|
memcpy (&data[pos], i_data, i_datasize);
|
|
|
|
- _gnutls_handshake_log ("HSK[%p]: %s was send [%ld bytes]\n",
|
|
+ _gnutls_handshake_log ("HSK[%p]: %s was sent [%ld bytes]\n",
|
|
session, _gnutls_handshake2str (type),
|
|
(long) datasize);
|
|
|
|
@@ -1042,7 +1143,6 @@ _gnutls_recv_handshake_header (gnutls_se
|
|
|
|
if (ret < 0)
|
|
{
|
|
- gnutls_assert ();
|
|
return ret;
|
|
}
|
|
|
|
@@ -1525,15 +1625,26 @@ _gnutls_read_server_hello (gnutls_sessio
|
|
}
|
|
DECR_LEN (len, session_id_len);
|
|
|
|
-
|
|
/* check if we are resuming and set the appropriate
|
|
* values;
|
|
*/
|
|
if (_gnutls_client_check_if_resuming
|
|
(session, &data[pos], session_id_len) == 0)
|
|
- return 0;
|
|
- pos += session_id_len;
|
|
+ {
|
|
+ pos += session_id_len + 2 + 1;
|
|
+ DECR_LEN (len, 2+1);
|
|
|
|
+ ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY,
|
|
+ &data[pos], len);
|
|
+ if (ret < 0)
|
|
+ {
|
|
+ gnutls_assert ();
|
|
+ return ret;
|
|
+ }
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+ pos += session_id_len;
|
|
|
|
/* Check if the given cipher suite is supported and copy
|
|
* it to the session.
|
|
@@ -1548,8 +1659,6 @@ _gnutls_read_server_hello (gnutls_sessio
|
|
}
|
|
pos += 2;
|
|
|
|
-
|
|
-
|
|
/* move to compression
|
|
*/
|
|
DECR_LEN (len, 1);
|
|
@@ -1563,32 +1672,32 @@ _gnutls_read_server_hello (gnutls_sessio
|
|
|
|
/* Parse extensions.
|
|
*/
|
|
- if (version >= GNUTLS_TLS1)
|
|
+ ret = _gnutls_parse_extensions (session, GNUTLS_EXT_ANY,
|
|
+ &data[pos], len);
|
|
+ if (ret < 0)
|
|
{
|
|
- ret = _gnutls_parse_extensions (session, GNUTLS_EXT_ANY,
|
|
- &data[pos], len);
|
|
- /* len is the rest of the parsed length */
|
|
- if (ret < 0)
|
|
- {
|
|
- gnutls_assert ();
|
|
- return ret;
|
|
- }
|
|
+ gnutls_assert ();
|
|
+ return ret;
|
|
}
|
|
+
|
|
return ret;
|
|
}
|
|
|
|
|
|
/* This function copies the appropriate ciphersuites to a locally allocated buffer
|
|
- * Needed in client hello messages. Returns the new data length.
|
|
+ * Needed in client hello messages. Returns the new data length. If add_scsv is
|
|
+ * true, add the special safe renegotiation CS.
|
|
*/
|
|
static int
|
|
_gnutls_copy_ciphersuites (gnutls_session_t session,
|
|
- opaque * ret_data, size_t ret_data_size)
|
|
+ opaque * ret_data, size_t ret_data_size,
|
|
+ int add_scsv)
|
|
{
|
|
int ret, i;
|
|
cipher_suite_st *cipher_suites;
|
|
uint16_t cipher_num;
|
|
int datalen, pos;
|
|
+ uint16_t loop_max;
|
|
|
|
ret = _gnutls_supported_ciphersuites_sorted (session, &cipher_suites);
|
|
if (ret < 0)
|
|
@@ -1619,6 +1728,9 @@ _gnutls_copy_ciphersuites (gnutls_sessio
|
|
return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
|
|
}
|
|
|
|
+ if (add_scsv)
|
|
+ ++ret;
|
|
+
|
|
cipher_num = ret;
|
|
|
|
cipher_num *= sizeof (uint16_t); /* in order to get bytes */
|
|
@@ -1636,11 +1748,21 @@ _gnutls_copy_ciphersuites (gnutls_sessio
|
|
_gnutls_write_uint16 (cipher_num, ret_data);
|
|
pos += 2;
|
|
|
|
- for (i = 0; i < (cipher_num / 2); i++)
|
|
+ loop_max = add_scsv ? cipher_num - 2 : cipher_num;
|
|
+
|
|
+ for (i = 0; i < (loop_max / 2); i++)
|
|
{
|
|
memcpy (&ret_data[pos], cipher_suites[i].suite, 2);
|
|
pos += 2;
|
|
}
|
|
+
|
|
+ if (add_scsv)
|
|
+ {
|
|
+ /* Safe renegotiation signalling CS value is { 0x00, 0xff } */
|
|
+ ret_data[pos++] = 0x00;
|
|
+ ret_data[pos++] = 0xff;
|
|
+ }
|
|
+
|
|
gnutls_free (cipher_suites);
|
|
|
|
return datalen;
|
|
@@ -1700,7 +1822,7 @@ _gnutls_send_client_hello (gnutls_sessio
|
|
{
|
|
opaque *data = NULL;
|
|
int extdatalen;
|
|
- int pos = 0;
|
|
+ int pos = 0, type;
|
|
int datalen = 0, ret = 0;
|
|
opaque rnd[GNUTLS_RANDOM_SIZE];
|
|
gnutls_protocol_t hver;
|
|
@@ -1807,9 +1929,21 @@ _gnutls_send_client_hello (gnutls_sessio
|
|
|
|
|
|
/* Copy the ciphersuites.
|
|
- */
|
|
- extdatalen =
|
|
- _gnutls_copy_ciphersuites (session, extdata, sizeof (extdata));
|
|
+ *
|
|
+ * If using SSLv3 Send TLS_RENEGO_PROTECTION_REQUEST SCSV for MITM
|
|
+ * prevention on initial negotiation (but not renegotiation; that's
|
|
+ * handled with the RI extension below).
|
|
+ */
|
|
+ if(!session->internals.initial_negotiation_completed &&
|
|
+ session->security_parameters.entity == GNUTLS_CLIENT &&
|
|
+ gnutls_protocol_get_version (session) == GNUTLS_SSL3)
|
|
+ {
|
|
+ extdatalen = _gnutls_copy_ciphersuites (session, extdata, sizeof (extdata), TRUE);
|
|
+ _gnutls_extension_list_add (session, GNUTLS_EXTENSION_SAFE_RENEGOTIATION);
|
|
+ }
|
|
+ else
|
|
+ extdatalen = _gnutls_copy_ciphersuites (session, extdata, sizeof (extdata), FALSE);
|
|
+
|
|
if (extdatalen > 0)
|
|
{
|
|
datalen += extdatalen;
|
|
@@ -1864,11 +1998,19 @@ _gnutls_send_client_hello (gnutls_sessio
|
|
/* Generate and copy TLS extensions.
|
|
*/
|
|
if (hver >= GNUTLS_TLS1)
|
|
+ type = GNUTLS_EXT_ANY;
|
|
+ else
|
|
{
|
|
- extdatalen =
|
|
- _gnutls_gen_extensions (session, extdata, sizeof (extdata));
|
|
+ if (session->internals.initial_negotiation_completed != 0)
|
|
+ type = GNUTLS_EXT_MANDATORY;
|
|
+ else
|
|
+ type = GNUTLS_EXT_NONE;
|
|
+ }
|
|
+
|
|
+ extdatalen =
|
|
+ _gnutls_gen_extensions (session, extdata, sizeof (extdata), type);
|
|
|
|
- if (extdatalen > 0)
|
|
+ if (extdatalen > 0)
|
|
{
|
|
datalen += extdatalen;
|
|
data = gnutls_realloc_fast (data, datalen);
|
|
@@ -1880,13 +2022,12 @@ _gnutls_send_client_hello (gnutls_sessio
|
|
|
|
memcpy (&data[pos], extdata, extdatalen);
|
|
}
|
|
- else if (extdatalen < 0)
|
|
+ else if (extdatalen < 0)
|
|
{
|
|
gnutls_assert ();
|
|
gnutls_free (data);
|
|
return extdatalen;
|
|
}
|
|
- }
|
|
}
|
|
|
|
ret =
|
|
@@ -1932,15 +2073,7 @@ _gnutls_send_server_hello (gnutls_sessio
|
|
* alert and abort.
|
|
*/
|
|
gnutls_assert ();
|
|
- ret = gnutls_alert_send (session, GNUTLS_AL_FATAL,
|
|
- GNUTLS_A_UNKNOWN_PSK_IDENTITY);
|
|
- if (ret < 0)
|
|
- {
|
|
- gnutls_assert ();
|
|
- return ret;
|
|
- }
|
|
-
|
|
- return GNUTLS_E_ILLEGAL_SRP_USERNAME;
|
|
+ return GNUTLS_E_UNKNOWN_SRP_USERNAME;
|
|
}
|
|
}
|
|
#endif
|
|
@@ -1949,7 +2082,7 @@ _gnutls_send_server_hello (gnutls_sessio
|
|
{
|
|
datalen = 2 + session_id_len + 1 + GNUTLS_RANDOM_SIZE + 3;
|
|
extdatalen =
|
|
- _gnutls_gen_extensions (session, extdata, sizeof (extdata));
|
|
+ _gnutls_gen_extensions (session, extdata, sizeof (extdata), GNUTLS_EXT_ANY);
|
|
|
|
if (extdatalen < 0)
|
|
{
|
|
@@ -2015,6 +2148,8 @@ _gnutls_send_hello (gnutls_session_t ses
|
|
{
|
|
int ret;
|
|
|
|
+ session->internals.safe_renegotiation_received = 0;
|
|
+
|
|
if (session->security_parameters.entity == GNUTLS_CLIENT)
|
|
{
|
|
ret = _gnutls_send_client_hello (session, again);
|
|
@@ -2036,6 +2171,7 @@ int
|
|
_gnutls_recv_hello (gnutls_session_t session, opaque * data, int datalen)
|
|
{
|
|
int ret;
|
|
+ tls_ext_st *ext;
|
|
|
|
if (session->security_parameters.entity == GNUTLS_CLIENT)
|
|
{
|
|
@@ -2047,7 +2183,7 @@ _gnutls_recv_hello (gnutls_session_t ses
|
|
}
|
|
}
|
|
else
|
|
- { /* Server side reading a client hello */
|
|
+ { /* Server side reading a client hello */
|
|
|
|
ret = _gnutls_read_client_hello (session, data, datalen);
|
|
if (ret < 0)
|
|
@@ -2057,6 +2193,89 @@ _gnutls_recv_hello (gnutls_session_t ses
|
|
}
|
|
}
|
|
|
|
+ if (session->internals.priorities.sr == SR_DISABLED)
|
|
+ {
|
|
+ gnutls_assert();
|
|
+ return ret;
|
|
+ }
|
|
+
|
|
+ /* Safe renegotiation */
|
|
+ ext = &session->security_parameters.extensions;
|
|
+
|
|
+ if (session->internals.safe_renegotiation_received)
|
|
+ {
|
|
+ if ((ext->ri_extension_data_len < ext->client_verify_data_len) ||
|
|
+ (memcmp (ext->ri_extension_data,
|
|
+ ext->client_verify_data,
|
|
+ ext->client_verify_data_len)))
|
|
+ {
|
|
+ gnutls_assert();
|
|
+ _gnutls_handshake_log ("Safe renegotiation failed [1]\n");
|
|
+ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;
|
|
+ }
|
|
+ if (session->security_parameters.entity == GNUTLS_CLIENT)
|
|
+ {
|
|
+ if ((ext->ri_extension_data_len !=
|
|
+ ext->client_verify_data_len + ext->server_verify_data_len) ||
|
|
+ memcmp (ext->ri_extension_data + ext->client_verify_data_len,
|
|
+ ext->server_verify_data, ext->server_verify_data_len) != 0)
|
|
+ {
|
|
+ gnutls_assert();
|
|
+ _gnutls_handshake_log ("Safe renegotiation failed [2]\n");
|
|
+ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;
|
|
+ }
|
|
+ }
|
|
+ else /* Make sure there are 0 extra bytes */
|
|
+ {
|
|
+ if (ext->ri_extension_data_len != ext->client_verify_data_len)
|
|
+ {
|
|
+ gnutls_assert();
|
|
+ _gnutls_handshake_log ("Safe renegotiation failed [3]\n");
|
|
+ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ _gnutls_handshake_log ("Safe renegotiation succeeded.\n");
|
|
+ }
|
|
+ else /* safe renegotiation not received... */
|
|
+ {
|
|
+ if (session->internals.connection_using_safe_renegotiation)
|
|
+ {
|
|
+ gnutls_assert();
|
|
+ _gnutls_handshake_log ("Peer previously asked for safe renegotiation!\n");
|
|
+ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;
|
|
+ }
|
|
+
|
|
+ /* Clients can't tell if it's an initial negotiation */
|
|
+ if (session->internals.initial_negotiation_completed)
|
|
+ {
|
|
+
|
|
+ if (session->internals.priorities.sr < SR_PARTIAL)
|
|
+ {
|
|
+ _gnutls_handshake_log ("Allowing unsafe (re)negotiation!\n");
|
|
+ }
|
|
+ else
|
|
+ {
|
|
+ gnutls_assert();
|
|
+ _gnutls_handshake_log ("Denying unsafe (re)negotiation.\n");
|
|
+ return GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED;
|
|
+ }
|
|
+ }
|
|
+ else
|
|
+ {
|
|
+ if (session->internals.priorities.sr < SR_SAFE)
|
|
+ {
|
|
+ _gnutls_handshake_log ("Allowing unsafe initial negotiation!\n");
|
|
+ }
|
|
+ else
|
|
+ {
|
|
+ gnutls_assert();
|
|
+ _gnutls_handshake_log ("Denying unsafe initial negotiation.\n");
|
|
+ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+
|
|
return ret;
|
|
}
|
|
|
|
@@ -2097,6 +2316,13 @@ _gnutls_recv_hello (gnutls_session_t ses
|
|
* gnutls_handshake() function in order to negotiate the new
|
|
* parameters.
|
|
*
|
|
+ * Since TLS is full duplex some application data might have been
|
|
+ * sent during peer's processing of this message. In that case
|
|
+ * one should call gnutls_record_recv() until GNUTLS_E_REHANDSHAKE
|
|
+ * is returned to clear any pending data. Care must be taken if
|
|
+ * rehandshake is mandatory to terminate if it does not start after
|
|
+ * some threshold.
|
|
+ *
|
|
* If the client does not wish to renegotiate parameters he will
|
|
* should with an alert message, thus the return code will be
|
|
* %GNUTLS_E_WARNING_ALERT_RECEIVED and the alert will be
|
|
diff -up gnutls-2.8.6/lib/gnutls_int.h.reneg gnutls-2.8.6/lib/gnutls_int.h
|
|
--- gnutls-2.8.6/lib/gnutls_int.h.reneg 2009-11-02 11:30:39.000000000 +0100
|
|
+++ gnutls-2.8.6/lib/gnutls_int.h 2010-06-02 10:23:27.000000000 +0200
|
|
@@ -171,7 +171,8 @@ typedef enum extensions_t
|
|
GNUTLS_EXTENSION_OPAQUE_PRF_INPUT = ENABLE_OPRFI,
|
|
#endif
|
|
GNUTLS_EXTENSION_SRP = 12,
|
|
- GNUTLS_EXTENSION_INNER_APPLICATION = 37703
|
|
+ GNUTLS_EXTENSION_INNER_APPLICATION = 37703,
|
|
+ GNUTLS_EXTENSION_SAFE_RENEGOTIATION = 65281, /* aka: 0xff01 */
|
|
} extensions_t;
|
|
|
|
typedef enum
|
|
@@ -282,6 +283,11 @@ typedef struct
|
|
|
|
#define MAX_SERVER_NAME_EXTENSIONS 3
|
|
|
|
+#define MAX_VERIFY_DATA_SIZE 36 /* in SSL 3.0, 12 in TLS 1.0 */
|
|
+
|
|
+/* If you want the extension data to be kept across resuming sessions
|
|
+ * then modify CPY_EXTENSIONS in gnutls_constate.c
|
|
+ */
|
|
typedef struct
|
|
{
|
|
server_name_st server_names[MAX_SERVER_NAME_EXTENSIONS];
|
|
@@ -297,6 +303,9 @@ typedef struct
|
|
/* Used by extensions that enable supplemental data. */
|
|
int do_recv_supplemental, do_send_supplemental;
|
|
|
|
+ /*** Those below do not get copied when resuming session
|
|
+ ***/
|
|
+
|
|
/* Opaque PRF input. */
|
|
gnutls_oprfi_callback_func oprfi_cb;
|
|
void *oprfi_userdata;
|
|
@@ -304,6 +313,15 @@ typedef struct
|
|
uint16_t oprfi_client_len;
|
|
opaque *oprfi_server;
|
|
uint16_t oprfi_server_len;
|
|
+
|
|
+ /* Safe renegotiation. */
|
|
+ uint8_t client_verify_data[MAX_VERIFY_DATA_SIZE];
|
|
+ size_t client_verify_data_len;
|
|
+ uint8_t server_verify_data[MAX_VERIFY_DATA_SIZE];
|
|
+ size_t server_verify_data_len;
|
|
+ uint8_t ri_extension_data[MAX_VERIFY_DATA_SIZE*2]; /* max signal is 72 bytes in s->c sslv3 */
|
|
+ size_t ri_extension_data_len;
|
|
+
|
|
} tls_ext_st;
|
|
|
|
/* auth_info_t structures now MAY contain malloced
|
|
@@ -317,7 +335,7 @@ typedef struct
|
|
*/
|
|
|
|
/* if you add anything in Security_Parameters struct, then
|
|
- * also modify CPY_COMMON in gnutls_constate.c
|
|
+ * also modify CPY_COMMON in gnutls_constate.c.
|
|
*/
|
|
|
|
/* Note that the security parameters structure is set up after the
|
|
@@ -361,6 +379,7 @@ typedef struct
|
|
/* holds the negotiated certificate type */
|
|
gnutls_certificate_type_t cert_type;
|
|
gnutls_protocol_t version; /* moved here */
|
|
+
|
|
/* For TLS/IA. XXX: Move to IA credential? */
|
|
opaque inner_secret[GNUTLS_MASTER_SIZE];
|
|
} security_parameters_st;
|
|
@@ -400,6 +419,13 @@ typedef struct
|
|
unsigned int algorithms;
|
|
} priority_st;
|
|
|
|
+typedef enum {
|
|
+ SR_DISABLED,
|
|
+ SR_UNSAFE,
|
|
+ SR_PARTIAL,
|
|
+ SR_SAFE,
|
|
+} safe_renegotiation_t;
|
|
+
|
|
/* For the external api */
|
|
struct gnutls_priority_st
|
|
{
|
|
@@ -411,7 +437,8 @@ struct gnutls_priority_st
|
|
priority_st cert_type;
|
|
|
|
/* to disable record padding */
|
|
- int no_padding;
|
|
+ int no_padding:1;
|
|
+ safe_renegotiation_t sr;
|
|
int ssl3_record_version;
|
|
int additional_verify_flags;
|
|
};
|
|
@@ -673,6 +700,10 @@ typedef struct
|
|
*/
|
|
uint16_t srp_prime_bits;
|
|
|
|
+ int safe_renegotiation_received:1;
|
|
+ int initial_negotiation_completed:1;
|
|
+ int connection_using_safe_renegotiation:1;
|
|
+
|
|
/* If you add anything here, check _gnutls_handshake_internal_state_clear().
