diff -up gnutls-2.8.6/AUTHORS.reneg gnutls-2.8.6/AUTHORS --- gnutls-2.8.6/AUTHORS.reneg 2009-06-02 20:59:32.000000000 +0200 +++ gnutls-2.8.6/AUTHORS 2010-05-31 22:52:31.000000000 +0200 @@ -51,6 +51,9 @@ OpenPGP discussion and improvements. David Marín Carreño Added gnutls_x509_crq_get_key_id. +Steve Dispensa +TLS safe renegotiation fix. + -----BEGIN PGP PUBLIC KEY BLOCK----- URL: http://josefsson.org/key.txt (always latest version) Comment: This 0xB565716F key is used to sign releases of GnuTLS. diff -up gnutls-2.8.6/configure.reneg gnutls-2.8.6/configure --- gnutls-2.8.6/configure.reneg 2010-05-31 22:52:31.000000000 +0200 +++ gnutls-2.8.6/configure 2010-05-31 22:52:31.000000000 +0200 @@ -28559,7 +28559,7 @@ subdirs="$subdirs libextra" ac_config_files="$ac_config_files guile/pre-inst-guile" -ac_config_files="$ac_config_files Makefile doc/Makefile doc/credentials/Makefile doc/credentials/openpgp/Makefile doc/credentials/srp/Makefile doc/credentials/x509/Makefile doc/cyclo/Makefile doc/doxygen/Doxyfile doc/examples/Makefile doc/manpages/Makefile doc/reference/Makefile doc/scripts/Makefile gl/Makefile gl/tests/Makefile guile/Makefile guile/modules/Makefile guile/src/Makefile guile/tests/Makefile src/Makefile src/cfg/Makefile src/cfg/platon/Makefile src/cfg/platon/str/Makefile tests/Makefile tests/key-id/Makefile tests/openpgp-certs/Makefile tests/pathlen/Makefile tests/pkcs1-padding/Makefile tests/pkcs12-decode/Makefile tests/pkcs8-decode/Makefile tests/rsa-md5-collision/Makefile tests/sha2/Makefile tests/userid/Makefile" +ac_config_files="$ac_config_files Makefile doc/Makefile doc/credentials/Makefile doc/credentials/openpgp/Makefile doc/credentials/srp/Makefile doc/credentials/x509/Makefile doc/cyclo/Makefile doc/doxygen/Doxyfile doc/examples/Makefile doc/manpages/Makefile doc/reference/Makefile doc/scripts/Makefile gl/Makefile gl/tests/Makefile guile/Makefile guile/modules/Makefile guile/src/Makefile guile/tests/Makefile src/Makefile src/cfg/Makefile src/cfg/platon/Makefile src/cfg/platon/str/Makefile tests/Makefile tests/key-id/Makefile tests/openpgp-certs/Makefile tests/safe-renegotiation/Makefile tests/pathlen/Makefile tests/pkcs1-padding/Makefile tests/pkcs12-decode/Makefile tests/pkcs8-decode/Makefile tests/rsa-md5-collision/Makefile tests/sha2/Makefile tests/userid/Makefile" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure @@ -29783,6 +29783,7 @@ do "tests/Makefile") CONFIG_FILES="$CONFIG_FILES tests/Makefile" ;; "tests/key-id/Makefile") CONFIG_FILES="$CONFIG_FILES tests/key-id/Makefile" ;; "tests/openpgp-certs/Makefile") CONFIG_FILES="$CONFIG_FILES tests/openpgp-certs/Makefile" ;; + "tests/safe-renegotiation/Makefile") CONFIG_FILES="$CONFIG_FILES tests/safe-renegotiation/Makefile" ;; "tests/pathlen/Makefile") CONFIG_FILES="$CONFIG_FILES tests/pathlen/Makefile" ;; "tests/pkcs1-padding/Makefile") CONFIG_FILES="$CONFIG_FILES tests/pkcs1-padding/Makefile" ;; "tests/pkcs12-decode/Makefile") CONFIG_FILES="$CONFIG_FILES tests/pkcs12-decode/Makefile" ;; diff -up gnutls-2.8.6/doc/gnutls-api.texi.reneg gnutls-2.8.6/doc/gnutls-api.texi --- gnutls-2.8.6/doc/gnutls-api.texi.reneg 2010-03-15 11:35:23.000000000 +0100 +++ gnutls-2.8.6/doc/gnutls-api.texi 2010-05-31 22:52:31.000000000 +0200 @@ -3307,6 +3307,20 @@ This function will initialize the tempor @strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, or an negative error code. @end deftypefun +@subheading gnutls_safe_renegotiation_status +@anchor{gnutls_safe_renegotiation_status} +@deftypefun {int} {gnutls_safe_renegotiation_status} (gnutls_session_t @var{session}) +@var{session}: is a @code{gnutls_session_t} structure. + +Can be used to check whether safe renegotiation is being used +in the current session. + +@strong{Returns:} 0 when safe renegotiation is not used and non zero when +safe renegotiation is used. + +@strong{Since:} 2.10.0 +@end deftypefun + @subheading gnutls_server_name_get @anchor{gnutls_server_name_get} @deftypefun {int} {gnutls_server_name_get} (gnutls_session_t @var{session}, void * @var{data}, size_t * @var{data_length}, unsigned int * @var{type}, unsigned int @var{indx}) diff -up gnutls-2.8.6/doc/gnutls.texi.reneg gnutls-2.8.6/doc/gnutls.texi --- gnutls-2.8.6/doc/gnutls.texi.reneg 2009-06-02 21:07:14.000000000 +0200 +++ gnutls-2.8.6/doc/gnutls.texi 2010-06-02 10:23:27.000000000 +0200 @@ -565,6 +565,7 @@ also supports @acronym{X.509} and @acron * Selecting cryptographic key sizes:: * On SSL 2 and older protocols:: * On Record Padding:: +* Safe Renegotiation:: @end menu @node TLS layers @@ -1202,6 +1203,94 @@ here are some links: @url{http://thread.gmane.org/gmane.ietf.tls/3079} +@node Safe Renegotiation +@section Safe Renegotiation +@cindex renegotiation + +Some application protocols and implementations uses the TLS +renegotiation feature in a manner that enables attackers to insert +content of his choice in the beginning of a TLS session. + +One easy to understand vulnerability is HTTPS when servers request +client certificates optionally for certain parts of a web site. The +attack works by having the attacker simulate a client and connect to a +server, with server-only authentication, and send some data intended +to cause harm. When the proper client attempts to contact the server, +the attacker hijacks that connection and uses the TLS renegotiation +feature with the server and splices in the client connection to the +already established connection between the attacker and server. The +attacker will not be able to read the data exchanged between the +client and the server. However, the server will (incorrectly) assume +that the data sent by the attacker was sent by the now authenticated +client. The result is a prefix plain-text injection attack. + +The above is just one example. Other vulnerabilities exists that do +not rely on the TLS renegotiation to change the client's authenticated +status (either TLS or application layer). + +While fixing these application protocols and implementations would be +one natural reaction, an extension to TLS has been designed that +cryptographically binds together any renegotiated handshakes with the +initial negotiation. When the extension is used, the attack is +detected and the session can be terminated. The extension is +specified in @xcite{RFC5746}. + +GnuTLS supports the safe renegotiation extension. The default +behavior is as follows. Clients will attempt to negotiate the safe +renegotiation extension when talking to servers. Servers will accept +the extension when presented by clients. Clients and servers will +permit an initial handshake to complete even when the other side does +not support the safe renegotiation extension. Clients and servers +will refuse renegotiation attempts when the extension has not been +negotiated. + +Note that permitting clients to connect to servers even when the safe +renegotiation extension is not negotiated open up for some attacks. +Changing this default behaviour would prevent interoperability against +the majority of deployed servers out there. We will reconsider this +default behaviour in the future when more servers have been upgraded. +Note that it is easy to configure clients to always require the safe +renegotiation extension from servers (see below on the +%SAFE_RENEGOTIATION priority string). + +To modify the default behaviour, we have introduced some new priority +strings. The priority strings can be used by applications +(@pxref{gnutls_priority_set}) and end users (e.g., @code{--priority} +parameter to @code{gnutls-cli} and @code{gnutls-serv}). + +The @code{%UNSAFE_RENEGOTIATION} priority string permits +(re-)handshakes even when the safe renegotiation extension was not +negotiated. The default behavior is @code{%PARTIAL_RENEGOTIATION} that will +prevent renegotiation with clients and servers not supporting the +extension. This is secure for servers but leaves clients vulnerable +to some attacks, but this is a tradeoff between security and compatibility +with old servers. The @code{%SAFE_RENEGOTIATION} priority string makes +clients and servers require the extension for every handshake. The latter +is the most secure option for clients, at the cost of not being able +to connect to legacy servers. Servers will also deny clients that +do not support the extension from connecting. + +It is possible to disable use of the extension completely, in both +clients and servers, by using the @code{%DISABLE_SAFE_RENEGOTIATION} +priority string however we strongly recommend you to only do this for +debugging and test purposes. + +The default values if the flags above are not specified are: +@table @code + +@item Server: +%PARTIAL_RENEGOTIATION + +@item Client: +%PARTIAL_RENEGOTIATION + +@end table + +For applications we have introduced a new API related to safe +renegotiation. The @ref{gnutls_safe_renegotiation_status} function is +used to check if the extension has been negotiated on a session, and +can be used both by clients and servers. + @node Authentication methods @chapter Authentication Methods @@ -4179,6 +4268,11 @@ Pasi Eronen and Hannes Tschofenig, "Pre- TLS", December 2005, Available from @url{http://www.ietf.org/rfc/rfc4279.txt}. +@item @anchor{RFC5746}[RFC5746] +E. Rescorla, M. Ray, S. Dispensa, and N. Oskov, "Transport Layer +Security (TLS) Renegotiation Indication Extension", February 2010, +available from @url{http://www.ietf.org/rfc/rfc5746}. + @item @anchor{TOMSRP}[TOMSRP] Tom Wu, "The Stanford SRP Authentication Project", Available at @url{http://srp.stanford.edu/}. diff -up gnutls-2.8.6/doc/manpages/gnutls-cli.1.reneg gnutls-2.8.6/doc/manpages/gnutls-cli.1 --- gnutls-2.8.6/doc/manpages/gnutls-cli.1.reneg 2009-06-02 20:59:32.000000000 +0200 +++ gnutls-2.8.6/doc/manpages/gnutls-cli.1 2010-06-02 10:23:27.000000000 +0200 @@ -75,6 +75,15 @@ Special keywords: "%SSL3_RECORD_VERSION" force SSL3.0 record version in the first client hello. This is to avoid buggy servers from terminating connection. .IP +"%UNSAFE_RENEGOTIATION" Permits (re-)handshakes even unsafe ones. +.IP +"%PARTIAL_RENEGOTIATION" Prevents renegotiation with clients and servers not +supporting the safe renegotiation extension. (default) +.IP +"%SAFE_RENEGOTIATION" will enable safe renegotiation. This is the most +secure and recommended option for clients. However this will prevent from +connecting to legacy servers. +.IP To avoid collisions in order to specify a compression algorithm in this string you have to prefix it with "COMP-", protocol versions with "VERS-" and certificate types with "CTYPE-". All other diff -up gnutls-2.8.6/doc/manpages/gnutls_priority_init.3.reneg gnutls-2.8.6/doc/manpages/gnutls_priority_init.3 --- gnutls-2.8.6/doc/manpages/gnutls_priority_init.3.reneg 2010-03-15 11:32:37.000000000 +0100 +++ gnutls-2.8.6/doc/manpages/gnutls_priority_init.3 2010-05-31 22:52:31.000000000 +0200 @@ -67,6 +67,21 @@ compression methods. "%COMPAT" will enable compatibility features for a server. +"%UNSAFE_RENEGOTIATION" will allow unsafe renegotiation (this is now +the default for clients, but will change once more servers support the safe renegotiation +TLS fix). + +"%SAFE_RENEGOTIATION" will allow safe renegotiation only (this is the +default for servers \- that will reject clients trying to perform an +unsafe renegotiation). + +"%INITIAL_SAFE_RENEGOTIATION" will force initial safe negotiation even if +renegotiation wasn't requested. Only valid for server side and implies +"%SAFE_RENEGOTIATION". + +"%DISABLE_SAFE_RENEGOTIATION" will disable safe renegotiation completely. Do not use +unless you know what you are doing. Testing purposes only. + "%SSL3_RECORD_VERSION" will use SSL3.0 record version in client hello. "%VERIFY_ALLOW_SIGN_RSA_MD5" will allow RSA\-MD5 signatures in diff -up gnutls-2.8.6/doc/manpages/gnutls_safe_renegotiation_status.3.reneg gnutls-2.8.6/doc/manpages/gnutls_safe_renegotiation_status.3 --- gnutls-2.8.6/doc/manpages/gnutls_safe_renegotiation_status.3.reneg 2010-05-31 22:52:31.000000000 +0200 +++ gnutls-2.8.6/doc/manpages/gnutls_safe_renegotiation_status.3 2010-05-31 22:52:31.000000000 +0200 @@ -0,0 +1,41 @@ +.\" DO NOT MODIFY THIS FILE! It was generated by gdoc. +.TH "gnutls_safe_renegotiation_status" 3 "2.9.11" "gnutls" "gnutls" +.SH NAME +gnutls_safe_renegotiation_status \- API function +.SH SYNOPSIS +.B #include +.sp +.BI "int gnutls_safe_renegotiation_status(gnutls_session_t " session ");" +.SH ARGUMENTS +.IP "gnutls_session_t session" 12 +is a \fBgnutls_session_t\fP structure. +.SH "DESCRIPTION" +Can be used to check whether safe renegotiation is being used +in the current session. +.SH "RETURNS" +0 when safe renegotiation is not used and non zero when +safe renegotiation is used. +.SH "SINCE" +2.10.0 +.SH "REPORTING BUGS" +Report bugs to . +GnuTLS home page: http://www.gnu.org/software/gnutls/ +General help using GNU software: http://www.gnu.org/gethelp/ +.SH COPYRIGHT +Copyright \(co 2008 Free Software Foundation. +.br +Copying and distribution of this file, with or without modification, +are permitted in any medium without royalty provided the copyright +notice and this notice are preserved. +.SH "SEE ALSO" +The full documentation for +.B gnutls +is maintained as a Texinfo manual. If the +.B info +and +.B gnutls +programs are properly installed at your site, the command +.IP +.B info gnutls +.PP +should give you access to the complete manual. diff -up gnutls-2.8.6/doc/manpages/gnutls-serv.1.reneg gnutls-2.8.6/doc/manpages/gnutls-serv.1 --- gnutls-2.8.6/doc/manpages/gnutls-serv.1.reneg 2009-06-02 21:07:14.000000000 +0200 +++ gnutls-2.8.6/doc/manpages/gnutls-serv.1 2010-06-02 10:23:27.000000000 +0200 @@ -75,6 +75,15 @@ Special keywords: .IP '%COMPAT' will enable compatibility features for a server. .IP +"%UNSAFE_RENEGOTIATION" Permits (re-)handshakes even unsafe ones. +.IP +"%PARTIAL_RENEGOTIATION" Prevents renegotiation with clients and servers not +supporting the safe renegotiation extension. (default) +.IP +"%SAFE_RENEGOTIATION" will enable safe renegotiation. This is the most +secure and recommended option for clients. However this will prevent from +connecting to legacy servers. +.IP To avoid collisions in order to specify a compression algorithm in this string you have to prefix it with "COMP-", protocol versions with "VERS-" and certificate types with "CTYPE-". All other diff -up gnutls-2.8.6/doc/manpages/Makefile.in.reneg gnutls-2.8.6/doc/manpages/Makefile.in --- gnutls-2.8.6/doc/manpages/Makefile.in.reneg 2010-03-15 11:32:23.000000000 +0100 +++ gnutls-2.8.6/doc/manpages/Makefile.in 2010-05-31 22:52:31.000000000 +0200 @@ -525,7 +525,6 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKG_CONFIG = @PKG_CONFIG@ @@ -684,7 +683,8 @@ APIMANS = gnutls_crypto_single_cipher_re gnutls_crypto_bigint_register2.3 gnutls_crypto_pk_register2.3 \ gnutls_crypto_cipher_register2.3 gnutls_crypto_mac_register2.3 \ gnutls_crypto_digest_register2.3 gnutls_oprfi_enable_client.3 \ - gnutls_oprfi_enable_server.3 gnutls_server_name_get.3 \ + gnutls_oprfi_enable_server.3 \ + gnutls_safe_renegotiation_status.3 gnutls_server_name_get.3 \ gnutls_server_name_set.3 