diff options
| author | Patrick J Volkerding <volkerdi@slackware.com> | 2018-05-25 23:29:36 +0000 |
|---|---|---|
| committer | Eric Hameleers <alien@slackware.com> | 2018-05-31 15:04:55 -0700 |
| commit | d8220d28e5d53cd896b28d9dea13e2258923f35a (patch) | |
| tree | 0ae3d22871d934a49ba1689084ba6fe301ee48e0 /patches/source/gnutls | |
| parent | 5a12e7c134274dba706667107d10d231517d3e05 (diff) | |
| download | current-d8220d28e5d53cd896b28d9dea13e2258923f35a.tar.gz | |
Fri May 25 23:29:36 UTC 201813.0
patches/packages/glibc-zoneinfo-2018e-noarch-2_slack13.0.txz: Rebuilt.
Handle removal of US/Pacific-New timezone. If we see that the machine is
using this, it will be automatically switched to US/Pacific.
Diffstat (limited to 'patches/source/gnutls')
16 files changed, 8954 insertions, 0 deletions
diff --git a/patches/source/gnutls/gnutls-2.8.4_CVE-2009-3555.diff b/patches/source/gnutls/gnutls-2.8.4_CVE-2009-3555.diff new file mode 100644 index 00000000..3eb1cebd --- /dev/null +++ b/patches/source/gnutls/gnutls-2.8.4_CVE-2009-3555.diff @@ -0,0 +1,7376 @@ +From 1799ec5c820c421947633bc2f0516236f12d0dca Mon Sep 17 00:00:00 2001 +From: mancha <mancha1@hush.com> +Date: Sun, 29 Sep 2013 +Subject: CVE-2009-3555 [GNUTLS-SA-2009-5] + +Adds safe renegotiation patch from Steve Dispensa, modified by GnuTLS +to conform with project style guidelines, error checking, and RFC 5746. + +This is a backport adaptation for use with GnuTLS 2.8.4. + +For background, read Marsh Ray & Steve Dispensa's 2009 paper: +http://ww1.prweb.com/prfiles/2009/11/05/104435/RenegotiatingTLS.pdf + +Relevant upstream commits: +-------------------------- +https://gitorious.org/gnutls/gnutls/commit/03249cd537c0b5 +https://gitorious.org/gnutls/gnutls/commit/1344b312402d3b +https://gitorious.org/gnutls/gnutls/commit/15090a5f52a5f5 +https://gitorious.org/gnutls/gnutls/commit/17e65babe44763 +https://gitorious.org/gnutls/gnutls/commit/1875dca5e0f6d7 +https://gitorious.org/gnutls/gnutls/commit/1a338cbaaeec11 +https://gitorious.org/gnutls/gnutls/commit/1ac2d2d55d8411 +https://gitorious.org/gnutls/gnutls/commit/1ced4c4d68cf33 +https://gitorious.org/gnutls/gnutls/commit/1d6766cda39a57 +https://gitorious.org/gnutls/gnutls/commit/1e42526790e54d +https://gitorious.org/gnutls/gnutls/commit/22553a5d48bcf0 +https://gitorious.org/gnutls/gnutls/commit/250e4ddf478910 +https://gitorious.org/gnutls/gnutls/commit/2d303d2076f53a +https://gitorious.org/gnutls/gnutls/commit/30748a9bcbfb76 +https://gitorious.org/gnutls/gnutls/commit/36693266659a6d +https://gitorious.org/gnutls/gnutls/commit/3deda2c2f0c2ac +https://gitorious.org/gnutls/gnutls/commit/3ee73d04c2a503 +https://gitorious.org/gnutls/gnutls/commit/4ceabba9547dc3 +https://gitorious.org/gnutls/gnutls/commit/4e5d5518c6cb58 +https://gitorious.org/gnutls/gnutls/commit/4f31d28f160a59 +https://gitorious.org/gnutls/gnutls/commit/530fa2957535be +https://gitorious.org/gnutls/gnutls/commit/555ddcdcf363ca +https://gitorious.org/gnutls/gnutls/commit/58604f748d324c +https://gitorious.org/gnutls/gnutls/commit/5cf6a95171b1a8 +https://gitorious.org/gnutls/gnutls/commit/5dfa0b28334e36 +https://gitorious.org/gnutls/gnutls/commit/5fc3704e32462f +https://gitorious.org/gnutls/gnutls/commit/62e03fb4b0f307 +https://gitorious.org/gnutls/gnutls/commit/705aa8cd3da09a +https://gitorious.org/gnutls/gnutls/commit/78149b946d3cff +https://gitorious.org/gnutls/gnutls/commit/783bfc6415ca0a +https://gitorious.org/gnutls/gnutls/commit/7b6ae740e8e8a4 +https://gitorious.org/gnutls/gnutls/commit/87ff666e310cfa +https://gitorious.org/gnutls/gnutls/commit/8cb3fee16deb3f +https://gitorious.org/gnutls/gnutls/commit/987076c0b8fce9 +https://gitorious.org/gnutls/gnutls/commit/a23f37448755d8 +https://gitorious.org/gnutls/gnutls/commit/a4d4458cf2ec08 +https://gitorious.org/gnutls/gnutls/commit/ae2540986ed382 +https://gitorious.org/gnutls/gnutls/commit/bbc7b93c9e1720 +https://gitorious.org/gnutls/gnutls/commit/bef37bc1f17c83 +https://gitorious.org/gnutls/gnutls/commit/bfe6ede9843c0c +https://gitorious.org/gnutls/gnutls/commit/c1953c310b347b +https://gitorious.org/gnutls/gnutls/commit/caab2fd62fdd32 +https://gitorious.org/gnutls/gnutls/commit/ce53777e3ad877 +https://gitorious.org/gnutls/gnutls/commit/d20cd80b62148c +https://gitorious.org/gnutls/gnutls/commit/dc468cee92c5ae +https://gitorious.org/gnutls/gnutls/commit/de9bc9b3dc1ec0 +https://gitorious.org/gnutls/gnutls/commit/dea2ff7150f00f +https://gitorious.org/gnutls/gnutls/commit/df861cb8ae9728 +https://gitorious.org/gnutls/gnutls/commit/e543db08dc98d4 +https://gitorious.org/gnutls/gnutls/commit/ed8a5c018ea46d +https://gitorious.org/gnutls/gnutls/commit/f623b9904535b8 +https://gitorious.org/gnutls/gnutls/commit/d4ea78c390dff6 +https://gitorious.org/gnutls/gnutls/commit/b2fca85c8fe5db +https://gitorious.org/gnutls/gnutls/commit/100563a343b9e3 +https://gitorious.org/gnutls/gnutls/commit/67ff3f2cedabcf +https://gitorious.org/gnutls/gnutls/commit/8a39da8c8eba54 +https://gitorious.org/gnutls/gnutls/commit/dc5a475674af59 + +--- + AUTHORS | 3 + NEWS | 17 + configure | 3 + configure.ac | 1 + doc/gnutls-api.texi | 14 + doc/gnutls.texi | 94 + + doc/manpages/Makefile.in | 4 + doc/manpages/gnutls-cli.1 | 9 + doc/manpages/gnutls-serv.1 | 9 + doc/manpages/gnutls_priority_init.3 | 15 + doc/manpages/gnutls_safe_renegotiation_status.3 | 41 + lib/Makefile.am | 4 + lib/Makefile.in | 7 + lib/ext_safe_renegotiation.c | 139 ++ + lib/ext_safe_renegotiation.h | 33 + lib/gnutls_alert.c | 6 + lib/gnutls_algorithms.c | 7 + lib/gnutls_algorithms.h | 3 + lib/gnutls_constate.c | 15 + lib/gnutls_errors.c | 6 + lib/gnutls_extensions.c | 20 + lib/gnutls_extensions.h | 4 + lib/gnutls_handshake.c | 391 +++++-- + lib/gnutls_int.h | 39 + lib/gnutls_priority.c | 105 + + lib/gnutls_record.c | 12 + lib/gnutls_state.c | 6 + lib/includes/gnutls/gnutls.h.in | 10 + lib/libgnutls.map | 6 + src/cli-gaa.c | 19 + src/cli-gaa.h | 1 + src/cli.c | 25 + src/cli.gaa | 5 + src/serv.c | 59 - + src/tests.c | 513 ++------- + src/tests.h | 5 + src/tls_test.c | 11 + tests/Makefile.am | 2 + tests/Makefile.in | 4 + tests/resume.c | 22 + tests/safe-renegotiation/Makefile.am | 37 + tests/safe-renegotiation/Makefile.in | 1299 ++++++++++++++++++++++++ + tests/safe-renegotiation/README | 93 + + tests/safe-renegotiation/params.dh | 35 + tests/safe-renegotiation/srn0.c | 338 ++++++ + tests/safe-renegotiation/srn1.c | 341 ++++++ + tests/safe-renegotiation/srn2.c | 341 ++++++ + tests/safe-renegotiation/srn3.c | 264 ++++ + tests/safe-renegotiation/srn4.c | 263 ++++ + tests/safe-renegotiation/srn5.c | 337 ++++++ + tests/safe-renegotiation/srn6.c | 337 ++++++ + tests/safe-renegotiation/srn7.c | 336 ++++++ + tests/safe-renegotiation/testsrn | 103 + + tests/simple.c | 4 + 54 files changed, 5330 insertions(+), 487 deletions(-) + +--- a/AUTHORS 2009-06-02 ++++ b/AUTHORS 2013-09-26 +@@ -51,6 +51,9 @@ OpenPGP discussion and improvements. + David Marín Carreño <davefx@gmail.com> + Added gnutls_x509_crq_get_key_id. + ++Steve Dispensa <dispensa@phonefactor.com> ++TLS safe renegotiation fix. ++ + -----BEGIN PGP PUBLIC KEY BLOCK----- + URL: http://josefsson.org/key.txt (always latest version) + Comment: This 0xB565716F key is used to sign releases of GnuTLS. +--- a/configure.ac 2009-11-06 ++++ b/configure.ac 2013-09-26 +@@ -275,6 +275,7 @@ AC_CONFIG_FILES([ + tests/pkcs8-decode/Makefile + tests/rsa-md5-collision/Makefile + tests/sha2/Makefile ++ tests/safe-renegotiation/Makefile + tests/userid/Makefile + ]) + AC_OUTPUT +--- a/configure 2010-03-15 ++++ b/configure 2013-09-26 +@@ -28310,7 +28310,7 @@ subdirs="$subdirs libextra" + + ac_config_files="$ac_config_files guile/pre-inst-guile" + +-ac_config_files="$ac_config_files Makefile doc/Makefile doc/credentials/Makefile doc/credentials/openpgp/Makefile doc/credentials/srp/Makefile doc/credentials/x509/Makefile doc/cyclo/Makefile doc/doxygen/Doxyfile doc/examples/Makefile doc/manpages/Makefile doc/reference/Makefile doc/scripts/Makefile gl/Makefile gl/tests/Makefile guile/Makefile guile/modules/Makefile guile/src/Makefile guile/tests/Makefile src/Makefile src/cfg/Makefile src/cfg/platon/Makefile src/cfg/platon/str/Makefile tests/Makefile tests/key-id/Makefile tests/openpgp-certs/Makefile tests/pathlen/Makefile tests/pkcs1-padding/Makefile tests/pkcs12-decode/Makefile tests/pkcs8-decode/Makefile tests/rsa-md5-collision/Makefile tests/sha2/Makefile tests/userid/Makefile" ++ac_config_files="$ac_config_files Makefile doc/Makefile doc/credentials/Makefile doc/credentials/openpgp/Makefile doc/credentials/srp/Makefile doc/credentials/x509/Makefile doc/cyclo/Makefile doc/doxygen/Doxyfile doc/examples/Makefile doc/manpages/Makefile doc/reference/Makefile doc/scripts/Makefile gl/Makefile gl/tests/Makefile guile/Makefile guile/modules/Makefile guile/src/Makefile guile/tests/Makefile src/Makefile src/cfg/Makefile src/cfg/platon/Makefile src/cfg/platon/str/Makefile tests/Makefile tests/key-id/Makefile tests/openpgp-certs/Makefile tests/safe-renegotiation/Makefile tests/pathlen/Makefile tests/pkcs1-padding/Makefile tests/pkcs12-decode/Makefile tests/pkcs8-decode/Makefile tests/rsa-md5-collision/Makefile tests/sha2/Makefile tests/userid/Makefile" + + cat >confcache <<\_ACEOF + # This file is a shell script that caches the results of configure +@@ -29529,6 +29529,7 @@ do + "tests/Makefile") CONFIG_FILES="$CONFIG_FILES tests/Makefile" ;; + "tests/key-id/Makefile") CONFIG_FILES="$CONFIG_FILES tests/key-id/Makefile" ;; + "tests/openpgp-certs/Makefile") CONFIG_FILES="$CONFIG_FILES tests/openpgp-certs/Makefile" ;; ++ "tests/safe-renegotiation/Makefile") CONFIG_FILES="$CONFIG_FILES tests/safe-renegotiation/Makefile" ;; + "tests/pathlen/Makefile") CONFIG_FILES="$CONFIG_FILES tests/pathlen/Makefile" ;; + "tests/pkcs1-padding/Makefile") CONFIG_FILES="$CONFIG_FILES tests/pkcs1-padding/Makefile" ;; + "tests/pkcs12-decode/Makefile") CONFIG_FILES="$CONFIG_FILES tests/pkcs12-decode/Makefile" ;; +--- a/doc/gnutls-api.texi 2010-03-15 ++++ b/doc/gnutls-api.texi 2013-09-26 +@@ -3307,6 +3307,20 @@ This function will initialize the tempor + @strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, or an negative error code. + @end deftypefun + ++@subheading gnutls_safe_renegotiation_status ++@anchor{gnutls_safe_renegotiation_status} ++@deftypefun {int} {gnutls_safe_renegotiation_status} (gnutls_session_t @var{session}) ++@var{session}: is a @code{gnutls_session_t} structure. ++ ++Can be used to check whether safe renegotiation is being used ++in the current session. ++ ++@strong{Returns:} 0 when safe renegotiation is not used and non zero when ++safe renegotiation is used. ++ ++@strong{Since:} 2.10.0 ++@end deftypefun ++ + @subheading gnutls_server_name_get + @anchor{gnutls_server_name_get} + @deftypefun {int} {gnutls_server_name_get} (gnutls_session_t @var{session}, void * @var{data}, size_t * @var{data_length}, unsigned int * @var{type}, unsigned int @var{indx}) +--- a/doc/gnutls.texi 2009-06-02 ++++ b/doc/gnutls.texi 2013-09-26 +@@ -565,6 +565,7 @@ also supports @acronym{X.509} and @acron + * Selecting cryptographic key sizes:: + * On SSL 2 and older protocols:: + * On Record Padding:: ++* Safe Renegotiation:: + @end menu + + @node TLS layers +@@ -1202,6 +1203,94 @@ here are some links: + + @url{http://thread.gmane.org/gmane.ietf.tls/3079} + ++@node Safe Renegotiation ++@section Safe Renegotiation ++@cindex renegotiation ++ ++Some application protocols and implementations uses the TLS ++renegotiation feature in a manner that enables attackers to insert ++content of his choice in the beginning of a TLS session. ++ ++One easy to understand vulnerability is HTTPS when servers request ++client certificates optionally for certain parts of a web site. The ++attack works by having the attacker simulate a client and connect to a ++server, with server-only authentication, and send some data intended ++to cause harm. When the proper client attempts to contact the server, ++the attacker hijacks that connection and uses the TLS renegotiation ++feature with the server and splices in the client connection to the ++already established connection between the attacker and server. The ++attacker will not be able to read the data exchanged between the ++client and the server. However, the server will (incorrectly) assume ++that the data sent by the attacker was sent by the now authenticated ++client. The result is a prefix plain-text injection attack. ++ ++The above is just one example. Other vulnerabilities exists that do ++not rely on the TLS renegotiation to change the client's authenticated ++status (either TLS or application layer). ++ ++While fixing these application protocols and implementations would be ++one natural reaction, an extension to TLS has been designed that ++cryptographically binds together any renegotiated handshakes with the ++initial negotiation. When the extension is used, the attack is ++detected and the session can be terminated. The extension is ++specified in @xcite{RFC5746}. ++ ++GnuTLS supports the safe renegotiation extension. The default ++behavior is as follows. Clients will attempt to negotiate the safe ++renegotiation extension when talking to servers. Servers will accept ++the extension when presented by clients. Clients and servers will ++permit an initial handshake to complete even when the other side does ++not support the safe renegotiation extension. Clients and servers ++will refuse renegotiation attempts when the extension has not been ++negotiated. ++ ++Note that permitting clients to connect to servers even when the safe ++renegotiation extension is not negotiated open up for some attacks. ++Changing this default behaviour would prevent interoperability against ++the majority of deployed servers out there. We will reconsider this ++default behaviour in the future when more servers have been upgraded. ++Note that it is easy to configure clients to always require the safe ++renegotiation extension from servers (see below on the ++%SAFE_RENEGOTIATION priority string). ++ ++To modify the default behaviour, we have introduced some new priority ++strings. The priority strings can be used by applications ++(@pxref{gnutls_priority_set}) and end users (e.g., @code{--priority} ++parameter to @code{gnutls-cli} and @code{gnutls-serv}). ++ ++The @code{%UNSAFE_RENEGOTIATION} priority string permits ++(re-)handshakes even when the safe renegotiation extension was not ++negotiated. The default behavior is @code{%PARTIAL_RENEGOTIATION} that will ++prevent renegotiation with clients and servers not supporting the ++extension. This is secure for servers but leaves clients vulnerable ++to some attacks, but this is a tradeoff between security and compatibility ++with old servers. The @code{%SAFE_RENEGOTIATION} priority string makes ++clients and servers require the extension for every handshake. The latter ++is the most secure option for clients, at the cost of not being able ++to connect to legacy servers. Servers will also deny clients that ++do not support the extension from connecting. ++ ++It is possible to disable use of the extension completely, in both ++clients and servers, by using the @code{%DISABLE_SAFE_RENEGOTIATION} ++priority string however we strongly recommend you to only do this for ++debugging and test purposes. ++ ++The default values if the flags above are not specified are: ++@table @code ++ ++@item Server: ++%PARTIAL_RENEGOTIATION ++ ++@item Client: ++%PARTIAL_RENEGOTIATION ++ ++@end table ++ ++For applications we have introduced a new API related to safe ++renegotiation. The @ref{gnutls_safe_renegotiation_status} function is ++used to check if the extension has been negotiated on a session, and ++can be used both by clients and servers. ++ + @node Authentication methods + @chapter Authentication Methods + +@@ -4179,6 +4268,11 @@ Pasi Eronen and Hannes Tschofenig, "Pre- + TLS", December 2005, Available from + @url{http://www.ietf.org/rfc/rfc4279.txt}. + ++@item @anchor{RFC5746}[RFC5746] ++E. Rescorla, M. Ray, S. Dispensa, and N. Oskov, "Transport Layer ++Security (TLS) Renegotiation Indication Extension", February 2010, ++available from @url{http://www.ietf.org/rfc/rfc5746}. ++ + @item @anchor{TOMSRP}[TOMSRP] + Tom Wu, "The Stanford SRP Authentication Project", Available at + @url{http://srp.stanford.edu/}. +--- a/doc/manpages/gnutls-cli.1 2009-06-02 ++++ b/doc/manpages/gnutls-cli.1 2013-09-26 +@@ -75,6 +75,15 @@ Special keywords: + "%SSL3_RECORD_VERSION" force SSL3.0 record version in the first client + hello. This is to