|
|
*/
|
|
} internals_st;
|
|
diff -up gnutls-2.8.6/lib/gnutls_priority.c.reneg gnutls-2.8.6/lib/gnutls_priority.c
|
|
--- gnutls-2.8.6/lib/gnutls_priority.c.reneg 2009-06-02 20:59:32.000000000 +0200
|
|
+++ gnutls-2.8.6/lib/gnutls_priority.c 2010-06-02 10:23:27.000000000 +0200
|
|
@@ -491,6 +491,21 @@ gnutls_priority_set (gnutls_session_t se
|
|
*
|
|
* "%COMPAT" will enable compatibility features for a server.
|
|
*
|
|
+ * "%DISABLE_SAFE_RENEGOTIATION" will disable safe renegotiation completely. Do not use
|
|
+ * unless you know what you are doing. Testing purposes only.
|
|
+ *
|
|
+ * "%UNSAFE_RENEGOTIATION" will allow unsafe renegotiation (this is now
|
|
+ * the default for clients, but will change once more servers support the safe renegotiation
|
|
+ * TLS fix).
|
|
+ *
|
|
+ * "%PARTIAL_SAFE_RENEGOTIATION" In server side it will enable safe renegotiation
|
|
+ * and will protect all clients from known attacks, but will not prevent insecure clients
|
|
+ * from connecting. In client side it will disallow from renegotiating with an insecure server
|
|
+ * but will not prevent connecting to one (this leaves the client vulnerable to attacks).
|
|
+ *
|
|
+ * "%SAFE_RENEGOTIATION" will enforce safe renegotiation. Clients and Servers will refuse
|
|
+ * to talk to an insecure peer.
|
|
+ *
|
|
* "%SSL3_RECORD_VERSION" will use SSL3.0 record version in client hello.
|
|
*
|
|
* "%VERIFY_ALLOW_SIGN_RSA_MD5" will allow RSA-MD5 signatures in
|
|
@@ -523,7 +538,7 @@ gnutls_priority_init (gnutls_priority_t
|
|
{
|
|
char *broken_list[MAX_ELEMENTS];
|
|
int broken_list_size, i, j;
|
|
- char *darg;
|
|
+ char *darg = NULL;
|
|
int algo;
|
|
rmadd_func *fn;
|
|
|
|
@@ -533,6 +548,11 @@ gnutls_priority_init (gnutls_priority_t
|
|
gnutls_assert ();
|
|
return GNUTLS_E_MEMORY_ERROR;
|
|
}
|
|
+
|
|
+ /* for now unsafe renegotiation is default on everyone. To be removed
|
|
+ * when we make it the default.
|
|
+ */
|
|
+ (*priority_cache)->sr = SR_PARTIAL;
|
|
|
|
if (priorities == NULL)
|
|
priorities = "NORMAL";
|
|
@@ -541,9 +561,10 @@ gnutls_priority_init (gnutls_priority_t
|
|
if (darg == NULL)
|
|
{
|
|
gnutls_assert ();
|
|
- return GNUTLS_E_MEMORY_ERROR;
|
|
+ goto error;
|
|
}
|
|
|
|
+
|
|
break_comma_list (darg, broken_list, &broken_list_size, MAX_ELEMENTS, ':');
|
|
/* This is our default set of protocol version, certificate types and
|
|
* compression methods.
|
|
@@ -652,6 +673,25 @@ gnutls_priority_init (gnutls_priority_t
|
|
"VERIFY_ALLOW_X509_V1_CA_CRT") == 0)
|
|
(*priority_cache)->additional_verify_flags |=
|
|
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;
|
|
+ else if (strcasecmp (&broken_list[i][1],
|
|
+ "UNSAFE_RENEGOTIATION") == 0)
|
|
+ {
|
|
+ (*priority_cache)->sr = SR_UNSAFE;
|
|
+ }
|
|
+ else if (strcasecmp (&broken_list[i][1], "SAFE_RENEGOTIATION") == 0)
|
|
+ {
|
|
+ (*priority_cache)->sr = SR_SAFE;
|
|
+ }
|
|
+ else if (strcasecmp (&broken_list[i][1],
|
|
+ "PARTIAL_RENEGOTIATION") == 0)
|
|
+ {
|
|
+ (*priority_cache)->sr = SR_PARTIAL;
|
|
+ }
|
|
+ else if (strcasecmp (&broken_list[i][1],
|
|
+ "DISABLE_SAFE_RENEGOTIATION") == 0)
|
|
+ {
|
|
+ (*priority_cache)->sr = SR_DISABLED;
|
|
+ }
|
|
else
|
|
goto error;
|
|
}
|
|
@@ -672,6 +712,7 @@ error:
|
|
}
|
|
}
|
|
gnutls_free (darg);
|
|
+ gnutls_free(*priority_cache);
|
|
|
|
return GNUTLS_E_INVALID_REQUEST;
|
|
|
|
diff -up gnutls-2.8.6/lib/gnutls_record.c.reneg gnutls-2.8.6/lib/gnutls_record.c
|
|
--- gnutls-2.8.6/lib/gnutls_record.c.reneg 2009-06-02 20:59:32.000000000 +0200
|
|
+++ gnutls-2.8.6/lib/gnutls_record.c 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -744,6 +744,14 @@ record_check_type (gnutls_session_t sess
|
|
if (session->security_parameters.entity == GNUTLS_SERVER)
|
|
{
|
|
gnutls_assert ();
|
|
+ ret =
|
|
+ _gnutls_record_buffer_put (recv_type, session, (void *) data,
|
|
+ data_size);
|
|
+ if (ret < 0)
|
|
+ {
|
|
+ gnutls_assert ();
|
|
+ return ret;
|
|
+ }
|
|
return GNUTLS_E_REHANDSHAKE;
|
|
}
|
|
|
|
@@ -896,9 +904,13 @@ begin:
|
|
_gnutls_io_read_buffered (session, &headers, header_size,
|
|
-1)) != header_size)
|
|
{
|
|
+ _gnutls_handshake_log ("XXX[]: ret: %d %s\n", ret, gnutls_strerror(ret));
|
|
+
|
|
if (ret < 0 && gnutls_error_is_fatal (ret) == 0)
|
|
return ret;
|
|
|
|
+ _gnutls_handshake_log ("XXX2[]: ret: %d %s\n", ret, gnutls_strerror(ret));
|
|
+
|
|
session_invalidate (session);
|
|
if (type == GNUTLS_ALERT)
|
|
{
|
|
diff -up gnutls-2.8.6/lib/gnutls_state.c.reneg gnutls-2.8.6/lib/gnutls_state.c
|
|
--- gnutls-2.8.6/lib/gnutls_state.c.reneg 2009-11-02 11:30:39.000000000 +0100
|
|
+++ gnutls-2.8.6/lib/gnutls_state.c 2010-06-02 10:23:27.000000000 +0200
|
|
@@ -223,6 +223,7 @@ _gnutls_handshake_internal_state_clear (
|
|
session->internals.adv_version_minor = 0;
|
|
session->internals.adv_version_minor = 0;
|
|
session->internals.direction = 0;
|
|
+ session->internals.safe_renegotiation_received = 0;
|
|
|
|
/* use out of band data for the last
|
|
* handshake messages received.
|
|
@@ -338,6 +339,11 @@ gnutls_init (gnutls_session_t * session,
|
|
|
|
_gnutls_handshake_internal_state_clear (*session);
|
|
|
|
+ /* emulate old gnutls behavior for old applications that do not use the priority_*
|
|
+ * functions.
|
|
+ */
|
|
+ (*session)->internals.priorities.sr = SR_PARTIAL;
|
|
+
|
|
return 0;
|
|
}
|
|
|
|
diff -up gnutls-2.8.6/lib/includes/gnutls/gnutls.h.in.reneg gnutls-2.8.6/lib/includes/gnutls/gnutls.h.in
|
|
--- gnutls-2.8.6/lib/includes/gnutls/gnutls.h.in.reneg 2009-06-02 20:59:32.000000000 +0200
|
|
+++ gnutls-2.8.6/lib/includes/gnutls/gnutls.h.in 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -503,7 +503,9 @@ extern "C" {
|
|
{
|
|
GNUTLS_EXT_ANY,
|
|
GNUTLS_EXT_APPLICATION,
|
|
- GNUTLS_EXT_TLS
|
|
+ GNUTLS_EXT_TLS,
|
|
+ GNUTLS_EXT_MANDATORY, /* parse even if resuming or extensions disabled */
|
|
+ GNUTLS_EXT_NONE,
|
|
} gnutls_ext_parse_type_t;
|
|
|
|
int gnutls_ext_register (int type,
|
|
@@ -525,6 +527,9 @@ extern "C" {
|
|
void *data, size_t * data_length,
|
|
unsigned int *type, unsigned int indx);
|
|
|
|
+ /* Safe renegotiation */
|
|
+ int gnutls_safe_renegotiation_status (gnutls_session_t session);
|
|
+
|
|
/* Opaque PRF Input
|
|
* http://tools.ietf.org/id/draft-rescorla-tls-opaque-prf-input-00.txt
|
|
*/
|
|
@@ -1368,6 +1373,9 @@ extern "C" {
|
|
#define GNUTLS_E_IA_VERIFY_FAILED -104
|
|
|
|
#define GNUTLS_E_UNKNOWN_ALGORITHM -105
|
|
+#define GNUTLS_E_SAFE_RENEGOTIATION_FAILED -107
|
|
+#define GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED -108
|
|
+#define GNUTLS_E_UNKNOWN_SRP_USERNAME -109
|
|
|
|
#define GNUTLS_E_BASE64_ENCODING_ERROR -201
|
|
#define GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY -202 /* obsolete */
|
|
diff -up gnutls-2.8.6/lib/libgnutls.map.reneg gnutls-2.8.6/lib/libgnutls.map
|
|
--- gnutls-2.8.6/lib/libgnutls.map.reneg 2009-06-02 20:59:32.000000000 +0200
|
|
+++ gnutls-2.8.6/lib/libgnutls.map 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -567,6 +567,12 @@ GNUTLS_2_8
|
|
gnutls_x509_crt_verify_hash;
|
|
} GNUTLS_1_4;
|
|
|
|
+GNUTLS_2_10
|
|
+{
|
|
+ global:
|
|
+ gnutls_safe_renegotiation_status;
|
|
+} GNUTLS_2_8;
|
|
+
|
|
GNUTLS_PRIVATE {
|
|
global:
|
|
# Internal symbols needed by libgnutls-extra:
|
|
diff -up gnutls-2.8.6/lib/Makefile.in.reneg gnutls-2.8.6/lib/Makefile.in
|
|
--- gnutls-2.8.6/lib/Makefile.in.reneg 2010-03-15 11:28:41.000000000 +0100
|
|
+++ gnutls-2.8.6/lib/Makefile.in 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -214,7 +214,7 @@ am__objects_4 = gnutls_record.lo gnutls_
|
|
ext_server_name.lo auth_dh_common.lo gnutls_helper.lo \
|
|
gnutls_supplemental.lo crypto.lo random.lo pk-libgcrypt.lo \
|
|
mpi-libgcrypt.lo rnd-libgcrypt.lo cipher-libgcrypt.lo \
|
|
- mac-libgcrypt.lo $(am__objects_3)
|
|
+ mac-libgcrypt.lo ext_safe_renegotiation.lo $(am__objects_3)
|
|
am__objects_5 = ext_srp.lo gnutls_srp.lo auth_srp.lo \
|
|
auth_srp_passwd.lo auth_srp_sb64.lo auth_srp_rsa.lo
|
|
am__objects_6 = auth_psk.lo auth_psk_passwd.lo gnutls_psk.lo \
|
|
@@ -854,6 +854,7 @@ COBJECTS = gnutls_record.c gnutls_compre
|
|
auth_dh_common.c gnutls_helper.c gnutls_supplemental.c \
|
|
crypto.c random.c pk-libgcrypt.c mpi-libgcrypt.c \
|
|
rnd-libgcrypt.c cipher-libgcrypt.c mac-libgcrypt.c \
|
|
+ ext_safe_renegotiation.c \
|
|
$(am__append_5)
|
|
HFILES = debug.h gnutls_compress.h gnutls_cipher.h gnutls_buffers.h \
|
|
gnutls_errors.h gnutls_int.h gnutls_handshake.h gnutls_num.h \
|
|
@@ -868,7 +869,8 @@ HFILES = debug.h gnutls_compress.h gnutl
|
|
gnutls_rsa_export.h ext_server_name.h auth_dh_common.h \
|
|
ext_srp.h gnutls_srp.h auth_srp.h auth_srp_passwd.h \
|
|
gnutls_helper.h auth_psk.h auth_psk_passwd.h \
|
|
- gnutls_supplemental.h ext_oprfi.h crypto.h random.h
|
|
+ gnutls_supplemental.h ext_oprfi.h crypto.h random.h \
|
|
+ ext_safe_renegotiation.h
|
|
|
|
|
|
# Separate so we can create the documentation
|
|
@@ -1058,6 +1060,7 @@ distclean-compile:
|
|
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gnutls_x509.Plo@am__quote@
|
|
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libgnutlsxx_la-gnutlsxx.Plo@am__quote@
|
|
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mac-libgcrypt.Plo@am__quote@
|
|
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ext_safe_renegotiation.Plo@am__quote@
|
|
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mpi-libgcrypt.Plo@am__quote@
|
|
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pk-libgcrypt.Plo@am__quote@
|
|
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkix_asn1_tab.Plo@am__quote@
|
|
diff -up gnutls-2.8.6/NEWS.reneg gnutls-2.8.6/NEWS
|
|
--- gnutls-2.8.6/NEWS.reneg 2010-03-15 13:49:42.000000000 +0100
|
|
+++ gnutls-2.8.6/NEWS 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -3,6 +3,23 @@ Copyright (C) 2000, 2001, 2002, 2003, 20
|
|
2006, 2007, 2008, 2009, 2010 Free Software Foundation
|
|
See the end for copying conditions.
|
|
|
|
+** libgnutls: Added Steve Dispensa's patch for safe renegotiation (RFC 5746)
|
|
+Solves the issue discussed in:
|
|
+<http://www.ietf.org/mail-archive/web/tls/current/msg03928.html> and
|
|
+<http://www.ietf.org/mail-archive/web/tls/current/msg03948.html>.
|
|
+Note that to allow connecting to unpatched servers the full protection
|
|
+is only enabled if the priority string %SAFE_RENEGOTIATION is
|
|
+specified. You can check whether protection is in place by querying
|
|
+gnutls_safe_renegotiation_status(). New error codes
|
|
+GNUTLS_E_SAFE_RENEGOTIATION_FAILED and
|
|
+GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED added.
|
|
+
|
|
+gnutls_safe_renegotiation_status: Added
|
|
+
|
|
+%UNSAFE_RENEGOTIATION: Added to priority strings
|
|
+%INITIAL_SAFE_RENEGOTIATION: Added to priority strings
|
|
+%DISABLE_SAFE_RENEGOTIATION: Added to priority strings (do not use)
|
|
+
|
|
* Version 2.8.6 (released 2010-03-15)
|
|
|
|
** libgnutls: For CSRs, don't null pad integers for RSA/DSA value.
|
|
diff -up gnutls-2.8.6/src/cli.c.reneg gnutls-2.8.6/src/cli.c
|
|
--- gnutls-2.8.6/src/cli.c.reneg 2009-06-02 20:59:32.000000000 +0200
|
|
+++ gnutls-2.8.6/src/cli.c 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -53,7 +53,7 @@
|
|
#define MAX_BUF 4096
|
|
|
|
/* global stuff here */
|
|
-int resume, starttls, insecure;
|
|
+int resume, starttls, insecure, rehandshake;
|
|
const char *hostname = NULL;
|
|
char *service;
|
|
int record_max_size;
|
|
@@ -674,6 +674,23 @@ after_handshake:
|
|
programs to search for when gnutls-cli has reached this point. */
|
|
printf ("\n- Simple Client Mode:\n\n");
|
|
|
|
+ if (rehandshake)
|
|
+ {
|
|
+ ret = do_handshake (&hd);
|
|
+
|
|
+ if (ret < 0)
|
|
+ {
|
|
+ fprintf (stderr, "*** ReHandshake has failed\n");
|
|
+ gnutls_perror (ret);
|
|
+ gnutls_deinit (hd.session);
|
|
+ return 1;
|
|
+ }
|
|
+ else
|
|
+ {
|
|
+ printf ("- ReHandshake was completed\n");
|
|
+ }
|
|
+ }
|
|
+
|
|
#ifndef _WIN32
|
|
signal (SIGALRM, &starttls_alarm);
|
|
#endif
|
|
@@ -838,6 +855,7 @@ gaa_parser (int argc, char **argv)
|
|
print_cert = info.print_cert;
|
|
starttls = info.starttls;
|
|
resume = info.resume;
|
|
+ rehandshake = info.rehandshake;
|
|
insecure = info.insecure;
|
|
service = info.port;
|
|
record_max_size = info.record_size;
|
|
@@ -962,6 +980,11 @@ do_handshake (socket_st * socket)
|
|
socket->secure = 1;
|
|
|
|
}
|
|
+ else
|
|
+ {
|
|
+ gnutls_alert_send_appropriate(socket->session, ret);
|
|
+ shutdown (socket->fd, SHUT_RDWR);
|
|
+ }
|
|
return ret;
|
|
}
|
|
|
|
diff -up gnutls-2.8.6/src/cli-gaa.c.reneg gnutls-2.8.6/src/cli-gaa.c
|
|
--- gnutls-2.8.6/src/cli-gaa.c.reneg 2009-06-02 20:59:32.000000000 +0200
|
|
+++ gnutls-2.8.6/src/cli-gaa.c 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -129,6 +129,7 @@ void gaa_help(void)
|
|
printf("GNU TLS test client\nUsage: gnutls-cli [options] hostname\n\n\n");
|
|
__gaa_helpsingle('d', "debug", "integer ", "Enable debugging");
|
|
__gaa_helpsingle('r', "resume", "", "Connect, establish a session. Connect again and resume this session.");
|
|
+ __gaa_helpsingle('e', "rehandshake", "", "Connect, establish a session and rehandshake immediately.");
|
|
__gaa_helpsingle('s', "starttls", "", "Connect, establish a plain session and start TLS when EOF or a SIGALRM is received.");
|
|
__gaa_helpsingle(0, "crlf", "", "Send CR LF instead of LF.");
|
|
__gaa_helpsingle(0, "x509fmtder", "", "Use DER format for certificates to read from.");
|
|
@@ -250,6 +251,8 @@ struct _gaainfo
|
|
int crlf;
|
|
#line 20 "cli.gaa"
|
|
int starttls;
|
|
+#line 20 "cli.gaa"
|
|
+ int rehandshake;
|
|
#line 17 "cli.gaa"
|
|
int resume;
|
|
#line 14 "cli.gaa"
|
|
@@ -342,8 +345,9 @@ static int gaa_error = 0;
|
|
#define GAAOPTID_x509fmtder 31
|
|
#define GAAOPTID_crlf 32
|
|
#define GAAOPTID_starttls 33
|
|
-#define GAAOPTID_resume 34
|
|
-#define GAAOPTID_debug 35
|
|
+#define GAAOPTID_rehandshake 34
|
|
+#define GAAOPTID_resume 35
|
|
+#define GAAOPTID_debug 36
|
|
|
|
#line 168 "gaa.skel"
|
|
|
|
@@ -721,6 +725,7 @@ static int gaa_get_option_num(char *str,
|
|
GAA_CHECK1STR("", GAAOPTID_x509fmtder);
|
|
GAA_CHECK1STR("", GAAOPTID_crlf);
|
|
GAA_CHECK1STR("s", GAAOPTID_starttls);
|
|
+ GAA_CHECK1STR("e", GAAOPTID_rehandshake);
|
|
GAA_CHECK1STR("r", GAAOPTID_resume);
|
|
|
|
#line 277 "gaa.skel"
|
|
@@ -759,6 +764,7 @@ static int gaa_get_option_num(char *str,
|
|
GAA_CHECKSTR("x509fmtder", GAAOPTID_x509fmtder);
|
|
GAA_CHECKSTR("crlf", GAAOPTID_crlf);
|
|
GAA_CHECKSTR("starttls", GAAOPTID_starttls);
|
|
+ GAA_CHECKSTR("rehandshake", GAAOPTID_rehandshake);
|
|
GAA_CHECKSTR("resume", GAAOPTID_resume);
|
|
GAA_CHECKSTR("debug", GAAOPTID_debug);
|
|
|
|
@@ -1101,6 +1107,13 @@ static int gaa_try(int gaa_num, int gaa_
|
|
|
|
return GAA_OK;
|
|
break;
|
|
+ case GAAOPTID_rehandshake:
|
|
+ OK = 0;
|
|
+#line 21 "cli.gaa"
|
|
+{ gaaval->rehandshake = 1 ;};
|
|
+
|
|
+ return GAA_OK;
|
|
+ break;
|
|
case GAAOPTID_resume:
|
|
OK = 0;
|
|
#line 18 "cli.gaa"
|
|
@@ -1164,7 +1177,7 @@ int gaa(int argc, char **argv, gaainfo *
|
|
gaaval->srp_username=NULL; gaaval->srp_passwd=NULL; gaaval->fmtder = 0; gaaval->starttls =0;
|
|
gaaval->debug = 0; gaaval->print_cert = 0; gaaval->verbose = 0; gaaval->psk_key = NULL;
|
|
gaaval->psk_username = NULL; gaaval->priorities = NULL;
|
|
- gaaval->opaque_prf_input = NULL; gaaval->pgp_subkey = NULL; ;};
|
|
+ gaaval->opaque_prf_input = NULL; gaaval->pgp_subkey = NULL; gaaval->rehandshake = 0; ;};
|
|
|
|
}
|
|
inited = 1;
|
|
diff -up gnutls-2.8.6/src/cli-gaa.h.reneg gnutls-2.8.6/src/cli-gaa.h
|
|
--- gnutls-2.8.6/src/cli-gaa.h.reneg 2009-06-02 20:59:32.000000000 +0200
|
|
+++ gnutls-2.8.6/src/cli-gaa.h 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -82,6 +82,7 @@ struct _gaainfo
|
|
int crlf;
|
|
#line 20 "cli.gaa"
|
|
int starttls;
|
|
+ int rehandshake;
|
|
#line 17 "cli.gaa"
|
|
int resume;
|
|
#line 14 "cli.gaa"
|
|
diff -up gnutls-2.8.6/src/cli.gaa.reneg gnutls-2.8.6/src/cli.gaa
|
|
--- gnutls-2.8.6/src/cli.gaa.reneg 2009-06-02 20:59:32.000000000 +0200
|
|
+++ gnutls-2.8.6/src/cli.gaa 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -17,6 +17,9 @@ option (d, debug) INT "integer" { $debug
|
|
#int resume;
|
|
option (r, resume) { $resume = 1 } "Connect, establish a session. Connect again and resume this session."