gnutls_alert_get_name.3 \ gnutls_alert_send.3 gnutls_error_to_alert.3 \ gnutls_alert_send_appropriate.3 gnutls_alert_get.3 \ diff -up gnutls-2.8.6/lib/ext_safe_renegotiation.c.reneg gnutls-2.8.6/lib/ext_safe_renegotiation.c --- gnutls-2.8.6/lib/ext_safe_renegotiation.c.reneg 2010-05-31 22:52:31.000000000 +0200 +++ gnutls-2.8.6/lib/ext_safe_renegotiation.c 2010-06-02 10:23:27.000000000 +0200 @@ -0,0 +1,139 @@ +/* + * Copyright (C) 2009 Free Software Foundation + * + * Author: Steve Dispensa () + * + * This file is part of GNUTLS. + * + * The GNUTLS library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public License + * as published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA + * + */ + +#include +#include +#include + +int +_gnutls_safe_renegotiation_recv_params (gnutls_session_t session, + const opaque * data, size_t _data_size) +{ + tls_ext_st *ext = &session->security_parameters.extensions; + int len = data[0]; + ssize_t data_size = _data_size; + + DECR_LEN (data_size, len+1 /* count the first byte and payload */); + + if (session->internals.priorities.sr == SR_DISABLED) + { + gnutls_assert (); + return 0; + } + + /* It is not legal to receive this extension on a renegotiation and + * not receive it on the initial negotiation. + */ + if (session->internals.initial_negotiation_completed != 0 && + session->internals.connection_using_safe_renegotiation == 0) + { + gnutls_assert(); + return GNUTLS_E_SAFE_RENEGOTIATION_FAILED; + } + + if (len > sizeof (ext->ri_extension_data)) + { + gnutls_assert(); + return GNUTLS_E_SAFE_RENEGOTIATION_FAILED; + } + + if (len > 0) + memcpy (ext->ri_extension_data, &data[1], len); + ext->ri_extension_data_len = len; + + /* "safe renegotiation received" means on *this* handshake; "connection using + * safe renegotiation" means that the initial hello received on the connection + * indicated safe renegotiation. + */ + session->internals.safe_renegotiation_received = 1; + session->internals.connection_using_safe_renegotiation = 1; + + return 0; +} + +int +_gnutls_safe_renegotiation_send_params (gnutls_session_t session, + opaque * data, size_t _data_size) +{ + /* The format of this extension is a one-byte length of verify data followed + * by the verify data itself. Note that the length byte does not include + * itself; IOW, empty verify data is represented as a length of 0. That means + * the minimum extension is one byte: 0x00. + */ + ssize_t data_size = _data_size; + tls_ext_st *ext = &session->security_parameters.extensions; + + + if (session->internals.priorities.sr == SR_DISABLED) + { + gnutls_assert(); + return 0; + } + + data[0] = 0; + + /* Always offer the extension if we're a client */ + if (session->internals.connection_using_safe_renegotiation || + session->security_parameters.entity == GNUTLS_CLIENT) + { + DECR_LEN (data_size, 1); + data[0] = ext->client_verify_data_len; + + DECR_LEN (data_size, ext->client_verify_data_len); + + if (ext->client_verify_data_len > 0) + memcpy(&data[1], + ext->client_verify_data, + ext->client_verify_data_len); + + if (session->security_parameters.entity == GNUTLS_SERVER) + { + data[0] += ext->server_verify_data_len; + + DECR_LEN (data_size, ext->server_verify_data_len); + + if (ext->server_verify_data_len > 0) + memcpy(&data[1 + ext->client_verify_data_len], + ext->server_verify_data, + ext->server_verify_data_len); + } + } + else + return 0; + + return 1 + data[0]; /* don't forget the length byte */ +} + +/** + * gnutls_safe_renegotiation_status: + * @session: is a #gnutls_session_t structure. + * + * Can be used to check whether safe renegotiation is being used + * in the current session. Returns 0 when not and non zero when + * used. + **/ +int gnutls_safe_renegotiation_status (gnutls_session_t session) +{ + return session->internals.connection_using_safe_renegotiation; +} diff -up gnutls-2.8.6/lib/ext_safe_renegotiation.h.reneg gnutls-2.8.6/lib/ext_safe_renegotiation.h --- gnutls-2.8.6/lib/ext_safe_renegotiation.h.reneg 2010-05-31 22:52:31.000000000 +0200 +++ gnutls-2.8.6/lib/ext_safe_renegotiation.h 2010-05-31 22:52:31.000000000 +0200 @@ -0,0 +1,33 @@ +/* + * Copyright (C) 2009 Free Software Foundation + * + * Author: Steve Dispensa () + * + * This file is part of GNUTLS. + * + * The GNUTLS library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public License + * as published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA + * + */ + +#ifndef EXT_SAFE_RENEGOTIATION_H +# define EXT_SAFE_RENEGOTIATION_H + +int _gnutls_safe_renegotiation_recv_params (gnutls_session_t state, + const opaque * data, size_t data_size); +int _gnutls_safe_renegotiation_send_params (gnutls_session_t state, + opaque * data, size_t); + +#endif /* EXT_SAFE_RENEGOTIATION_H */ diff -up gnutls-2.8.6/lib/gnutls_alert.c.reneg gnutls-2.8.6/lib/gnutls_alert.c --- gnutls-2.8.6/lib/gnutls_alert.c.reneg 2009-06-02 20:59:32.000000000 +0200 +++ gnutls-2.8.6/lib/gnutls_alert.c 2010-05-31 22:52:31.000000000 +0200 @@ -180,6 +180,10 @@ gnutls_error_to_alert (int err, int *lev ret = GNUTLS_A_ILLEGAL_PARAMETER; _level = GNUTLS_AL_FATAL; break; + case GNUTLS_E_UNKNOWN_SRP_USERNAME: + ret = GNUTLS_A_UNKNOWN_PSK_IDENTITY; + _level = GNUTLS_AL_FATAL; + break; case GNUTLS_E_ASN1_ELEMENT_NOT_FOUND: case GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND: case GNUTLS_E_ASN1_DER_ERROR: @@ -199,6 +203,7 @@ gnutls_error_to_alert (int err, int *lev case GNUTLS_E_INSUFFICIENT_CREDENTIALS: case GNUTLS_E_NO_CIPHER_SUITES: case GNUTLS_E_NO_COMPRESSION_ALGORITHMS: + case GNUTLS_E_SAFE_RENEGOTIATION_FAILED: ret = GNUTLS_A_HANDSHAKE_FAILURE; _level = GNUTLS_AL_FATAL; break; @@ -212,6 +217,7 @@ gnutls_error_to_alert (int err, int *lev _level = GNUTLS_AL_FATAL; break; case GNUTLS_E_REHANDSHAKE: + case GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED: ret = GNUTLS_A_NO_RENEGOTIATION; _level = GNUTLS_AL_WARNING; break; diff -up gnutls-2.8.6/lib/gnutls_algorithms.c.reneg gnutls-2.8.6/lib/gnutls_algorithms.c --- gnutls-2.8.6/lib/gnutls_algorithms.c.reneg 2009-08-12 08:58:22.000000000 +0200 +++ gnutls-2.8.6/lib/gnutls_algorithms.c 2010-05-31 22:52:31.000000000 +0200 @@ -457,6 +457,10 @@ typedef struct #define GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 { 0x00,0x88 } #endif +/* Safe renegotiation */ + +#define GNUTLS_RENEGO_PROTECTION_REQUEST { GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR, GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR } + #define CIPHER_SUITES_COUNT sizeof(cs_algorithms)/sizeof(gnutls_cipher_suite_entry)-1 static const gnutls_cipher_suite_entry cs_algorithms[] = { @@ -624,6 +628,9 @@ static const gnutls_cipher_suite_entry c GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_RSA, GNUTLS_MAC_SHA1, GNUTLS_TLS1), #endif + GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_RENEGO_PROTECTION_REQUEST, + GNUTLS_CIPHER_UNKNOWN, GNUTLS_KX_UNKNOWN, + GNUTLS_MAC_UNKNOWN, GNUTLS_SSL3), {0, {{0, 0}}, 0, 0, 0, 0} }; diff -up gnutls-2.8.6/lib/gnutls_algorithms.h.reneg gnutls-2.8.6/lib/gnutls_algorithms.h --- gnutls-2.8.6/lib/gnutls_algorithms.h.reneg 2009-06-02 20:59:32.000000000 +0200 +++ gnutls-2.8.6/lib/gnutls_algorithms.h 2010-05-31 22:52:31.000000000 +0200 @@ -27,6 +27,9 @@ #include "gnutls_auth.h" +#define GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR 0x00 +#define GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR 0xFF + /* Functions for version handling. */ gnutls_protocol_t _gnutls_version_lowest (gnutls_session_t session); gnutls_protocol_t _gnutls_version_max (gnutls_session_t session); diff -up gnutls-2.8.6/lib/gnutls_constate.c.reneg gnutls-2.8.6/lib/gnutls_constate.c --- gnutls-2.8.6/lib/gnutls_constate.c.reneg 2009-11-06 09:39:42.000000000 +0100 +++ gnutls-2.8.6/lib/gnutls_constate.c 2010-05-31 22:52:31.000000000 +0200 @@ -380,6 +380,17 @@ _gnutls_set_write_keys (gnutls_session_t export_flag); } +#define CPY_EXTENSIONS \ + memcpy(dst->extensions.server_names, src->extensions.server_names, sizeof(src->extensions.server_names)); \ + dst->extensions.server_names_size = src->extensions.server_names_size; \ + memcpy(dst->extensions.srp_username, src->extensions.srp_username, sizeof(src->extensions.srp_username)); \ + dst->extensions.gnutls_ia_enable = src->extensions.gnutls_ia_enable; \ + dst->extensions.gnutls_ia_peer_enable = src->extensions.gnutls_ia_peer_enable; \ + dst->extensions.gnutls_ia_allowskip = src->extensions.gnutls_ia_allowskip; \ + dst->extensions.gnutls_ia_peer_allowskip = src->extensions.gnutls_ia_peer_allowskip; \ + dst->extensions.do_recv_supplemental = src->extensions.do_recv_supplemental; \ + dst->extensions.do_send_supplemental = src->extensions.do_send_supplemental + #define CPY_COMMON dst->entity = src->entity; \ dst->kx_algorithm = src->kx_algorithm; \ memcpy( &dst->current_cipher_suite, &src->current_cipher_suite, sizeof(cipher_suite_st)); \ @@ -393,8 +404,8 @@ _gnutls_set_write_keys (gnutls_session_t dst->max_record_recv_size = src->max_record_recv_size; \ dst->max_record_send_size = src->max_record_send_size; \ dst->version = src->version; \ - memcpy( &dst->extensions, &src->extensions, sizeof(tls_ext_st)); \ - memcpy( &dst->inner_secret, &src->inner_secret, GNUTLS_MASTER_SIZE); + CPY_EXTENSIONS; \ + memcpy( &dst->inner_secret, &src->inner_secret, GNUTLS_MASTER_SIZE) static void _gnutls_cpy_read_security_parameters (security_parameters_st * diff -up gnutls-2.8.6/lib/gnutls_errors.c.reneg gnutls-2.8.6/lib/gnutls_errors.c --- gnutls-2.8.6/lib/gnutls_errors.c.reneg 2009-06-02 20:59:32.000000000 +0200 +++ gnutls-2.8.6/lib/gnutls_errors.c 2010-05-31 22:52:31.000000000 +0200 @@ -220,9 +220,15 @@ static const gnutls_error_entry error_al GNUTLS_E_OPENPGP_GETKEY_FAILED, 1), ERROR_ENTRY (N_("Could not find OpenPGP subkey."), GNUTLS_E_OPENPGP_SUBKEY_ERROR, 1), + ERROR_ENTRY (N_("Safe renegotiation failed."), + GNUTLS_E_SAFE_RENEGOTIATION_FAILED, 1), + ERROR_ENTRY (N_("Unsafe renegotiation denied."), + GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED, 1), ERROR_ENTRY (N_("The SRP username supplied is illegal."), GNUTLS_E_ILLEGAL_SRP_USERNAME, 1), + ERROR_ENTRY (N_("The SRP username supplied is unknown."), + GNUTLS_E_UNKNOWN_SRP_USERNAME, 1), ERROR_ENTRY (N_("The OpenPGP fingerprint is not supported."), GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED, 1), diff -up gnutls-2.8.6/lib/gnutls_extensions.c.reneg gnutls-2.8.6/lib/gnutls_extensions.c --- gnutls-2.8.6/lib/gnutls_extensions.c.reneg 2009-06-08 19:11:03.000000000 +0200 +++ gnutls-2.8.6/lib/gnutls_extensions.c 2010-05-31 22:52:31.000000000 +0200 @@ -35,6 +35,7 @@ #include #include #include +#include #include typedef struct @@ -133,7 +134,7 @@ _gnutls_parse_extensions (gnutls_session type = _gnutls_read_uint16 (&data[pos]); pos += 2; - _gnutls_debug_log ("EXT[%p]: Received extension '%s/%d'\n", session, + _gnutls_debug_log ("EXT[%p]: Found extension '%s/%d'\n", session, _gnutls_extension_get_name (type), type); if ((ret = _gnutls_extension_list_check (session, type)) < 0) @@ -153,6 +154,8 @@ _gnutls_parse_extensions (gnutls_session ext_recv = _gnutls_ext_func_recv (type, parse_type); if (ext_recv == NULL) continue; + + if ((ret = ext_recv (session, sdata, size)) < 0) { gnutls_assert (); @@ -170,7 +173,7 @@ _gnutls_parse_extensions (gnutls_session * This list is used to check whether the (later) received * extensions are the ones we requested. */ -static void +void _gnutls_extension_list_add (gnutls_session_t session, uint16_t type) { @@ -192,7 +195,7 @@ _gnutls_extension_list_add (gnutls_sessi int _gnutls_gen_extensions (gnutls_session_t session, opaque * data, - size_t data_size) + size_t data_size, gnutls_ext_parse_type_t parse_type) { int size; uint16_t pos = 0; @@ -223,6 +226,9 @@ _gnutls_gen_extensions (gnutls_session_t if (p->send_func == NULL) continue; + + if (parse_type != GNUTLS_EXT_ANY && p->parse_type != parse_type) + continue; size = p->send_func (session, sdata, sdata_size); if (size > 0) @@ -304,6 +310,14 @@ _gnutls_ext_init (void) if (ret != GNUTLS_E_SUCCESS) return ret; + ret = gnutls_ext_register (GNUTLS_EXTENSION_SAFE_RENEGOTIATION, + "SAFE_RENEGOTIATION", + GNUTLS_EXT_MANDATORY, + _gnutls_safe_renegotiation_recv_params, + _gnutls_safe_renegotiation_send_params); + if (ret != GNUTLS_E_SUCCESS) + return ret; + #ifdef ENABLE_OPRFI ret = gnutls_ext_register (GNUTLS_EXTENSION_OPAQUE_PRF_INPUT, "OPAQUE_PRF_INPUT", diff -up gnutls-2.8.6/lib/gnutls_extensions.h.reneg gnutls-2.8.6/lib/gnutls_extensions.h --- gnutls-2.8.6/lib/gnutls_extensions.h.reneg 2009-06-02 20:59:32.000000000 +0200 +++ gnutls-2.8.6/lib/gnutls_extensions.h 2010-05-31 22:52:31.000000000 +0200 @@ -26,6 +26,8 @@ int _gnutls_parse_extensions (gnutls_ses gnutls_ext_parse_type_t parse_type, const opaque *data, int data_size); int _gnutls_gen_extensions (gnutls_session_t session, opaque * data, - size_t data_size); + size_t data_size, gnutls_ext_parse_type_t); int _gnutls_ext_init (void); void _gnutls_ext_deinit (void); + +void _gnutls_extension_list_add (gnutls_session_t session, uint16_t type); diff -up gnutls-2.8.6/lib/gnutls_handshake.c.reneg gnutls-2.8.6/lib/gnutls_handshake.c --- gnutls-2.8.6/lib/gnutls_handshake.c.reneg 2009-11-02 11:30:39.000000000 +0100 +++ gnutls-2.8.6/lib/gnutls_handshake.c 2010-06-02 10:29:00.000000000 +0200 @@ -48,6 +48,7 @@ #include #include #include +#include #include /* for gnutls_get_rsa_params() */ #include /* for gnutls_anon_server_credentials_t */ #include /* for gnutls_psk_server_credentials_t */ @@ -119,6 +120,7 @@ resume_copy_required_values (gnutls_sess sizeof (session->security_parameters.session_id)); session->security_parameters.session_id_size = session->internals.resumed_security_parameters.session_id_size; + } void @@ -404,8 +406,36 @@ _gnutls_read_client_hello (gnutls_sessio if (ret == 0) { /* resumed! */ + /* Parse only the safe renegotiation extension + * We don't want to parse any other extensions since + * we don't want new extension values to overwrite the + * resumed ones. + */ + + /* move forward to extensions */ + DECR_LEN (len, 2); + suite_size = _gnutls_read_uint16 (&data[pos]); + pos += 2; + + DECR_LEN (len, suite_size); + pos += suite_size; + + DECR_LEN (len, 1); + comp_size = data[pos++]; /* z is the number of compression methods */ + DECR_LEN (len, comp_size); + pos += comp_size; + + ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY, + &data[pos], len); + if (ret < 0) + { + gnutls_assert (); + return ret; + } + resume_copy_required_values (session); session->internals.resumed = RESUME_TRUE; + return _gnutls_user_hello_func (session, adv_version); } else @@ -437,17 +467,17 @@ _gnutls_read_client_hello (gnutls_sessio pos += comp_size; /* Parse the extensions (if any) - */ - if (neg_version >= GNUTLS_TLS1) + * + * Unconditionally try to parse extensions; safe renegotiation uses them in + * sslv3 and higher, even though sslv3 doesn't officially support them. + */ + ret = _gnutls_parse_extensions (session, GNUTLS_EXT_APPLICATION, + &data[pos], len); + /* len is the rest of the parsed length */ + if (ret < 0) { - ret = _gnutls_parse_extensions (session, GNUTLS_EXT_APPLICATION, - &data[pos], len); - /* len