|
|
|
|
+#int rehandshake;
|
|
+option (e, rehandshake) { $rehandshake = 1 } "Connect, establish a session and rehandshake immediately."
|
|
+
|
|
#int starttls;
|
|
option (s, starttls) { $starttls = 1 } "Connect, establish a plain session and start TLS when EOF or a SIGALRM is received."
|
|
|
|
@@ -130,4 +133,4 @@ init { $resume=0; $port="443"; $rest_arg
|
|
$srp_username=NULL; $srp_passwd=NULL; $fmtder = 0; $starttls =0;
|
|
$debug = 0; $print_cert = 0; $verbose = 0; $psk_key = NULL;
|
|
$psk_username = NULL; $priorities = NULL;
|
|
- $opaque_prf_input = NULL; $pgp_subkey = NULL; }
|
|
+ $opaque_prf_input = NULL; $pgp_subkey = NULL; $rehandshake = 0; }
|
|
diff -up gnutls-2.8.6/src/serv.c.reneg gnutls-2.8.6/src/serv.c
|
|
--- gnutls-2.8.6/src/serv.c.reneg 2009-11-06 09:39:42.000000000 +0100
|
|
+++ gnutls-2.8.6/src/serv.c 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -764,6 +764,18 @@ get_response (gnutls_session_t session,
|
|
}
|
|
else
|
|
{
|
|
+ fprintf(stderr, "received: %s\n", request);
|
|
+ if (request[0] == request[1] && request[0] == '*')
|
|
+ {
|
|
+ if (strncmp(request, "**REHANDSHAKE**", sizeof("**REHANDSHAKE**")-1)==0)
|
|
+ {
|
|
+ fprintf(stderr, "*** Sending rehandshake request\n");
|
|
+ gnutls_rehandshake(session);
|
|
+ }
|
|
+ *response = NULL;
|
|
+ *response_length = 0;
|
|
+ return;
|
|
+ }
|
|
*response = strdup (request);
|
|
*response_length = ((*response) ? strlen (*response) : 0);
|
|
}
|
|
@@ -1177,7 +1189,7 @@ main (int argc, char **argv)
|
|
ret =
|
|
gnutls_alert_send_appropriate (j->tls_session, r);
|
|
}
|
|
- while (ret == GNUTLS_E_AGAIN);
|
|
+ while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
|
|
j->http_state = HTTP_STATE_CLOSING;
|
|
}
|
|
else if (r == 0)
|
|
@@ -1210,14 +1222,37 @@ main (int argc, char **argv)
|
|
}
|
|
else if (r <= 0)
|
|
{
|
|
- j->http_state = HTTP_STATE_CLOSING;
|
|
- if (r < 0 && r != GNUTLS_E_UNEXPECTED_PACKET_LENGTH)
|
|
+ if (r == GNUTLS_E_REHANDSHAKE)
|
|
{
|
|
- check_alert (j->tls_session, r);
|
|
- fprintf (stderr, "Error while receiving data\n");
|
|
- GERR (r);
|
|
- }
|
|
-
|
|
+ fprintf(stderr, "*** Received hello message\n");
|
|
+ do
|
|
+ {
|
|
+ r = gnutls_handshake (j->tls_session);
|
|
+ }
|
|
+ while (r == GNUTLS_E_INTERRUPTED || r == GNUTLS_E_AGAIN);
|
|
+ if (r < 0)
|
|
+ {
|
|
+
|
|
+ do
|
|
+ {
|
|
+ ret = gnutls_alert_send_appropriate (j->tls_session, r);
|
|
+ }
|
|
+ while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
|
|
+
|
|
+ GERR (r);
|
|
+ j->http_state = HTTP_STATE_CLOSING;
|
|
+ }
|
|
+ }
|
|
+ else
|
|
+ {
|
|
+ j->http_state = HTTP_STATE_CLOSING;
|
|
+ if (r < 0 && r != GNUTLS_E_UNEXPECTED_PACKET_LENGTH)
|
|
+ {
|
|
+ check_alert (j->tls_session, r);
|
|
+ fprintf (stderr, "Error while receiving data\n");
|
|
+ GERR (r);
|
|
+ }
|
|
+ }
|
|
}
|
|
else
|
|
{
|
|
@@ -1299,7 +1334,7 @@ main (int argc, char **argv)
|
|
}
|
|
}
|
|
|
|
- if (j->handshake_ok == 1)
|
|
+ if (j->handshake_ok == 1 && j->http_response != NULL)
|
|
{
|
|
/* FIXME if j->http_response == NULL? */
|
|
r = gnutls_record_send (j->tls_session,
|
|
@@ -1351,6 +1386,12 @@ main (int argc, char **argv)
|
|
}
|
|
}
|
|
}
|
|
+ else
|
|
+ {
|
|
+ j->request_length = 0;
|
|
+ j->http_request[0] = 0;
|
|
+ j->http_state = HTTP_STATE_REQUEST;
|
|
+ }
|
|
}
|
|
}
|
|
lloopend (listener_list, j);
|
|
diff -up gnutls-2.8.6/src/tests.c.reneg gnutls-2.8.6/src/tests.c
|
|
--- gnutls-2.8.6/src/tests.c.reneg 2009-06-02 20:59:32.000000000 +0200
|
|
+++ gnutls-2.8.6/src/tests.c 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -45,6 +45,7 @@ extern int verbose;
|
|
int tls1_ok = 0;
|
|
int ssl3_ok = 0;
|
|
int tls1_1_ok = 0;
|
|
+int tls1_2_ok = 0;
|
|
|
|
/* keep session info */
|
|
static char *session_data = NULL;
|
|
@@ -103,158 +104,28 @@ do_handshake (gnutls_session_t session)
|
|
return TEST_SUCCEED;
|
|
}
|
|
|
|
-static int protocol_priority[16] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
|
|
+char protocol_str[] = "+VERS-TLS1.0:+VERS-SSL3.0";
|
|
+char prio_str[256] = "";
|
|
|
|
-static const int kx_priority[16] =
|
|
- { GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA,
|
|
- GNUTLS_KX_ANON_DH,
|
|
- GNUTLS_KX_RSA_EXPORT, 0
|
|
-};
|
|
-
|
|
-static const int cipher_priority[16] =
|
|
- { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128,
|
|
- GNUTLS_CIPHER_ARCFOUR_40, 0
|
|
-};
|
|
-static const int comp_priority[16] = { GNUTLS_COMP_NULL, 0 };
|
|
-static const int mac_priority[16] = { GNUTLS_MAC_SHA1, GNUTLS_MAC_MD5, 0 };
|
|
-static const int cert_type_priority[16] = { GNUTLS_CRT_X509, 0 };
|
|
-
|
|
-#define ADD_ALL_CIPHERS(session) gnutls_cipher_set_priority(session, cipher_priority)
|
|
-#define ADD_ALL_COMP(session) gnutls_compression_set_priority(session, comp_priority)
|
|
-#define ADD_ALL_MACS(session) gnutls_mac_set_priority(session, mac_priority)
|
|
-#define ADD_ALL_KX(session) gnutls_kx_set_priority(session, kx_priority)
|
|
-#define ADD_ALL_PROTOCOLS(session) gnutls_protocol_set_priority(session, protocol_priority)
|
|
-#define ADD_ALL_CERTTYPES(session) gnutls_certificate_type_set_priority(session, cert_type_priority)
|
|
-
|
|
-static void
|
|
-ADD_KX (gnutls_session_t session, int kx)
|
|
-{
|
|
- static int _kx_priority[] = { 0, 0 };
|
|
- _kx_priority[0] = kx;
|
|
-
|
|
- gnutls_kx_set_priority (session, _kx_priority);
|
|
-}
|
|
-
|
|
-static void
|
|
-ADD_KX2 (gnutls_session_t session, int kx1, int kx2)
|
|
-{
|
|
- static int _kx_priority[] = { 0, 0, 0 };
|
|
- _kx_priority[0] = kx1;
|
|
- _kx_priority[1] = kx2;
|
|
-
|
|
- gnutls_kx_set_priority (session, _kx_priority);
|
|
-}
|
|
-
|
|
-static void
|
|
-ADD_CIPHER (gnutls_session_t session, int cipher)
|
|
-{
|
|
- static int _cipher_priority[] = { 0, 0 };
|
|
- _cipher_priority[0] = cipher;
|
|
-
|
|
- gnutls_cipher_set_priority (session, _cipher_priority);
|
|
-}
|
|
-
|
|
-static void
|
|
-ADD_CIPHER4 (gnutls_session_t session, int cipher1, int cipher2, int cipher3,
|
|
- int cipher4)
|
|
-{
|
|
- static int _cipher_priority[] = { 0, 0, 0, 0, 0 };
|
|
- _cipher_priority[0] = cipher1;
|
|
- _cipher_priority[1] = cipher2;
|
|
- _cipher_priority[2] = cipher3;
|
|
- _cipher_priority[3] = cipher4;
|
|
-
|
|
- gnutls_cipher_set_priority (session, _cipher_priority);
|
|
-}
|
|
-
|
|
-static void
|
|
-ADD_MAC (gnutls_session_t session, int mac)
|
|
-{
|
|
- static int _mac_priority[] = { 0, 0 };
|
|
- _mac_priority[0] = mac;
|
|
-
|
|
- gnutls_mac_set_priority (session, _mac_priority);
|
|
-}
|
|
-
|
|
-static void
|
|
-ADD_COMP (gnutls_session_t session, int c)
|
|
-{
|
|
- static int _comp_priority[] = { 0, 0 };
|
|
- _comp_priority[0] = c;
|
|
-
|
|
- gnutls_compression_set_priority (session, _comp_priority);
|
|
-}
|
|
-
|
|
-static void
|
|
-ADD_CERTTYPE (gnutls_session_t session, int ctype)
|
|
-{
|
|
- static int _ct_priority[] = { 0, 0 };
|
|
- _ct_priority[0] = ctype;
|
|
-
|
|
- gnutls_certificate_type_set_priority (session, _ct_priority);
|
|
-}
|
|
-
|
|
-static void
|
|
-ADD_PROTOCOL (gnutls_session_t session, int protocol)
|
|
-{
|
|
- static int _proto_priority[] = { 0, 0 };
|
|
- _proto_priority[0] = protocol;
|
|
-
|
|
- gnutls_protocol_set_priority (session, _proto_priority);
|
|
-}
|
|
-
|
|
-static void
|
|
-ADD_PROTOCOL3 (gnutls_session_t session, int p1, int p2, int p3)
|
|
-{
|
|
- static int _proto_priority[] = { 0, 0, 0, 0 };
|
|
- _proto_priority[0] = p1;
|
|
- _proto_priority[1] = p2;
|
|
- _proto_priority[2] = p3;
|
|
-
|
|
- gnutls_protocol_set_priority (session, _proto_priority);
|
|
-}
|
|
-
|
|
-#ifdef ENABLE_SRP
|
|
-static int srp_detected;
|
|
-
|
|
-int
|
|
-_test_srp_username_callback (gnutls_session_t session,
|
|
- char **username, char **password)
|
|
-{
|
|
- srp_detected = 1;
|
|
-
|
|
- return -1;
|
|
-}
|
|
-
|
|
-test_code_t
|
|
-test_srp (gnutls_session_t session)
|
|
-{
|
|
- int ret;
|
|
-
|
|
- ADD_ALL_CIPHERS (session);
|
|
- ADD_ALL_COMP (session);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_ALL_PROTOCOLS (session);
|
|
- ADD_ALL_MACS (session);
|
|
-
|
|
- ADD_KX (session, GNUTLS_KX_SRP);
|
|
- srp_detected = 0;
|
|
-
|
|
- gnutls_srp_set_client_credentials_function (srp_cred,
|
|
- _test_srp_username_callback);
|
|
-
|
|
- gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred);
|
|
-
|
|
- ret = do_handshake (session);
|
|
-
|
|
- gnutls_srp_set_client_credentials_function (srp_cred, NULL);
|
|
-
|
|
- if (srp_detected != 0)
|
|
- return TEST_SUCCEED;
|
|
- else
|
|
- return TEST_FAILED;
|
|
+#define ALL_CIPHERS "+3DES-CBC:+ARCFOUR-128:+ARCFOUR-40"
|
|
+#define ALL_COMP "+COMP-NULL"
|
|
+#define ALL_MACS "+SHA1:+MD5"
|
|
+#define ALL_CERTTYPES "+CTYPE-X509"
|
|
+#define REST "%%UNSAFE_RENEGOTIATION"
|
|
+#define ALL_KX "+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+RSA-EXPORT"
|
|
+#define INIT_STR "NONE:"
|
|
+
|
|
+static inline void _gnutls_priority_set_direct(gnutls_session_t session, const char* str)
|
|
+{
|
|
+ const char* err;
|
|
+ int ret = gnutls_priority_set_direct(session, str, &err);
|
|
+
|
|
+ if (ret < 0)
|
|
+ {
|
|
+ fprintf(stderr, "Error in %s\n", err);
|
|
+ exit(1);
|
|
+ }
|
|
}
|
|
-#endif
|
|
|
|
test_code_t
|
|
test_server (gnutls_session_t session)
|
|
@@ -269,12 +140,8 @@ test_server (gnutls_session_t session)
|
|
|
|
buf[sizeof (buf) - 1] = 0;
|
|
|
|
- ADD_ALL_CIPHERS (session);
|
|
- ADD_ALL_COMP (session);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_ALL_PROTOCOLS (session);
|
|
- ADD_ALL_MACS (session);
|
|
- ADD_ALL_KX (session);
|
|
+ sprintf(prio_str, ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
|
|
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
|
|
@@ -318,13 +185,9 @@ test_export (gnutls_session_t session)
|
|
{
|
|
int ret;
|
|
|
|
- ADD_ALL_COMP (session);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_ALL_PROTOCOLS (session);
|
|
- ADD_ALL_MACS (session);
|
|
+ sprintf(prio_str, "+ARCFOUR-40:+RSA-EXPORT:"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
|
|
- ADD_KX (session, GNUTLS_KX_RSA_EXPORT);
|
|
- ADD_CIPHER (session, GNUTLS_CIPHER_ARCFOUR_40);
|
|
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
|
|
ret = do_handshake (session);
|
|
@@ -348,13 +211,9 @@ test_export_info (gnutls_session_t sessi
|
|
if (verbose == 0 || export_true == 0)
|
|
return TEST_IGNORE;
|
|
|
|
- ADD_ALL_COMP (session);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_ALL_PROTOCOLS (session);
|
|
- ADD_ALL_MACS (session);
|
|
+ sprintf(prio_str, "+ARCFOUR-40:+RSA-EXPORT:"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
|
|
- ADD_KX (session, GNUTLS_KX_RSA_EXPORT);
|
|
- ADD_CIPHER (session, GNUTLS_CIPHER_ARCFOUR_40);
|
|
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
|
|
ret = do_handshake (session);
|
|
@@ -395,13 +254,9 @@ test_dhe (gnutls_session_t session)
|
|
{
|
|
int ret;
|
|
|
|
- ADD_ALL_CIPHERS (session);
|
|
- ADD_ALL_COMP (session);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_ALL_PROTOCOLS (session);
|
|
- ADD_ALL_MACS (session);
|
|
+ sprintf(prio_str, ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":+DHE-RSA:+DHE-DSS:"REST, protocol_str);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
|
|
- ADD_KX2 (session, GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS);
|
|
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
|
|
ret = do_handshake (session);
|
|
@@ -411,6 +266,37 @@ test_dhe (gnutls_session_t session)
|
|
return ret;
|
|
}
|
|
|
|
+
|
|
+test_code_t
|
|
+test_safe_renegotiation (gnutls_session_t session)
|
|
+{
|
|
+ int ret;
|
|
+
|
|
+ sprintf(prio_str, ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":%%INITIAL_SAFE_RENEGOTIATION", protocol_str);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
+
|
|
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
+
|
|
+ ret = do_handshake (session);
|
|
+
|
|
+ return ret;
|
|
+}
|
|
+
|
|
+test_code_t
|
|
+test_safe_renegotiation_scsv (gnutls_session_t session)
|
|
+{
|
|
+ int ret;
|
|
+
|
|
+ sprintf(prio_str, ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":+VERS-SSL3.0:"ALL_MACS":"ALL_KX":%%INITIAL_SAFE_RENEGOTIATION");
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
+
|
|
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
+
|
|
+ ret = do_handshake (session);
|
|
+
|
|
+ return ret;
|
|
+}
|
|
+
|
|
test_code_t
|
|
test_dhe_group (gnutls_session_t session)
|
|
{
|
|
@@ -421,13 +307,8 @@ test_dhe_group (gnutls_session_t session
|
|
if (verbose == 0 || pubkey.data == NULL)
|
|
return TEST_IGNORE;
|
|
|
|
- ADD_ALL_CIPHERS (session);
|
|
- ADD_ALL_COMP (session);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_ALL_PROTOCOLS (session);
|
|
- ADD_ALL_MACS (session);
|
|
+ sprintf(prio_str, ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":+DHE-RSA:+DHE-DSS:"REST, protocol_str);
|
|
|
|
- ADD_KX2 (session, GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS);
|
|
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
|
|
ret = do_handshake (session);
|
|
@@ -463,12 +344,9 @@ test_code_t
|
|
test_ssl3 (gnutls_session_t session)
|
|
{
|
|
int ret;
|
|
- ADD_ALL_CIPHERS (session);
|
|
- ADD_ALL_COMP (session);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_PROTOCOL (session, GNUTLS_SSL3);
|
|
- ADD_ALL_MACS (session);
|
|
- ADD_ALL_KX (session);
|
|
+ sprintf(prio_str, ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":+VERS-SSL3.0:"ALL_MACS":"ALL_KX":"REST);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
+
|
|
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
|
|
ret = do_handshake (session);
|
|
@@ -496,12 +374,9 @@ test_bye (gnutls_session_t session)
|
|
signal (SIGALRM, got_alarm);
|
|
#endif
|
|
|
|
- ADD_ALL_CIPHERS (session);
|
|
- ADD_ALL_COMP (session);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_ALL_PROTOCOLS (session);
|
|
- ADD_ALL_MACS (session);
|
|
- ADD_ALL_KX (session);
|
|
+ sprintf(prio_str, ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
+
|
|
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
|
|
ret = do_handshake (session);
|
|
@@ -548,12 +423,10 @@ test_code_t
|
|
test_aes (gnutls_session_t session)
|
|
{
|
|
int ret;
|
|
- ADD_CIPHER (session, GNUTLS_CIPHER_AES_128_CBC);
|
|
- ADD_ALL_COMP (session);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_ALL_PROTOCOLS (session);
|
|
- ADD_ALL_MACS (session);
|
|
- ADD_ALL_KX (session);
|
|
+
|
|
+ sprintf(prio_str, INIT_STR "+AES-128-CBC:"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST , protocol_str);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
+
|
|
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
|
|
ret = do_handshake (session);
|
|
@@ -565,12 +438,10 @@ test_code_t
|
|
test_camellia (gnutls_session_t session)
|
|
{
|
|
int ret;
|
|
- ADD_CIPHER (session, GNUTLS_CIPHER_CAMELLIA_128_CBC);
|
|
- ADD_ALL_COMP (session);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_ALL_PROTOCOLS (session);
|
|
- ADD_ALL_MACS (session);
|
|
- ADD_ALL_KX (session);
|
|
+
|
|
+ sprintf(prio_str, INIT_STR "+CAMELLIA-128-CBC:"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
+
|
|
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
|
|
ret = do_handshake (session);
|
|
@@ -582,12 +453,10 @@ test_code_t
|
|
test_openpgp1 (gnutls_session_t session)
|
|
{
|
|
int ret;
|
|
- ADD_ALL_CIPHERS (session);
|
|
- ADD_ALL_COMP (session);
|
|
- ADD_CERTTYPE (session, GNUTLS_CRT_OPENPGP);
|
|
- ADD_ALL_PROTOCOLS (session);
|
|
- ADD_ALL_MACS (session);
|
|
- ADD_ALL_KX (session);
|
|
+
|
|
+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":+CTYPE-OPENPGP:%s:"ALL_MACS":"ALL_KX":"REST, protocol_str);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
+
|
|
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
|
|
ret = do_handshake (session);
|
|
@@ -604,18 +473,16 @@ test_code_t
|
|
test_unknown_ciphersuites (gnutls_session_t session)
|
|
{
|
|
int ret;
|
|
+
|
|
+
|
|
#ifdef ENABLE_CAMELLIA
|
|
- ADD_CIPHER4 (session, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_3DES_CBC,
|
|
- GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_CIPHER_ARCFOUR_128);
|
|
+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
#else
|
|
- ADD_CIPHER4 (session, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_3DES_CBC,
|
|
- GNUTLS_CIPHER_ARCFOUR_128, 0);
|
|
+ sprintf(prio_str, INIT_STR "+AES-128-CBC:"ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
#endif
|
|
- ADD_ALL_COMP (session);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_ALL_PROTOCOLS (session);
|
|
- ADD_ALL_MACS (session);
|
|
- ADD_ALL_KX (session);
|
|
+
|
|
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
|
|
ret = do_handshake (session);
|
|
@@ -626,12 +493,10 @@ test_code_t
|
|
test_md5 (gnutls_session_t session)
|
|
{
|
|
int ret;
|
|
- ADD_ALL_CIPHERS (session);
|
|
- ADD_ALL_COMP (session);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_ALL_PROTOCOLS (session);
|
|
- ADD_MAC (session, GNUTLS_MAC_MD5);
|
|
- ADD_ALL_KX (session);
|
|
+
|
|
+ sprintf(prio_str, INIT_STR "+AES-128-CBC:"ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:+MD5:"ALL_KX":"REST, protocol_str);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
+
|
|
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
|
|
ret = do_handshake (session);
|
|
@@ -643,12 +508,10 @@ test_code_t
|
|
test_zlib (gnutls_session_t session)
|
|
{
|
|
int ret;
|
|
- ADD_ALL_CIPHERS (session);
|
|
- ADD_COMP (session, GNUTLS_COMP_ZLIB);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_ALL_PROTOCOLS (session);
|
|
- ADD_ALL_MACS (session);
|
|
- ADD_ALL_KX (session);
|
|
+
|
|
+ sprintf(prio_str, INIT_STR ALL_CIPHERS":+COMP-ZLIB:"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
+
|
|
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
|
|
ret = do_handshake (session);
|
|
@@ -657,34 +520,25 @@ test_zlib (gnutls_session_t session)
|
|
#endif
|
|
|
|
test_code_t
|
|
-test_lzo (gnutls_session_t session)
|
|
+test_sha (gnutls_session_t session)
|
|
{
|
|
int ret;
|
|
- gnutls_handshake_set_private_extensions (session, 1);
|
|
|
|
- ADD_ALL_CIPHERS (session);
|
|
- ADD_COMP (session, GNUTLS_COMP_LZO);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_ALL_PROTOCOLS (session);
|
|
- ADD_ALL_MACS (session);
|
|
- ADD_ALL_KX (session);
|
|
+ sprintf(prio_str, INIT_STR "+AES-128-CBC:"ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:+SHA1:"ALL_KX":"REST, protocol_str);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
|
|
ret = do_handshake (session);
|
|
-
|
|
return ret;
|
|
}
|
|
|
|
test_code_t
|
|
-test_sha (gnutls_session_t session)
|
|
+test_3des (gnutls_session_t session)
|
|
{
|
|
int ret;
|
|
- ADD_ALL_CIPHERS (session);
|
|
- ADD_ALL_COMP (session);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_ALL_PROTOCOLS (session);
|
|
- ADD_MAC (session, GNUTLS_MAC_SHA1);
|
|
- ADD_ALL_KX (session);
|
|
+
|
|
+ sprintf(prio_str, INIT_STR "+3DES-CBC:"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
|
|
ret = do_handshake (session);
|
|
@@ -692,15 +546,12 @@ test_sha (gnutls_session_t session)
|
|
}
|
|
|
|
test_code_t
|
|
-test_3des (gnutls_session_t session)
|
|
+test_arcfour (gnutls_session_t session)
|
|
{
|
|
int ret;
|
|
- ADD_CIPHER (session, GNUTLS_CIPHER_3DES_CBC);
|
|
- ADD_ALL_COMP (session);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_ALL_PROTOCOLS (session);
|
|
- ADD_ALL_MACS (session);
|
|
- ADD_ALL_KX (session);
|
|
+
|
|
+ sprintf(prio_str, INIT_STR "+ARCFOUR-128:"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
|
|
ret = do_handshake (session);
|
|
@@ -708,15 +559,13 @@ test_3des (gnutls_session_t session)
|
|
}
|
|
|
|
test_code_t
|
|
-test_arcfour (gnutls_session_t session)
|
|
+test_arcfour_40 (gnutls_session_t session)
|
|
{
|
|
int ret;
|
|
- ADD_CIPHER (session, GNUTLS_CIPHER_ARCFOUR_128);
|
|
- ADD_ALL_COMP (session);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_ALL_PROTOCOLS (session);
|
|
- ADD_ALL_MACS (session);
|
|
- ADD_ALL_KX (session);
|
|
+
|
|
+ sprintf(prio_str, INIT_STR "+ARCFOUR-40:"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":""+RSA-EXPORT"":"REST, protocol_str);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
+
|
|
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
|
|
ret = do_handshake (session);
|
|
@@ -724,36 +573,36 @@ test_arcfour (gnutls_session_t session)
|
|
}
|
|
|
|
test_code_t
|
|
-test_arcfour_40 (gnutls_session_t session)
|
|
+test_tls1 (gnutls_session_t session)
|
|
{
|
|
int ret;
|
|
- ADD_CIPHER (session, GNUTLS_CIPHER_ARCFOUR_40);
|
|
- ADD_ALL_COMP (session);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_ALL_PROTOCOLS (session);
|
|
- ADD_ALL_MACS (session);
|
|
- ADD_ALL_KX (session);
|
|
+
|
|
+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":+VERS-TLS1.0:"ALL_MACS":"ALL_KX":"REST);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
+
|
|
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
|
|
ret = do_handshake (session);
|
|
+ if (ret == TEST_SUCCEED)
|
|
+ tls1_ok = 1;
|
|
+
|
|
return ret;
|
|
+
|
|
}
|
|
|
|
test_code_t
|
|
-test_tls1 (gnutls_session_t session)
|
|
+test_tls1_2 (gnutls_session_t session)
|
|
{
|
|
int ret;
|
|
- ADD_ALL_CIPHERS (session);
|
|
- ADD_ALL_COMP (session);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_PROTOCOL (session, GNUTLS_TLS1);
|
|
- ADD_ALL_MACS (session);
|
|
- ADD_ALL_KX (session);
|
|
+
|
|
+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":+VERS-TLS1.2:"ALL_MACS":"ALL_KX":"REST);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
+
|
|
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
|
|
ret = do_handshake (session);
|
|
if (ret == TEST_SUCCEED)
|
|
- tls1_ok = 1;
|
|
+ tls1_2_ok = 1;
|
|
|
|
return ret;
|
|
|
|
@@ -763,12 +612,10 @@ test_code_t
|
|
test_tls1_1 (gnutls_session_t session)
|
|
{
|
|
int ret;
|
|
- ADD_ALL_CIPHERS (session);
|
|
- ADD_ALL_COMP (session);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_PROTOCOL (session, GNUTLS_TLS1_1);
|
|
- ADD_ALL_MACS (session);
|
|
- ADD_ALL_KX (session);
|
|
+
|
|
+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":+VERS-TLS1.1:"ALL_MACS":"ALL_KX":"REST);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
+
|
|
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
|
|
ret = do_handshake (session);
|
|
@@ -786,12 +633,9 @@ test_tls1_1_fallback (gnutls_session_t s
|
|
if (tls1_1_ok)
|
|
return TEST_IGNORE;
|
|
|
|
- ADD_ALL_CIPHERS (session);
|
|
- ADD_ALL_COMP (session);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_PROTOCOL3 (session, GNUTLS_TLS1_1, GNUTLS_TLS1, GNUTLS_SSL3);
|
|
- ADD_ALL_MACS (session);
|
|
- ADD_ALL_KX (session);
|
|
+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0:"ALL_MACS":"ALL_KX":"REST);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
+
|
|
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
|
|
ret = do_handshake (session);
|
|
@@ -817,12 +661,9 @@ test_tls_disable (gnutls_session_t sessi
|
|
if (tls1_ok != 0)
|
|
return TEST_IGNORE;
|
|
|
|
- ADD_ALL_CIPHERS (session);
|
|
- ADD_ALL_COMP (session);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_ALL_PROTOCOLS (session);
|
|
- ADD_ALL_MACS (session);
|
|
- ADD_ALL_KX (session);
|
|
+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
+
|
|
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
|
|
ret = do_handshake (session);
|
|
@@ -831,8 +672,7 @@ test_tls_disable (gnutls_session_t sessi
|
|
/* disable TLS 1.0 */
|
|
if (ssl3_ok != 0)
|
|
{
|
|
- protocol_priority[0] = GNUTLS_SSL3;
|
|
- protocol_priority[1] = 0;
|
|
+ strcpy(protocol_str, "+VERS-SSL3.0");
|
|
}
|
|
}
|
|
return ret;
|
|
@@ -849,12 +689,8 @@ test_rsa_pms (gnutls_session_t session)
|
|
* If the server is old, buggy and only supports
|
|
* SSL 3.0 then the handshake will fail.
|
|
*/
|
|
- ADD_ALL_CIPHERS (session);
|
|
- ADD_ALL_COMP (session);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_ALL_PROTOCOLS (session);
|
|
- ADD_ALL_MACS (session);
|
|
- ADD_KX (session, GNUTLS_KX_RSA);
|
|
+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":+RSA:"REST, protocol_str);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
|
|
ret = do_handshake (session);
|
|
@@ -870,12 +706,8 @@ test_code_t
|
|
test_max_record_size (gnutls_session_t session)
|
|
{
|
|
int ret;
|
|
- ADD_ALL_CIPHERS (session);
|
|
- ADD_ALL_COMP (session);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_ALL_PROTOCOLS (session);
|
|
- ADD_ALL_MACS (session);
|
|
- ADD_ALL_KX (session);
|
|
+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
gnutls_record_set_max_size (session, 512);
|
|
|
|
@@ -894,12 +726,9 @@ test_code_t
|
|
test_hello_extension (gnutls_session_t session)
|
|
{
|
|
int ret;
|
|
- ADD_ALL_CIPHERS (session);
|
|
- ADD_ALL_COMP (session);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_ALL_PROTOCOLS (session);
|
|
- ADD_ALL_MACS (session);
|
|
- ADD_ALL_KX (session);
|
|
+
|
|
+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
gnutls_record_set_max_size (session, 512);
|
|
|
|
@@ -925,12 +754,8 @@ test_version_rollback (gnutls_session_t
|
|
* attacks which allow a version downgrade) and this
|
|
* connection will fail.
|
|
*/
|
|
- ADD_ALL_CIPHERS (session);
|
|
- ADD_ALL_COMP (session);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_ALL_PROTOCOLS (session);
|
|
- ADD_ALL_MACS (session);
|
|
- ADD_ALL_KX (session);
|
|
+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
_gnutls_record_set_default_version (session, 3, 0);
|
|
|
|
@@ -955,12 +780,8 @@ test_version_oob (gnutls_session_t sessi
|
|
/* here we enable both SSL 3.0 and TLS 1.0
|
|
* and we connect using a 5.5 record version.
|
|
*/
|
|
- ADD_ALL_CIPHERS (session);
|
|
- ADD_ALL_COMP (session);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_ALL_PROTOCOLS (session);
|
|
- ADD_ALL_MACS (session);
|
|
- ADD_ALL_KX (session);
|
|
+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
_gnutls_record_set_default_version (session, 5, 5);
|
|
|
|
@@ -980,12 +801,8 @@ test_rsa_pms_version_check (gnutls_sessi
|
|
*
|
|
* A normal server would abort this handshake.