is the rest of the parsed length */ - if (ret < 0) - { - gnutls_assert (); - return ret; - } + gnutls_assert (); + return ret; } ret = _gnutls_user_hello_func (session, adv_version); @@ -457,16 +487,20 @@ _gnutls_read_client_hello (gnutls_sessio return ret; } - if (neg_version >= GNUTLS_TLS1) + ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY, + &data[pos], len); + if (ret < 0) { - ret = _gnutls_parse_extensions (session, GNUTLS_EXT_TLS, - &data[pos], len); - /* len is the rest of the parsed length */ - if (ret < 0) - { - gnutls_assert (); - return ret; - } + gnutls_assert (); + return ret; + } + + ret = _gnutls_parse_extensions (session, GNUTLS_EXT_TLS, + &data[pos], len); + if (ret < 0) + { + gnutls_assert (); + return ret; } /* select an appropriate cipher suite @@ -531,7 +565,7 @@ _gnutls_handshake_hash_pending (gnutls_s static int _gnutls_send_finished (gnutls_session_t session, int again) { - uint8_t data[36]; + uint8_t data[MAX_VERIFY_DATA_SIZE]; int ret; int data_size = 0; @@ -556,7 +590,7 @@ _gnutls_send_finished (gnutls_session_t data_size = 36; } else - { /* TLS 1.0 */ + { /* TLS 1.0+ */ ret = _gnutls_finished (session, session->security_parameters.entity, data); data_size = 12; @@ -572,6 +606,31 @@ _gnutls_send_finished (gnutls_session_t session->internals.finished_func (session, data, data_size); } + /* Save data for safe renegotiation. + */ + if (data_size > MAX_VERIFY_DATA_SIZE) + { + gnutls_assert (); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + + if (session->security_parameters.entity == GNUTLS_CLIENT) + { + session->security_parameters.extensions.client_verify_data_len = + data_size; + + memcpy (session->security_parameters.extensions.client_verify_data, + data, data_size); + } + else + { + session->security_parameters.extensions.server_verify_data_len = + data_size; + + memcpy (session->security_parameters.extensions.server_verify_data, + data, data_size); + } + ret = _gnutls_send_handshake (session, data_size ? data : NULL, data_size, GNUTLS_HANDSHAKE_FINISHED); @@ -585,10 +644,11 @@ _gnutls_send_finished (gnutls_session_t static int _gnutls_recv_finished (gnutls_session_t session) { - uint8_t data[36], *vrfy; + uint8_t data[MAX_VERIFY_DATA_SIZE], *vrfy; int data_size; int ret; int vrfysize; + tls_ext_st *ext; ret = _gnutls_recv_handshake (session, &vrfy, &vrfysize, @@ -646,6 +706,28 @@ _gnutls_recv_finished (gnutls_session_t } gnutls_free (vrfy); + /* Save peer's verify data for safe renegotiation */ + if (data_size > MAX_VERIFY_DATA_SIZE) + { + gnutls_assert (); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + + ext = &session->security_parameters.extensions; + + if (session->security_parameters.entity == GNUTLS_CLIENT) + { + memcpy (ext->server_verify_data, data, data_size); + ext->server_verify_data_len = data_size; + } + else + { + memcpy (ext->client_verify_data, data, data_size); + ext->client_verify_data_len = data_size; + } + + session->internals.initial_negotiation_completed = 1; + return ret; } @@ -685,7 +767,6 @@ _gnutls_server_find_pk_algos_in_ciphersu return algo; } - /* This selects the best supported ciphersuite from the given ones. Then * it adds the suite to the session and performs some checks. */ @@ -700,11 +781,31 @@ _gnutls_server_select_suite (gnutls_sess * supported by the peer. */ + /* First, check for safe renegotiation SCSV. + */ + if (session->internals.priorities.sr != SR_DISABLED) + { + int offset; + + for(offset = 0; offset < datalen; offset += 2) + { + /* TLS_RENEGO_PROTECTION_REQUEST = { 0x00, 0xff } */ + if (data[offset] == GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR && + data[offset+1] == GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR) + { + _gnutls_handshake_log ("HSK[%p]: Received safe renegotiation CS\n", session); + session->internals.safe_renegotiation_received = 1; + session->internals.connection_using_safe_renegotiation = 1; + break; + } + } + } + pk_algo = _gnutls_server_find_pk_algos_in_ciphersuites (data, datalen); x = _gnutls_supported_ciphersuites (session, &ciphers); if (x < 0) - { /* the case x==0 is handled within the function. */ + { /* the case x==0 is handled within the function. */ gnutls_assert (); return x; } @@ -752,21 +853,21 @@ _gnutls_server_select_suite (gnutls_sess for (j = 0; j < datalen; j += 2) { - for (i = 0; i < x; i++) - { - if (memcmp (ciphers[i].suite, &data[j], 2) == 0) - { - memcpy (&cs.suite, &data[j], 2); - - _gnutls_handshake_log - ("HSK[%p]: Selected cipher suite: %s\n", session, - _gnutls_cipher_suite_get_name (&cs)); - memcpy (session->security_parameters.current_cipher_suite.suite, - ciphers[i].suite, 2); - retval = 0; - goto finish; - } - } + for (i = 0; i < x; i++) + { + if (memcmp (ciphers[i].suite, &data[j], 2) == 0) + { + memcpy (&cs.suite, &data[j], 2); + + _gnutls_handshake_log + ("HSK[%p]: Selected cipher suite: %s\n", session, + _gnutls_cipher_suite_get_name (&cs)); + memcpy (session->security_parameters.current_cipher_suite.suite, + ciphers[i].suite, 2); + retval = 0; + goto finish; + } + } } finish: @@ -960,7 +1061,7 @@ _gnutls_send_handshake (gnutls_session_t if (i_datasize > 0) memcpy (&data[pos], i_data, i_datasize); - _gnutls_handshake_log ("HSK[%p]: %s was send [%ld bytes]\n", + _gnutls_handshake_log ("HSK[%p]: %s was sent [%ld bytes]\n", session, _gnutls_handshake2str (type), (long) datasize); @@ -1042,7 +1143,6 @@ _gnutls_recv_handshake_header (gnutls_se if (ret < 0) { - gnutls_assert (); return ret; } @@ -1525,15 +1625,26 @@ _gnutls_read_server_hello (gnutls_sessio } DECR_LEN (len, session_id_len); - /* check if we are resuming and set the appropriate * values; */ if (_gnutls_client_check_if_resuming (session, &data[pos], session_id_len) == 0) - return 0; - pos += session_id_len; + { + pos += session_id_len + 2 + 1; + DECR_LEN (len, 2+1); + ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY, + &data[pos], len); + if (ret < 0) + { + gnutls_assert (); + return ret; + } + return 0; + } + + pos += session_id_len; /* Check if the given cipher suite is supported and copy * it to the session. @@ -1548,8 +1659,6 @@ _gnutls_read_server_hello (gnutls_sessio } pos += 2; - - /* move to compression */ DECR_LEN (len, 1); @@ -1563,32 +1672,32 @@ _gnutls_read_server_hello (gnutls_sessio /* Parse extensions. */ - if (version >= GNUTLS_TLS1) + ret = _gnutls_parse_extensions (session, GNUTLS_EXT_ANY, + &data[pos], len); + if (ret < 0) { - ret = _gnutls_parse_extensions (session, GNUTLS_EXT_ANY, - &data[pos], len); - /* len is the rest of the parsed length */ - if (ret < 0) - { - gnutls_assert (); - return ret; - } + gnutls_assert (); + return ret; } + return ret; } /* This function copies the appropriate ciphersuites to a locally allocated buffer - * Needed in client hello messages. Returns the new data length. + * Needed in client hello messages. Returns the new data length. If add_scsv is + * true, add the special safe renegotiation CS. */ static int _gnutls_copy_ciphersuites (gnutls_session_t session, - opaque * ret_data, size_t ret_data_size) + opaque * ret_data, size_t ret_data_size, + int add_scsv) { int ret, i; cipher_suite_st *cipher_suites; uint16_t cipher_num; int datalen, pos; + uint16_t loop_max; ret = _gnutls_supported_ciphersuites_sorted (session, &cipher_suites); if (ret < 0) @@ -1619,6 +1728,9 @@ _gnutls_copy_ciphersuites (gnutls_sessio return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } + if (add_scsv) + ++ret; + cipher_num = ret; cipher_num *= sizeof (uint16_t); /* in order to get bytes */ @@ -1636,11 +1748,21 @@ _gnutls_copy_ciphersuites (gnutls_sessio _gnutls_write_uint16 (cipher_num, ret_data); pos += 2; - for (i = 0; i < (cipher_num / 2); i++) + loop_max = add_scsv ? cipher_num - 2 : cipher_num; + + for (i = 0; i < (loop_max / 2); i++) { memcpy (&ret_data[pos], cipher_suites[i].suite, 2); pos += 2; } + + if (add_scsv) + { + /* Safe renegotiation signalling CS value is { 0x00, 0xff } */ + ret_data[pos++] = 0x00; + ret_data[pos++] = 0xff; + } + gnutls_free (cipher_suites); return datalen; @@ -1700,7 +1822,7 @@ _gnutls_send_client_hello (gnutls_sessio { opaque *data = NULL; int extdatalen; - int pos = 0; + int pos = 0, type; int datalen = 0, ret = 0; opaque rnd[GNUTLS_RANDOM_SIZE]; gnutls_protocol_t hver; @@ -1807,9 +1929,21 @@ _gnutls_send_client_hello (gnutls_sessio /* Copy the ciphersuites. - */ - extdatalen = - _gnutls_copy_ciphersuites (session, extdata, sizeof (extdata)); + * + * If using SSLv3 Send TLS_RENEGO_PROTECTION_REQUEST SCSV for MITM + * prevention on initial negotiation (but not renegotiation; that's + * handled with the RI extension below). + */ + if(!session->internals.initial_negotiation_completed && + session->security_parameters.entity == GNUTLS_CLIENT && + gnutls_protocol_get_version (session) == GNUTLS_SSL3) + { + extdatalen = _gnutls_copy_ciphersuites (session, extdata, sizeof (extdata), TRUE); + _gnutls_extension_list_add (session, GNUTLS_EXTENSION_SAFE_RENEGOTIATION); + } + else + extdatalen = _gnutls_copy_ciphersuites (session, extdata, sizeof (extdata), FALSE); + if (extdatalen > 0) { datalen += extdatalen; @@ -1864,11 +1998,19 @@ _gnutls_send_client_hello (gnutls_sessio /* Generate and copy TLS extensions. */ if (hver >= GNUTLS_TLS1) + type = GNUTLS_EXT_ANY; + else { - extdatalen = - _gnutls_gen_extensions (session, extdata, sizeof (extdata)); + if (session->internals.initial_negotiation_completed != 0) + type = GNUTLS_EXT_MANDATORY; + else + type = GNUTLS_EXT_NONE; + } + + extdatalen = + _gnutls_gen_extensions (session, extdata, sizeof (extdata), type); - if (extdatalen > 0) + if (extdatalen > 0) { datalen += extdatalen; data = gnutls_realloc_fast (data, datalen); @@ -1880,13 +2022,12 @@ _gnutls_send_client_hello (gnutls_sessio memcpy (&data[pos], extdata, extdatalen); } - else if (extdatalen < 0) + else if (extdatalen < 0) { gnutls_assert (); gnutls_free (data); return extdatalen; } - } } ret = @@ -1932,15 +2073,7 @@ _gnutls_send_server_hello (gnutls_sessio * alert and abort. */ gnutls_assert (); - ret = gnutls_alert_send (session, GNUTLS_AL_FATAL, - GNUTLS_A_UNKNOWN_PSK_IDENTITY); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - return GNUTLS_E_ILLEGAL_SRP_USERNAME; + return GNUTLS_E_UNKNOWN_SRP_USERNAME; } } #endif @@ -1949,7 +2082,7 @@ _gnutls_send_server_hello (gnutls_sessio { datalen = 2 + session_id_len + 1 + GNUTLS_RANDOM_SIZE + 3; extdatalen = - _gnutls_gen_extensions (session, extdata, sizeof (extdata)); + _gnutls_gen_extensions (session, extdata, sizeof (extdata), GNUTLS_EXT_ANY); if (extdatalen < 0) { @@ -2015,6 +2148,8 @@ _gnutls_send_hello (gnutls_session_t ses { int ret; + session->internals.safe_renegotiation_received = 0; + if (session->security_parameters.entity == GNUTLS_CLIENT) { ret = _gnutls_send_client_hello (session, again); @@ -2036,6 +2171,7 @@ int _gnutls_recv_hello (gnutls_session_t session, opaque * data, int datalen) { int ret; + tls_ext_st *ext; if (session->security_parameters.entity == GNUTLS_CLIENT) { @@ -2047,7 +2183,7 @@ _gnutls_recv_hello (gnutls_session_t ses } } else - { /* Server side reading a client hello */ + { /* Server side reading a client hello */ ret = _gnutls_read_client_hello (session, data, datalen); if (ret < 0) @@ -2057,6 +2193,89 @@ _gnutls_recv_hello (gnutls_session_t ses } } + if (session->internals.priorities.sr == SR_DISABLED) + { + gnutls_assert(); + return ret; + } + + /* Safe renegotiation */ + ext = &session->security_parameters.extensions; + + if (session->internals.safe_renegotiation_received) + { + if ((ext->ri_extension_data_len < ext->client_verify_data_len) || + (memcmp (ext->ri_extension_data, + ext->client_verify_data, + ext->client_verify_data_len))) + { + gnutls_assert(); + _gnutls_handshake_log ("Safe renegotiation failed [1]\n"); + return GNUTLS_E_SAFE_RENEGOTIATION_FAILED; + } + if (session->security_parameters.entity == GNUTLS_CLIENT) + { + if ((ext->ri_extension_data_len != + ext->client_verify_data_len + ext->server_verify_data_len) || + memcmp (ext->ri_extension_data + ext->client_verify_data_len, + ext->server_verify_data, ext->server_verify_data_len) != 0) + { + gnutls_assert(); + _gnutls_handshake_log ("Safe renegotiation failed [2]\n"); + return GNUTLS_E_SAFE_RENEGOTIATION_FAILED; + } + } + else /* Make sure there are 0 extra bytes */ + { + if (ext->ri_extension_data_len != ext->client_verify_data_len) + { + gnutls_assert(); + _gnutls_handshake_log ("Safe renegotiation failed [3]\n"); + return GNUTLS_E_SAFE_RENEGOTIATION_FAILED; + } + } + + _gnutls_handshake_log ("Safe renegotiation succeeded.\n"); + } + else /* safe renegotiation not received... */ + { + if (session->internals.connection_using_safe_renegotiation) + { + gnutls_assert(); + _gnutls_handshake_log ("Peer previously asked for safe renegotiation!\n"); + return GNUTLS_E_SAFE_RENEGOTIATION_FAILED; + } + + /* Clients can't tell if it's an initial negotiation */ + if (session->internals.initial_negotiation_completed) + { + + if (session->internals.priorities.sr < SR_PARTIAL) + { + _gnutls_handshake_log ("Allowing unsafe (re)negotiation!\n"); + } + else + { + gnutls_assert(); + _gnutls_handshake_log ("Denying unsafe (re)negotiation.\n"); + return GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED; + } + } + else + { + if (session->internals.priorities.sr < SR_SAFE) + { + _gnutls_handshake_log ("Allowing unsafe initial negotiation!\n"); + } + else + { + gnutls_assert(); + _gnutls_handshake_log ("Denying unsafe initial negotiation.