|
|
*/
|
|
- ADD_ALL_CIPHERS (session);
|
|
- ADD_ALL_COMP (session);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_ALL_PROTOCOLS (session);
|
|
- ADD_ALL_MACS (session);
|
|
- ADD_ALL_KX (session);
|
|
+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
_gnutls_rsa_pms_set_version (session, 5, 5); /* use SSL 5.5 version */
|
|
|
|
@@ -1000,12 +817,8 @@ test_anonymous (gnutls_session_t session
|
|
{
|
|
int ret;
|
|
|
|
- ADD_ALL_CIPHERS (session);
|
|
- ADD_ALL_COMP (session);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_ALL_PROTOCOLS (session);
|
|
- ADD_ALL_MACS (session);
|
|
- ADD_KX (session, GNUTLS_KX_ANON_DH);
|
|
+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":+ANON-DH:"REST, protocol_str);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
gnutls_credentials_set (session, GNUTLS_CRD_ANON, anon_cred);
|
|
|
|
ret = do_handshake (session);
|
|
@@ -1027,12 +840,8 @@ test_session_resume2 (gnutls_session_t s
|
|
if (session == NULL)
|
|
return TEST_IGNORE;
|
|
|
|
- ADD_ALL_CIPHERS (session);
|
|
- ADD_ALL_COMP (session);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_ALL_PROTOCOLS (session);
|
|
- ADD_ALL_MACS (session);
|
|
- ADD_ALL_KX (session);
|
|
+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
|
|
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
gnutls_credentials_set (session, GNUTLS_CRD_ANON, anon_cred);
|
|
@@ -1074,12 +883,8 @@ test_certificate (gnutls_session_t sessi
|
|
if (verbose == 0)
|
|
return TEST_IGNORE;
|
|
|
|
- ADD_ALL_CIPHERS (session);
|
|
- ADD_ALL_COMP (session);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_ALL_PROTOCOLS (session);
|
|
- ADD_ALL_MACS (session);
|
|
- ADD_ALL_KX (session);
|
|
+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
|
|
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
|
|
@@ -1143,12 +948,8 @@ test_server_cas (gnutls_session_t sessio
|
|
if (verbose == 0)
|
|
return TEST_IGNORE;
|
|
|
|
- ADD_ALL_CIPHERS (session);
|
|
- ADD_ALL_COMP (session);
|
|
- ADD_ALL_CERTTYPES (session);
|
|
- ADD_ALL_PROTOCOLS (session);
|
|
- ADD_ALL_MACS (session);
|
|
- ADD_ALL_KX (session);
|
|
+ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str);
|
|
+ _gnutls_priority_set_direct (session, prio_str);
|
|
|
|
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
gnutls_certificate_client_set_retrieve_function (xcred, cert_callback);
|
|
diff -up gnutls-2.8.6/src/tests.h.reneg gnutls-2.8.6/src/tests.h
|
|
--- gnutls-2.8.6/src/tests.h.reneg 2009-06-02 20:59:32.000000000 +0200
|
|
+++ gnutls-2.8.6/src/tests.h 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -3,7 +3,6 @@ typedef enum
|
|
TEST_SUCCEED, TEST_FAILED, TEST_UNSURE, TEST_IGNORE
|
|
} test_code_t;
|
|
|
|
-test_code_t test_srp (gnutls_session_t state);
|
|
test_code_t test_server (gnutls_session_t state);
|
|
test_code_t test_export (gnutls_session_t state);
|
|
test_code_t test_export_info (gnutls_session_t state);
|
|
@@ -21,7 +20,10 @@ test_code_t test_3des (gnutls_session_t
|
|
test_code_t test_arcfour (gnutls_session_t state);
|
|
test_code_t test_arcfour_40 (gnutls_session_t state);
|
|
test_code_t test_tls1 (gnutls_session_t state);
|
|
+test_code_t test_safe_renegotiation (gnutls_session_t state);
|
|
+test_code_t test_safe_renegotiation_scsv (gnutls_session_t state);
|
|
test_code_t test_tls1_1 (gnutls_session_t state);
|
|
+test_code_t test_tls1_2 (gnutls_session_t state);
|
|
test_code_t test_tls1_1_fallback (gnutls_session_t state);
|
|
test_code_t test_tls_disable (gnutls_session_t state);
|
|
test_code_t test_rsa_pms (gnutls_session_t state);
|
|
@@ -37,6 +39,5 @@ test_code_t test_session_resume2 (gnutls
|
|
test_code_t test_rsa_pms_version_check (gnutls_session_t session);
|
|
test_code_t test_version_oob (gnutls_session_t session);
|
|
test_code_t test_zlib (gnutls_session_t session);
|
|
-test_code_t test_lzo (gnutls_session_t session);
|
|
int _test_srp_username_callback (gnutls_session_t session,
|
|
char **username, char **password);
|
|
diff -up gnutls-2.8.6/src/tls_test.c.reneg gnutls-2.8.6/src/tls_test.c
|
|
--- gnutls-2.8.6/src/tls_test.c.reneg 2009-06-02 20:59:32.000000000 +0200
|
|
+++ gnutls-2.8.6/src/tls_test.c 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -79,6 +79,9 @@ typedef struct
|
|
} TLS_TEST;
|
|
|
|
static const TLS_TEST tls_tests[] = {
|
|
+ {"for Safe renegotiation support", test_safe_renegotiation, "yes", "no", "dunno"},
|
|
+ {"for Safe renegotiation support (SCSV)", test_safe_renegotiation_scsv, "yes", "no", "dunno"},
|
|
+ {"for TLS 1.2 support", test_tls1_2, "yes", "no", "dunno"},
|
|
{"for TLS 1.1 support", test_tls1_1, "yes", "no", "dunno"},
|
|
{"fallback from TLS 1.1 to", test_tls1_1_fallback, "TLS 1.0", "failed",
|
|
"SSL 3.0"},
|
|
@@ -139,14 +142,8 @@ static const TLS_TEST tls_tests[] = {
|
|
{"for ZLIB compression support (TLS extension)", test_zlib, "yes",
|
|
"no", "dunno"},
|
|
#endif
|
|
- {"for LZO compression support (GnuTLS extension)", test_lzo, "yes",
|
|
- "no", "dunno"},
|
|
{"for max record size (TLS extension)", test_max_record_size, "yes",
|
|
"no", "dunno"},
|
|
-#ifdef ENABLE_SRP
|
|
- {"for SRP authentication support (TLS extension)", test_srp, "yes",
|
|
- "no", "dunno"},
|
|
-#endif
|
|
{"for OpenPGP authentication support (TLS extension)", test_openpgp1,
|
|
"yes", "no", "dunno"},
|
|
{NULL, NULL, NULL, NULL, NULL}
|
|
@@ -233,7 +230,7 @@ main (int argc, char **argv)
|
|
|
|
/* if neither of SSL3 and TLSv1 are supported, exit
|
|
*/
|
|
- if (i > 3 && tls1_1_ok == 0 && tls1_ok == 0 && ssl3_ok == 0)
|
|
+ if (i > 6 && tls1_1_ok == 0 && tls1_ok == 0 && ssl3_ok == 0)
|
|
{
|
|
fprintf (stderr,
|
|
"\nServer does not support any of SSL 3.0, TLS 1.0 and TLS 1.1\n");
|
|
diff -up gnutls-2.8.6/tests/Makefile.in.reneg gnutls-2.8.6/tests/Makefile.in
|
|
--- gnutls-2.8.6/tests/Makefile.in.reneg 2010-03-15 11:29:22.000000000 +0100
|
|
+++ gnutls-2.8.6/tests/Makefile.in 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -422,7 +422,7 @@ CTAGS = ctags
|
|
am__tty_colors = \
|
|
red=; grn=; lgn=; blu=; std=
|
|
DIST_SUBDIRS = . rsa-md5-collision pkcs1-padding pkcs8-decode \
|
|
- pkcs12-decode userid pathlen key-id sha2 openpgp-certs
|
|
+ pkcs12-decode userid pathlen key-id sha2 openpgp-certs safe-renegotiation
|
|
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
|
|
am__relativize = \
|
|
dir0=`pwd`; \
|
|
@@ -972,7 +972,7 @@ top_build_prefix = @top_build_prefix@
|
|
top_builddir = @top_builddir@
|
|
top_srcdir = @top_srcdir@
|
|
SUBDIRS = . rsa-md5-collision pkcs1-padding pkcs8-decode pkcs12-decode \
|
|
- userid pathlen key-id sha2 $(am__append_1)
|
|
+ userid pathlen key-id sha2 safe-renegotiation $(am__append_1)
|
|
EXTRA_DIST = libgcrypt.supp hostname-check.README
|
|
AM_CFLAGS = $(WARN_CFLAGS) $(WERROR_CFLAGS)
|
|
AM_CPPFLAGS = -I$(top_srcdir)/gl -I$(top_builddir)/gl \
|
|
diff -up gnutls-2.8.6/tests/resume.c.reneg gnutls-2.8.6/tests/resume.c
|
|
--- gnutls-2.8.6/tests/resume.c.reneg 2009-06-02 20:59:32.000000000 +0200
|
|
+++ gnutls-2.8.6/tests/resume.c 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -47,6 +47,8 @@ static int wrap_db_store (void *dbf, gnu
|
|
static gnutls_datum_t wrap_db_fetch (void *dbf, gnutls_datum_t key);
|
|
static int wrap_db_delete (void *dbf, gnutls_datum_t key);
|
|
|
|
+pid_t child;
|
|
+
|
|
#define TLS_SESSION_CACHE 50
|
|
|
|
/* A very basic TLS client, with anonymous authentication.
|
|
@@ -56,6 +58,12 @@ static int wrap_db_delete (void *dbf, gn
|
|
#define MSG "Hello TLS"
|
|
|
|
static void
|
|
+tls_log_func (int level, const char *str)
|
|
+{
|
|
+ fprintf (stderr, "%s |<%d>| %s", child ? "server" : "client", level, str);
|
|
+}
|
|
+
|
|
+static void
|
|
client (void)
|
|
{
|
|
int ret, sd, ii;
|
|
@@ -70,6 +78,11 @@ client (void)
|
|
int t;
|
|
gnutls_datum session_data;
|
|
|
|
+ if (debug)
|
|
+ {
|
|
+ gnutls_global_set_log_function (tls_log_func);
|
|
+ gnutls_global_set_log_level (2);
|
|
+ }
|
|
gnutls_global_init ();
|
|
|
|
gnutls_anon_allocate_client_credentials (&anoncred);
|
|
@@ -298,8 +311,13 @@ server (void)
|
|
|
|
/* this must be called once in the program, it is mostly for the server.
|
|
*/
|
|
- gnutls_global_init ();
|
|
+ if (debug)
|
|
+ {
|
|
+ gnutls_global_set_log_function (tls_log_func);
|
|
+ gnutls_global_set_log_level (2);
|
|
+ }
|
|
|
|
+ gnutls_global_init ();
|
|
gnutls_anon_allocate_server_credentials (&anoncred);
|
|
|
|
success ("Launched, generating DH parameters...\n");
|
|
@@ -385,8 +403,6 @@ server (void)
|
|
void
|
|
doit (void)
|
|
{
|
|
- pid_t child;
|
|
-
|
|
global_start ();
|
|
if (error_count)
|
|
return;
|
|
diff -up gnutls-2.8.6/tests/safe-renegotiation/Makefile.am.reneg gnutls-2.8.6/tests/safe-renegotiation/Makefile.am
|
|
--- gnutls-2.8.6/tests/safe-renegotiation/Makefile.am.reneg 2010-05-31 22:52:31.000000000 +0200
|
|
+++ gnutls-2.8.6/tests/safe-renegotiation/Makefile.am 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -0,0 +1,24 @@
|
|
+## Process this file with automake to produce Makefile.in
|
|
+# Copyright (C) 2010 Free Software Foundation
|
|
+#
|
|
+# This file is part of GNUTLS.
|
|
+#
|
|
+# This file is free software; you can redistribute it and/or modify it
|
|
+# under the terms of the GNU General Public License as published by
|
|
+# the Free Software Foundation; either version 3 of the License, or
|
|
+# (at your option) any later version.
|
|
+#
|
|
+# This file is distributed in the hope that it will be useful, but
|
|
+# WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
+# General Public License for more details.
|
|
+#
|
|
+# You should have received a copy of the GNU General Public License
|
|
+# along with this file; if not, write to the Free Software Foundation,
|
|
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
+
|
|
+EXTRA_DIST = params.dh
|
|
+
|
|
+dist_check_SCRIPTS = testsrn
|
|
+TESTS = testsrn
|
|
+
|
|
diff -up gnutls-2.8.6/tests/safe-renegotiation/Makefile.in.reneg gnutls-2.8.6/tests/safe-renegotiation/Makefile.in
|
|
--- gnutls-2.8.6/tests/safe-renegotiation/Makefile.in.reneg 2010-05-31 22:52:31.000000000 +0200
|
|
+++ gnutls-2.8.6/tests/safe-renegotiation/Makefile.in 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -0,0 +1,937 @@
|
|
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
|
|
+# @configure_input@
|
|
+
|
|
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
|
|
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
|
|
+# Inc.
|
|
+# This Makefile.in is free software; the Free Software Foundation
|
|
+# gives unlimited permission to copy and/or distribute it,
|
|
+# with or without modifications, as long as this notice is preserved.
|
|
+
|
|
+# This program is distributed in the hope that it will be useful,
|
|
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
|
|
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
|
|
+# PARTICULAR PURPOSE.
|
|
+
|
|
+@SET_MAKE@
|
|
+
|
|
+# Copyright (C) 2006, 2008 Free Software Foundation
|
|
+#
|
|
+# Author: Simon Josefsson
|
|
+#
|
|
+# This file is part of GNUTLS.
|
|
+#
|
|
+# This file is free software; you can redistribute it and/or modify it
|
|
+# under the terms of the GNU General Public License as published by
|
|
+# the Free Software Foundation; either version 3 of the License, or
|
|
+# (at your option) any later version.
|
|
+#
|
|
+# This file is distributed in the hope that it will be useful, but
|
|
+# WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
+# General Public License for more details.
|
|
+#
|
|
+# You should have received a copy of the GNU General Public License
|
|
+# along with this file; if not, write to the Free Software Foundation,
|
|
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
+VPATH = @srcdir@
|
|
+pkgdatadir = $(datadir)/@PACKAGE@
|
|
+pkgincludedir = $(includedir)/@PACKAGE@
|
|
+pkglibdir = $(libdir)/@PACKAGE@
|
|
+pkglibexecdir = $(libexecdir)/@PACKAGE@
|
|
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
|
|
+install_sh_DATA = $(install_sh) -c -m 644
|
|
+install_sh_PROGRAM = $(install_sh) -c
|
|
+install_sh_SCRIPT = $(install_sh) -c
|
|
+INSTALL_HEADER = $(INSTALL_DATA)
|
|
+transform = $(program_transform_name)
|
|
+NORMAL_INSTALL = :
|
|
+PRE_INSTALL = :
|
|
+POST_INSTALL = :
|
|
+NORMAL_UNINSTALL = :
|
|
+PRE_UNINSTALL = :
|
|
+POST_UNINSTALL = :
|
|
+build_triplet = @build@
|
|
+host_triplet = @host@
|
|
+subdir = tests/safe-renegotiation
|
|
+DIST_COMMON = $(dist_check_SCRIPTS) $(srcdir)/Makefile.am \
|
|
+ $(srcdir)/Makefile.in
|
|
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
|
|
+am__aclocal_m4_deps = $(top_srcdir)/libextra/m4/hooks.m4 \
|
|
+ $(top_srcdir)/lib/m4/hooks.m4 $(top_srcdir)/lib/gl/m4/po.m4 \