\n"); + return GNUTLS_E_SAFE_RENEGOTIATION_FAILED; + } + } + } + return ret; } @@ -2097,6 +2316,13 @@ _gnutls_recv_hello (gnutls_session_t ses * gnutls_handshake() function in order to negotiate the new * parameters. * + * Since TLS is full duplex some application data might have been + * sent during peer's processing of this message. In that case + * one should call gnutls_record_recv() until GNUTLS_E_REHANDSHAKE + * is returned to clear any pending data. Care must be taken if + * rehandshake is mandatory to terminate if it does not start after + * some threshold. + * * If the client does not wish to renegotiate parameters he will * should with an alert message, thus the return code will be * %GNUTLS_E_WARNING_ALERT_RECEIVED and the alert will be diff -up gnutls-2.8.6/lib/gnutls_int.h.reneg gnutls-2.8.6/lib/gnutls_int.h --- gnutls-2.8.6/lib/gnutls_int.h.reneg 2009-11-02 11:30:39.000000000 +0100 +++ gnutls-2.8.6/lib/gnutls_int.h 2010-06-02 10:23:27.000000000 +0200 @@ -171,7 +171,8 @@ typedef enum extensions_t GNUTLS_EXTENSION_OPAQUE_PRF_INPUT = ENABLE_OPRFI, #endif GNUTLS_EXTENSION_SRP = 12, - GNUTLS_EXTENSION_INNER_APPLICATION = 37703 + GNUTLS_EXTENSION_INNER_APPLICATION = 37703, + GNUTLS_EXTENSION_SAFE_RENEGOTIATION = 65281, /* aka: 0xff01 */ } extensions_t; typedef enum @@ -282,6 +283,11 @@ typedef struct #define MAX_SERVER_NAME_EXTENSIONS 3 +#define MAX_VERIFY_DATA_SIZE 36 /* in SSL 3.0, 12 in TLS 1.0 */ + +/* If you want the extension data to be kept across resuming sessions + * then modify CPY_EXTENSIONS in gnutls_constate.c + */ typedef struct { server_name_st server_names[MAX_SERVER_NAME_EXTENSIONS]; @@ -297,6 +303,9 @@ typedef struct /* Used by extensions that enable supplemental data. */ int do_recv_supplemental, do_send_supplemental; + /*** Those below do not get copied when resuming session + ***/ + /* Opaque PRF input. */ gnutls_oprfi_callback_func oprfi_cb; void *oprfi_userdata; @@ -304,6 +313,15 @@ typedef struct uint16_t oprfi_client_len; opaque *oprfi_server; uint16_t oprfi_server_len; + + /* Safe renegotiation. */ + uint8_t client_verify_data[MAX_VERIFY_DATA_SIZE]; + size_t client_verify_data_len; + uint8_t server_verify_data[MAX_VERIFY_DATA_SIZE]; + size_t server_verify_data_len; + uint8_t ri_extension_data[MAX_VERIFY_DATA_SIZE*2]; /* max signal is 72 bytes in s->c sslv3 */ + size_t ri_extension_data_len; + } tls_ext_st; /* auth_info_t structures now MAY contain malloced @@ -317,7 +335,7 @@ typedef struct */ /* if you add anything in Security_Parameters struct, then - * also modify CPY_COMMON in gnutls_constate.c + * also modify CPY_COMMON in gnutls_constate.c. */ /* Note that the security parameters structure is set up after the @@ -361,6 +379,7 @@ typedef struct /* holds the negotiated certificate type */ gnutls_certificate_type_t cert_type; gnutls_protocol_t version; /* moved here */ + /* For TLS/IA. XXX: Move to IA credential? */ opaque inner_secret[GNUTLS_MASTER_SIZE]; } security_parameters_st; @@ -400,6 +419,13 @@ typedef struct unsigned int algorithms; } priority_st; +typedef enum { + SR_DISABLED, + SR_UNSAFE, + SR_PARTIAL, + SR_SAFE, +} safe_renegotiation_t; + /* For the external api */ struct gnutls_priority_st { @@ -411,7 +437,8 @@ struct gnutls_priority_st priority_st cert_type; /* to disable record padding */ - int no_padding; + int no_padding:1; + safe_renegotiation_t sr; int ssl3_record_version; int additional_verify_flags; }; @@ -673,6 +700,10 @@ typedef struct */ uint16_t srp_prime_bits; + int safe_renegotiation_received:1; + int initial_negotiation_completed:1; + int connection_using_safe_renegotiation:1; + /* If you add anything here, check _gnutls_handshake_internal_state_clear(). */ } internals_st; diff -up gnutls-2.8.6/lib/gnutls_priority.c.reneg gnutls-2.8.6/lib/gnutls_priority.c --- gnutls-2.8.6/lib/gnutls_priority.c.reneg 2009-06-02 20:59:32.000000000 +0200 +++ gnutls-2.8.6/lib/gnutls_priority.c 2010-06-02 10:23:27.000000000 +0200 @@ -491,6 +491,21 @@ gnutls_priority_set (gnutls_session_t se * * "%COMPAT" will enable compatibility features for a server. * + * "%DISABLE_SAFE_RENEGOTIATION" will disable safe renegotiation completely. Do not use + * unless you know what you are doing. Testing purposes only. + * + * "%UNSAFE_RENEGOTIATION" will allow unsafe renegotiation (this is now + * the default for clients, but will change once more servers support the safe renegotiation + * TLS fix). + * + * "%PARTIAL_SAFE_RENEGOTIATION" In server side it will enable safe renegotiation + * and will protect all clients from known attacks, but will not prevent insecure clients + * from connecting. In client side it will disallow from renegotiating with an insecure server + * but will not prevent connecting to one (this leaves the client vulnerable to attacks). + * + * "%SAFE_RENEGOTIATION" will enforce safe renegotiation. Clients and Servers will refuse + * to talk to an insecure peer. + * * "%SSL3_RECORD_VERSION" will use SSL3.0 record version in client hello. * * "%VERIFY_ALLOW_SIGN_RSA_MD5" will allow RSA-MD5 signatures in @@ -523,7 +538,7 @@ gnutls_priority_init (gnutls_priority_t { char *broken_list[MAX_ELEMENTS]; int broken_list_size, i, j; - char *darg; + char *darg = NULL; int algo; rmadd_func *fn; @@ -533,6 +548,11 @@ gnutls_priority_init (gnutls_priority_t gnutls_assert (); return GNUTLS_E_MEMORY_ERROR; } + + /* for now unsafe renegotiation is default on everyone. To be removed + * when we make it the default. + */ + (*priority_cache)->sr = SR_PARTIAL; if (priorities == NULL) priorities = "NORMAL"; @@ -541,9 +561,10 @@ gnutls_priority_init (gnutls_priority_t if (darg == NULL) { gnutls_assert (); - return GNUTLS_E_MEMORY_ERROR; + goto error; } + break_comma_list (darg, broken_list, &broken_list_size, MAX_ELEMENTS, ':'); /* This is our default set of protocol version, certificate types and * compression methods. @@ -652,6 +673,25 @@ gnutls_priority_init (gnutls_priority_t "VERIFY_ALLOW_X509_V1_CA_CRT") == 0) (*priority_cache)->additional_verify_flags |= GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT; + else if (strcasecmp (&broken_list[i][1], + "UNSAFE_RENEGOTIATION") == 0) + { + (*priority_cache)->sr = SR_UNSAFE; + } + else if (strcasecmp (&broken_list[i][1], "SAFE_RENEGOTIATION") == 0) + { + (*priority_cache)->sr = SR_SAFE; + } + else if (strcasecmp (&broken_list[i][1], + "PARTIAL_RENEGOTIATION") == 0) + { + (*priority_cache)->sr = SR_PARTIAL; + } + else if (strcasecmp (&broken_list[i][1], + "DISABLE_SAFE_RENEGOTIATION") == 0) + { + (*priority_cache)->sr = SR_DISABLED; + } else goto error; } @@ -672,6 +712,7 @@ error: } } gnutls_free (darg); + gnutls_free(*priority_cache); return GNUTLS_E_INVALID_REQUEST; diff -up gnutls-2.8.6/lib/gnutls_record.c.reneg gnutls-2.8.6/lib/gnutls_record.c --- gnutls-2.8.6/lib/gnutls_record.c.reneg 2009-06-02 20:59:32.000000000 +0200 +++ gnutls-2.8.6/lib/gnutls_record.c 2010-05-31 22:52:31.000000000 +0200 @@ -744,6 +744,14 @@ record_check_type (gnutls_session_t sess if (session->security_parameters.entity == GNUTLS_SERVER) { gnutls_assert (); + ret = + _gnutls_record_buffer_put (recv_type, session, (void *) data, + data_size); + if (ret < 0) + { + gnutls_assert (); + return ret; + } return GNUTLS_E_REHANDSHAKE; } @@ -896,9 +904,13 @@ begin: _gnutls_io_read_buffered (session, &headers, header_size, -1)) != header_size) { + _gnutls_handshake_log ("XXX[]: ret: %d %s\n", ret, gnutls_strerror(ret)); + if (ret < 0 && gnutls_error_is_fatal (ret) == 0) return ret; + _gnutls_handshake_log ("XXX2[]: ret: %d %s\n", ret, gnutls_strerror(ret)); + session_invalidate (session); if (type == GNUTLS_ALERT) { diff -up gnutls-2.8.6/lib/gnutls_state.c.reneg gnutls-2.8.6/lib/gnutls_state.c --- gnutls-2.8.6/lib/gnutls_state.c.reneg 2009-11-02 11:30:39.000000000 +0100 +++ gnutls-2.8.6/lib/gnutls_state.c 2010-06-02 10:23:27.000000000 +0200 @@ -223,6 +223,7 @@ _gnutls_handshake_internal_state_clear ( session->internals.adv_version_minor = 0; session->internals.adv_version_minor = 0; session->internals.direction = 0; + session->internals.safe_renegotiation_received = 0; /* use out of band data for the last * handshake messages received. @@ -338,6 +339,11 @@ gnutls_init (gnutls_session_t * session, _gnutls_handshake_internal_state_clear (*session); + /* emulate old gnutls behavior for old applications that do not use the priority_* + * functions. + */ + (*session)->internals.priorities.sr = SR_PARTIAL; + return 0; } diff -up gnutls-2.8.6/lib/includes/gnutls/gnutls.h.in.reneg gnutls-2.8.6/lib/includes/gnutls/gnutls.h.in --- gnutls-2.8.6/lib/includes/gnutls/gnutls.h.in.reneg 2009-06-02 20:59:32.000000000 +0200 +++ gnutls-2.8.6/lib/includes/gnutls/gnutls.h.in 2010-05-31 22:52:31.000000000 +0200 @@ -503,7 +503,9 @@ extern "C" { { GNUTLS_EXT_ANY, GNUTLS_EXT_APPLICATION, - GNUTLS_EXT_TLS + GNUTLS_EXT_TLS, + GNUTLS_EXT_MANDATORY, /* parse even if resuming or extensions disabled */ + GNUTLS_EXT_NONE, } gnutls_ext_parse_type_t; int gnutls_ext_register (int type, @@ -525,6 +527,9 @@ extern "C" { void *data, size_t * data_length, unsigned int *type, unsigned int indx); + /* Safe renegotiation */ + int gnutls_safe_renegotiation_status (gnutls_session_t session); + /* Opaque PRF Input * http://tools.ietf.org/id/draft-rescorla-tls-opaque-prf-input-00.txt */ @@ -1368,6 +1373,9 @@ extern "C" { #define GNUTLS_E_IA_VERIFY_FAILED -104 #define GNUTLS_E_UNKNOWN_ALGORITHM -105 +#define GNUTLS_E_SAFE_RENEGOTIATION_FAILED -107 +#define GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED -108 +#define GNUTLS_E_UNKNOWN_SRP_USERNAME -109 #define GNUTLS_E_BASE64_ENCODING_ERROR -201 #define GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY -202 /* obsolete */ diff -up gnutls-2.8.6/lib/libgnutls.map.reneg gnutls-2.8.6/lib/libgnutls.map --- gnutls-2.8.6/lib/libgnutls.map.reneg 2009-06-02 20:59:32.000000000 +0200 +++ gnutls-2.8.6/lib/libgnutls.map 2010-05-31 22:52:31.000000000 +0200 @@ -567,6 +567,12 @@ GNUTLS_2_8 gnutls_x509_crt_verify_hash; } GNUTLS_1_4; +GNUTLS_2_10 +{ + global: + gnutls_safe_renegotiation_status; +} GNUTLS_2_8; + GNUTLS_PRIVATE { global: # Internal symbols needed by libgnutls-extra: diff -up gnutls-2.8.6/lib/Makefile.in.reneg gnutls-2.8.6/lib/Makefile.in --- gnutls-2.8.6/lib/Makefile.in.reneg 2010-03-15 11:28:41.000000000 +0100 +++ gnutls-2.8.6/lib/Makefile.in 2010-05-31 22:52:31.000000000 +0200 @@ -214,7 +214,7 @@ am__objects_4 = gnutls_record.lo gnutls_ ext_server_name.lo auth_dh_common.lo gnutls_helper.lo \ gnutls_supplemental.lo crypto.lo random.lo pk-libgcrypt.lo \ mpi-libgcrypt.lo rnd-libgcrypt.lo cipher-libgcrypt.lo \ - mac-libgcrypt.lo $(am__objects_3) + mac-libgcrypt.lo ext_safe_renegotiation.lo $(am__objects_3) am__objects_5 = ext_srp.lo gnutls_srp.lo auth_srp.lo \ auth_srp_passwd.lo auth_srp_sb64.lo auth_srp_rsa.lo am__objects_6 = auth_psk.lo auth_psk_passwd.lo gnutls_psk.lo \ @@ -854,6 +854,7 @@ COBJECTS = gnutls_record.c gnutls_compre auth_dh_common.c gnutls_helper.c gnutls_supplemental.c \ crypto.c random.c pk-libgcrypt.c mpi-libgcrypt.c \ rnd-libgcrypt.c cipher-libgcrypt.c mac-libgcrypt.c \ + ext_safe_renegotiation.c \ $(am__append_5) HFILES = debug.h gnutls_compress.h gnutls_cipher.h gnutls_buffers.h \ gnutls_errors.h gnutls_int.h gnutls_handshake.h gnutls_num.h \ @@ -868,7 +869,8 @@ HFILES = debug.h gnutls_compress.h gnutl gnutls_rsa_export.h ext_server_name.h auth_dh_common.h \ ext_srp.h gnutls_srp.h auth_srp.h auth_srp_passwd.h \ gnutls_helper.h auth_psk.h auth_psk_passwd.h \ - gnutls_supplemental.h ext_oprfi.h crypto.h random.h + gnutls_supplemental.h ext_oprfi.h crypto.h random.h \ + ext_safe_renegotiation.h # Separate so we can create the documentation @@ -1058,6 +1060,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gnutls_x509.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libgnutlsxx_la-gnutlsxx.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mac-libgcrypt.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ext_safe_renegotiation.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mpi-libgcrypt.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pk-libgcrypt.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkix_asn1_tab.Plo@am__quote@ diff -up gnutls-2.8.6/NEWS.reneg gnutls-2.8.6/NEWS --- gnutls-2.8.6/NEWS.reneg 2010-03-15 13:49:42.000000000 +0100 +++ gnutls-2.8.6/NEWS 2010-05-31 22:52:31.000000000 +0200 @@ -3,6 +3,23 @@ Copyright (C) 2000, 2001, 2002, 2003, 20 2006, 2007, 2008, 2009, 2010 Free Software Foundation See the end for copying conditions. +** libgnutls: Added Steve Dispensa's patch for safe renegotiation (RFC 5746) +Solves the issue discussed in: + and +. +Note that to allow connecting to unpatched servers the full protection +is only enabled if the priority string %SAFE_RENEGOTIATION is +specified. You can check whether protection is in place by querying +gnutls_safe_renegotiation_status(). New error codes +GNUTLS_E_SAFE_RENEGOTIATION_FAILED and +GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED added. + +gnutls_safe_renegotiation_status: Added + +%UNSAFE_RENEGOTIATION: Added to priority strings +%INITIAL_SAFE_RENEGOTIATION: Added to priority strings +%DISABLE_SAFE_RENEGOTIATION: Added to priority strings (do not use) + * Version 2.8.6 (released 2010-03-15) ** libgnutls: For CSRs, don't null pad integers for RSA/DSA value. diff -up gnutls-2.8.6/src/cli.c.reneg gnutls-2.8.6/src/cli.c --- gnutls-2.8.6/src/cli.c.reneg 2009-06-02 20:59:32.000000000 +0200 +++ gnutls-2.8.6/src/cli.c 2010-05-31 22:52:31.000000000 +0200 @@ -53,7 +53,7 @@ #define MAX_BUF 4096 /* global stuff here */ -int resume, starttls, insecure; +int resume, starttls, insecure, rehandshake; const char *hostname = NULL; char *service; int record_max_size; @@ -674,6 +674,23 @@ after_handshake: programs to search for when gnutls-cli has reached this point. */ printf ("\n- Simple Client Mode:\n\n"); + if (rehandshake) + { + ret = do_handshake (&hd); + + if (ret < 0) + { + fprintf (stderr, "*** ReHandshake has failed\n"); + gnutls_perror (ret); + gnutls_deinit (hd.session); + return 1; + } + else + { + printf ("- ReHandshake was completed\n"); + } + } + #ifndef _WIN32 signal (SIGALRM, &starttls_alarm); #endif @@ -838,6 +855,7 @@ gaa_parser (int argc, char **argv) print_cert = info.print_cert; starttls = info.starttls; resume = info.resume; + rehandshake = info.rehandshake; insecure = info.insecure; service = info.port; record_max_size = info.record_size; @@ -962,6 +980,11 @@ do_handshake (socket_st * socket) socket->secure = 1; } + else + { + gnutls_alert_send_appropriate(socket->session, ret); + shutdown (socket->fd, SHUT_RDWR); + } return ret; } diff -up gnutls-2.8.6/src/cli-gaa.c.reneg gnutls-2.8.6/src/cli-gaa.c --- gnutls-2.8.6/src/cli-gaa.c.reneg 2009-06-02 20:59:32.000000000 +0200 +++ gnutls-2.8.6/src/cli-gaa.c 2010-05-31 22:52:31.000000000 +0200 @@ -129,6 +129,7 @@ void gaa_help(void) printf("GNU TLS test client\nUsage: gnutls-cli [options] hostname\n\n\n"); __gaa_helpsingle('d', "debug", "integer ", "Enable debugging"); __gaa_helpsingle('r', "resume", "", "Connect, establish a session. Connect again and resume this session."); + __gaa_helpsingle('e', "rehandshake", "", "Connect, establish a session and rehandshake immediately."); __gaa_helpsingle('s', "starttls", "", "Connect, establish a plain session and start TLS when EOF or a SIGALRM is received."); __gaa_helpsingle(0, "crlf", "", "Send CR LF instead of LF."); __gaa_helpsingle(0, "x509fmtder", "", "Use DER format for certificates to read from."); @@ -250,6 +251,8 @@ struct _gaainfo int crlf; #line 20 "cli.gaa" int starttls; +#line 20 "cli.gaa" + int rehandshake; #line 17 "cli.gaa" int resume; #line 14 "cli.gaa" @@ -342,8 +345,9 @@ static int gaa_error = 0; #define GAAOPTID_x509fmtder 31 #define GAAOPTID_crlf 32 #define GAAOPTID_starttls 33 -#define GAAOPTID_resume 34 -#define GAAOPTID_debug 35 +#define GAAOPTID_rehandshake 34 +#define GAAOPTID_resume 35 +#define GAAOPTID_debug 36 #line 168 "gaa.skel" @@ -721,6 +725,7 @@ static int gaa_get_option_num(char *str, GAA_CHECK1STR("", GAAOPTID_x509fmtder); GAA_CHECK1STR("", GAAOPTID_crlf); GAA_CHECK1STR("s", GAAOPTID_starttls); + GAA_CHECK1STR("e", GAAOPTID_rehandshake); GAA_CHECK1STR("r", GAAOPTID_resume); #line 277 "gaa.skel" @@ -759,6 +764,7 @@ static int gaa_get_option_num(char *str, GAA_CHECKSTR("x509fmtder", GAAOPTID_x509fmtder); GAA_CHECKSTR("crlf", GAAOPTID_crlf); GAA_CHECKSTR("starttls", GAAOPTID_starttls); + GAA_CHECKSTR("rehandshake", GAAOPTID_rehandshake); GAA_CHECKSTR("resume", GAAOPTID_resume); GAA_CHECKSTR("debug", GAAOPTID_debug); @@ -1101,6 +1107,13 @@ static int gaa_try(int gaa_num, int gaa_ return GAA_OK; break; + case GAAOPTID_rehandshake: + OK = 0; +#line 21 "cli.gaa" +{ gaaval->rehandshake = 1 ;}; + + return GAA_OK; + break; case GAAOPTID_resume: OK = 0; #line 18 "cli.gaa" @@ -1164,7 +1177,7 @@ int gaa(int argc, char **argv, gaainfo * gaaval->srp_username=NULL; gaaval->srp_passwd=NULL; gaaval->fmtder = 0; gaaval->starttls =0; gaaval->debug = 0; gaaval->print_cert = 0; gaaval->verbose = 0; gaaval->psk_key = NULL; gaaval->psk_username = NULL; gaaval->priorities = NULL; - gaaval->opaque_prf_input = NULL; gaaval->pgp_subkey = NULL; ;}; + gaaval->opaque_prf_input = NULL; gaaval->pgp_subkey = NULL; gaaval->rehandshake = 0; ;}; } inited = 1; diff -up gnutls-2.8.6/src/cli-gaa.h.reneg gnutls-2.8.6/src/cli-gaa.h --- gnutls-2.8.6/src/cli-gaa.h.reneg 2009-06-02 20:59:32.000000000 +0200 +++ gnutls-2.8.6/src/cli-gaa.h 2010-05-31 22:52:31.000000000 +0200 @@ -82,6 +82,7 @@ struct _gaainfo int crlf; #line 20 "cli.gaa" int starttls; + int rehandshake; #line 17 "cli.gaa" int resume; #line 14 "cli.gaa" diff -up gnutls-2.8.6/src/cli.gaa.reneg gnutls-2.8.6/src/cli.gaa --- gnutls-2.8.6/src/cli.gaa.reneg 2009-06-02 20:59:32.000000000 +0200 +++ gnutls-2.8.6/src/cli.gaa 2010-05-31 22:52:31.000000000 +0200 @@ -17,6 +17,9 @@ option (d, debug) INT "integer" { $debug #int resume; option (r, resume) { $resume = 1 } "Connect, establish a session. Connect again and resume this session." +#int rehandshake; +option (e, rehandshake) { $rehandshake = 1 } "Connect, establish a session and rehandshake immediately." + #int starttls; option (s, starttls) { $starttls = 1 } "Connect, establish a plain session and start TLS when EOF or a SIGALRM is received." @@ -130,4 +133,4 @@ init { $resume=0; $port="443"; $rest_arg $srp_username=NULL; $srp_passwd=NULL; $fmtder = 0; $starttls =0; $debug = 0; $print_cert = 0; $verbose = 0; $psk_key = NULL; $psk_username = NULL; $priorities = NULL; - $opaque_prf_input = NULL; $pgp_subkey = NULL; } + $opaque_prf_input = NULL; $pgp_subkey = NULL; $rehandshake = 0; } diff -up gnutls-2.8.6/src/serv.c.reneg gnutls-2.8.6/src/serv.c --- gnutls-2.8.6/src/serv.c.reneg 2009-11-06 09:39:42.000000000 +0100 +++ gnutls-2.8.6/src/serv.c 2010-05-31 22:52:31.000000000 +0200 @@ -764,6 +764,18 @@ get_response (gnutls_session_t session, } else { + fprintf(stderr, "received: %s\n", request); + if (request[0] == request[1] && request[0] == '*') + { + if (strncmp(request, "**REHANDSHAKE**", sizeof("**REHANDSHAKE**")-1)==0) + { + fprintf(stderr, "*** Sending rehandshake request\n"); + gnutls_rehandshake(session); + } + *response = NULL; + *response_length = 0; + return; + } *response = strdup (request); *response_length = ((*response) ? strlen (*response) : 0); } @@ -1177,7 +1189,7 @@ main (int argc, char **argv) ret = gnutls_alert_send_appropriate (j->tls_session, r); } - while (ret == GNUTLS_E_AGAIN); + while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); j->http_state = HTTP_STATE_CLOSING; } else if (r == 0) @@ -1210,14 +1222,37 @@ main (int argc, char **argv) } else if (r <= 0) { - j->http_state = HTTP_STATE_CLOSING; - if (r < 0 && r != GNUTLS_E_UNEXPECTED_PACKET_LENGTH) + if (r == GNUTLS_E_REHANDSHAKE) { - check_alert (j->tls_session, r); - fprintf (stderr, "Error while receiving data\n"); - GERR (r); - } - + fprintf(stderr, "*** Received hello message\n"); + do + { + r = gnutls_handshake (j->tls_session); + } + while (r == GNUTLS_E_INTERRUPTED || r == GNUTLS_E_AGAIN); + if (r < 0) + { + + do + { + ret = gnutls_alert_send_appropriate (j->tls_session, r); + } + while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); + + GERR (r); + j->http_state = HTTP_STATE_CLOSING; + } + } + else + { + j->http_state = HTTP_STATE_CLOSING; + if (r < 0 && r != GNUTLS_E_UNEXPECTED_PACKET_LENGTH) + { + check_alert (j->tls_session, r); + fprintf (stderr, "Error while receiving data\n"); + GERR (r); + } + } } else { @@ -1299,7 +1334,7 @@ main (int argc, char **argv) } } - if (j->handshake_ok == 1) + if (j->handshake_ok == 1 && j->http_response != NULL) { /* FIXME if j->http_response == NULL? */ r = gnutls_record_send (j->tls_session, @@ -1351,6 +1386,12 @@ main (int argc, char **argv) } } } + else + { + j->request_length = 0; + j->http_request[0] = 0; + j->http_state = HTTP_STATE_REQUEST; + } } } lloopend (listener_list, j); diff -up gnutls-2.8.6/src/tests.c.reneg gnutls-2.8.6/src/tests.c --- gnutls-2.8.6/src/tests.c.reneg 2009-06-02 20:59:32.000000000 +0200 +++ gnutls-2.8.6/src/tests.c 2010-05-31 22:52:31.000000000 +0200 @@ -45,6 +45,7 @@ extern int verbose; int tls1_ok = 0; int ssl3_ok = 0; int tls1_1_ok = 0; +int tls1_2_ok = 0; /* keep session info */ static char *session_data = NULL; @@ -103,158 +104,28 @@ do_handshake (gnutls_session_t session) return TEST_SUCCEED; } -static int protocol_priority[16] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; +char protocol_str[] = "+VERS-TLS1.0:+VERS-SSL3.0"; +char prio_str[256] = ""; -static const int kx_priority[16] = - { GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, - GNUTLS_KX_ANON_DH, - GNUTLS_KX_RSA_EXPORT, 0 -}; - -static const int cipher_priority[16] = - { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128, - GNUTLS_CIPHER_ARCFOUR_40, 0 -}; -static const int comp_priority[16] = { GNUTLS_COMP_NULL, 0 }; -static const int mac_priority[16] = { GNUTLS_MAC_SHA1, GNUTLS_MAC_MD5, 0 }; -static const int cert_type_priority[16] = { GNUTLS_CRT_X509, 0 }; - -#define ADD_ALL_CIPHERS(session) gnutls_cipher_set_priority(session, cipher_priority) -#define ADD_ALL_COMP(session) gnutls_compression_set_priority(session, comp_priority) -#define ADD_ALL_MACS(session) gnutls_mac_set_priority(session, mac_priority) -#define ADD_ALL_KX(session) gnutls_kx_set_priority(session, kx_priority) -#define ADD_ALL_PROTOCOLS(session) gnutls_protocol_set_priority(session, protocol_priority) -#define ADD_ALL_CERTTYPES(session) gnutls_certificate_type_set_priority(session, cert_type_priority) - -static void -ADD_KX (gnutls_session_t session, int kx) -{ - static int _kx_priority[] = { 0, 0 }; - _kx_priority[0] = kx; - - gnutls_kx_set_priority (session, _kx_priority); -} - -static void -ADD_KX2 (gnutls_session_t session, int kx1, int kx2) -{ - static int _kx_priority[] = { 0, 0, 0 }; - _kx_priority[0] = kx1; - _kx_priority[1] = kx2; - - gnutls_kx_set_priority (session, _kx_priority); -} - -static void -ADD_CIPHER (gnutls_session_t session, int cipher) -{ - static int _cipher_priority[] = { 0, 0 }; - _cipher_priority[0] = cipher; - - gnutls_cipher_set_priority (session, _cipher_priority); -} - -static void -ADD_CIPHER4 (gnutls_session_t session, int cipher1, int cipher2, int cipher3, - int cipher4) -{ - static int _cipher_priority[] = { 0, 0, 0, 0, 0 }; - _cipher_priority[0] = cipher1; - _cipher_priority[1] = cipher2; - _cipher_priority[2] = cipher3; - _cipher_priority[3] = cipher4; - - gnutls_cipher_set_priority (session, _cipher_priority); -} - -static void -ADD_MAC (gnutls_session_t session, int mac) -{ - static int _mac_priority[] = { 0, 0 }; - _mac_priority[0] = mac; - - gnutls_mac_set_priority (session, _mac_priority); -} - -static void -ADD_COMP (gnutls_session_t session, int c) -{ - static int _comp_priority[] = { 0, 0 }; - _comp_priority[0] = c; - - gnutls_compression_set_priority (session, _comp_priority); -} - -static void -ADD_CERTTYPE (gnutls_session_t session, int ctype) -{ - static int _ct_priority[] = { 0, 0 }; - _ct_priority[0] = ctype; - - gnutls_certificate_type_set_priority (session, _ct_priority); -} - -static void -ADD_PROTOCOL (gnutls_session_t session, int protocol) -{ - static int _proto_priority[] = { 0, 0 }; - _proto_priority[0] = protocol; - - gnutls_protocol_set_priority (session, _proto_priority); -} - -static void -ADD_PROTOCOL3 (gnutls_session_t session, int p1, int p2, int p3) -{ - static int _proto_priority[] = { 0, 0, 0, 0 }; - _proto_priority[0] = p1; - _proto_priority[1] = p2; - _proto_priority[2] = p3; - - gnutls_protocol_set_priority (session, _proto_priority); -} - -#ifdef ENABLE_SRP -static int srp_detected; - -int -_test_srp_username_callback (gnutls_session_t session, - char **username, char **password) -{ - srp_detected = 1; - - return -1; -} - -test_code_t -test_srp (gnutls_session_t session) -{ - int ret; - - ADD_ALL_CIPHERS (session); - ADD_ALL_COMP (session); - ADD_ALL_CERTTYPES (session); - ADD_ALL_PROTOCOLS (session); - ADD_ALL_MACS (session); - - ADD_KX (session, GNUTLS_KX_SRP); - srp_detected = 0; - - gnutls_srp_set_client_credentials_function (srp_cred, - _test_srp_username_callback); - - gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred); - - ret = do_handshake (session); - - gnutls_srp_set_client_credentials_function (srp_cred, NULL); - - if (srp_detected != 0) - return TEST_SUCCEED; - else - return TEST_FAILED; +#define ALL_CIPHERS "+3DES-CBC:+ARCFOUR-128:+ARCFOUR-40" +#define ALL_COMP "+COMP-NULL" +#define ALL_MACS "+SHA1:+MD5" +#define ALL_CERTTYPES "+CTYPE-X509" +#define REST "%%UNSAFE_RENEGOTIATION" +#define ALL_KX "+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+RSA-EXPORT" +#define INIT_STR "NONE:" + +static inline void _gnutls_priority_set_direct(gnutls_session_t session, const char* str) +{ + const char* err; + int ret = gnutls_priority_set_direct(session, str, &err); + + if (ret < 0) + { + fprintf(stderr, "Error in %s\n", err); + exit(1); + } } -#endif test_code_t test_server (gnutls_session_t session) @@ -269,12 +140,8 @@ test_server (gnutls_session_t session) buf[sizeof (buf) - 1] = 0; - ADD_ALL_CIPHERS (session); - ADD_ALL_COMP (session); - ADD_ALL_CERTTYPES (session); - ADD_ALL_PROTOCOLS (session); - ADD_ALL_MACS (session); - ADD_ALL_KX (session); + sprintf(prio_str, ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); + _gnutls_priority_set_direct (session, prio_str); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); @@ -318,13 +185,9 @@ test_export (gnutls_session_t session) { int ret; - ADD_ALL_COMP (session); - ADD_ALL_CERTTYPES (session); - ADD_ALL_PROTOCOLS (session); - ADD_ALL_MACS (session); + sprintf(prio_str, "+ARCFOUR-40:+RSA-EXPORT:"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); + _gnutls_priority_set_direct (session, prio_str); - ADD_KX (session, GNUTLS_KX_RSA_EXPORT); - ADD_CIPHER (session, GNUTLS_CIPHER_ARCFOUR_40); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); ret = do_handshake (session); @@ -348,13 +211,9 @@ test_export_info (gnutls_session_t sessi if (verbose == 0 || export_true == 0) return TEST_IGNORE; - ADD_ALL_COMP (session); - ADD_ALL_CERTTYPES (session); - ADD_ALL_PROTOCOLS (session); - ADD_ALL_MACS (session); + sprintf(prio_str, "+ARCFOUR-40:+RSA-EXPORT:"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); + _gnutls_priority_set_direct (session, prio_str); - ADD_KX (session, GNUTLS_KX_RSA_EXPORT); - ADD_CIPHER (session, GNUTLS_CIPHER_ARCFOUR_40); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); ret = do_handshake (session); @@ -395,13 +254,9 @@ test_dhe (gnutls_session_t session) { int ret; - ADD_ALL_CIPHERS (session); - ADD_ALL_COMP (session); - ADD_ALL_CERTTYPES (session); - ADD_ALL_PROTOCOLS (session); - ADD_ALL_MACS (session); + sprintf(prio_str, ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":+DHE-RSA:+DHE-DSS:"REST, protocol_str); + _gnutls_priority_set_direct (session, prio_str); - ADD_KX2 (session, GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); ret = do_handshake (session); @@ -411,6 +266,37 @@ test_dhe (gnutls_session_t session) return ret; } + +test_code_t +test_safe_renegotiation (gnutls_session_t session) +{ + int ret; + + sprintf(prio_str, ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":%%INITIAL_SAFE_RENEGOTIATION", protocol_str); + _gnutls_priority_set_direct (session, prio_str); + + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); + + return ret; +} + +test_code_t +test_safe_renegotiation_scsv (gnutls_session_t session) +{ + int ret; + + sprintf(prio_str, ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":+VERS-SSL3.0:"ALL_MACS":"ALL_KX":%%INITIAL_SAFE_RENEGOTIATION"); + _gnutls_priority_set_direct (session, prio_str); + + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); + + return ret; +} + test_code_t test_dhe_group (gnutls_session_t session) { @@ -421,13 +307,8 @@ test_dhe_group (gnutls_session_t session if (verbose == 0 || pubkey.data == NULL) return TEST_IGNORE; - ADD_ALL_CIPHERS (session); - ADD_ALL_COMP (session); - ADD_ALL_CERTTYPES (session); - ADD_ALL_PROTOCOLS (session); - ADD_ALL_MACS (session); + sprintf(prio_str, ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":+DHE-RSA:+DHE-DSS:"REST, protocol_str); - ADD_KX2 (session, GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); ret = do_handshake (session); @@ -463,12 +344,9 @@ test_code_t test_ssl3 (gnutls_session_t session) { int ret; - ADD_ALL_CIPHERS (session); - ADD_ALL_COMP (session); - ADD_ALL_CERTTYPES (session); - ADD_PROTOCOL (session, GNUTLS_SSL3); - ADD_ALL_MACS (session); - ADD_ALL_KX (session); + sprintf(prio_str, ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":+VERS-SSL3.0:"ALL_MACS":"ALL_KX":"REST); + _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); ret = do_handshake (session); @@ -496,12 +374,9 @@ test_bye (gnutls_session_t session) signal (SIGALRM, got_alarm); #endif - ADD_ALL_CIPHERS (session); - ADD_ALL_COMP (session); - ADD_ALL_CERTTYPES (session); - ADD_ALL_PROTOCOLS (session); - ADD_ALL_MACS (session); - ADD_ALL_KX (session); + sprintf(prio_str, ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); + _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); ret = do_handshake (session); @@ -548,12 +423,10 @@ test_code_t test_aes (gnutls_session_t session) { int ret; - ADD_CIPHER (session, GNUTLS_CIPHER_AES_128_CBC); - ADD_ALL_COMP (session); - ADD_ALL_CERTTYPES (session); - ADD_ALL_PROTOCOLS (session); - ADD_ALL_MACS (session); - ADD_ALL_KX (session); + + sprintf(prio_str, INIT_STR "+AES-128-CBC:"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST , protocol_str); + _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); ret = do_handshake (session); @@ -565,12 +438,10 @@ test_code_t test_camellia (gnutls_session_t session) { int ret; - ADD_CIPHER (session, GNUTLS_CIPHER_CAMELLIA_128_CBC); - ADD_ALL_COMP (session); - ADD_ALL_CERTTYPES (session); - ADD_ALL_PROTOCOLS (session); - ADD_ALL_MACS (session); - ADD_ALL_KX (session); + + sprintf(prio_str, INIT_STR "+CAMELLIA-128-CBC:"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); + _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); ret = do_handshake (session); @@ -582,12 +453,10 @@ test_code_t test_openpgp1 (gnutls_session_t session) { int ret; - ADD_ALL_CIPHERS (session); - ADD_ALL_COMP (session); - ADD_CERTTYPE (session, GNUTLS_CRT_OPENPGP); - ADD_ALL_PROTOCOLS (session); - ADD_ALL_MACS (session); - ADD_ALL_KX (session); + + sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":+CTYPE-OPENPGP:%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); + _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); ret = do_handshake (session); @@ -604,18 +473,16 @@ test_code_t test_unknown_ciphersuites (gnutls_session_t session) { int ret; + + #ifdef ENABLE_CAMELLIA - ADD_CIPHER4 (session, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_3DES_CBC, - GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_CIPHER_ARCFOUR_128); + sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); + _gnutls_priority_set_direct (session, prio_str); #else - ADD_CIPHER4 (session, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_3DES_CBC, - GNUTLS_CIPHER_ARCFOUR_128, 0); + sprintf(prio_str, INIT_STR "+AES-128-CBC:"ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); + _gnutls_priority_set_direct (session, prio_str); #endif - ADD_ALL_COMP (session); - ADD_ALL_CERTTYPES (session); - ADD_ALL_PROTOCOLS (session); - ADD_ALL_MACS (session); - ADD_ALL_KX (session); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); ret = do_handshake (session); @@ -626,12 +493,10 @@ test_code_t test_md5 (gnutls_session_t session) { int ret; - ADD_ALL_CIPHERS (session); - ADD_ALL_COMP (session); - ADD_ALL_CERTTYPES (session); - ADD_ALL_PROTOCOLS (session); - ADD_MAC (session, GNUTLS_MAC_MD5); - ADD_ALL_KX (session); + + sprintf(prio_str, INIT_STR "+AES-128-CBC:"ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:+MD5:"ALL_KX":"REST, protocol_str); + _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); ret = do_handshake (session); @@ -643,12 +508,10 @@ test_code_t test_zlib (gnutls_session_t session) { int ret; - ADD_ALL_CIPHERS (session); - ADD_COMP (session, GNUTLS_COMP_ZLIB); - ADD_ALL_CERTTYPES (session); - ADD_ALL_PROTOCOLS (session); - ADD_ALL_MACS (session); - ADD_ALL_KX (session); + + sprintf(prio_str, INIT_STR ALL_CIPHERS":+COMP-ZLIB:"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); + _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); ret = do_handshake (session); @@ -657,34 +520,25 @@ test_zlib (gnutls_session_t session) #endif test_code_t -test_lzo (gnutls_session_t session) +test_sha (gnutls_session_t session) { int ret; - gnutls_handshake_set_private_extensions (session, 1); - ADD_ALL_CIPHERS (session); - ADD_COMP (session, GNUTLS_COMP_LZO); - ADD_ALL_CERTTYPES (session); - ADD_ALL_PROTOCOLS (session); - ADD_ALL_MACS (session); - ADD_ALL_KX (session); + sprintf(prio_str, INIT_STR "+AES-128-CBC:"ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:+SHA1:"ALL_KX":"REST, protocol_str); + _gnutls_priority_set_direct (session, prio_str); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); ret = do_handshake (session); - return ret; } test_code_t -test_sha (gnutls_session_t session) +test_3des (gnutls_session_t session) { int ret; - ADD_ALL_CIPHERS (session); - ADD_ALL_COMP (session); - ADD_ALL_CERTTYPES (session); - ADD_ALL_PROTOCOLS (session); - ADD_MAC (session, GNUTLS_MAC_SHA1); - ADD_ALL_KX (session); + + sprintf(prio_str, INIT_STR "+3DES-CBC:"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); + _gnutls_priority_set_direct (session, prio_str); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); ret = do_handshake (session); @@ -692,15 +546,12 @@ test_sha (gnutls_session_t session) } test_code_t -test_3des (gnutls_session_t session) +test_arcfour (gnutls_session_t session) { int ret; - ADD_CIPHER (session, GNUTLS_CIPHER_3DES_CBC); - ADD_ALL_COMP (session); - ADD_ALL_CERTTYPES (session); - ADD_ALL_PROTOCOLS (session); - ADD_ALL_MACS (session); - ADD_ALL_KX (session); + + sprintf(prio_str, INIT_STR "+ARCFOUR-128:"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); + _gnutls_priority_set_direct (session, prio_str); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); ret = do_handshake (session); @@ -708,15 +559,13 @@ test_3des (gnutls_session_t session) } test_code_t -test_arcfour (gnutls_session_t session) +test_arcfour_40 (gnutls_session_t session) { int ret; - ADD_CIPHER (session, GNUTLS_CIPHER_ARCFOUR_128); - ADD_ALL_COMP (session); - ADD_ALL_CERTTYPES (session); - ADD_ALL_PROTOCOLS (session); - ADD_ALL_MACS (session); - ADD_ALL_KX (session); + + sprintf(prio_str, INIT_STR "+ARCFOUR-40:"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":""+RSA-EXPORT"":"REST, protocol_str); + _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); ret = do_handshake (session); @@ -724,36 +573,36 @@ test_arcfour (gnutls_session_t session) } test_code_t -test_arcfour_40 (gnutls_session_t session) +test_tls1 (gnutls_session_t session) { int ret; - ADD_CIPHER (session, GNUTLS_CIPHER_ARCFOUR_40); - ADD_ALL_COMP (session); - ADD_ALL_CERTTYPES (session); - ADD_ALL_PROTOCOLS (session); - ADD_ALL_MACS (session); - ADD_ALL_KX (session); + + sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":+VERS-TLS1.0:"ALL_MACS":"ALL_KX":"REST); + _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); ret = do_handshake (session); + if (ret == TEST_SUCCEED) + tls1_ok = 1; + return ret; + } test_code_t -test_tls1 (gnutls_session_t session) +test_tls1_2 (gnutls_session_t session) { int ret; - ADD_ALL_CIPHERS (session); - ADD_ALL_COMP (session); - ADD_ALL_CERTTYPES (session); - ADD_PROTOCOL (session, GNUTLS_TLS1); - ADD_ALL_MACS (session); - ADD_ALL_KX (session); + + sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":+VERS-TLS1.2:"ALL_MACS":"ALL_KX":"REST); + _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); ret = do_handshake (session); if (ret == TEST_SUCCEED) - tls1_ok = 1; + tls1_2_ok = 1; return ret; @@ -763,12 +612,10 @@ test_code_t test_tls1_1 (gnutls_session_t session) { int ret; - ADD_ALL_CIPHERS (session); - ADD_ALL_COMP (session); - ADD_ALL_CERTTYPES (session); - ADD_PROTOCOL (session, GNUTLS_TLS1_1); - ADD_ALL_MACS (session); - ADD_ALL_KX (session); + + sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":+VERS-TLS1.1:"ALL_MACS":"ALL_KX":"REST); + _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); ret = do_handshake (session); @@ -786,12 +633,9 @@ test_tls1_1_fallback (gnutls_session_t s if (tls1_1_ok) return TEST_IGNORE; - ADD_ALL_CIPHERS (session); - ADD_ALL_COMP (session); - ADD_ALL_CERTTYPES (session); - ADD_PROTOCOL3 (session, GNUTLS_TLS1_1, GNUTLS_TLS1, GNUTLS_SSL3); - ADD_ALL_MACS (session); - ADD_ALL_KX (session); + sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0:"ALL_MACS":"ALL_KX":"REST); + _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); ret = do_handshake (session); @@ -817,12 +661,9 @@ test_tls_disable (gnutls_session_t sessi if (tls1_ok != 0) return TEST_IGNORE; - ADD_ALL_CIPHERS (session); - ADD_ALL_COMP (session); - ADD_ALL_CERTTYPES (session); - ADD_ALL_PROTOCOLS (session); - ADD_ALL_MACS (session); - ADD_ALL_KX (session); + sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); + _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); ret = do_handshake (session); @@ -831,8 +672,7 @@ test_tls_disable (gnutls_session_t sessi /* disable TLS 1.0 */ if (ssl3_ok != 0) { - protocol_priority[0] = GNUTLS_SSL3; - protocol_priority[1] = 0; + strcpy(protocol_str, "+VERS-SSL3.0"); } } return ret; @@ -849,12 +689,8 @@ test_rsa_pms (gnutls_session_t session) * If the server is old, buggy and only supports * SSL 3.0 then the handshake will fail. */ - ADD_ALL_CIPHERS (session); - ADD_ALL_COMP (session); - ADD_ALL_CERTTYPES (session); - ADD_ALL_PROTOCOLS (session); - ADD_ALL_MACS (session); - ADD_KX (session, GNUTLS_KX_RSA); + sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":+RSA:"REST, protocol_str); + _gnutls_priority_set_direct (session, prio_str); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); ret = do_handshake (session); @@ -870,12 +706,8 @@ test_code_t test_max_record_size (gnutls_session_t session) { int ret; - ADD_ALL_CIPHERS (session); - ADD_ALL_COMP (session); - ADD_ALL_CERTTYPES (session); - ADD_ALL_PROTOCOLS (session); - ADD_ALL_MACS (session); - ADD_ALL_KX (session); + sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); + _gnutls_priority_set_direct (session, prio_str); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); gnutls_record_set_max_size (session, 512); @@ -894,12 +726,9 @@ test_code_t test_hello_extension (gnutls_session_t session) { int ret; - ADD_ALL_CIPHERS (session); - ADD_ALL_COMP (session); - ADD_ALL_CERTTYPES (session); - ADD_ALL_PROTOCOLS (session); - ADD_ALL_MACS (session); - ADD_ALL_KX (session); + + sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); + _gnutls_priority_set_direct (session, prio_str); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); gnutls_record_set_max_size (session, 512); @@ -925,12 +754,8 @@ test_version_rollback (gnutls_session_t * attacks which allow a version downgrade) and this * connection will fail. */ - ADD_ALL_CIPHERS (session); - ADD_ALL_COMP (session); - ADD_ALL_CERTTYPES (session); - ADD_ALL_PROTOCOLS (session); - ADD_ALL_MACS (session); - ADD_ALL_KX (session); + sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); + _gnutls_priority_set_direct (session, prio_str); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); _gnutls_record_set_default_version (session, 3, 0); @@ -955,12 +780,8 @@ test_version_oob (gnutls_session_t sessi /* here we enable both SSL 3.0 and TLS 1.0 * and we connect using a 5.5 record version. */ - ADD_ALL_CIPHERS (session); - ADD_ALL_COMP (session); - ADD_ALL_CERTTYPES (session); - ADD_ALL_PROTOCOLS (session); - ADD_ALL_MACS (session); - ADD_ALL_KX (session); + sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); + _gnutls_priority_set_direct (session, prio_str); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); _gnutls_record_set_default_version (session, 5, 5); @@ -980,12 +801,8 @@ test_rsa_pms_version_check (gnutls_sessi * * A normal server would abort this handshake. */ - ADD_ALL_CIPHERS (session); - ADD_ALL_COMP (session); - ADD_ALL_CERTTYPES (session); - ADD_ALL_PROTOCOLS (session); - ADD_ALL_MACS (session); - ADD_ALL_KX (session); + sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); + _gnutls_priority_set_direct (session, prio_str); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); _gnutls_rsa_pms_set_version (session, 5, 5); /* use SSL 5.5 version */ @@ -1000,12 +817,8 @@ test_anonymous (gnutls_session_t session { int ret; - ADD_ALL_CIPHERS (session); - ADD_ALL_COMP (session); - ADD_ALL_CERTTYPES (session); - ADD_ALL_PROTOCOLS (session); - ADD_ALL_MACS (session); - ADD_KX (session, GNUTLS_KX_ANON_DH); + sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":+ANON-DH:"REST, protocol_str); + _gnutls_priority_set_direct (session, prio_str); gnutls_credentials_set (session, GNUTLS_CRD_ANON, anon_cred); ret = do_handshake (session); @@ -1027,12 +840,8 @@ test_session_resume2 (gnutls_session_t s if (session == NULL) return TEST_IGNORE; - ADD_ALL_CIPHERS (session); - ADD_ALL_COMP (session); - ADD_ALL_CERTTYPES (session); - ADD_ALL_PROTOCOLS (session); - ADD_ALL_MACS (session); - ADD_ALL_KX (session); + sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); + _gnutls_priority_set_direct (session, prio_str); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); gnutls_credentials_set (session, GNUTLS_CRD_ANON, anon_cred); @@ -1074,12 +883,8 @@ test_certificate (gnutls_session_t sessi if (verbose == 0) return TEST_IGNORE; - ADD_ALL_CIPHERS (session); - ADD_ALL_COMP (session); - ADD_ALL_CERTTYPES (session); - ADD_ALL_PROTOCOLS (session); - ADD_ALL_MACS (session); - ADD_ALL_KX (session); + sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); + _gnutls_priority_set_direct (session, prio_str); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); @@ -1143,12 +948,8 @@ test_server_cas (gnutls_session_t sessio if (verbose == 0) return TEST_IGNORE; - ADD_ALL_CIPHERS (session); - ADD_ALL_COMP (session); - ADD_ALL_CERTTYPES (session); - ADD_ALL_PROTOCOLS (session); - ADD_ALL_MACS (session); - ADD_ALL_KX (session); + sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); + _gnutls_priority_set_direct (session, prio_str); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); gnutls_certificate_client_set_retrieve_function (xcred, cert_callback); diff -up gnutls-2.8.6/src/tests.h.reneg gnutls-2.8.6/src/tests.h --- gnutls-2.8.6/src/tests.h.reneg 2009-06-02 20:59:32.000000000 +0200 +++ gnutls-2.8.6/src/tests.h 2010-05-31 22:52:31.000000000 +0200 @@ -3,7 +3,6 @@ typedef enum TEST_SUCCEED, TEST_FAILED, TEST_UNSURE, TEST_IGNORE } test_code_t; -test_code_t test_srp (gnutls_session_t state); test_code_t test_server (gnutls_session_t state); test_code_t test_export (gnutls_session_t state); test_code_t test_export_info (gnutls_session_t state); @@ -21,7 +20,10 @@ test_code_t test_3des (gnutls_session_t test_code_t test_arcfour (gnutls_session_t state); test_code_t test_arcfour_40 (gnutls_session_t state); test_code_t test_tls1 (gnutls_session_t state); +test_code_t test_safe_renegotiation (gnutls_session_t state); +test_code_t test_safe_renegotiation_scsv (gnutls_session_t state); test_code_t test_tls1_1 (gnutls_session_t state); +test_code_t test_tls1_2 (gnutls_session_t state); test_code_t test_tls1_1_fallback (gnutls_session_t state); test_code_t test_tls_disable (gnutls_session_t state); test_code_t test_rsa_pms (gnutls_session_t state); @@ -37,6 +39,5 @@ test_code_t test_session_resume2 (gnutls test_code_t test_rsa_pms_version_check (gnutls_session_t session); test_code_t test_version_oob (gnutls_session_t session); test_code_t test_zlib (gnutls_session_t session); -test_code_t test_lzo (gnutls_session_t session); int _test_srp_username_callback (gnutls_session_t session, char **username, char **password); diff -up gnutls-2.8.6/src/tls_test.c.reneg gnutls-2.8.6/src/tls_test.c --- gnutls-2.8.6/src/tls_test.c.reneg 2009-06-02 20:59:32.000000000 +0200 +++ gnutls-2.8.6/src/tls_test.c 2010-05-31 22:52:31.000000000 +0200 @@ -79,6 +79,9 @@ typedef struct } TLS_TEST; static const TLS_TEST tls_tests[] = { + {"for Safe renegotiation support", test_safe_renegotiation, "yes", "no", "dunno"}, + {"for Safe renegotiation support (SCSV)", test_safe_renegotiation_scsv, "yes", "no", "dunno"}, + {"for TLS 1.2 support", test_tls1_2, "yes", "no", "dunno"}, {"for TLS 1.1 support", test_tls1_1, "yes", "no", "dunno"}, {"fallback from TLS 1.1 to", test_tls1_1_fallback, "TLS 1.0", "failed", "SSL 3.0"}, @@ -139,14 +142,8 @@ static const TLS_TEST tls_tests[] = { {"for ZLIB compression support (TLS extension)", test_zlib, "yes", "no", "dunno"}, #endif - {"for LZO compression support (GnuTLS extension)", test_lzo, "yes", - "no", "dunno"}, {"for max record size (TLS extension)", test_max_record_size, "yes", "no", "dunno"}, -#ifdef ENABLE_SRP - {"for SRP authentication support (TLS extension)", test_srp, "yes", - "no", "dunno"}, -#endif {"for OpenPGP authentication support (TLS extension)", test_openpgp1, "yes", "no", "dunno"}, {NULL, NULL, NULL, NULL, NULL} @@ -233,7 +230,7 @@ main (int argc, char **argv) /* if neither of SSL3 and TLSv1 are supported, exit */ - if (i > 3 && tls1_1_ok == 0 && tls1_ok == 0 && ssl3_ok == 0) + if (i > 6 && tls1_1_ok == 0 && tls1_ok == 0 && ssl3_ok == 0) { fprintf (stderr, "\nServer does not support any of SSL 3.0, TLS 1.0 and TLS 1.1\n"); diff -up gnutls-2.8.6/tests/Makefile.in.reneg gnutls-2.8.6/tests/Makefile.in --- gnutls-2.8.6/tests/Makefile.in.reneg 2010-03-15 11:29:22.000000000 +0100 +++ gnutls-2.8.6/tests/Makefile.in 2010-05-31 22:52:31.000000000 +0200 @@ -422,7 +422,7 @@ CTAGS = ctags am__tty_colors = \ red=; grn=; lgn=; blu=; std= DIST_SUBDIRS = . rsa-md5-collision pkcs1-padding pkcs8-decode \ - pkcs12-decode userid pathlen key-id sha2 openpgp-certs + pkcs12-decode userid pathlen key-id sha2 openpgp-certs safe-renegotiation DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -972,7 +972,7 @@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ SUBDIRS = . rsa-md5-collision pkcs1-padding pkcs8-decode pkcs12-decode \ - userid pathlen key-id sha2 $(am__append_1) + userid pathlen key-id sha2 safe-renegotiation $(am__append_1) EXTRA_DIST = libgcrypt.supp hostname-check.README AM_CFLAGS = $(WARN_CFLAGS) $(WERROR_CFLAGS) AM_CPPFLAGS = -I$(top_srcdir)/gl -I$(top_builddir)/gl \ diff -up gnutls-2.8.6/tests/resume.c.reneg gnutls-2.8.6/tests/resume.c --- gnutls-2.8.6/tests/resume.c.reneg 2009-06-02 20:59:32.000000000 +0200 +++ gnutls-2.8.6/tests/resume.c 2010-05-31 22:52:31.000000000 +0200 @@ -47,6 +47,8 @@ static int wrap_db_store (void *dbf, gnu static gnutls_datum_t wrap_db_fetch (void *dbf, gnutls_datum_t key); static int wrap_db_delete (void *dbf, gnutls_datum_t key); +pid_t child; + #define TLS_SESSION_CACHE 50 /* A very basic TLS client, with anonymous authentication. @@ -56,6 +58,12 @@ static int wrap_db_delete (void *dbf, gn #define MSG "Hello TLS" static void +tls_log_func (int level, const char *str) +{ + fprintf (stderr, "%s |<%d>| %s", child ? "server" : "client", level, str); +} + +static void client (void) { int ret, sd, ii; @@ -70,6 +78,11 @@ client (void) int t; gnutls_datum session_data; + if (debug) + { + gnutls_global_set_log_function (tls_log_func); + gnutls_global_set_log_level (2); + } gnutls_global_init (); gnutls_anon_allocate_client_credentials (&anoncred); @@ -298,8 +311,13 @@ server (void) /* this must be called once in the program, it is mostly for the server. */ - gnutls_global_init (); + if (debug) + { + gnutls_global_set_log_function (tls_log_func); + gnutls_global_set_log_level (2); + } + gnutls_global_init (); gnutls_anon_allocate_server_credentials (&anoncred); success ("Launched, generating DH parameters...