|
|
+ $(top_srcdir)/gl/m4/00gnulib.m4 $(top_srcdir)/gl/m4/alloca.m4 \
|
|
+ $(top_srcdir)/gl/m4/arpa_inet_h.m4 \
|
|
+ $(top_srcdir)/gl/m4/autobuild.m4 $(top_srcdir)/gl/m4/close.m4 \
|
|
+ $(top_srcdir)/gl/m4/errno_h.m4 $(top_srcdir)/gl/m4/error.m4 \
|
|
+ $(top_srcdir)/gl/m4/extensions.m4 \
|
|
+ $(top_srcdir)/gl/m4/fclose.m4 $(top_srcdir)/gl/m4/float_h.m4 \
|
|
+ $(top_srcdir)/gl/m4/fseeko.m4 \
|
|
+ $(top_srcdir)/gl/m4/getaddrinfo.m4 \
|
|
+ $(top_srcdir)/gl/m4/getdelim.m4 $(top_srcdir)/gl/m4/getline.m4 \
|
|
+ $(top_srcdir)/gl/m4/getpass.m4 \
|
|
+ $(top_srcdir)/gl/m4/gettimeofday.m4 \
|
|
+ $(top_srcdir)/gl/m4/gnulib-common.m4 \
|
|
+ $(top_srcdir)/gl/m4/gnulib-comp.m4 \
|
|
+ $(top_srcdir)/gl/m4/hostent.m4 \
|
|
+ $(top_srcdir)/gl/m4/include_next.m4 \
|
|
+ $(top_srcdir)/gl/m4/inet_ntop.m4 \
|
|
+ $(top_srcdir)/gl/m4/inet_pton.m4 \
|
|
+ $(top_srcdir)/gl/m4/intmax_t.m4 \
|
|
+ $(top_srcdir)/gl/m4/inttypes_h.m4 \
|
|
+ $(top_srcdir)/gl/m4/lib-ld.m4 $(top_srcdir)/gl/m4/lib-link.m4 \
|
|
+ $(top_srcdir)/gl/m4/lib-prefix.m4 \
|
|
+ $(top_srcdir)/gl/m4/longlong.m4 $(top_srcdir)/gl/m4/lseek.m4 \
|
|
+ $(top_srcdir)/gl/m4/malloc.m4 \
|
|
+ $(top_srcdir)/gl/m4/manywarnings.m4 \
|
|
+ $(top_srcdir)/gl/m4/minmax.m4 $(top_srcdir)/gl/m4/multiarch.m4 \
|
|
+ $(top_srcdir)/gl/m4/netdb_h.m4 \
|
|
+ $(top_srcdir)/gl/m4/netinet_in_h.m4 \
|
|
+ $(top_srcdir)/gl/m4/onceonly_2_57.m4 \
|
|
+ $(top_srcdir)/gl/m4/perror.m4 \
|
|
+ $(top_srcdir)/gl/m4/pmccabe2html.m4 \
|
|
+ $(top_srcdir)/gl/m4/printf.m4 $(top_srcdir)/gl/m4/read-file.m4 \
|
|
+ $(top_srcdir)/gl/m4/readline.m4 $(top_srcdir)/gl/m4/realloc.m4 \
|
|
+ $(top_srcdir)/gl/m4/select.m4 $(top_srcdir)/gl/m4/servent.m4 \
|
|
+ $(top_srcdir)/gl/m4/size_max.m4 \
|
|
+ $(top_srcdir)/gl/m4/snprintf.m4 $(top_srcdir)/gl/m4/sockets.m4 \
|
|
+ $(top_srcdir)/gl/m4/socklen.m4 $(top_srcdir)/gl/m4/sockpfaf.m4 \
|
|
+ $(top_srcdir)/gl/m4/stdarg.m4 $(top_srcdir)/gl/m4/stdbool.m4 \
|
|
+ $(top_srcdir)/gl/m4/stdint.m4 $(top_srcdir)/gl/m4/stdint_h.m4 \
|
|
+ $(top_srcdir)/gl/m4/stdio_h.m4 $(top_srcdir)/gl/m4/stdlib_h.m4 \
|
|
+ $(top_srcdir)/gl/m4/strerror.m4 \
|
|
+ $(top_srcdir)/gl/m4/string_h.m4 \
|
|
+ $(top_srcdir)/gl/m4/sys_ioctl_h.m4 \
|
|
+ $(top_srcdir)/gl/m4/sys_select_h.m4 \
|
|
+ $(top_srcdir)/gl/m4/sys_socket_h.m4 \
|
|
+ $(top_srcdir)/gl/m4/sys_stat_h.m4 \
|
|
+ $(top_srcdir)/gl/m4/sys_time_h.m4 \
|
|
+ $(top_srcdir)/gl/m4/ungetc.m4 $(top_srcdir)/gl/m4/unistd_h.m4 \
|
|
+ $(top_srcdir)/gl/m4/vasnprintf.m4 \
|
|
+ $(top_srcdir)/gl/m4/warnings.m4 $(top_srcdir)/gl/m4/wchar.m4 \
|
|
+ $(top_srcdir)/gl/m4/wchar_t.m4 $(top_srcdir)/gl/m4/wint_t.m4 \
|
|
+ $(top_srcdir)/gl/m4/xsize.m4 $(top_srcdir)/m4/gtk-doc.m4 \
|
|
+ $(top_srcdir)/m4/guile.m4 $(top_srcdir)/m4/libtool.m4 \
|
|
+ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
|
|
+ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
|
|
+ $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/m4/valgrind.m4 \
|
|
+ $(top_srcdir)/configure.ac
|
|
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
|
|
+ $(ACLOCAL_M4)
|
|
+mkinstalldirs = $(install_sh) -d
|
|
+CONFIG_HEADER = $(top_builddir)/config.h
|
|
+CONFIG_CLEAN_FILES =
|
|
+CONFIG_CLEAN_VPATH_FILES =
|
|
+SOURCES =
|
|
+DIST_SOURCES =
|
|
+am__tty_colors = \
|
|
+red=; grn=; lgn=; blu=; std=
|
|
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
|
|
+ACLOCAL = @ACLOCAL@
|
|
+ALLOCA = @ALLOCA@
|
|
+ALLOCA_H = @ALLOCA_H@
|
|
+AMTAR = @AMTAR@
|
|
+APPLE_UNIVERSAL_BUILD = @APPLE_UNIVERSAL_BUILD@
|
|
+AR = @AR@
|
|
+ARPA_INET_H = @ARPA_INET_H@
|
|
+AS = @AS@
|
|
+AUTOCONF = @AUTOCONF@
|
|
+AUTOHEADER = @AUTOHEADER@
|
|
+AUTOMAKE = @AUTOMAKE@
|
|
+AWK = @AWK@
|
|
+BITSIZEOF_PTRDIFF_T = @BITSIZEOF_PTRDIFF_T@
|
|
+BITSIZEOF_SIG_ATOMIC_T = @BITSIZEOF_SIG_ATOMIC_T@
|
|
+BITSIZEOF_SIZE_T = @BITSIZEOF_SIZE_T@
|
|
+BITSIZEOF_WCHAR_T = @BITSIZEOF_WCHAR_T@
|
|
+BITSIZEOF_WINT_T = @BITSIZEOF_WINT_T@
|
|
+CC = @CC@
|
|
+CCDEPMODE = @CCDEPMODE@
|
|
+CFLAGS = @CFLAGS@
|
|
+CPP = @CPP@
|
|
+CPPFLAGS = @CPPFLAGS@
|
|
+CXX = @CXX@
|
|
+CXXCPP = @CXXCPP@
|
|
+CXXDEPMODE = @CXXDEPMODE@
|
|
+CXXFLAGS = @CXXFLAGS@
|
|
+CYGPATH_W = @CYGPATH_W@
|
|
+DEFS = @DEFS@
|
|
+DEPDIR = @DEPDIR@
|
|
+DLLTOOL = @DLLTOOL@
|
|
+DLL_VERSION = @DLL_VERSION@
|
|
+DSYMUTIL = @DSYMUTIL@
|
|
+DUMPBIN = @DUMPBIN@
|
|
+ECHO_C = @ECHO_C@
|
|
+ECHO_N = @ECHO_N@
|
|
+ECHO_T = @ECHO_T@
|
|
+EGREP = @EGREP@
|
|
+EMULTIHOP_HIDDEN = @EMULTIHOP_HIDDEN@
|
|
+EMULTIHOP_VALUE = @EMULTIHOP_VALUE@
|
|
+ENOLINK_HIDDEN = @ENOLINK_HIDDEN@
|
|
+ENOLINK_VALUE = @ENOLINK_VALUE@
|
|
+EOVERFLOW_HIDDEN = @EOVERFLOW_HIDDEN@
|
|
+EOVERFLOW_VALUE = @EOVERFLOW_VALUE@
|
|
+ERRNO_H = @ERRNO_H@
|
|
+EXEEXT = @EXEEXT@
|
|
+FGREP = @FGREP@
|
|
+FLOAT_H = @FLOAT_H@
|
|
+GAA = @GAA@
|
|
+GETADDRINFO_LIB = @GETADDRINFO_LIB@
|
|
+GNULIB_ACCEPT = @GNULIB_ACCEPT@
|
|
+GNULIB_ATOLL = @GNULIB_ATOLL@
|
|
+GNULIB_BIND = @GNULIB_BIND@
|
|
+GNULIB_BTOWC = @GNULIB_BTOWC@
|
|
+GNULIB_CALLOC_POSIX = @GNULIB_CALLOC_POSIX@
|
|
+GNULIB_CHOWN = @GNULIB_CHOWN@
|
|
+GNULIB_CLOSE = @GNULIB_CLOSE@
|
|
+GNULIB_CONNECT = @GNULIB_CONNECT@
|
|
+GNULIB_DPRINTF = @GNULIB_DPRINTF@
|
|
+GNULIB_DUP2 = @GNULIB_DUP2@
|
|
+GNULIB_ENVIRON = @GNULIB_ENVIRON@
|
|
+GNULIB_EUIDACCESS = @GNULIB_EUIDACCESS@
|
|
+GNULIB_FCHDIR = @GNULIB_FCHDIR@
|
|
+GNULIB_FCLOSE = @GNULIB_FCLOSE@
|
|
+GNULIB_FFLUSH = @GNULIB_FFLUSH@
|
|
+GNULIB_FOPEN = @GNULIB_FOPEN@
|
|
+GNULIB_FPRINTF = @GNULIB_FPRINTF@
|
|
+GNULIB_FPRINTF_POSIX = @GNULIB_FPRINTF_POSIX@
|
|
+GNULIB_FPUTC = @GNULIB_FPUTC@
|
|
+GNULIB_FPUTS = @GNULIB_FPUTS@
|
|
+GNULIB_FREOPEN = @GNULIB_FREOPEN@
|
|
+GNULIB_FSEEK = @GNULIB_FSEEK@
|
|
+GNULIB_FSEEKO = @GNULIB_FSEEKO@
|
|
+GNULIB_FSYNC = @GNULIB_FSYNC@
|
|
+GNULIB_FTELL = @GNULIB_FTELL@
|
|
+GNULIB_FTELLO = @GNULIB_FTELLO@
|
|
+GNULIB_FTRUNCATE = @GNULIB_FTRUNCATE@
|
|
+GNULIB_FWRITE = @GNULIB_FWRITE@
|
|
+GNULIB_GETADDRINFO = @GNULIB_GETADDRINFO@
|
|
+GNULIB_GETCWD = @GNULIB_GETCWD@
|
|
+GNULIB_GETDELIM = @GNULIB_GETDELIM@
|
|
+GNULIB_GETDOMAINNAME = @GNULIB_GETDOMAINNAME@
|
|
+GNULIB_GETDTABLESIZE = @GNULIB_GETDTABLESIZE@
|
|
+GNULIB_GETHOSTNAME = @GNULIB_GETHOSTNAME@
|
|
+GNULIB_GETLINE = @GNULIB_GETLINE@
|
|
+GNULIB_GETLOADAVG = @GNULIB_GETLOADAVG@
|
|
+GNULIB_GETLOGIN_R = @GNULIB_GETLOGIN_R@
|
|
+GNULIB_GETPAGESIZE = @GNULIB_GETPAGESIZE@
|
|
+GNULIB_GETPEERNAME = @GNULIB_GETPEERNAME@
|
|
+GNULIB_GETSOCKNAME = @GNULIB_GETSOCKNAME@
|
|
+GNULIB_GETSOCKOPT = @GNULIB_GETSOCKOPT@
|
|
+GNULIB_GETSUBOPT = @GNULIB_GETSUBOPT@
|
|
+GNULIB_GETUSERSHELL = @GNULIB_GETUSERSHELL@
|
|
+GNULIB_INET_NTOP = @GNULIB_INET_NTOP@
|
|
+GNULIB_INET_PTON = @GNULIB_INET_PTON@
|
|
+GNULIB_IOCTL = @GNULIB_IOCTL@
|
|
+GNULIB_LCHMOD = @GNULIB_LCHMOD@
|
|
+GNULIB_LCHOWN = @GNULIB_LCHOWN@
|
|
+GNULIB_LINK = @GNULIB_LINK@
|
|
+GNULIB_LISTEN = @GNULIB_LISTEN@
|
|
+GNULIB_LSEEK = @GNULIB_LSEEK@
|
|
+GNULIB_LSTAT = @GNULIB_LSTAT@
|
|
+GNULIB_MALLOC_POSIX = @GNULIB_MALLOC_POSIX@
|
|
+GNULIB_MBRLEN = @GNULIB_MBRLEN@
|
|
+GNULIB_MBRTOWC = @GNULIB_MBRTOWC@
|
|
+GNULIB_MBSCASECMP = @GNULIB_MBSCASECMP@
|
|
+GNULIB_MBSCASESTR = @GNULIB_MBSCASESTR@
|
|
+GNULIB_MBSCHR = @GNULIB_MBSCHR@
|
|
+GNULIB_MBSCSPN = @GNULIB_MBSCSPN@
|
|
+GNULIB_MBSINIT = @GNULIB_MBSINIT@
|
|
+GNULIB_MBSLEN = @GNULIB_MBSLEN@
|
|
+GNULIB_MBSNCASECMP = @GNULIB_MBSNCASECMP@
|
|
+GNULIB_MBSNLEN = @GNULIB_MBSNLEN@
|
|
+GNULIB_MBSNRTOWCS = @GNULIB_MBSNRTOWCS@
|
|
+GNULIB_MBSPBRK = @GNULIB_MBSPBRK@
|
|
+GNULIB_MBSPCASECMP = @GNULIB_MBSPCASECMP@
|
|
+GNULIB_MBSRCHR = @GNULIB_MBSRCHR@
|
|
+GNULIB_MBSRTOWCS = @GNULIB_MBSRTOWCS@
|
|
+GNULIB_MBSSEP = @GNULIB_MBSSEP@
|
|
+GNULIB_MBSSPN = @GNULIB_MBSSPN@
|
|
+GNULIB_MBSSTR = @GNULIB_MBSSTR@
|
|
+GNULIB_MBSTOK_R = @GNULIB_MBSTOK_R@
|
|
+GNULIB_MEMMEM = @GNULIB_MEMMEM@
|
|
+GNULIB_MEMPCPY = @GNULIB_MEMPCPY@
|
|
+GNULIB_MEMRCHR = @GNULIB_MEMRCHR@
|
|
+GNULIB_MKDTEMP = @GNULIB_MKDTEMP@
|
|
+GNULIB_MKSTEMP = @GNULIB_MKSTEMP@
|
|
+GNULIB_OBSTACK_PRINTF = @GNULIB_OBSTACK_PRINTF@
|
|
+GNULIB_OBSTACK_PRINTF_POSIX = @GNULIB_OBSTACK_PRINTF_POSIX@
|
|
+GNULIB_PERROR = @GNULIB_PERROR@
|
|
+GNULIB_PRINTF = @GNULIB_PRINTF@
|
|
+GNULIB_PRINTF_POSIX = @GNULIB_PRINTF_POSIX@
|
|
+GNULIB_PUTC = @GNULIB_PUTC@
|
|
+GNULIB_PUTCHAR = @GNULIB_PUTCHAR@
|
|
+GNULIB_PUTENV = @GNULIB_PUTENV@
|
|
+GNULIB_PUTS = @GNULIB_PUTS@
|
|
+GNULIB_RANDOM_R = @GNULIB_RANDOM_R@
|
|
+GNULIB_RAWMEMCHR = @GNULIB_RAWMEMCHR@
|
|
+GNULIB_READLINK = @GNULIB_READLINK@
|
|
+GNULIB_REALLOC_POSIX = @GNULIB_REALLOC_POSIX@
|
|
+GNULIB_RECV = @GNULIB_RECV@
|
|
+GNULIB_RECVFROM = @GNULIB_RECVFROM@
|
|
+GNULIB_RPMATCH = @GNULIB_RPMATCH@
|
|
+GNULIB_SELECT = @GNULIB_SELECT@
|
|
+GNULIB_SEND = @GNULIB_SEND@
|
|
+GNULIB_SENDTO = @GNULIB_SENDTO@
|
|
+GNULIB_SETENV = @GNULIB_SETENV@
|
|
+GNULIB_SETSOCKOPT = @GNULIB_SETSOCKOPT@
|
|
+GNULIB_SHUTDOWN = @GNULIB_SHUTDOWN@
|
|
+GNULIB_SLEEP = @GNULIB_SLEEP@
|
|
+GNULIB_SNPRINTF = @GNULIB_SNPRINTF@
|
|
+GNULIB_SOCKET = @GNULIB_SOCKET@
|
|
+GNULIB_SPRINTF_POSIX = @GNULIB_SPRINTF_POSIX@
|
|
+GNULIB_STDIO_H_SIGPIPE = @GNULIB_STDIO_H_SIGPIPE@
|
|
+GNULIB_STPCPY = @GNULIB_STPCPY@
|
|
+GNULIB_STPNCPY = @GNULIB_STPNCPY@
|
|
+GNULIB_STRCASESTR = @GNULIB_STRCASESTR@
|
|
+GNULIB_STRCHRNUL = @GNULIB_STRCHRNUL@
|
|
+GNULIB_STRDUP = @GNULIB_STRDUP@
|
|
+GNULIB_STRERROR = @GNULIB_STRERROR@
|
|
+GNULIB_STRNDUP = @GNULIB_STRNDUP@
|
|
+GNULIB_STRNLEN = @GNULIB_STRNLEN@
|
|
+GNULIB_STRPBRK = @GNULIB_STRPBRK@
|
|
+GNULIB_STRSEP = @GNULIB_STRSEP@
|
|
+GNULIB_STRSIGNAL = @GNULIB_STRSIGNAL@
|
|
+GNULIB_STRSTR = @GNULIB_STRSTR@
|
|
+GNULIB_STRTOD = @GNULIB_STRTOD@
|
|
+GNULIB_STRTOK_R = @GNULIB_STRTOK_R@
|
|
+GNULIB_STRTOLL = @GNULIB_STRTOLL@
|
|
+GNULIB_STRTOULL = @GNULIB_STRTOULL@
|
|
+GNULIB_STRVERSCMP = @GNULIB_STRVERSCMP@
|
|
+GNULIB_UNISTD_H_SIGPIPE = @GNULIB_UNISTD_H_SIGPIPE@
|
|
+GNULIB_UNSETENV = @GNULIB_UNSETENV@
|
|
+GNULIB_VASPRINTF = @GNULIB_VASPRINTF@
|
|
+GNULIB_VDPRINTF = @GNULIB_VDPRINTF@
|
|
+GNULIB_VFPRINTF = @GNULIB_VFPRINTF@
|
|
+GNULIB_VFPRINTF_POSIX = @GNULIB_VFPRINTF_POSIX@
|
|
+GNULIB_VPRINTF = @GNULIB_VPRINTF@
|
|
+GNULIB_VPRINTF_POSIX = @GNULIB_VPRINTF_POSIX@
|
|
+GNULIB_VSNPRINTF = @GNULIB_VSNPRINTF@
|
|
+GNULIB_VSPRINTF_POSIX = @GNULIB_VSPRINTF_POSIX@
|
|
+GNULIB_WCRTOMB = @GNULIB_WCRTOMB@
|
|
+GNULIB_WCSNRTOMBS = @GNULIB_WCSNRTOMBS@
|
|
+GNULIB_WCSRTOMBS = @GNULIB_WCSRTOMBS@
|
|
+GNULIB_WCTOB = @GNULIB_WCTOB@
|
|
+GNULIB_WCWIDTH = @GNULIB_WCWIDTH@
|
|
+GNULIB_WRITE = @GNULIB_WRITE@
|
|
+GREP = @GREP@
|
|
+GTKDOC_CHECK = @GTKDOC_CHECK@
|
|
+GTKDOC_MKPDF = @GTKDOC_MKPDF@
|
|
+GTKDOC_REBASE = @GTKDOC_REBASE@
|
|
+GUILE = @GUILE@
|
|
+GUILE_CFLAGS = @GUILE_CFLAGS@
|
|
+GUILE_CONFIG = @GUILE_CONFIG@
|
|
+GUILE_LDFLAGS = @GUILE_LDFLAGS@
|
|
+GUILE_SITE = @GUILE_SITE@
|
|
+GUILE_TOOLS = @GUILE_TOOLS@
|
|
+HAVE_ARPA_INET_H = @HAVE_ARPA_INET_H@
|
|
+HAVE_ATOLL = @HAVE_ATOLL@
|
|
+HAVE_BTOWC = @HAVE_BTOWC@
|
|
+HAVE_CALLOC_POSIX = @HAVE_CALLOC_POSIX@
|
|
+HAVE_DECL_ENVIRON = @HAVE_DECL_ENVIRON@
|
|
+HAVE_DECL_FREEADDRINFO = @HAVE_DECL_FREEADDRINFO@
|
|
+HAVE_DECL_GAI_STRERROR = @HAVE_DECL_GAI_STRERROR@
|
|
+HAVE_DECL_GETADDRINFO = @HAVE_DECL_GETADDRINFO@
|
|
+HAVE_DECL_GETDELIM = @HAVE_DECL_GETDELIM@
|
|
+HAVE_DECL_GETLINE = @HAVE_DECL_GETLINE@
|
|
+HAVE_DECL_GETLOADAVG = @HAVE_DECL_GETLOADAVG@
|
|
+HAVE_DECL_GETLOGIN_R = @HAVE_DECL_GETLOGIN_R@
|
|
+HAVE_DECL_GETNAMEINFO = @HAVE_DECL_GETNAMEINFO@
|
|
+HAVE_DECL_INET_NTOP = @HAVE_DECL_INET_NTOP@
|
|
+HAVE_DECL_INET_PTON = @HAVE_DECL_INET_PTON@
|
|
+HAVE_DECL_MEMMEM = @HAVE_DECL_MEMMEM@
|
|
+HAVE_DECL_MEMRCHR = @HAVE_DECL_MEMRCHR@
|
|
+HAVE_DECL_OBSTACK_PRINTF = @HAVE_DECL_OBSTACK_PRINTF@
|
|
+HAVE_DECL_SNPRINTF = @HAVE_DECL_SNPRINTF@
|
|
+HAVE_DECL_STRDUP = @HAVE_DECL_STRDUP@
|
|
+HAVE_DECL_STRERROR = @HAVE_DECL_STRERROR@
|
|
+HAVE_DECL_STRNDUP = @HAVE_DECL_STRNDUP@
|
|
+HAVE_DECL_STRNLEN = @HAVE_DECL_STRNLEN@
|
|
+HAVE_DECL_STRSIGNAL = @HAVE_DECL_STRSIGNAL@
|
|
+HAVE_DECL_STRTOK_R = @HAVE_DECL_STRTOK_R@
|
|
+HAVE_DECL_VSNPRINTF = @HAVE_DECL_VSNPRINTF@
|
|
+HAVE_DECL_WCTOB = @HAVE_DECL_WCTOB@
|
|
+HAVE_DECL_WCWIDTH = @HAVE_DECL_WCWIDTH@
|
|
+HAVE_DPRINTF = @HAVE_DPRINTF@
|
|
+HAVE_DUP2 = @HAVE_DUP2@
|
|
+HAVE_EUIDACCESS = @HAVE_EUIDACCESS@
|
|
+HAVE_FSEEKO = @HAVE_FSEEKO@
|
|
+HAVE_FSYNC = @HAVE_FSYNC@
|
|
+HAVE_FTELLO = @HAVE_FTELLO@
|
|
+HAVE_FTRUNCATE = @HAVE_FTRUNCATE@
|
|
+HAVE_GETDOMAINNAME = @HAVE_GETDOMAINNAME@
|
|
+HAVE_GETDTABLESIZE = @HAVE_GETDTABLESIZE@
|
|
+HAVE_GETHOSTNAME = @HAVE_GETHOSTNAME@
|
|
+HAVE_GETPAGESIZE = @HAVE_GETPAGESIZE@
|
|
+HAVE_GETSUBOPT = @HAVE_GETSUBOPT@
|
|
+HAVE_GETUSERSHELL = @HAVE_GETUSERSHELL@
|
|
+HAVE_INTTYPES_H = @HAVE_INTTYPES_H@
|
|
+HAVE_LCHMOD = @HAVE_LCHMOD@
|
|
+HAVE_LIBGCRYPT = @HAVE_LIBGCRYPT@
|
|
+HAVE_LIBTASN1 = @HAVE_LIBTASN1@
|
|
+HAVE_LINK = @HAVE_LINK@
|
|
+HAVE_LONG_LONG_INT = @HAVE_LONG_LONG_INT@
|
|
+HAVE_LSTAT = @HAVE_LSTAT@
|
|
+HAVE_MALLOC_POSIX = @HAVE_MALLOC_POSIX@
|
|
+HAVE_MBRLEN = @HAVE_MBRLEN@
|
|
+HAVE_MBRTOWC = @HAVE_MBRTOWC@
|
|
+HAVE_MBSINIT = @HAVE_MBSINIT@
|
|
+HAVE_MBSNRTOWCS = @HAVE_MBSNRTOWCS@
|
|
+HAVE_MBSRTOWCS = @HAVE_MBSRTOWCS@
|
|
+HAVE_MEMPCPY = @HAVE_MEMPCPY@
|
|
+HAVE_MKDTEMP = @HAVE_MKDTEMP@
|
|
+HAVE_NETDB_H = @HAVE_NETDB_H@
|
|
+HAVE_NETINET_IN_H = @HAVE_NETINET_IN_H@
|
|
+HAVE_OS_H = @HAVE_OS_H@
|
|
+HAVE_RANDOM_H = @HAVE_RANDOM_H@
|
|
+HAVE_RANDOM_R = @HAVE_RANDOM_R@
|
|
+HAVE_RAWMEMCHR = @HAVE_RAWMEMCHR@
|
|
+HAVE_READLINK = @HAVE_READLINK@
|
|
+HAVE_REALLOC_POSIX = @HAVE_REALLOC_POSIX@
|
|
+HAVE_RPMATCH = @HAVE_RPMATCH@
|
|
+HAVE_SA_FAMILY_T = @HAVE_SA_FAMILY_T@
|
|
+HAVE_SETENV = @HAVE_SETENV@
|
|
+HAVE_SIGNED_SIG_ATOMIC_T = @HAVE_SIGNED_SIG_ATOMIC_T@
|
|
+HAVE_SIGNED_WCHAR_T = @HAVE_SIGNED_WCHAR_T@
|
|
+HAVE_SIGNED_WINT_T = @HAVE_SIGNED_WINT_T@
|
|
+HAVE_SLEEP = @HAVE_SLEEP@
|
|
+HAVE_STDINT_H = @HAVE_STDINT_H@
|
|
+HAVE_STPCPY = @HAVE_STPCPY@
|
|
+HAVE_STPNCPY = @HAVE_STPNCPY@
|
|
+HAVE_STRCASESTR = @HAVE_STRCASESTR@
|
|
+HAVE_STRCHRNUL = @HAVE_STRCHRNUL@
|
|
+HAVE_STRNDUP = @HAVE_STRNDUP@
|
|
+HAVE_STRPBRK = @HAVE_STRPBRK@
|
|
+HAVE_STRSEP = @HAVE_STRSEP@
|
|
+HAVE_STRTOD = @HAVE_STRTOD@
|
|
+HAVE_STRTOLL = @HAVE_STRTOLL@
|
|
+HAVE_STRTOULL = @HAVE_STRTOULL@
|
|
+HAVE_STRUCT_ADDRINFO = @HAVE_STRUCT_ADDRINFO@
|
|
+HAVE_STRUCT_RANDOM_DATA = @HAVE_STRUCT_RANDOM_DATA@
|
|
+HAVE_STRUCT_SOCKADDR_STORAGE = @HAVE_STRUCT_SOCKADDR_STORAGE@
|
|
+HAVE_STRUCT_TIMEVAL = @HAVE_STRUCT_TIMEVAL@
|
|
+HAVE_STRVERSCMP = @HAVE_STRVERSCMP@
|
|
+HAVE_SYS_BITYPES_H = @HAVE_SYS_BITYPES_H@
|
|
+HAVE_SYS_INTTYPES_H = @HAVE_SYS_INTTYPES_H@
|
|
+HAVE_SYS_IOCTL_H = @HAVE_SYS_IOCTL_H@
|
|
+HAVE_SYS_LOADAVG_H = @HAVE_SYS_LOADAVG_H@
|
|
+HAVE_SYS_PARAM_H = @HAVE_SYS_PARAM_H@
|
|
+HAVE_SYS_SELECT_H = @HAVE_SYS_SELECT_H@
|
|
+HAVE_SYS_SOCKET_H = @HAVE_SYS_SOCKET_H@
|
|
+HAVE_SYS_TIME_H = @HAVE_SYS_TIME_H@
|
|
+HAVE_SYS_TYPES_H = @HAVE_SYS_TYPES_H@
|
|
+HAVE_UNISTD_H = @HAVE_UNISTD_H@
|
|
+HAVE_UNSETENV = @HAVE_UNSETENV@
|
|
+HAVE_UNSIGNED_LONG_LONG_INT = @HAVE_UNSIGNED_LONG_LONG_INT@
|
|
+HAVE_VASPRINTF = @HAVE_VASPRINTF@
|
|
+HAVE_VDPRINTF = @HAVE_VDPRINTF@
|
|
+HAVE_WCHAR_H = @HAVE_WCHAR_H@
|
|
+HAVE_WCRTOMB = @HAVE_WCRTOMB@
|
|
+HAVE_WCSNRTOMBS = @HAVE_WCSNRTOMBS@
|
|
+HAVE_WCSRTOMBS = @HAVE_WCSRTOMBS@
|
|
+HAVE_WINSOCK2_H = @HAVE_WINSOCK2_H@
|
|
+HAVE_WINT_T = @HAVE_WINT_T@
|
|
+HAVE_WS2TCPIP_H = @HAVE_WS2TCPIP_H@
|
|
+HAVE__BOOL = @HAVE__BOOL@
|
|
+HOSTENT_LIB = @HOSTENT_LIB@
|
|
+HTML_DIR = @HTML_DIR@
|
|
+INCLUDE_NEXT = @INCLUDE_NEXT@
|
|
+INCLUDE_NEXT_AS_FIRST_DIRECTIVE = @INCLUDE_NEXT_AS_FIRST_DIRECTIVE@
|
|
+INET_NTOP_LIB = @INET_NTOP_LIB@
|
|
+INET_PTON_LIB = @INET_PTON_LIB@
|
|
+INSTALL = @INSTALL@
|
|
+INSTALL_DATA = @INSTALL_DATA@
|
|
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
|
|
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
|
|
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
|
|
+LD = @LD@
|
|
+LDFLAGS = @LDFLAGS@
|
|
+LIBGCRYPT = @LIBGCRYPT@
|
|
+LIBGCRYPT_PREFIX = @LIBGCRYPT_PREFIX@
|
|
+LIBINTL = @LIBINTL@
|
|
+LIBOBJS = @LIBOBJS@
|
|
+LIBREADLINE = @LIBREADLINE@
|
|
+LIBS = @LIBS@
|
|
+LIBSOCKET = @LIBSOCKET@
|
|
+LIBTASN1 = @LIBTASN1@
|
|
+LIBTASN1_PREFIX = @LIBTASN1_PREFIX@
|
|
+LIBTESTS_LIBDEPS = @LIBTESTS_LIBDEPS@
|
|
+LIBTOOL = @LIBTOOL@
|
|
+LIPO = @LIPO@
|
|
+LN_S = @LN_S@
|
|
+LTALLOCA = @LTALLOCA@
|
|
+LTLIBGCRYPT = @LTLIBGCRYPT@
|
|
+LTLIBINTL = @LTLIBINTL@
|
|
+LTLIBOBJS = @LTLIBOBJS@
|
|
+LTLIBREADLINE = @LTLIBREADLINE@
|
|
+LTLIBTASN1 = @LTLIBTASN1@
|
|
+LT_AGE = @LT_AGE@
|
|
+LT_CURRENT = @LT_CURRENT@
|
|
+LT_REVISION = @LT_REVISION@
|
|
+LZO_LIBS = @LZO_LIBS@
|
|
+MAKEINFO = @MAKEINFO@
|
|
+MKDIR_P = @MKDIR_P@
|
|
+NETDB_H = @NETDB_H@
|
|
+NETINET_IN_H = @NETINET_IN_H@
|
|
+NEXT_ARPA_INET_H = @NEXT_ARPA_INET_H@
|
|
+NEXT_ERRNO_H = @NEXT_ERRNO_H@
|
|
+NEXT_FLOAT_H = @NEXT_FLOAT_H@
|
|
+NEXT_NETDB_H = @NEXT_NETDB_H@
|
|
+NEXT_NETINET_IN_H = @NEXT_NETINET_IN_H@
|
|
+NEXT_STDARG_H = @NEXT_STDARG_H@
|
|
+NEXT_STDINT_H = @NEXT_STDINT_H@
|
|
+NEXT_STDIO_H = @NEXT_STDIO_H@
|
|
+NEXT_STDLIB_H = @NEXT_STDLIB_H@
|
|
+NEXT_STRING_H = @NEXT_STRING_H@
|
|
+NEXT_SYS_IOCTL_H = @NEXT_SYS_IOCTL_H@
|
|
+NEXT_SYS_SELECT_H = @NEXT_SYS_SELECT_H@
|
|
+NEXT_SYS_SOCKET_H = @NEXT_SYS_SOCKET_H@
|
|
+NEXT_SYS_STAT_H = @NEXT_SYS_STAT_H@
|
|
+NEXT_SYS_TIME_H = @NEXT_SYS_TIME_H@
|
|
+NEXT_UNISTD_H = @NEXT_UNISTD_H@
|
|
+NEXT_WCHAR_H = @NEXT_WCHAR_H@
|
|
+NM = @NM@
|
|
+NMEDIT = @NMEDIT@
|
|
+OBJDUMP = @OBJDUMP@
|
|
+OBJEXT = @OBJEXT@
|
|
+OTOOL = @OTOOL@
|
|
+OTOOL64 = @OTOOL64@
|
|
+PACKAGE = @PACKAGE@
|
|
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
|
|
+PACKAGE_NAME = @PACKAGE_NAME@
|
|
+PACKAGE_STRING = @PACKAGE_STRING@
|
|
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
|
|
+PACKAGE_URL = @PACKAGE_URL@
|
|
+PACKAGE_VERSION = @PACKAGE_VERSION@
|
|
+PATH_SEPARATOR = @PATH_SEPARATOR@
|
|
+PKG_CONFIG = @PKG_CONFIG@
|
|
+PMCCABE = @PMCCABE@
|
|
+PRAGMA_SYSTEM_HEADER = @PRAGMA_SYSTEM_HEADER@
|
|
+PTRDIFF_T_SUFFIX = @PTRDIFF_T_SUFFIX@
|
|
+RANLIB = @RANLIB@
|
|
+REPLACE_BTOWC = @REPLACE_BTOWC@
|
|
+REPLACE_CHOWN = @REPLACE_CHOWN@
|
|
+REPLACE_CLOSE = @REPLACE_CLOSE@
|
|
+REPLACE_DPRINTF = @REPLACE_DPRINTF@
|
|
+REPLACE_FCHDIR = @REPLACE_FCHDIR@
|
|
+REPLACE_FCLOSE = @REPLACE_FCLOSE@
|
|
+REPLACE_FFLUSH = @REPLACE_FFLUSH@
|
|
+REPLACE_FOPEN = @REPLACE_FOPEN@
|
|
+REPLACE_FPRINTF = @REPLACE_FPRINTF@
|
|
+REPLACE_FREOPEN = @REPLACE_FREOPEN@
|
|
+REPLACE_FSEEK = @REPLACE_FSEEK@
|
|
+REPLACE_FSEEKO = @REPLACE_FSEEKO@
|
|
+REPLACE_FTELL = @REPLACE_FTELL@
|
|
+REPLACE_FTELLO = @REPLACE_FTELLO@
|
|
+REPLACE_GETCWD = @REPLACE_GETCWD@
|
|
+REPLACE_GETLINE = @REPLACE_GETLINE@
|
|
+REPLACE_GETPAGESIZE = @REPLACE_GETPAGESIZE@
|
|
+REPLACE_GETTIMEOFDAY = @REPLACE_GETTIMEOFDAY@
|
|
+REPLACE_LCHOWN = @REPLACE_LCHOWN@
|
|
+REPLACE_LSEEK = @REPLACE_LSEEK@
|
|
+REPLACE_LSTAT = @REPLACE_LSTAT@
|
|
+REPLACE_MBRLEN = @REPLACE_MBRLEN@
|
|
+REPLACE_MBRTOWC = @REPLACE_MBRTOWC@
|
|
+REPLACE_MBSINIT = @REPLACE_MBSINIT@
|
|
+REPLACE_MBSNRTOWCS = @REPLACE_MBSNRTOWCS@
|
|
+REPLACE_MBSRTOWCS = @REPLACE_MBSRTOWCS@
|
|
+REPLACE_MBSTATE_T = @REPLACE_MBSTATE_T@
|
|
+REPLACE_MEMMEM = @REPLACE_MEMMEM@
|
|
+REPLACE_MKDIR = @REPLACE_MKDIR@
|
|
+REPLACE_MKSTEMP = @REPLACE_MKSTEMP@
|
|
+REPLACE_OBSTACK_PRINTF = @REPLACE_OBSTACK_PRINTF@
|
|
+REPLACE_PERROR = @REPLACE_PERROR@
|
|
+REPLACE_PRINTF = @REPLACE_PRINTF@
|
|
+REPLACE_PUTENV = @REPLACE_PUTENV@
|
|
+REPLACE_SELECT = @REPLACE_SELECT@
|
|
+REPLACE_SNPRINTF = @REPLACE_SNPRINTF@
|
|
+REPLACE_SPRINTF = @REPLACE_SPRINTF@
|
|
+REPLACE_STDIO_WRITE_FUNCS = @REPLACE_STDIO_WRITE_FUNCS@
|
|
+REPLACE_STRCASESTR = @REPLACE_STRCASESTR@
|
|
+REPLACE_STRDUP = @REPLACE_STRDUP@
|
|
+REPLACE_STRERROR = @REPLACE_STRERROR@
|
|
+REPLACE_STRSIGNAL = @REPLACE_STRSIGNAL@
|
|
+REPLACE_STRSTR = @REPLACE_STRSTR@
|
|
+REPLACE_STRTOD = @REPLACE_STRTOD@
|
|
+REPLACE_VASPRINTF = @REPLACE_VASPRINTF@
|
|
+REPLACE_VDPRINTF = @REPLACE_VDPRINTF@
|
|
+REPLACE_VFPRINTF = @REPLACE_VFPRINTF@
|
|
+REPLACE_VPRINTF = @REPLACE_VPRINTF@
|
|
+REPLACE_VSNPRINTF = @REPLACE_VSNPRINTF@
|
|
+REPLACE_VSPRINTF = @REPLACE_VSPRINTF@
|
|
+REPLACE_WCRTOMB = @REPLACE_WCRTOMB@
|
|
+REPLACE_WCSNRTOMBS = @REPLACE_WCSNRTOMBS@
|
|
+REPLACE_WCSRTOMBS = @REPLACE_WCSRTOMBS@
|
|
+REPLACE_WCTOB = @REPLACE_WCTOB@
|
|
+REPLACE_WCWIDTH = @REPLACE_WCWIDTH@
|
|
+REPLACE_WRITE = @REPLACE_WRITE@
|
|
+SED = @SED@
|
|
+SERVENT_LIB = @SERVENT_LIB@
|
|
+SET_MAKE = @SET_MAKE@
|
|
+SHELL = @SHELL@
|
|
+SIG_ATOMIC_T_SUFFIX = @SIG_ATOMIC_T_SUFFIX@
|
|
+SIZE_T_SUFFIX = @SIZE_T_SUFFIX@
|
|
+STDARG_H = @STDARG_H@
|
|
+STDBOOL_H = @STDBOOL_H@
|
|
+STDINT_H = @STDINT_H@
|
|
+STRIP = @STRIP@
|
|
+SYS_IOCTL_H = @SYS_IOCTL_H@
|
|
+SYS_IOCTL_H_HAVE_WINSOCK2_H = @SYS_IOCTL_H_HAVE_WINSOCK2_H@
|
|
+SYS_SELECT_H = @SYS_SELECT_H@
|
|
+SYS_SOCKET_H = @SYS_SOCKET_H@
|
|
+SYS_STAT_H = @SYS_STAT_H@
|
|
+SYS_TIME_H = @SYS_TIME_H@
|
|
+UNISTD_H_HAVE_WINSOCK2_H = @UNISTD_H_HAVE_WINSOCK2_H@
|
|
+VALGRIND = @VALGRIND@
|
|
+VERSION = @VERSION@
|
|
+VOID_UNSETENV = @VOID_UNSETENV@
|
|
+WARN_CFLAGS = @WARN_CFLAGS@
|
|
+WCHAR_H = @WCHAR_H@
|
|
+WCHAR_T_SUFFIX = @WCHAR_T_SUFFIX@
|
|
+WERROR_CFLAGS = @WERROR_CFLAGS@
|
|
+WINT_T_SUFFIX = @WINT_T_SUFFIX@
|
|
+abs_aux_dir = @abs_aux_dir@
|
|
+abs_builddir = @abs_builddir@
|
|
+abs_srcdir = @abs_srcdir@
|
|
+abs_top_builddir = @abs_top_builddir@
|
|
+abs_top_srcdir = @abs_top_srcdir@
|
|
+ac_ct_CC = @ac_ct_CC@
|
|
+ac_ct_CXX = @ac_ct_CXX@
|
|
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
|
|
+am__include = @am__include@
|
|
+am__leading_dot = @am__leading_dot@
|
|
+am__quote = @am__quote@
|
|
+am__tar = @am__tar@
|
|
+am__untar = @am__untar@
|
|
+bindir = @bindir@
|
|
+build = @build@
|
|
+build_alias = @build_alias@
|
|
+build_cpu = @build_cpu@
|
|
+build_os = @build_os@
|
|
+build_vendor = @build_vendor@
|
|
+builddir = @builddir@
|
|
+datadir = @datadir@
|
|
+datarootdir = @datarootdir@
|
|
+docdir = @docdir@
|
|
+dvidir = @dvidir@
|
|
+exec_prefix = @exec_prefix@
|
|
+gl_LIBOBJS = @gl_LIBOBJS@
|
|
+gl_LTLIBOBJS = @gl_LTLIBOBJS@
|
|
+gltests_LIBOBJS = @gltests_LIBOBJS@
|
|
+gltests_LTLIBOBJS = @gltests_LTLIBOBJS@
|
|
+guile_snarf = @guile_snarf@
|
|
+host = @host@
|
|
+host_alias = @host_alias@
|
|
+host_cpu = @host_cpu@
|
|
+host_os = @host_os@
|
|
+host_vendor = @host_vendor@
|
|
+htmldir = @htmldir@
|
|
+includedir = @includedir@
|
|
+infodir = @infodir@
|
|
+install_sh = @install_sh@
|
|
+libdir = @libdir@
|
|
+libexecdir = @libexecdir@
|
|
+localedir = @localedir@
|
|
+localstatedir = @localstatedir@
|
|
+lt_ECHO = @lt_ECHO@
|
|
+mandir = @mandir@
|
|
+mkdir_p = @mkdir_p@
|
|
+oldincludedir = @oldincludedir@
|
|
+pdfdir = @pdfdir@
|
|
+prefix = @prefix@
|
|
+program_transform_name = @program_transform_name@
|
|
+psdir = @psdir@
|
|
+sbindir = @sbindir@
|
|
+sharedstatedir = @sharedstatedir@
|
|
+srcdir = @srcdir@
|
|
+subdirs = @subdirs@
|
|
+sysconfdir = @sysconfdir@
|
|
+target_alias = @target_alias@
|
|
+top_build_prefix = @top_build_prefix@
|
|
+top_builddir = @top_builddir@
|
|
+top_srcdir = @top_srcdir@
|
|
+EXTRA_DIST = params.dh
|
|
+dist_check_SCRIPTS = testsrn
|
|
+TESTS = testsrn
|
|
+TESTS_ENVIRONMENT = EXEEXT=$(EXEEXT)
|
|
+all: all-am
|
|
+
|
|
+.SUFFIXES:
|
|
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
|
|
+ @for dep in $?; do \
|
|
+ case '$(am__configure_deps)' in \
|
|
+ *$$dep*) \
|
|
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
|
|
+ && { if test -f $@; then exit 0; else break; fi; }; \
|
|
+ exit 1;; \
|
|
+ esac; \
|
|
+ done; \
|
|
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu tests/safe-renegotiation/Makefile'; \
|
|
+ $(am__cd) $(top_srcdir) && \
|
|
+ $(AUTOMAKE) --gnu tests/safe-renegotiation/Makefile
|
|
+.PRECIOUS: Makefile
|
|
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
|
|
+ @case '$?' in \
|
|
+ *config.status*) \
|
|
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
|
|
+ *) \
|
|
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
|
|
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
|
|
+ esac;
|
|
+
|
|
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
|
|
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
|
|
+
|
|
+$(top_srcdir)/configure: $(am__configure_deps)
|
|
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
|
|
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
|
|
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
|
|
+$(am__aclocal_m4_deps):
|
|
+
|
|
+mostlyclean-libtool:
|
|
+ -rm -f *.lo
|
|
+
|
|
+clean-libtool:
|
|
+ -rm -rf .libs _libs
|
|
+tags: TAGS
|
|
+TAGS:
|
|
+
|
|
+ctags: CTAGS
|
|
+CTAGS:
|
|
+
|
|
+
|
|
+check-TESTS: $(TESTS)
|
|
+ @failed=0; all=0; xfail=0; xpass=0; skip=0; \
|
|
+ srcdir=$(srcdir); export srcdir; \
|
|
+ list=' $(TESTS) '; \
|
|
+ $(am__tty_colors); \
|
|
+ if test -n "$$list"; then \
|
|
+ for tst in $$list; do \
|
|
+ if test -f ./$$tst; then dir=./; \
|
|
+ elif test -f $$tst; then dir=; \
|
|
+ else dir="$(srcdir)/"; fi; \
|
|
+ if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
|
|
+ all=`expr $$all + 1`; \
|
|
+ case " $(XFAIL_TESTS) " in \
|
|
+ *[\ \ ]$$tst[\ \ ]*) \
|
|
+ xpass=`expr $$xpass + 1`; \
|
|
+ failed=`expr $$failed + 1`; \
|
|
+ col=$$red; res=XPASS; \
|
|
+ ;; \
|
|
+ *) \
|
|
+ col=$$grn; res=PASS; \
|
|
+ ;; \
|
|
+ esac; \
|
|
+ elif test $$? -ne 77; then \
|
|
+ all=`expr $$all + 1`; \
|
|
+ case " $(XFAIL_TESTS) " in \
|
|
+ *[\ \ ]$$tst[\ \ ]*) \
|
|
+ xfail=`expr $$xfail + 1`; \
|
|
+ col=$$lgn; res=XFAIL; \
|
|
+ ;; \
|
|
+ *) \
|
|
+ failed=`expr $$failed + 1`; \