\n"); @@ -385,8 +403,6 @@ server (void) void doit (void) { - pid_t child; - global_start (); if (error_count) return; diff -up gnutls-2.8.6/tests/safe-renegotiation/Makefile.am.reneg gnutls-2.8.6/tests/safe-renegotiation/Makefile.am --- gnutls-2.8.6/tests/safe-renegotiation/Makefile.am.reneg 2010-05-31 22:52:31.000000000 +0200 +++ gnutls-2.8.6/tests/safe-renegotiation/Makefile.am 2010-05-31 22:52:31.000000000 +0200 @@ -0,0 +1,24 @@ +## Process this file with automake to produce Makefile.in +# Copyright (C) 2010 Free Software Foundation +# +# This file is part of GNUTLS. +# +# This file is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This file is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this file; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +EXTRA_DIST = params.dh + +dist_check_SCRIPTS = testsrn +TESTS = testsrn + diff -up gnutls-2.8.6/tests/safe-renegotiation/Makefile.in.reneg gnutls-2.8.6/tests/safe-renegotiation/Makefile.in --- gnutls-2.8.6/tests/safe-renegotiation/Makefile.in.reneg 2010-05-31 22:52:31.000000000 +0200 +++ gnutls-2.8.6/tests/safe-renegotiation/Makefile.in 2010-05-31 22:52:31.000000000 +0200 @@ -0,0 +1,937 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# Copyright (C) 2006, 2008 Free Software Foundation +# +# Author: Simon Josefsson +# +# This file is part of GNUTLS. +# +# This file is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This file is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this file; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = tests/safe-renegotiation +DIST_COMMON = $(dist_check_SCRIPTS) $(srcdir)/Makefile.am \ + $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/libextra/m4/hooks.m4 \ + $(top_srcdir)/lib/m4/hooks.m4 $(top_srcdir)/lib/gl/m4/po.m4 \ + $(top_srcdir)/gl/m4/00gnulib.m4 $(top_srcdir)/gl/m4/alloca.m4 \ + $(top_srcdir)/gl/m4/arpa_inet_h.m4 \ + $(top_srcdir)/gl/m4/autobuild.m4 $(top_srcdir)/gl/m4/close.m4 \ + $(top_srcdir)/gl/m4/errno_h.m4 $(top_srcdir)/gl/m4/error.m4 \ + $(top_srcdir)/gl/m4/extensions.m4 \ + $(top_srcdir)/gl/m4/fclose.m4 $(top_srcdir)/gl/m4/float_h.m4 \ + $(top_srcdir)/gl/m4/fseeko.m4 \ + $(top_srcdir)/gl/m4/getaddrinfo.m4 \ + $(top_srcdir)/gl/m4/getdelim.m4 $(top_srcdir)/gl/m4/getline.m4 \ + $(top_srcdir)/gl/m4/getpass.m4 \ + $(top_srcdir)/gl/m4/gettimeofday.m4 \ + $(top_srcdir)/gl/m4/gnulib-common.m4 \ + $(top_srcdir)/gl/m4/gnulib-comp.m4 \ + $(top_srcdir)/gl/m4/hostent.m4 \ + $(top_srcdir)/gl/m4/include_next.m4 \ + $(top_srcdir)/gl/m4/inet_ntop.m4 \ + $(top_srcdir)/gl/m4/inet_pton.m4 \ + $(top_srcdir)/gl/m4/intmax_t.m4 \ + $(top_srcdir)/gl/m4/inttypes_h.m4 \ + $(top_srcdir)/gl/m4/lib-ld.m4 $(top_srcdir)/gl/m4/lib-link.m4 \ + $(top_srcdir)/gl/m4/lib-prefix.m4 \ + $(top_srcdir)/gl/m4/longlong.m4 $(top_srcdir)/gl/m4/lseek.m4 \ + $(top_srcdir)/gl/m4/malloc.m4 \ + $(top_srcdir)/gl/m4/manywarnings.m4 \ + $(top_srcdir)/gl/m4/minmax.m4 $(top_srcdir)/gl/m4/multiarch.m4 \ + $(top_srcdir)/gl/m4/netdb_h.m4 \ + $(top_srcdir)/gl/m4/netinet_in_h.m4 \ + $(top_srcdir)/gl/m4/onceonly_2_57.m4 \ + $(top_srcdir)/gl/m4/perror.m4 \ + $(top_srcdir)/gl/m4/pmccabe2html.m4 \ + $(top_srcdir)/gl/m4/printf.m4 $(top_srcdir)/gl/m4/read-file.m4 \ + $(top_srcdir)/gl/m4/readline.m4 $(top_srcdir)/gl/m4/realloc.m4 \ + $(top_srcdir)/gl/m4/select.m4 $(top_srcdir)/gl/m4/servent.m4 \ + $(top_srcdir)/gl/m4/size_max.m4 \ + $(top_srcdir)/gl/m4/snprintf.m4 $(top_srcdir)/gl/m4/sockets.m4 \ + $(top_srcdir)/gl/m4/socklen.m4 $(top_srcdir)/gl/m4/sockpfaf.m4 \ + $(top_srcdir)/gl/m4/stdarg.m4 $(top_srcdir)/gl/m4/stdbool.m4 \ + $(top_srcdir)/gl/m4/stdint.m4 $(top_srcdir)/gl/m4/stdint_h.m4 \ + $(top_srcdir)/gl/m4/stdio_h.m4 $(top_srcdir)/gl/m4/stdlib_h.m4 \ + $(top_srcdir)/gl/m4/strerror.m4 \ + $(top_srcdir)/gl/m4/string_h.m4 \ + $(top_srcdir)/gl/m4/sys_ioctl_h.m4 \ + $(top_srcdir)/gl/m4/sys_select_h.m4 \ + $(top_srcdir)/gl/m4/sys_socket_h.m4 \ + $(top_srcdir)/gl/m4/sys_stat_h.m4 \ + $(top_srcdir)/gl/m4/sys_time_h.m4 \ + $(top_srcdir)/gl/m4/ungetc.m4 $(top_srcdir)/gl/m4/unistd_h.m4 \ + $(top_srcdir)/gl/m4/vasnprintf.m4 \ + $(top_srcdir)/gl/m4/warnings.m4 $(top_srcdir)/gl/m4/wchar.m4 \ + $(top_srcdir)/gl/m4/wchar_t.m4 $(top_srcdir)/gl/m4/wint_t.m4 \ + $(top_srcdir)/gl/m4/xsize.m4 $(top_srcdir)/m4/gtk-doc.m4 \ + $(top_srcdir)/m4/guile.m4 $(top_srcdir)/m4/libtool.m4 \ + $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ + $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ + $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/m4/valgrind.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +SOURCES = +DIST_SOURCES = +am__tty_colors = \ +red=; grn=; lgn=; blu=; std= +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +ALLOCA_H = @ALLOCA_H@ +AMTAR = @AMTAR@ +APPLE_UNIVERSAL_BUILD = @APPLE_UNIVERSAL_BUILD@ +AR = @AR@ +ARPA_INET_H = @ARPA_INET_H@ +AS = @AS@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BITSIZEOF_PTRDIFF_T = @BITSIZEOF_PTRDIFF_T@ +BITSIZEOF_SIG_ATOMIC_T = @BITSIZEOF_SIG_ATOMIC_T@ +BITSIZEOF_SIZE_T = @BITSIZEOF_SIZE_T@ +BITSIZEOF_WCHAR_T = @BITSIZEOF_WCHAR_T@ +BITSIZEOF_WINT_T = @BITSIZEOF_WINT_T@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLTOOL = @DLLTOOL@ +DLL_VERSION = @DLL_VERSION@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EMULTIHOP_HIDDEN = @EMULTIHOP_HIDDEN@ +EMULTIHOP_VALUE = @EMULTIHOP_VALUE@ +ENOLINK_HIDDEN = @ENOLINK_HIDDEN@ +ENOLINK_VALUE = @ENOLINK_VALUE@ +EOVERFLOW_HIDDEN = @EOVERFLOW_HIDDEN@ +EOVERFLOW_VALUE = @EOVERFLOW_VALUE@ +ERRNO_H = @ERRNO_H@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +FLOAT_H = @FLOAT_H@ +GAA = @GAA@ +GETADDRINFO_LIB = @GETADDRINFO_LIB@ +GNULIB_ACCEPT = @GNULIB_ACCEPT@ +GNULIB_ATOLL = @GNULIB_ATOLL@ +GNULIB_BIND = @GNULIB_BIND@ +GNULIB_BTOWC = @GNULIB_BTOWC@ +GNULIB_CALLOC_POSIX = @GNULIB_CALLOC_POSIX@ +GNULIB_CHOWN = @GNULIB_CHOWN@ +GNULIB_CLOSE = @GNULIB_CLOSE@ +GNULIB_CONNECT = @GNULIB_CONNECT@ +GNULIB_DPRINTF = @GNULIB_DPRINTF@ +GNULIB_DUP2 = @GNULIB_DUP2@ +GNULIB_ENVIRON = @GNULIB_ENVIRON@ +GNULIB_EUIDACCESS = @GNULIB_EUIDACCESS@ +GNULIB_FCHDIR = @GNULIB_FCHDIR@ +GNULIB_FCLOSE = @GNULIB_FCLOSE@ +GNULIB_FFLUSH = @GNULIB_FFLUSH@ +GNULIB_FOPEN = @GNULIB_FOPEN@ +GNULIB_FPRINTF = @GNULIB_FPRINTF@ +GNULIB_FPRINTF_POSIX = @GNULIB_FPRINTF_POSIX@ +GNULIB_FPUTC = @GNULIB_FPUTC@ +GNULIB_FPUTS = @GNULIB_FPUTS@ +GNULIB_FREOPEN = @GNULIB_FREOPEN@ +GNULIB_FSEEK = @GNULIB_FSEEK@ +GNULIB_FSEEKO = @GNULIB_FSEEKO@ +GNULIB_FSYNC = @GNULIB_FSYNC@ +GNULIB_FTELL = @GNULIB_FTELL@ +GNULIB_FTELLO = @GNULIB_FTELLO@ +GNULIB_FTRUNCATE = @GNULIB_FTRUNCATE@ +GNULIB_FWRITE = @GNULIB_FWRITE@ +GNULIB_GETADDRINFO = @GNULIB_GETADDRINFO@ +GNULIB_GETCWD = @GNULIB_GETCWD@ +GNULIB_GETDELIM = @GNULIB_GETDELIM@ +GNULIB_GETDOMAINNAME = @GNULIB_GETDOMAINNAME@ +GNULIB_GETDTABLESIZE = @GNULIB_GETDTABLESIZE@ +GNULIB_GETHOSTNAME = @GNULIB_GETHOSTNAME@ +GNULIB_GETLINE = @GNULIB_GETLINE@ +GNULIB_GETLOADAVG = @GNULIB_GETLOADAVG@ +GNULIB_GETLOGIN_R = @GNULIB_GETLOGIN_R@ +GNULIB_GETPAGESIZE = @GNULIB_GETPAGESIZE@ +GNULIB_GETPEERNAME = @GNULIB_GETPEERNAME@ +GNULIB_GETSOCKNAME = @GNULIB_GETSOCKNAME@ +GNULIB_GETSOCKOPT = @GNULIB_GETSOCKOPT@ +GNULIB_GETSUBOPT = @GNULIB_GETSUBOPT@ +GNULIB_GETUSERSHELL = @GNULIB_GETUSERSHELL@ +GNULIB_INET_NTOP = @GNULIB_INET_NTOP@ +GNULIB_INET_PTON = @GNULIB_INET_PTON@ +GNULIB_IOCTL = @GNULIB_IOCTL@ +GNULIB_LCHMOD = @GNULIB_LCHMOD@ +GNULIB_LCHOWN = @GNULIB_LCHOWN@ +GNULIB_LINK = @GNULIB_LINK@ +GNULIB_LISTEN = @GNULIB_LISTEN@ +GNULIB_LSEEK = @GNULIB_LSEEK@ +GNULIB_LSTAT = @GNULIB_LSTAT@ +GNULIB_MALLOC_POSIX = @GNULIB_MALLOC_POSIX@ +GNULIB_MBRLEN = @GNULIB_MBRLEN@ +GNULIB_MBRTOWC = @GNULIB_MBRTOWC@ +GNULIB_MBSCASECMP = @GNULIB_MBSCASECMP@ +GNULIB_MBSCASESTR = @GNULIB_MBSCASESTR@ +GNULIB_MBSCHR = @GNULIB_MBSCHR@ +GNULIB_MBSCSPN = @GNULIB_MBSCSPN@ +GNULIB_MBSINIT = @GNULIB_MBSINIT@ +GNULIB_MBSLEN = @GNULIB_MBSLEN@ +GNULIB_MBSNCASECMP = @GNULIB_MBSNCASECMP@ +GNULIB_MBSNLEN = @GNULIB_MBSNLEN@ +GNULIB_MBSNRTOWCS = @GNULIB_MBSNRTOWCS@ +GNULIB_MBSPBRK = @GNULIB_MBSPBRK@ +GNULIB_MBSPCASECMP = @GNULIB_MBSPCASECMP@ +GNULIB_MBSRCHR = @GNULIB_MBSRCHR@ +GNULIB_MBSRTOWCS = @GNULIB_MBSRTOWCS@ +GNULIB_MBSSEP = @GNULIB_MBSSEP@ +GNULIB_MBSSPN = @GNULIB_MBSSPN@ +GNULIB_MBSSTR = @GNULIB_MBSSTR@ +GNULIB_MBSTOK_R = @GNULIB_MBSTOK_R@ +GNULIB_MEMMEM = @GNULIB_MEMMEM@ +GNULIB_MEMPCPY = @GNULIB_MEMPCPY@ +GNULIB_MEMRCHR = @GNULIB_MEMRCHR@ +GNULIB_MKDTEMP = @GNULIB_MKDTEMP@ +GNULIB_MKSTEMP = @GNULIB_MKSTEMP@ +GNULIB_OBSTACK_PRINTF = @GNULIB_OBSTACK_PRINTF@ +GNULIB_OBSTACK_PRINTF_POSIX = @GNULIB_OBSTACK_PRINTF_POSIX@ +GNULIB_PERROR = @GNULIB_PERROR@ +GNULIB_PRINTF = @GNULIB_PRINTF@ +GNULIB_PRINTF_POSIX = @GNULIB_PRINTF_POSIX@ +GNULIB_PUTC = @GNULIB_PUTC@ +GNULIB_PUTCHAR = @GNULIB_PUTCHAR@ +GNULIB_PUTENV = @GNULIB_PUTENV@ +GNULIB_PUTS = @GNULIB_PUTS@ +GNULIB_RANDOM_R = @GNULIB_RANDOM_R@ +GNULIB_RAWMEMCHR = @GNULIB_RAWMEMCHR@ +GNULIB_READLINK = @GNULIB_READLINK@ +GNULIB_REALLOC_POSIX = @GNULIB_REALLOC_POSIX@ +GNULIB_RECV = @GNULIB_RECV@ +GNULIB_RECVFROM = @GNULIB_RECVFROM@ +GNULIB_RPMATCH = @GNULIB_RPMATCH@ +GNULIB_SELECT = @GNULIB_SELECT@ +GNULIB_SEND = @GNULIB_SEND@ +GNULIB_SENDTO = @GNULIB_SENDTO@ +GNULIB_SETENV = @GNULIB_SETENV@ +GNULIB_SETSOCKOPT = @GNULIB_SETSOCKOPT@ +GNULIB_SHUTDOWN = @GNULIB_SHUTDOWN@ +GNULIB_SLEEP = @GNULIB_SLEEP@ +GNULIB_SNPRINTF = @GNULIB_SNPRINTF@ +GNULIB_SOCKET = @GNULIB_SOCKET@ +GNULIB_SPRINTF_POSIX = @GNULIB_SPRINTF_POSIX@ +GNULIB_STDIO_H_SIGPIPE = @GNULIB_STDIO_H_SIGPIPE@ +GNULIB_STPCPY = @GNULIB_STPCPY@ +GNULIB_STPNCPY = @GNULIB_STPNCPY@ +GNULIB_STRCASESTR = @GNULIB_STRCASESTR@ +GNULIB_STRCHRNUL = @GNULIB_STRCHRNUL@ +GNULIB_STRDUP = @GNULIB_STRDUP@ +GNULIB_STRERROR = @GNULIB_STRERROR@ +GNULIB_STRNDUP = @GNULIB_STRNDUP@ +GNULIB_STRNLEN = @GNULIB_STRNLEN@ +GNULIB_STRPBRK = @GNULIB_STRPBRK@ +GNULIB_STRSEP = @GNULIB_STRSEP@ +GNULIB_STRSIGNAL = @GNULIB_STRSIGNAL@ +GNULIB_STRSTR = @GNULIB_STRSTR@ +GNULIB_STRTOD = @GNULIB_STRTOD@ +GNULIB_STRTOK_R = @GNULIB_STRTOK_R@ +GNULIB_STRTOLL = @GNULIB_STRTOLL@ +GNULIB_STRTOULL = @GNULIB_STRTOULL@ +GNULIB_STRVERSCMP = @GNULIB_STRVERSCMP@ +GNULIB_UNISTD_H_SIGPIPE = @GNULIB_UNISTD_H_SIGPIPE@ +GNULIB_UNSETENV = @GNULIB_UNSETENV@ +GNULIB_VASPRINTF = @GNULIB_VASPRINTF@ +GNULIB_VDPRINTF = @GNULIB_VDPRINTF@ +GNULIB_VFPRINTF = @GNULIB_VFPRINTF@ +GNULIB_VFPRINTF_POSIX = @GNULIB_VFPRINTF_POSIX@ +GNULIB_VPRINTF = @GNULIB_VPRINTF@ +GNULIB_VPRINTF_POSIX = @GNULIB_VPRINTF_POSIX@ +GNULIB_VSNPRINTF = @GNULIB_VSNPRINTF@ +GNULIB_VSPRINTF_POSIX = @GNULIB_VSPRINTF_POSIX@ +GNULIB_WCRTOMB = @GNULIB_WCRTOMB@ +GNULIB_WCSNRTOMBS = @GNULIB_WCSNRTOMBS@ +GNULIB_WCSRTOMBS = @GNULIB_WCSRTOMBS@ +GNULIB_WCTOB = @GNULIB_WCTOB@ +GNULIB_WCWIDTH = @GNULIB_WCWIDTH@ +GNULIB_WRITE = @GNULIB_WRITE@ +GREP = @GREP@ +GTKDOC_CHECK = @GTKDOC_CHECK@ +GTKDOC_MKPDF = @GTKDOC_MKPDF@ +GTKDOC_REBASE = @GTKDOC_REBASE@ +GUILE = @GUILE@ +GUILE_CFLAGS = @GUILE_CFLAGS@ +GUILE_CONFIG = @GUILE_CONFIG@ +GUILE_LDFLAGS = @GUILE_LDFLAGS@ +GUILE_SITE = @GUILE_SITE@ +GUILE_TOOLS = @GUILE_TOOLS@ +HAVE_ARPA_INET_H = @HAVE_ARPA_INET_H@ +HAVE_ATOLL = @HAVE_ATOLL@ +HAVE_BTOWC = @HAVE_BTOWC@ +HAVE_CALLOC_POSIX = @HAVE_CALLOC_POSIX@ +HAVE_DECL_ENVIRON = @HAVE_DECL_ENVIRON@ +HAVE_DECL_FREEADDRINFO = @HAVE_DECL_FREEADDRINFO@ +HAVE_DECL_GAI_STRERROR = @HAVE_DECL_GAI_STRERROR@ +HAVE_DECL_GETADDRINFO = @HAVE_DECL_GETADDRINFO@ +HAVE_DECL_GETDELIM = @HAVE_DECL_GETDELIM@ +HAVE_DECL_GETLINE = @HAVE_DECL_GETLINE@ +HAVE_DECL_GETLOADAVG = @HAVE_DECL_GETLOADAVG@ +HAVE_DECL_GETLOGIN_R = @HAVE_DECL_GETLOGIN_R@ +HAVE_DECL_GETNAMEINFO = @HAVE_DECL_GETNAMEINFO@ +HAVE_DECL_INET_NTOP = @HAVE_DECL_INET_NTOP@ +HAVE_DECL_INET_PTON = @HAVE_DECL_INET_PTON@ +HAVE_DECL_MEMMEM = @HAVE_DECL_MEMMEM@ +HAVE_DECL_MEMRCHR = @HAVE_DECL_MEMRCHR@ +HAVE_DECL_OBSTACK_PRINTF = @HAVE_DECL_OBSTACK_PRINTF@ +HAVE_DECL_SNPRINTF = @HAVE_DECL_SNPRINTF@ +HAVE_DECL_STRDUP = @HAVE_DECL_STRDUP@ +HAVE_DECL_STRERROR = @HAVE_DECL_STRERROR@ +HAVE_DECL_STRNDUP = @HAVE_DECL_STRNDUP@ +HAVE_DECL_STRNLEN = @HAVE_DECL_STRNLEN@ +HAVE_DECL_STRSIGNAL = @HAVE_DECL_STRSIGNAL@ +HAVE_DECL_STRTOK_R = @HAVE_DECL_STRTOK_R@ +HAVE_DECL_VSNPRINTF = @HAVE_DECL_VSNPRINTF@ +HAVE_DECL_WCTOB = @HAVE_DECL_WCTOB@ +HAVE_DECL_WCWIDTH = @HAVE_DECL_WCWIDTH@ +HAVE_DPRINTF = @HAVE_DPRINTF@ +HAVE_DUP2 = @HAVE_DUP2@ +HAVE_EUIDACCESS = @HAVE_EUIDACCESS@ +HAVE_FSEEKO = @HAVE_FSEEKO@ +HAVE_FSYNC = @HAVE_FSYNC@ +HAVE_FTELLO = @HAVE_FTELLO@ +HAVE_FTRUNCATE = @HAVE_FTRUNCATE@ +HAVE_GETDOMAINNAME = @HAVE_GETDOMAINNAME@ +HAVE_GETDTABLESIZE = @HAVE_GETDTABLESIZE@ +HAVE_GETHOSTNAME = @HAVE_GETHOSTNAME@ +HAVE_GETPAGESIZE = @HAVE_GETPAGESIZE@ +HAVE_GETSUBOPT = @HAVE_GETSUBOPT@ +HAVE_GETUSERSHELL = @HAVE_GETUSERSHELL@ +HAVE_INTTYPES_H = @HAVE_INTTYPES_H@ +HAVE_LCHMOD = @HAVE_LCHMOD@ +HAVE_LIBGCRYPT = @HAVE_LIBGCRYPT@ +HAVE_LIBTASN1 = @HAVE_LIBTASN1@ +HAVE_LINK = @HAVE_LINK@ +HAVE_LONG_LONG_INT = @HAVE_LONG_LONG_INT@ +HAVE_LSTAT = @HAVE_LSTAT@ +HAVE_MALLOC_POSIX = @HAVE_MALLOC_POSIX@ +HAVE_MBRLEN = @HAVE_MBRLEN@ +HAVE_MBRTOWC = @HAVE_MBRTOWC@ +HAVE_MBSINIT = @HAVE_MBSINIT@ +HAVE_MBSNRTOWCS = @HAVE_MBSNRTOWCS@ +HAVE_MBSRTOWCS = @HAVE_MBSRTOWCS@ +HAVE_MEMPCPY = @HAVE_MEMPCPY@ +HAVE_MKDTEMP = @HAVE_MKDTEMP@ +HAVE_NETDB_H = @HAVE_NETDB_H@ +HAVE_NETINET_IN_H = @HAVE_NETINET_IN_H@ +HAVE_OS_H = @HAVE_OS_H@ +HAVE_RANDOM_H = @HAVE_RANDOM_H@ +HAVE_RANDOM_R = @HAVE_RANDOM_R@ +HAVE_RAWMEMCHR = @HAVE_RAWMEMCHR@ +HAVE_READLINK = @HAVE_READLINK@ +HAVE_REALLOC_POSIX = @HAVE_REALLOC_POSIX@ +HAVE_RPMATCH = @HAVE_RPMATCH@ +HAVE_SA_FAMILY_T = @HAVE_SA_FAMILY_T@ +HAVE_SETENV = @HAVE_SETENV@ +HAVE_SIGNED_SIG_ATOMIC_T = @HAVE_SIGNED_SIG_ATOMIC_T@ +HAVE_SIGNED_WCHAR_T = @HAVE_SIGNED_WCHAR_T@ +HAVE_SIGNED_WINT_T = @HAVE_SIGNED_WINT_T@ +HAVE_SLEEP = @HAVE_SLEEP@ +HAVE_STDINT_H = @HAVE_STDINT_H@ +HAVE_STPCPY = @HAVE_STPCPY@ +HAVE_STPNCPY = @HAVE_STPNCPY@ +HAVE_STRCASESTR = @HAVE_STRCASESTR@ +HAVE_STRCHRNUL = @HAVE_STRCHRNUL@ +HAVE_STRNDUP = @HAVE_STRNDUP@ +HAVE_STRPBRK = @HAVE_STRPBRK@ +HAVE_STRSEP = @HAVE_STRSEP@ +HAVE_STRTOD = @HAVE_STRTOD@ +HAVE_STRTOLL = @HAVE_STRTOLL@ +HAVE_STRTOULL = @HAVE_STRTOULL@ +HAVE_STRUCT_ADDRINFO = @HAVE_STRUCT_ADDRINFO@ +HAVE_STRUCT_RANDOM_DATA = @HAVE_STRUCT_RANDOM_DATA@ +HAVE_STRUCT_SOCKADDR_STORAGE = @HAVE_STRUCT_SOCKADDR_STORAGE@ +HAVE_STRUCT_TIMEVAL = @HAVE_STRUCT_TIMEVAL@ +HAVE_STRVERSCMP = @HAVE_STRVERSCMP@ +HAVE_SYS_BITYPES_H = @HAVE_SYS_BITYPES_H@ +HAVE_SYS_INTTYPES_H = @HAVE_SYS_INTTYPES_H@ +HAVE_SYS_IOCTL_H = @HAVE_SYS_IOCTL_H@ +HAVE_SYS_LOADAVG_H = @HAVE_SYS_LOADAVG_H@ +HAVE_SYS_PARAM_H = @HAVE_SYS_PARAM_H@ +HAVE_SYS_SELECT_H = @HAVE_SYS_SELECT_H@ +HAVE_SYS_SOCKET_H = @HAVE_SYS_SOCKET_H@ +HAVE_SYS_TIME_H = @HAVE_SYS_TIME_H@ +HAVE_SYS_TYPES_H = @HAVE_SYS_TYPES_H@ +HAVE_UNISTD_H = @HAVE_UNISTD_H@ +HAVE_UNSETENV = @HAVE_UNSETENV@ +HAVE_UNSIGNED_LONG_LONG_INT = @HAVE_UNSIGNED_LONG_LONG_INT@ +HAVE_VASPRINTF = @HAVE_VASPRINTF@ +HAVE_VDPRINTF = @HAVE_VDPRINTF@ +HAVE_WCHAR_H = @HAVE_WCHAR_H@ +HAVE_WCRTOMB = @HAVE_WCRTOMB@ +HAVE_WCSNRTOMBS = @HAVE_WCSNRTOMBS@ +HAVE_WCSRTOMBS = @HAVE_WCSRTOMBS@ +HAVE_WINSOCK2_H = @HAVE_WINSOCK2_H@ +HAVE_WINT_T = @HAVE_WINT_T@ +HAVE_WS2TCPIP_H = @HAVE_WS2TCPIP_H@ +HAVE__BOOL = @HAVE__BOOL@ +HOSTENT_LIB = @HOSTENT_LIB@ +HTML_DIR = @HTML_DIR@ +INCLUDE_NEXT = @INCLUDE_NEXT@ +INCLUDE_NEXT_AS_FIRST_DIRECTIVE = @INCLUDE_NEXT_AS_FIRST_DIRECTIVE@ +INET_NTOP_LIB = @INET_NTOP_LIB@ +INET_PTON_LIB = @INET_PTON_LIB@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LIBGCRYPT = @LIBGCRYPT@ +LIBGCRYPT_PREFIX = @LIBGCRYPT_PREFIX@ +LIBINTL = @LIBINTL@ +LIBOBJS = @LIBOBJS@ +LIBREADLINE = @LIBREADLINE@ +LIBS = @LIBS@ +LIBSOCKET = @LIBSOCKET@ +LIBTASN1 = @LIBTASN1@ +LIBTASN1_PREFIX = @LIBTASN1_PREFIX@ +LIBTESTS_LIBDEPS = @LIBTESTS_LIBDEPS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTALLOCA = @LTALLOCA@ +LTLIBGCRYPT = @LTLIBGCRYPT@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +LTLIBREADLINE = @LTLIBREADLINE@ +LTLIBTASN1 = @LTLIBTASN1@ +LT_AGE = @LT_AGE@ +LT_CURRENT = @LT_CURRENT@ +LT_REVISION = @LT_REVISION@ +LZO_LIBS = @LZO_LIBS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +NETDB_H = @NETDB_H@ +NETINET_IN_H = @NETINET_IN_H@ +NEXT_ARPA_INET_H = @NEXT_ARPA_INET_H@ +NEXT_ERRNO_H = @NEXT_ERRNO_H@ +NEXT_FLOAT_H = @NEXT_FLOAT_H@ +NEXT_NETDB_H = @NEXT_NETDB_H@ +NEXT_NETINET_IN_H = @NEXT_NETINET_IN_H@ +NEXT_STDARG_H = @NEXT_STDARG_H@ +NEXT_STDINT_H = @NEXT_STDINT_H@ +NEXT_STDIO_H = @NEXT_STDIO_H@ +NEXT_STDLIB_H = @NEXT_STDLIB_H@ +NEXT_STRING_H = @NEXT_STRING_H@ +NEXT_SYS_IOCTL_H = @NEXT_SYS_IOCTL_H@ +NEXT_SYS_SELECT_H = @NEXT_SYS_SELECT_H@ +NEXT_SYS_SOCKET_H = @NEXT_SYS_SOCKET_H@ +NEXT_SYS_STAT_H = @NEXT_SYS_STAT_H@ +NEXT_SYS_TIME_H = @NEXT_SYS_TIME_H@ +NEXT_UNISTD_H = @NEXT_UNISTD_H@ +NEXT_WCHAR_H = @NEXT_WCHAR_H@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ +PMCCABE = @PMCCABE@ +PRAGMA_SYSTEM_HEADER = @PRAGMA_SYSTEM_HEADER@ +PTRDIFF_T_SUFFIX = @PTRDIFF_T_SUFFIX@ +RANLIB = @RANLIB@ +REPLACE_BTOWC = @REPLACE_BTOWC@ +REPLACE_CHOWN = @REPLACE_CHOWN@ +REPLACE_CLOSE = @REPLACE_CLOSE@ +REPLACE_DPRINTF = @REPLACE_DPRINTF@ +REPLACE_FCHDIR = @REPLACE_FCHDIR@ +REPLACE_FCLOSE = @REPLACE_FCLOSE@ +REPLACE_FFLUSH = @REPLACE_FFLUSH@ +REPLACE_FOPEN = @REPLACE_FOPEN@ +REPLACE_FPRINTF = @REPLACE_FPRINTF@ +REPLACE_FREOPEN = @REPLACE_FREOPEN@ +REPLACE_FSEEK = @REPLACE_FSEEK@ +REPLACE_FSEEKO = @REPLACE_FSEEKO@ +REPLACE_FTELL = @REPLACE_FTELL@ +REPLACE_FTELLO = @REPLACE_FTELLO@ +REPLACE_GETCWD = @REPLACE_GETCWD@ +REPLACE_GETLINE = @REPLACE_GETLINE@ +REPLACE_GETPAGESIZE = @REPLACE_GETPAGESIZE@ +REPLACE_GETTIMEOFDAY = @REPLACE_GETTIMEOFDAY@ +REPLACE_LCHOWN = @REPLACE_LCHOWN@ +REPLACE_LSEEK = @REPLACE_LSEEK@ +REPLACE_LSTAT = @REPLACE_LSTAT@ +REPLACE_MBRLEN = @REPLACE_MBRLEN@ +REPLACE_MBRTOWC = @REPLACE_MBRTOWC@ +REPLACE_MBSINIT = @REPLACE_MBSINIT@ +REPLACE_MBSNRTOWCS = @REPLACE_MBSNRTOWCS@ +REPLACE_MBSRTOWCS = @REPLACE_MBSRTOWCS@ +REPLACE_MBSTATE_T = @REPLACE_MBSTATE_T@ +REPLACE_MEMMEM = @REPLACE_MEMMEM@ +REPLACE_MKDIR = @REPLACE_MKDIR@ +REPLACE_MKSTEMP = @REPLACE_MKSTEMP@ +REPLACE_OBSTACK_PRINTF = @REPLACE_OBSTACK_PRINTF@ +REPLACE_PERROR = @REPLACE_PERROR@ +REPLACE_PRINTF = @REPLACE_PRINTF@ +REPLACE_PUTENV = @REPLACE_PUTENV@ +REPLACE_SELECT = @REPLACE_SELECT@ +REPLACE_SNPRINTF = @REPLACE_SNPRINTF@ +REPLACE_SPRINTF = @REPLACE_SPRINTF@ +REPLACE_STDIO_WRITE_FUNCS = @REPLACE_STDIO_WRITE_FUNCS@ +REPLACE_STRCASESTR = @REPLACE_STRCASESTR@ +REPLACE_STRDUP = @REPLACE_STRDUP@ +REPLACE_STRERROR = @REPLACE_STRERROR@ +REPLACE_STRSIGNAL = @REPLACE_STRSIGNAL@ +REPLACE_STRSTR = @REPLACE_STRSTR@ +REPLACE_STRTOD = @REPLACE_STRTOD@ +REPLACE_VASPRINTF = @REPLACE_VASPRINTF@ +REPLACE_VDPRINTF = @REPLACE_VDPRINTF@ +REPLACE_VFPRINTF = @REPLACE_VFPRINTF@ +REPLACE_VPRINTF = @REPLACE_VPRINTF@ +REPLACE_VSNPRINTF = @REPLACE_VSNPRINTF@ +REPLACE_VSPRINTF = @REPLACE_VSPRINTF@ +REPLACE_WCRTOMB = @REPLACE_WCRTOMB@ +REPLACE_WCSNRTOMBS = @REPLACE_WCSNRTOMBS@ +REPLACE_WCSRTOMBS = @REPLACE_WCSRTOMBS@ +REPLACE_WCTOB = @REPLACE_WCTOB@ +REPLACE_WCWIDTH = @REPLACE_WCWIDTH@ +REPLACE_WRITE = @REPLACE_WRITE@ +SED = @SED@ +SERVENT_LIB = @SERVENT_LIB@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SIG_ATOMIC_T_SUFFIX = @SIG_ATOMIC_T_SUFFIX@ +SIZE_T_SUFFIX = @SIZE_T_SUFFIX@ +STDARG_H = @STDARG_H@ +STDBOOL_H = @STDBOOL_H@ +STDINT_H = @STDINT_H@ +STRIP = @STRIP@ +SYS_IOCTL_H = @SYS_IOCTL_H@ +SYS_IOCTL_H_HAVE_WINSOCK2_H = @SYS_IOCTL_H_HAVE_WINSOCK2_H@ +SYS_SELECT_H = @SYS_SELECT_H@ +SYS_SOCKET_H = @SYS_SOCKET_H@ +SYS_STAT_H = @SYS_STAT_H@ +SYS_TIME_H = @SYS_TIME_H@ +UNISTD_H_HAVE_WINSOCK2_H = @UNISTD_H_HAVE_WINSOCK2_H@ +VALGRIND = @VALGRIND@ +VERSION = @VERSION@ +VOID_UNSETENV = @VOID_UNSETENV@ +WARN_CFLAGS = @WARN_CFLAGS@ +WCHAR_H = @WCHAR_H@ +WCHAR_T_SUFFIX = @WCHAR_T_SUFFIX@ +WERROR_CFLAGS = @WERROR_CFLAGS@ +WINT_T_SUFFIX = @WINT_T_SUFFIX@ +abs_aux_dir = @abs_aux_dir@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gl_LIBOBJS = @gl_LIBOBJS@ +gl_LTLIBOBJS = @gl_LTLIBOBJS@ +gltests_LIBOBJS = @gltests_LIBOBJS@ +gltests_LTLIBOBJS = @gltests_LTLIBOBJS@ +guile_snarf = @guile_snarf@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +subdirs = @subdirs@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +EXTRA_DIST = params.dh +dist_check_SCRIPTS = testsrn +TESTS = testsrn +TESTS_ENVIRONMENT = EXEEXT=$(EXEEXT) +all: all-am + +.SUFFIXES: +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu tests/safe-renegotiation/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu tests/safe-renegotiation/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +tags: TAGS +TAGS: + +ctags: CTAGS +CTAGS: + + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + $(am__tty_colors); \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *[\ \ ]$$tst[\ \ ]*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + col=$$red; res=XPASS; \ + ;; \ + *) \ + col=$$grn; res=PASS; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *[\ \ ]$$tst[\ \ ]*) \ + xfail=`expr $$xfail + 1`; \ + col=$$lgn; res=XFAIL; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + col=$$red; res=FAIL; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + col=$$blu; res=SKIP; \ + fi; \ + echo "$${col}$$res$${std}: $$tst"; \ + done; \ + if test "$$all" -eq 1; then \ + tests="test"; \ + All=""; \ + else \ + tests="tests"; \ + All="All "; \ + fi; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="$$All$$all $$tests passed"; \ + else \ + if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \ + banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all $$tests failed"; \ + else \ + if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \ + banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + if test "$$skip" -eq 1; then \ + skipped="($$skip test was not run)"; \ + else \ + skipped="($$skip tests were not run)"; \ + fi; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + if test "$$failed" -eq 0; then \ + echo "$$grn$$dashes"; \ + else \ + echo "$$red$$dashes"; \ + fi; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes$$std"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile +installdirs: +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-generic + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-generic mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: + +.MAKE: check-am install-am install-strip + +.PHONY: all all-am check check-TESTS check-am clean clean-generic \ + clean-libtool distclean distclean-generic distclean-libtool \ + distdir dvi dvi-am html html-am info info-am install \ + install-am install-data install-data-am install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-pdf install-pdf-am install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + uninstall uninstall-am + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff -up gnutls-2.8.6/tests/safe-renegotiation/params.dh.reneg gnutls-2.8.6/tests/safe-renegotiation/params.dh --- gnutls-2.8.6/tests/safe-renegotiation/params.dh.reneg 2010-05-31 22:52:31.000000000 +0200 +++ gnutls-2.8.6/tests/safe-renegotiation/params.dh 2010-05-31 22:52:31.000000000 +0200 @@ -0,0 +1,35 @@ + +Generator: 05 + +Prime: c9:e9:2d:fc:94:15:1a:10:4f:3c:b5:16 + 7e:34:10:7d:eb:3d:d5:7d:61:ff:b0:ce + da:7f:6e:0c:ea:db:b4:87:f6:c6:34:a8 + 3c:f8:84:52:14:59:ab:17:5c:d0:f0:86 + c4:02:93:dc:09:83:57:16:98:21:d0:42 + 8e:33:fc:48:69:e6:04:0d:4e:50:09:33 + 2e:28:60:4f:05:08:7c:ce:2f:a6:1a:4c + 41:d1:a3:dd:f6:37:56:44:1d:b0:54:af + f7:4a:a0:c2:19:5d:ce:62:b0:7a:1b:e1 + 5c:7f:bb:4d:7e:9e:28:48:00:a4:9a:86 + 3e:6e:6e:9c:57:41:c7:ec:bf:7f:09:fc + da:25:c2:1e:e0:52:dc:65:8c:40:a3:6e + bd:99:4e:0b:1a:04:e0:23:20:46:5a:d0 + 3f:b3:a4:d6:76:73:b7:cc:61:33:11:54 + a6:32:ff:94:08:d5:66:36:fd:99:69:21 + cc:28:5d:11:52:32:48:b6:a5:b5:c3:b0 + 21:3f:f9:69:25:83:b1:3d:79:a6:ed:ae + db:95:62:fc:72:ca:ad:46:fc:b6:b1:ea + 98:68:97:ba:f2:54:aa:86:ed:62:b1:78 + 5f:d5:19:80:ce:41:ee:98:a1:71:9f:fa + 5b:6b:d8:5e:7e:b3:18:0a:f0:4c:96:76 + 6c:0c:b0:a3 + + +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEAyekt/JQVGhBPPLUWfjQQfes91X1h/7DO2n9uDOrbtIf2xjSoPPiE +UhRZqxdc0PCGxAKT3AmDVxaYIdBCjjP8SGnmBA1OUAkzLihgTwUIfM4vphpMQdGj +3fY3VkQdsFSv90qgwhldzmKwehvhXH+7TX6eKEgApJqGPm5unFdBx+y/fwn82iXC +HuBS3GWMQKNuvZlOCxoE4CMgRlrQP7Ok1nZzt8xhMxFUpjL/lAjVZjb9mWkhzChd +EVIySLaltcOwIT/5aSWDsT15pu2u25Vi/HLKrUb8trHqmGiXuvJUqobtYrF4X9UZ +gM5B7pihcZ/6W2vYXn6zGArwTJZ2bAywowIBBQ== +-----END DH PARAMETERS----- diff -up gnutls-2.8.6/tests/safe-renegotiation/testsrn.reneg gnutls-2.8.6/tests/safe-renegotiation/testsrn --- gnutls-2.8.6/tests/safe-renegotiation/testsrn.reneg 2010-05-31 22:52:31.000000000 +0200 +++ gnutls-2.8.6/tests/safe-renegotiation/testsrn 2010-06-02 10:23:35.000000000 +0200 @@ -0,0 +1,103 @@ +#!/bin/sh + +# Copyright (C) 2010 Free Software Foundation +# +# Author: Nikos Mavrogiannopoulos +# +# This file is part of GNUTLS. +# +# GNUTLS is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# GNUTLS is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with GNUTLS; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +srcdir="${srcdir:-.}" +SERV="${SERV:-../../src/gnutls-serv$EXEEXT} -q" +CLI="${CLI:-../../src/gnutls-cli$EXEEXT}" +PORT="${PORT:-5558}" +unset RETCODE + +fail() { + echo "Failure: $1" >&2 + RETCODE=${RETCODE:-${2:-1}} +} + +echo "Checking Safe renegotiation" + +$SERV -p $PORT --echo --priority NORMAL:+ANON-DH:%PARTIAL_RENEGOTIATION --dhparams $srcdir/params.dh >/dev/null 2>&1 & +pid=$! + +# give the server a chance to initialize +sleep 2 + +$CLI -p $PORT 127.0.0.1 --rehandshake --priority NONE:+AES-128-CBC:+MD5:+SHA1:+VERS-SSL3.0:+ANON-DH:+COMP-NULL:%SAFE_RENEGOTIATION /dev/null 2>&1 || \ + fail "0. Renegotiation should have succeeded!" + +$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION /dev/null 2>&1 || \ + fail "1. Safe rehandshake should have succeeded!" + +$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION /dev/null 2>&1 || \ + fail "2. Unsafe rehandshake should have succeeded!" + +$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 || \ + fail "3. Unsafe negotiation should have succeeded!" + +$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 && \ + fail "4. Unsafe renegotiation should have failed!" + + +kill $pid +wait + +$SERV -p $PORT --echo --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION --dhparams $srcdir/params.dh >/dev/null 2>&1 & +pid=$! + +# give the server a chance to initialize +sleep 2 + +$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION /dev/null 2>&1 || \ + fail "5. Safe rehandshake should have succeeded!" + +$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION /dev/null 2>&1 || \ + fail "6. Unsafe rehandshake should have succeeded!" + +$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 && \ + fail "7. Unsafe negotiation should have failed!" + +$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 && \ + fail "8. Unsafe renegotiation should have failed!" + +kill $pid +wait + +$SERV -p $PORT --echo --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION --dhparams $srcdir/params.dh >/dev/null 2>&1 & +pid=$! + +# give the server a chance to initialize +sleep 2 + +$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION /dev/null 2>&1 && \ + fail "9. Initial connection should have failed!" + +$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION /dev/null 2>&1 || \ + fail "10. Unsafe connection should have succeeded!" + +$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 || \ + fail "11. Unsafe negotiation should have succeeded!" + +$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 || \ + fail "12. Unsafe renegotiation should have succeeded!" + +kill $pid +wait + +exit ${RETCODE:-0} diff -up gnutls-2.8.6/tests/simple.c.reneg gnutls-2.8.6/tests/simple.c --- gnutls-2.8.6/tests/simple.c.reneg 2009-06-02 20:59:32.000000000 +0200 +++ gnutls-2.8.6/tests/simple.c 2010-05-31 22:52:31.000000000 +0200 @@ -50,7 +50,7 @@ doit (void) for (i = 0; algs[i]; i++) { - printf ("pk_list[%d] = %d = %s = %d\n", i, algs[i], + printf ("pk_list[%d] = %d = %s = %d\n", (int)i, algs[i], gnutls_pk_algorithm_get_name (algs[i]), gnutls_pk_get_id (gnutls_pk_algorithm_get_name (algs[i]))); if (gnutls_pk_get_id (gnutls_pk_algorithm_get_name (algs[i])) @@ -76,7 +76,7 @@ doit (void) for (i = 0; algs[i]; i++) { - printf ("sign_list[%d] = %d = %s = %d\n", i, algs[i], + printf ("sign_list[%d] = %d = %s = %d\n", (int)i, algs[i], gnutls_sign_algorithm_get_name (algs[i]), gnutls_sign_get_id (gnutls_sign_algorithm_get_name (algs[i])));