|
|
+ col=$$red; res=FAIL; \
|
|
+ ;; \
|
|
+ esac; \
|
|
+ else \
|
|
+ skip=`expr $$skip + 1`; \
|
|
+ col=$$blu; res=SKIP; \
|
|
+ fi; \
|
|
+ echo "$${col}$$res$${std}: $$tst"; \
|
|
+ done; \
|
|
+ if test "$$all" -eq 1; then \
|
|
+ tests="test"; \
|
|
+ All=""; \
|
|
+ else \
|
|
+ tests="tests"; \
|
|
+ All="All "; \
|
|
+ fi; \
|
|
+ if test "$$failed" -eq 0; then \
|
|
+ if test "$$xfail" -eq 0; then \
|
|
+ banner="$$All$$all $$tests passed"; \
|
|
+ else \
|
|
+ if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
|
|
+ banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
|
|
+ fi; \
|
|
+ else \
|
|
+ if test "$$xpass" -eq 0; then \
|
|
+ banner="$$failed of $$all $$tests failed"; \
|
|
+ else \
|
|
+ if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
|
|
+ banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
|
|
+ fi; \
|
|
+ fi; \
|
|
+ dashes="$$banner"; \
|
|
+ skipped=""; \
|
|
+ if test "$$skip" -ne 0; then \
|
|
+ if test "$$skip" -eq 1; then \
|
|
+ skipped="($$skip test was not run)"; \
|
|
+ else \
|
|
+ skipped="($$skip tests were not run)"; \
|
|
+ fi; \
|
|
+ test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
|
|
+ dashes="$$skipped"; \
|
|
+ fi; \
|
|
+ report=""; \
|
|
+ if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
|
|
+ report="Please report to $(PACKAGE_BUGREPORT)"; \
|
|
+ test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
|
|
+ dashes="$$report"; \
|
|
+ fi; \
|
|
+ dashes=`echo "$$dashes" | sed s/./=/g`; \
|
|
+ if test "$$failed" -eq 0; then \
|
|
+ echo "$$grn$$dashes"; \
|
|
+ else \
|
|
+ echo "$$red$$dashes"; \
|
|
+ fi; \
|
|
+ echo "$$banner"; \
|
|
+ test -z "$$skipped" || echo "$$skipped"; \
|
|
+ test -z "$$report" || echo "$$report"; \
|
|
+ echo "$$dashes$$std"; \
|
|
+ test "$$failed" -eq 0; \
|
|
+ else :; fi
|
|
+
|
|
+distdir: $(DISTFILES)
|
|
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
|
|
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
|
|
+ list='$(DISTFILES)'; \
|
|
+ dist_files=`for file in $$list; do echo $$file; done | \
|
|
+ sed -e "s|^$$srcdirstrip/||;t" \
|
|
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
|
|
+ case $$dist_files in \
|
|
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
|
|
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
|
|
+ sort -u` ;; \
|
|
+ esac; \
|
|
+ for file in $$dist_files; do \
|
|
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
|
|
+ if test -d $$d/$$file; then \
|
|
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
|
|
+ if test -d "$(distdir)/$$file"; then \
|
|
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
|
|
+ fi; \
|
|
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
|
|
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
|
|
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
|
|
+ fi; \
|
|
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
|
|
+ else \
|
|
+ test -f "$(distdir)/$$file" \
|
|
+ || cp -p $$d/$$file "$(distdir)/$$file" \
|
|
+ || exit 1; \
|
|
+ fi; \
|
|
+ done
|
|
+check-am: all-am
|
|
+ $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS)
|
|
+ $(MAKE) $(AM_MAKEFLAGS) check-TESTS
|
|
+check: check-am
|
|
+all-am: Makefile
|
|
+installdirs:
|
|
+install: install-am
|
|
+install-exec: install-exec-am
|
|
+install-data: install-data-am
|
|
+uninstall: uninstall-am
|
|
+
|
|
+install-am: all-am
|
|
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
|
|
+
|
|
+installcheck: installcheck-am
|
|
+install-strip:
|
|
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
|
|
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
|
|
+ `test -z '$(STRIP)' || \
|
|
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
|
|
+mostlyclean-generic:
|
|
+
|
|
+clean-generic:
|
|
+
|
|
+distclean-generic:
|
|
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
|
|
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
|
|
+
|
|
+maintainer-clean-generic:
|
|
+ @echo "This command is intended for maintainers to use"
|
|
+ @echo "it deletes files that may require special tools to rebuild."
|
|
+clean: clean-am
|
|
+
|
|
+clean-am: clean-generic clean-libtool mostlyclean-am
|
|
+
|
|
+distclean: distclean-am
|
|
+ -rm -f Makefile
|
|
+distclean-am: clean-am distclean-generic
|
|
+
|
|
+dvi: dvi-am
|
|
+
|
|
+dvi-am:
|
|
+
|
|
+html: html-am
|
|
+
|
|
+html-am:
|
|
+
|
|
+info: info-am
|
|
+
|
|
+info-am:
|
|
+
|
|
+install-data-am:
|
|
+
|
|
+install-dvi: install-dvi-am
|
|
+
|
|
+install-dvi-am:
|
|
+
|
|
+install-exec-am:
|
|
+
|
|
+install-html: install-html-am
|
|
+
|
|
+install-html-am:
|
|
+
|
|
+install-info: install-info-am
|
|
+
|
|
+install-info-am:
|
|
+
|
|
+install-man:
|
|
+
|
|
+install-pdf: install-pdf-am
|
|
+
|
|
+install-pdf-am:
|
|
+
|
|
+install-ps: install-ps-am
|
|
+
|
|
+install-ps-am:
|
|
+
|
|
+installcheck-am:
|
|
+
|
|
+maintainer-clean: maintainer-clean-am
|
|
+ -rm -f Makefile
|
|
+maintainer-clean-am: distclean-am maintainer-clean-generic
|
|
+
|
|
+mostlyclean: mostlyclean-am
|
|
+
|
|
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
|
|
+
|
|
+pdf: pdf-am
|
|
+
|
|
+pdf-am:
|
|
+
|
|
+ps: ps-am
|
|
+
|
|
+ps-am:
|
|
+
|
|
+uninstall-am:
|
|
+
|
|
+.MAKE: check-am install-am install-strip
|
|
+
|
|
+.PHONY: all all-am check check-TESTS check-am clean clean-generic \
|
|
+ clean-libtool distclean distclean-generic distclean-libtool \
|
|
+ distdir dvi dvi-am html html-am info info-am install \
|
|
+ install-am install-data install-data-am install-dvi \
|
|
+ install-dvi-am install-exec install-exec-am install-html \
|
|
+ install-html-am install-info install-info-am install-man \
|
|
+ install-pdf install-pdf-am install-ps install-ps-am \
|
|
+ install-strip installcheck installcheck-am installdirs \
|
|
+ maintainer-clean maintainer-clean-generic mostlyclean \
|
|
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
|
|
+ uninstall uninstall-am
|
|
+
|
|
+
|
|
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
|
|
+# Otherwise a system limit (for SysV at least) may be exceeded.
|
|
+.NOEXPORT:
|
|
diff -up gnutls-2.8.6/tests/safe-renegotiation/params.dh.reneg gnutls-2.8.6/tests/safe-renegotiation/params.dh
|
|
--- gnutls-2.8.6/tests/safe-renegotiation/params.dh.reneg 2010-05-31 22:52:31.000000000 +0200
|
|
+++ gnutls-2.8.6/tests/safe-renegotiation/params.dh 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -0,0 +1,35 @@
|
|
+
|
|
+Generator: 05
|
|
+
|
|
+Prime: c9:e9:2d:fc:94:15:1a:10:4f:3c:b5:16
|
|
+ 7e:34:10:7d:eb:3d:d5:7d:61:ff:b0:ce
|
|
+ da:7f:6e:0c:ea:db:b4:87:f6:c6:34:a8
|
|
+ 3c:f8:84:52:14:59:ab:17:5c:d0:f0:86
|
|
+ c4:02:93:dc:09:83:57:16:98:21:d0:42
|
|
+ 8e:33:fc:48:69:e6:04:0d:4e:50:09:33
|
|
+ 2e:28:60:4f:05:08:7c:ce:2f:a6:1a:4c
|
|
+ 41:d1:a3:dd:f6:37:56:44:1d:b0:54:af
|
|
+ f7:4a:a0:c2:19:5d:ce:62:b0:7a:1b:e1
|
|
+ 5c:7f:bb:4d:7e:9e:28:48:00:a4:9a:86
|
|
+ 3e:6e:6e:9c:57:41:c7:ec:bf:7f:09:fc
|
|
+ da:25:c2:1e:e0:52:dc:65:8c:40:a3:6e
|
|
+ bd:99:4e:0b:1a:04:e0:23:20:46:5a:d0
|
|
+ 3f:b3:a4:d6:76:73:b7:cc:61:33:11:54
|
|
+ a6:32:ff:94:08:d5:66:36:fd:99:69:21
|
|
+ cc:28:5d:11:52:32:48:b6:a5:b5:c3:b0
|
|
+ 21:3f:f9:69:25:83:b1:3d:79:a6:ed:ae
|
|
+ db:95:62:fc:72:ca:ad:46:fc:b6:b1:ea
|
|
+ 98:68:97:ba:f2:54:aa:86:ed:62:b1:78
|
|
+ 5f:d5:19:80:ce:41:ee:98:a1:71:9f:fa
|
|
+ 5b:6b:d8:5e:7e:b3:18:0a:f0:4c:96:76
|
|
+ 6c:0c:b0:a3
|
|
+
|
|
+
|
|
+-----BEGIN DH PARAMETERS-----
|
|
+MIIBCAKCAQEAyekt/JQVGhBPPLUWfjQQfes91X1h/7DO2n9uDOrbtIf2xjSoPPiE
|
|
+UhRZqxdc0PCGxAKT3AmDVxaYIdBCjjP8SGnmBA1OUAkzLihgTwUIfM4vphpMQdGj
|
|
+3fY3VkQdsFSv90qgwhldzmKwehvhXH+7TX6eKEgApJqGPm5unFdBx+y/fwn82iXC
|
|
+HuBS3GWMQKNuvZlOCxoE4CMgRlrQP7Ok1nZzt8xhMxFUpjL/lAjVZjb9mWkhzChd
|
|
+EVIySLaltcOwIT/5aSWDsT15pu2u25Vi/HLKrUb8trHqmGiXuvJUqobtYrF4X9UZ
|
|
+gM5B7pihcZ/6W2vYXn6zGArwTJZ2bAywowIBBQ==
|
|
+-----END DH PARAMETERS-----
|
|
diff -up gnutls-2.8.6/tests/safe-renegotiation/testsrn.reneg gnutls-2.8.6/tests/safe-renegotiation/testsrn
|
|
--- gnutls-2.8.6/tests/safe-renegotiation/testsrn.reneg 2010-05-31 22:52:31.000000000 +0200
|
|
+++ gnutls-2.8.6/tests/safe-renegotiation/testsrn 2010-06-02 10:23:35.000000000 +0200
|
|
@@ -0,0 +1,103 @@
|
|
+#!/bin/sh
|
|
+
|
|
+# Copyright (C) 2010 Free Software Foundation
|
|
+#
|
|
+# Author: Nikos Mavrogiannopoulos
|
|
+#
|
|
+# This file is part of GNUTLS.
|
|
+#
|
|
+# GNUTLS is free software; you can redistribute it and/or modify it
|
|
+# under the terms of the GNU General Public License as published by the
|
|
+# Free Software Foundation; either version 3 of the License, or (at
|
|
+# your option) any later version.
|
|
+#
|
|
+# GNUTLS is distributed in the hope that it will be useful, but
|
|
+# WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
+# General Public License for more details.
|
|
+#
|
|
+# You should have received a copy of the GNU General Public License
|
|
+# along with GNUTLS; if not, write to the Free Software Foundation,
|
|
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
+
|
|
+srcdir="${srcdir:-.}"
|
|
+SERV="${SERV:-../../src/gnutls-serv$EXEEXT} -q"
|
|
+CLI="${CLI:-../../src/gnutls-cli$EXEEXT}"
|
|
+PORT="${PORT:-5558}"
|
|
+unset RETCODE
|
|
+
|
|
+fail() {
|
|
+ echo "Failure: $1" >&2
|
|
+ RETCODE=${RETCODE:-${2:-1}}
|
|
+}
|
|
+
|
|
+echo "Checking Safe renegotiation"
|
|
+
|
|
+$SERV -p $PORT --echo --priority NORMAL:+ANON-DH:%PARTIAL_RENEGOTIATION --dhparams $srcdir/params.dh >/dev/null 2>&1 &
|
|
+pid=$!
|
|
+
|
|
+# give the server a chance to initialize
|
|
+sleep 2
|
|
+
|
|
+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NONE:+AES-128-CBC:+MD5:+SHA1:+VERS-SSL3.0:+ANON-DH:+COMP-NULL:%SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
|
|
+ fail "0. Renegotiation should have succeeded!"
|
|
+
|
|
+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
|
|
+ fail "1. Safe rehandshake should have succeeded!"
|
|
+
|
|
+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
|
|
+ fail "2. Unsafe rehandshake should have succeeded!"
|
|
+
|
|
+$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
|
|
+ fail "3. Unsafe negotiation should have succeeded!"
|
|
+
|
|
+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 && \
|
|
+ fail "4. Unsafe renegotiation should have failed!"
|
|
+
|
|
+
|
|
+kill $pid
|
|
+wait
|
|
+
|
|
+$SERV -p $PORT --echo --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION --dhparams $srcdir/params.dh >/dev/null 2>&1 &
|
|
+pid=$!
|
|
+
|
|
+# give the server a chance to initialize
|
|
+sleep 2
|
|
+
|
|
+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
|
|
+ fail "5. Safe rehandshake should have succeeded!"
|
|
+
|
|
+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
|
|
+ fail "6. Unsafe rehandshake should have succeeded!"
|
|
+
|
|
+$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 && \
|
|
+ fail "7. Unsafe negotiation should have failed!"
|
|
+
|
|
+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 && \
|
|
+ fail "8. Unsafe renegotiation should have failed!"
|
|
+
|
|
+kill $pid
|
|
+wait
|
|
+
|
|
+$SERV -p $PORT --echo --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION --dhparams $srcdir/params.dh >/dev/null 2>&1 &
|
|
+pid=$!
|
|
+
|
|
+# give the server a chance to initialize
|
|
+sleep 2
|
|
+
|
|
+$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 && \
|
|
+ fail "9. Initial connection should have failed!"
|
|
+
|
|
+$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
|
|
+ fail "10. Unsafe connection should have succeeded!"
|
|
+
|
|
+$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
|
|
+ fail "11. Unsafe negotiation should have succeeded!"
|
|
+
|
|
+$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
|
|
+ fail "12. Unsafe renegotiation should have succeeded!"
|
|
+
|
|
+kill $pid
|
|
+wait
|
|
+
|
|
+exit ${RETCODE:-0}
|
|
diff -up gnutls-2.8.6/tests/simple.c.reneg gnutls-2.8.6/tests/simple.c
|
|
--- gnutls-2.8.6/tests/simple.c.reneg 2009-06-02 20:59:32.000000000 +0200
|
|
+++ gnutls-2.8.6/tests/simple.c 2010-05-31 22:52:31.000000000 +0200
|
|
@@ -50,7 +50,7 @@ doit (void)
|
|
|
|
for (i = 0; algs[i]; i++)
|
|
{
|
|
- printf ("pk_list[%d] = %d = %s = %d\n", i, algs[i],
|
|
+ printf ("pk_list[%d] = %d = %s = %d\n", (int)i, algs[i],
|
|
gnutls_pk_algorithm_get_name (algs[i]),
|
|
gnutls_pk_get_id (gnutls_pk_algorithm_get_name (algs[i])));
|
|
if (gnutls_pk_get_id (gnutls_pk_algorithm_get_name (algs[i]))
|
|
@@ -76,7 +76,7 @@ doit (void)
|
|
|
|
for (i = 0; algs[i]; i++)
|
|
{
|
|
- printf ("sign_list[%d] = %d = %s = %d\n", i, algs[i],
|
|
+ printf ("sign_list[%d] = %d = %s = %d\n", (int)i, algs[i],
|
|
gnutls_sign_algorithm_get_name (algs[i]),
|
|
gnutls_sign_get_id (gnutls_sign_algorithm_get_name
|
|
(algs[i])));
|