avoid buggy servers from terminating connection. + .IP ++"%UNSAFE_RENEGOTIATION" Permits (re-)handshakes even unsafe ones. ++.IP ++"%PARTIAL_RENEGOTIATION" Prevents renegotiation with clients and servers not ++supporting the safe renegotiation extension. (default) ++.IP ++"%SAFE_RENEGOTIATION" will enable safe renegotiation. This is the most ++secure and recommended option for clients. However this will prevent from ++connecting to legacy servers. ++.IP + To avoid collisions in order to specify a compression algorithm in + this string you have to prefix it with "COMP-", protocol versions + with "VERS-" and certificate types with "CTYPE-". All other +--- a/doc/manpages/gnutls-serv.1 2009-06-02 ++++ b/doc/manpages/gnutls-serv.1 2013-09-26 +@@ -75,6 +75,15 @@ Special keywords: + .IP + '%COMPAT' will enable compatibility features for a server. + .IP ++"%UNSAFE_RENEGOTIATION" Permits (re-)handshakes even unsafe ones. ++.IP ++"%PARTIAL_RENEGOTIATION" Prevents renegotiation with clients and servers not ++supporting the safe renegotiation extension. (default) ++.IP ++"%SAFE_RENEGOTIATION" will enable safe renegotiation. This is the most ++secure and recommended option for clients. However this will prevent from ++connecting to legacy servers. ++.IP + To avoid collisions in order to specify a compression algorithm in + this string you have to prefix it with "COMP-", protocol versions + with "VERS-" and certificate types with "CTYPE-". All other +--- a/doc/manpages/gnutls_priority_init.3 2010-03-15 ++++ b/doc/manpages/gnutls_priority_init.3 2013-09-26 +@@ -67,6 +67,21 @@ compression methods. + + "%COMPAT" will enable compatibility features for a server. + ++"%UNSAFE_RENEGOTIATION" will allow unsafe renegotiation (this is now ++the default for clients, but will change once more servers support the safe renegotiation ++TLS fix). ++ ++"%SAFE_RENEGOTIATION" will allow safe renegotiation only (this is the ++default for servers \- that will reject clients trying to perform an ++unsafe renegotiation). ++ ++"%INITIAL_SAFE_RENEGOTIATION" will force initial safe negotiation even if ++renegotiation wasn't requested. Only valid for server side and implies ++"%SAFE_RENEGOTIATION". ++ ++"%DISABLE_SAFE_RENEGOTIATION" will disable safe renegotiation completely. Do not use ++unless you know what you are doing. Testing purposes only. ++ + "%SSL3_RECORD_VERSION" will use SSL3.0 record version in client hello. + + "%VERIFY_ALLOW_SIGN_RSA_MD5" will allow RSA\-MD5 signatures in +--- /dev/null 2013-09-26 ++++ b/doc/manpages/gnutls_safe_renegotiation_status.3 2013-09-26 +@@ -0,0 +1,41 @@ ++.\" DO NOT MODIFY THIS FILE! It was generated by gdoc. ++.TH "gnutls_safe_renegotiation_status" 3 "2.9.11" "gnutls" "gnutls" ++.SH NAME ++gnutls_safe_renegotiation_status \- API function ++.SH SYNOPSIS ++.B #include <gnutls/gnutls.h> ++.sp ++.BI "int gnutls_safe_renegotiation_status(gnutls_session_t " session ");" ++.SH ARGUMENTS ++.IP "gnutls_session_t session" 12 ++is a \fBgnutls_session_t\fP structure. ++.SH "DESCRIPTION" ++Can be used to check whether safe renegotiation is being used ++in the current session. ++.SH "RETURNS" ++0 when safe renegotiation is not used and non zero when ++safe renegotiation is used. ++.SH "SINCE" ++2.10.0 ++.SH "REPORTING BUGS" ++Report bugs to <bug-gnutls@gnu.org>. ++GnuTLS home page: http://www.gnu.org/software/gnutls/ ++General help using GNU software: http://www.gnu.org/gethelp/ ++.SH COPYRIGHT ++Copyright \(co 2008 Free Software Foundation. ++.br ++Copying and distribution of this file, with or without modification, ++are permitted in any medium without royalty provided the copyright ++notice and this notice are preserved. ++.SH "SEE ALSO" ++The full documentation for ++.B gnutls ++is maintained as a Texinfo manual. If the ++.B info ++and ++.B gnutls ++programs are properly installed at your site, the command ++.IP ++.B info gnutls ++.PP ++should give you access to the complete manual. +--- a/doc/manpages/Makefile.in 2010-03-15 ++++ b/doc/manpages/Makefile.in 2013-09-26 +@@ -523,7 +523,6 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ + PACKAGE_NAME = @PACKAGE_NAME@ + PACKAGE_STRING = @PACKAGE_STRING@ + PACKAGE_TARNAME = @PACKAGE_TARNAME@ +-PACKAGE_URL = @PACKAGE_URL@ + PACKAGE_VERSION = @PACKAGE_VERSION@ + PATH_SEPARATOR = @PATH_SEPARATOR@ + PKG_CONFIG = @PKG_CONFIG@ +@@ -682,7 +681,8 @@ APIMANS = gnutls_crypto_single_cipher_re + gnutls_crypto_bigint_register2.3 gnutls_crypto_pk_register2.3 \ + gnutls_crypto_cipher_register2.3 gnutls_crypto_mac_register2.3 \ + gnutls_crypto_digest_register2.3 gnutls_oprfi_enable_client.3 \ +- gnutls_oprfi_enable_server.3 gnutls_server_name_get.3 \ ++ gnutls_oprfi_enable_server.3 \ ++ gnutls_safe_renegotiation_status.3 gnutls_server_name_get.3 \ + gnutls_server_name_set.3 gnutls_alert_get_name.3 \ + gnutls_alert_send.3 gnutls_error_to_alert.3 \ + gnutls_alert_send_appropriate.3 gnutls_alert_get.3 \ +--- /dev/null 2013-09-26 ++++ b/lib/ext_safe_renegotiation.c 2013-09-26 +@@ -0,0 +1,139 @@ ++/* ++ * Copyright (C) 2009 Free Software Foundation ++ * ++ * Author: Steve Dispensa (<dispensa@phonefactor.com>) ++ * ++ * This file is part of GNUTLS. ++ * ++ * The GNUTLS library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public License ++ * as published by the Free Software Foundation; either version 2.1 of ++ * the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, ++ * USA ++ * ++ */ ++ ++#include <gnutls_int.h> ++#include <ext_safe_renegotiation.h> ++#include <gnutls_errors.h> ++ ++int ++_gnutls_safe_renegotiation_recv_params (gnutls_session_t session, ++ const opaque * data, size_t _data_size) ++{ ++ tls_ext_st *ext = &session->security_parameters.extensions; ++ int len = data[0]; ++ ssize_t data_size = _data_size; ++ ++ DECR_LEN (data_size, len+1 /* count the first byte and payload */); ++ ++ if (session->internals.priorities.safe_renegotiation == SR_DISABLED) ++ { ++ gnutls_assert (); ++ return 0; ++ } ++ ++ /* It is not legal to receive this extension on a renegotiation and ++ * not receive it on the initial negotiation. ++ */ ++ if (session->internals.initial_negotiation_completed != 0 && ++ session->internals.connection_using_safe_renegotiation == 0) ++ { ++ gnutls_assert(); ++ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED; ++ } ++ ++ if (len > sizeof (ext->ri_extension_data)) ++ { ++ gnutls_assert(); ++ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED; ++ } ++ ++ if (len > 0) ++ memcpy (ext->ri_extension_data, &data[1], len); ++ ext->ri_extension_data_len = len; ++ ++ /* "safe renegotiation received" means on *this* handshake; "connection using ++ * safe renegotiation" means that the initial hello received on the connection ++ * indicated safe renegotiation. ++ */ ++ session->internals.safe_renegotiation_received = 1; ++ session->internals.connection_using_safe_renegotiation = 1; ++ ++ return 0; ++} ++ ++int ++_gnutls_safe_renegotiation_send_params (gnutls_session_t session, ++ opaque * data, size_t _data_size) ++{ ++ /* The format of this extension is a one-byte length of verify data followed ++ * by the verify data itself. Note that the length byte does not include ++ * itself; IOW, empty verify data is represented as a length of 0. That means ++ * the minimum extension is one byte: 0x00. ++ */ ++ ssize_t data_size = _data_size; ++ tls_ext_st *ext = &session->security_parameters.extensions; ++ ++ ++ if (session->internals.priorities.safe_renegotiation == SR_DISABLED) ++ { ++ gnutls_assert(); ++ return 0; ++ } ++ ++ data[0] = 0; ++ ++ /* Always offer the extension if we're a client */ ++ if (session->internals.connection_using_safe_renegotiation || ++ session->security_parameters.entity == GNUTLS_CLIENT) ++ { ++ DECR_LEN (data_size, 1); ++ data[0] = ext->client_verify_data_len; ++ ++ DECR_LEN (data_size, ext->client_verify_data_len); ++ ++ if (ext->client_verify_data_len > 0) ++ memcpy(&data[1], ++ ext->client_verify_data, ++ ext->client_verify_data_len); ++ ++ if (session->security_parameters.entity == GNUTLS_SERVER) ++ { ++ data[0] += ext->server_verify_data_len; ++ ++ DECR_LEN (data_size, ext->server_verify_data_len); ++ ++ if (ext->server_verify_data_len > 0) ++ memcpy(&data[1 + ext->client_verify_data_len], ++ ext->server_verify_data, ++ ext->server_verify_data_len); ++ } ++ } ++ else ++ return 0; ++ ++ return 1 + data[0]; /* don't forget the length byte */ ++} ++ ++/** ++ * gnutls_safe_renegotiation_status: ++ * @session: is a #gnutls_session_t structure. ++ * ++ * Can be used to check whether safe renegotiation is being used ++ * in the current session. Returns 0 when not and non zero when ++ * used. ++ **/ ++int gnutls_safe_renegotiation_status (gnutls_session_t session) ++{ ++ return session->internals.connection_using_safe_renegotiation; ++} +--- /dev/null 2013-09-26 ++++ b/lib/ext_safe_renegotiation.h 2013-09-26 +@@ -0,0 +1,33 @@ ++/* ++ * Copyright (C) 2009 Free Software Foundation ++ * ++ * Author: Steve Dispensa (<dispensa@phonefactor.com>) ++ * ++ * This file is part of GNUTLS. ++ * ++ * The GNUTLS library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public License ++ * as published by the Free Software Foundation; either version 2.1 of ++ * the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, ++ * USA ++ * ++ */ ++ ++#ifndef EXT_SAFE_RENEGOTIATION_H ++# define EXT_SAFE_RENEGOTIATION_H ++ ++int _gnutls_safe_renegotiation_recv_params (gnutls_session_t state, ++ const opaque * data, size_t data_size); ++int _gnutls_safe_renegotiation_send_params (gnutls_session_t state, ++ opaque * data, size_t); ++ ++#endif /* EXT_SAFE_RENEGOTIATION_H */ +--- a/lib/gnutls_alert.c 2009-06-02 ++++ b/lib/gnutls_alert.c 2013-09-26 +@@ -180,6 +180,10 @@ gnutls_error_to_alert (int err, int *lev + ret = GNUTLS_A_ILLEGAL_PARAMETER; + _level = GNUTLS_AL_FATAL; + break; ++ case GNUTLS_E_UNKNOWN_SRP_USERNAME: ++ ret = GNUTLS_A_UNKNOWN_PSK_IDENTITY; ++ _level = GNUTLS_AL_FATAL; ++ break; + case GNUTLS_E_ASN1_ELEMENT_NOT_FOUND: + case GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND: + case GNUTLS_E_ASN1_DER_ERROR: +@@ -199,6 +203,7 @@ gnutls_error_to_alert (int err, int *lev + case GNUTLS_E_INSUFFICIENT_CREDENTIALS: + case GNUTLS_E_NO_CIPHER_SUITES: + case GNUTLS_E_NO_COMPRESSION_ALGORITHMS: ++ case GNUTLS_E_SAFE_RENEGOTIATION_FAILED: + ret = GNUTLS_A_HANDSHAKE_FAILURE; + _level = GNUTLS_AL_FATAL; + break; +@@ -212,6 +217,7 @@ gnutls_error_to_alert (int err, int *lev + _level = GNUTLS_AL_FATAL; + break; + case GNUTLS_E_REHANDSHAKE: ++ case GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED: + ret = GNUTLS_A_NO_RENEGOTIATION; + _level = GNUTLS_AL_WARNING; + break; +--- a/lib/gnutls_algorithms.c 2009-08-12 ++++ b/lib/gnutls_algorithms.c 2013-09-26 +@@ -457,6 +457,10 @@ typedef struct + #define GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 { 0x00,0x88 } + #endif + ++/* Safe renegotiation */ ++ ++#define GNUTLS_RENEGO_PROTECTION_REQUEST { GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR, GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR } ++ + #define CIPHER_SUITES_COUNT sizeof(cs_algorithms)/sizeof(gnutls_cipher_suite_entry)-1 + + static const gnutls_cipher_suite_entry cs_algorithms[] = { +@@ -624,6 +628,9 @@ static const gnutls_cipher_suite_entry c + GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_RSA, + GNUTLS_MAC_SHA1, GNUTLS_TLS1), + #endif ++ GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_RENEGO_PROTECTION_REQUEST, ++ GNUTLS_CIPHER_UNKNOWN, GNUTLS_KX_UNKNOWN, ++ GNUTLS_MAC_UNKNOWN, GNUTLS_SSL3), + {0, {{0, 0}}, 0, 0, 0, 0} + }; + +--- a/lib/gnutls_algorithms.h 2009-06-02 ++++ b/lib/gnutls_algorithms.h 2013-09-26 +@@ -27,6 +27,9 @@ + + #include "gnutls_auth.h" + ++#define GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR 0x00 ++#define GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR 0xFF ++ + /* Functions for version handling. */ + gnutls_protocol_t _gnutls_version_lowest (gnutls_session_t session); + gnutls_protocol_t _gnutls_version_max (gnutls_session_t session); +--- a/lib/gnutls_constate.c 2009-11-06 ++++ b/lib/gnutls_constate.c 2013-09-26 +@@ -380,6 +380,17 @@ _gnutls_set_write_keys (gnutls_session_t + export_flag); + } + ++#define CPY_EXTENSIONS \ ++ memcpy(dst->extensions.server_names, src->extensions.server_names, sizeof(src->extensions.server_names)); \ ++ dst->extensions.server_names_size = src->extensions.server_names_size; \ ++ memcpy(dst->extensions.srp_username, src->extensions.srp_username, sizeof(src->extensions.srp_username)); \ ++ dst->extensions.gnutls_ia_enable = src->extensions.gnutls_ia_enable; \ ++ dst->extensions.gnutls_ia_peer_enable = src->extensions.gnutls_ia_peer_enable; \ ++ dst->extensions.gnutls_ia_allowskip = src->extensions.gnutls_ia_allowskip; \ ++ dst->extensions.gnutls_ia_peer_allowskip = src->extensions.gnutls_ia_peer_allowskip; \ ++ dst->extensions.do_recv_supplemental = src->extensions.do_recv_supplemental; \ ++ dst->extensions.do_send_supplemental = src->extensions.do_send_supplemental ++ + #define CPY_COMMON dst->entity = src->entity; \ + dst->kx_algorithm = src->kx_algorithm; \ + memcpy( &dst->current_cipher_suite, &src->current_cipher_suite, sizeof(cipher_suite_st)); \ +@@ -393,8 +404,8 @@ _gnutls_set_write_keys (gnutls_session_t + dst->max_record_recv_size = src->max_record_recv_size; \ + dst->max_record_send_size = src->max_record_send_size; \ + dst->version = src->version; \ +- memcpy( &dst->extensions, &src->extensions, sizeof(tls_ext_st)); \ +- memcpy( &dst->inner_secret, &src->inner_secret, GNUTLS_MASTER_SIZE); ++ CPY_EXTENSIONS; \ ++ memcpy( &dst->inner_secret, &src->inner_secret, GNUTLS_MASTER_SIZE) + + static void + _gnutls_cpy_read_security_parameters (security_parameters_st * +--- a/lib/gnutls_errors.c 2009-06-02 ++++ b/lib/gnutls_errors.c 2013-09-26 +@@ -220,9 +220,15 @@ static const gnutls_error_entry error_al + GNUTLS_E_OPENPGP_GETKEY_FAILED, 1), + ERROR_ENTRY (N_("Could not find OpenPGP subkey."), + GNUTLS_E_OPENPGP_SUBKEY_ERROR, 1), ++ ERROR_ENTRY (N_("Safe renegotiation failed."), ++ GNUTLS_E_SAFE_RENEGOTIATION_FAILED, 1), ++ ERROR_ENTRY (N_("Unsafe renegotiation denied."), ++ GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED, 1), + + ERROR_ENTRY (N_("The SRP username supplied is illegal."), + GNUTLS_E_ILLEGAL_SRP_USERNAME, 1), ++ ERROR_ENTRY (N_("The SRP username supplied is unknown."), ++ GNUTLS_E_UNKNOWN_SRP_USERNAME, 1), + + ERROR_ENTRY (N_("The OpenPGP fingerprint is not supported."), + GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED, 1), +--- a/lib/gnutls_extensions.c 2009-06-08 ++++ b/lib/gnutls_extensions.c 2013-09-26 +@@ -35,6 +35,7 @@ + #include <ext_server_name.h> + #include <ext_oprfi.h> + #include <ext_srp.h> ++#include <ext_safe_renegotiation.h> + #include <gnutls_num.h> + + typedef struct +@@ -133,7 +134,7 @@ _gnutls_parse_extensions (gnutls_session + type = _gnutls_read_uint16 (&data[pos]); + pos += 2; + +- _gnutls_debug_log ("EXT[%p]: Received extension '%s/%d'\n", session, ++ _gnutls_debug_log ("EXT[%p]: Found extension '%s/%d'\n", session, + _gnutls_extension_get_name (type), type); + + if ((ret = _gnutls_extension_list_check (session, type)) < 0) +@@ -153,6 +154,8 @@ _gnutls_parse_extensions (gnutls_session + ext_recv = _gnutls_ext_func_recv (type, parse_type); + if (ext_recv == NULL) + continue; ++ ++ + if ((ret = ext_recv (session, sdata, size)) < 0) + { + gnutls_assert (); +@@ -170,7 +173,7 @@ _gnutls_parse_extensions (gnutls_session + * This list is used to check whether the (later) received + * extensions are the ones we requested. + */ +-static void ++void + _gnutls_extension_list_add (gnutls_session_t session, uint16_t type) + { + +@@ -192,7 +195,7 @@ _gnutls_extension_list_add (gnutls_sessi + + int + _gnutls_gen_extensions (gnutls_session_t session, opaque * data, +- size_t data_size) ++ size_t data_size, gnutls_ext_parse_type_t parse_type) + { + int size; + uint16_t pos = 0; +@@ -223,6 +226,9 @@ _gnutls_gen_extensions (gnutls_session_t + + if (p->send_func == NULL) + continue; ++ ++ if (parse_type != GNUTLS_EXT_ANY && p->parse_type != parse_type) ++ continue; + + size = p->send_func (session, sdata, sdata_size); + if (size > 0) +@@ -304,6 +310,14 @@ _gnutls_ext_init (void) + if (ret != GNUTLS_E_SUCCESS) + return ret; + ++ ret = gnutls_ext_register (GNUTLS_EXTENSION_SAFE_RENEGOTIATION, ++ "SAFE_RENEGOTIATION", ++ GNUTLS_EXT_MANDATORY, ++ _gnutls_safe_renegotiation_recv_params, ++ _gnutls_safe_renegotiation_send_params); ++ if (ret != GNUTLS_E_SUCCESS) ++ return ret; ++ + #ifdef ENABLE_OPRFI + ret = gnutls_ext_register (GNUTLS_EXTENSION_OPAQUE_PRF_INPUT, + "OPAQUE_PRF_INPUT", +--- a/lib/gnutls_extensions.h 2009-06-02 ++++ b/lib/gnutls_extensions.h 2013-09-26 +@@ -26,6 +26,8 @@ int _gnutls_parse_extensions (gnutls_ses + gnutls_ext_parse_type_t parse_type, + const opaque *data, int data_size); + int _gnutls_gen_extensions (gnutls_session_t session, opaque * data, +- size_t data_size); ++ size_t data_size, gnutls_ext_parse_type_t); + int _gnutls_ext_init (void); + void _gnutls_ext_deinit (void); ++ ++void _gnutls_extension_list_add (gnutls_session_t session, uint16_t type); +--- a/lib/gnutls_handshake.c 2009-11-02 ++++ b/lib/gnutls_handshake.c 2013-09-26 +@@ -48,6 +48,7 @@ + #include <gnutls_record.h> + #include <gnutls_state.h> + #include <ext_srp.h> ++#include <ext_safe_renegotiation.h> + #include <gnutls_rsa_export.h> /* for gnutls_get_rsa_params() */ + #include <auth_anon.h> /* for gnutls_anon_server_credentials_t */ + #include <auth_psk.h> /* for gnutls_psk_server_credentials_t */ +@@ -119,6 +120,7 @@ resume_copy_required_values (gnutls_sess + sizeof (session->security_parameters.session_id)); + session->security_parameters.session_id_size = + session->internals.resumed_security_parameters.session_id_size; ++ + } + + void +@@ -404,8 +406,36 @@ _gnutls_read_client_hello (gnutls_sessio + + if (ret == 0) + { /* resumed! */ ++ /* Parse only the safe renegotiation extension ++ * We don't want to parse any other extensions since ++ * we don't want new extension values to overwrite the ++ * resumed ones. ++ */ ++ ++ /* move forward to extensions */ ++ DECR_LEN (len, 2); ++ suite_size = _gnutls_read_uint16 (&data[pos]); ++ pos += 2; ++ ++ DECR_LEN (len, suite_size); ++ pos += suite_size; ++ ++ DECR_LEN (len, 1); ++ comp_size = data[pos++]; /* z is the number of compression methods */ ++ DECR_LEN (len, comp_size); ++ pos += comp_size; ++ ++ ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY, ++ &data[pos], len); ++ if (ret < 0) ++ { ++ gnutls_assert (); ++ return ret; ++ } ++ + resume_copy_required_values (session); + session->internals.resumed = RESUME_TRUE; ++ + return _gnutls_user_hello_func (session, adv_version); + } + else +@@ -437,17 +467,17 @@ _gnutls_read_client_hello (gnutls_sessio + pos += comp_size; + + /* Parse the extensions (if any) +- */ +- if (neg_version >= GNUTLS_TLS1) ++ * ++ * Unconditionally try to parse extensions; safe renegotiation uses them in ++ * sslv3 and higher, even though sslv3 doesn't officially support them. ++ */ ++ ret = _gnutls_parse_extensions (session, GNUTLS_EXT_APPLICATION, ++ &data[pos], len); ++ /* len is the rest of the parsed length */ ++ if (ret < 0) + { +- ret = _gnutls_parse_extensions (session, GNUTLS_EXT_APPLICATION, +- &data[pos], len); +- /* len is the rest of the parsed length */ +- if (ret < 0) +- { +- gnutls_assert (); +- return ret; +- } ++ gnutls_assert (); ++ return ret; + } + + ret = _gnutls_user_hello_func (session, adv_version); +@@ -457,16 +487,20 @@ _gnutls_read_client_hello (gnutls_sessio + return ret; + } + +- if (neg_version >= GNUTLS_TLS1) ++ ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY, ++ &data[pos], len); ++ if (ret < 0) + { +- ret = _gnutls_parse_extensions (session, GNUTLS_EXT_TLS, +- &data[pos], len); +- /* len is the rest of the parsed length */ +- if (ret < 0) +- { +- gnutls_assert (); +- return ret; +- } ++ gnutls_assert (); ++ return ret; ++ } ++ ++ ret = _gnutls_parse_extensions (session, GNUTLS_EXT_TLS, ++ &data[pos], len); ++ if (ret < 0) ++ { ++ gnutls_assert (); ++ return ret; + } + + /* select an appropriate cipher suite +@@ -531,7 +565,7 @@ _gnutls_handshake_hash_pending (gnutls_s + static int + _gnutls_send_finished (gnutls_session_t session, int again) + { +- uint8_t data[36]; ++ uint8_t data[MAX_VERIFY_DATA_SIZE]; + int ret; + int data_size = 0; + +@@ -556,7 +590,7 @@ _gnutls_send_finished (gnutls_session_t + data_size = 36; + } + else +- { /* TLS 1.0 */ ++ { /* TLS 1.0+ */ + ret = _gnutls_finished (session, + session->security_parameters.entity, data); + data_size = 12; +@@ -572,6 +606,31 @@ _gnutls_send_finished (gnutls_session_t + session->internals.finished_func (session, data, data_size); + } + ++ /* Save data for safe renegotiation. ++ */ ++ if (data_size > MAX_VERIFY_DATA_SIZE) ++ { ++ gnutls_assert (); ++ return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; ++ } ++ ++ if (session->security_parameters.entity == GNUTLS_CLIENT) ++ { ++ session->security_parameters.extensions.client_verify_data_len = ++ data_size; ++ ++ memcpy (session->security_parameters.extensions.client_verify_data, ++ data, data_size); ++ } ++ else ++ { ++ session->security_parameters.extensions.server_verify_data_len = ++ data_size; ++ ++ memcpy (session->security_parameters.extensions.server_verify_data, ++ data, data_size); ++ } ++ + ret = + _gnutls_send_handshake (session, data_size ? data : NULL, data_size, + GNUTLS_HANDSHAKE_FINISHED); +@@ -585,10 +644,11 @@ _gnutls_send_finished (gnutls_session_t + static int + _gnutls_recv_finished (gnutls_session_t session) + { +- uint8_t data[36], *vrfy; ++ uint8_t data[MAX_VERIFY_DATA_SIZE], *vrfy; + int data_size; + int ret; + int vrfysize; ++ tls_ext_st *ext; + + ret = + _gnutls_recv_handshake (session, &vrfy, &vrfysize, +@@ -640,13 +700,38 @@ _gnutls_recv_finished (gnutls_session_t + } + + if (memcmp (vrfy, data, data_size) != 0) ++ ret = memcmp (vrfy, data, data_size); ++ gnutls_free (vrfy); ++ ++ if (ret != 0) + { + gnutls_assert (); +- ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET; ++ return GNUTLS_E_ERROR_IN_FINISHED_PACKET; + } +- gnutls_free (vrfy); + +- return ret; ++ /* Save peer's verify data for safe renegotiation */ ++ if (data_size > MAX_VERIFY_DATA_SIZE) ++ { ++ gnutls_assert (); ++ return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; ++ } ++ ++ ext = &session->security_parameters.extensions; ++ ++ if (session->security_parameters.entity == GNUTLS_CLIENT) ++ { ++ memcpy (ext->server_verify_data, data, data_size); ++ ext->server_verify_data_len = data_size; ++ } ++ else ++ { ++ memcpy (ext->client_verify_data, data, data_size); ++ ext->client_verify_data_len = data_size; ++ } ++ ++ session->internals.initial_negotiation_completed = 1; ++ ++ return 0; + } + + /* returns PK_RSA if the given cipher suite list only supports, +@@ -685,7 +767,6 @@ _gnutls_server_find_pk_algos_in_ciphersu + return algo; + } + +- + /* This selects the best supported ciphersuite from the given ones. Then + * it adds the suite to the session and performs some checks. + */ +@@ -700,11 +784,31 @@ _gnutls_server_select_suite (gnutls_sess + * supported by the peer. + */ + ++ /* First, check for safe renegotiation SCSV. ++ */ ++ if (session->internals.priorities.safe_renegotiation != SR_DISABLED) ++ { ++ int offset; ++ ++ for(offset = 0; offset < datalen; offset += 2) ++ { ++ /* TLS_RENEGO_PROTECTION_REQUEST = { 0x00, 0xff } */ ++ if (data[offset] == GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR && ++ data[offset+1] == GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR) ++ { ++ _gnutls_handshake_log ("HSK[%p]: Received safe renegotiation CS\n", session); ++ session->internals.safe_renegotiation_received = 1; ++ session->internals.connection_using_safe_renegotiation = 1; ++ break; ++ } ++ } ++ } ++ + pk_algo = _gnutls_server_find_pk_algos_in_ciphersuites (data, datalen); + + x = _gnutls_supported_ciphersuites (session, &ciphers); + if (x < 0) +- { /* the case x==0 is handled within the function. */ ++ { /* the case x==0 is handled within the function. */ + gnutls_assert (); + return x; + } +@@ -752,21 +856,21 @@ _gnutls_server_select_suite (gnutls_sess + + for (j = 0; j < datalen; j += 2) + { +- for (i = 0; i < x; i++) +- { +- if (memcmp (ciphers[i].suite, &data[j], 2) == 0) +- { +- memcpy (&cs.suite, &data[j], 2); +- +- _gnutls_handshake_log +- ("HSK[%p]: Selected cipher suite: %s\n", session, +- _gnutls_cipher_suite_get_name (&cs)); +- memcpy (session->security_parameters.current_cipher_suite.suite, +- ciphers[i].suite, 2); +- retval = 0; +- goto finish; +- } +- } ++ for (i = 0; i < x; i++) ++ { ++ if (memcmp (ciphers[i].suite, &data[j], 2) == 0) ++ { ++ memcpy (&cs.suite, &data[j], 2); ++ ++ _gnutls_handshake_log ++ ("HSK[%p]: Selected cipher suite: %s\n", session, ++ _gnutls_cipher_suite_get_name (&cs)); ++ memcpy (session->security_parameters.current_cipher_suite.suite, ++ ciphers[i].suite, 2); ++ retval = 0; ++ goto finish; ++ } ++ } + } + + finish: +@@ -960,7 +1064,7 @@ _gnutls_send_handshake (gnutls_session_t + if (i_datasize > 0) + memcpy (&data[pos], i_data, i_datasize); + +- _gnutls_handshake_log ("HSK[%p]: %s was send [%ld bytes]\n", ++ _gnutls_handshake_log ("HSK[%p]: %s was sent [%ld bytes]\n", + session, _gnutls_handshake2str (type), + (long) datasize); + +@@ -1042,7 +1146,6 @@ _gnutls_recv_handshake_header (gnutls_se + + if (ret < 0) + { +- gnutls_assert (); + return ret; + } + +@@ -1525,15 +1628,26 @@ _gnutls_read_server_hello (gnutls_sessio + } + DECR_LEN (len, session_id_len); + +- + /* check if we are resuming and set the appropriate + * values; + */ + if (_gnutls_client_check_if_resuming + (session, &data[pos], session_id_len) == 0) +- return 0; +- pos += session_id_len; ++ { ++ pos += session_id_len + 2 + 1; ++ DECR_LEN (len, 2+1); ++ ++ ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY, ++ &data[pos], len); ++ if (ret < 0) ++ { ++ gnutls_assert (); ++ return ret; ++ } ++ return 0; ++ } + ++ pos += session_id_len; + + /* Check if the given cipher suite is supported and copy + * it to the session. +@@ -1548,8 +1662,6 @@ _gnutls_read_server_hello (gnutls_sessio + } + pos += 2; + +- +- + /* move to compression + */ + DECR_LEN (len, 1); +@@ -1563,32 +1675,32 @@ _gnutls_read_server_hello (gnutls_sessio + + /* Parse extensions. + */ +- if (version >= GNUTLS_TLS1) ++ ret = _gnutls_parse_extensions (session, GNUTLS_EXT_ANY, ++ &data[pos], len); ++ if (ret < 0) + { +- ret = _gnutls_parse_extensions (session, GNUTLS_EXT_ANY, +- &data[pos], len); +- /* len is the rest of the parsed length */ +- if (ret < 0) +- { +- gnutls_assert (); +- return ret; +- } ++ gnutls_assert (); ++ return ret; + } ++ + return ret; + } + + + /* This function copies the appropriate ciphersuites to a locally allocated buffer +- * Needed in client hello messages. Returns the new data length. ++ * Needed in client hello messages. Returns the new data length. If add_scsv is ++ * true, add the special safe renegotiation CS. + */ + static int + _gnutls_copy_ciphersuites (gnutls_session_t session, +- opaque * ret_data, size_t ret_data_size) ++ opaque * ret_data, size_t ret_data_size, ++ int add_scsv) + { + int ret, i; + cipher_suite_st *cipher_suites; + uint16_t cipher_num; + int datalen, pos; ++ uint16_t loop_max; + + ret = _gnutls_supported_ciphersuites_sorted (session, &cipher_suites); + if (ret < 0) +@@ -1619,6 +1731,9 @@ _gnutls_copy_ciphersuites (gnutls_sessio + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + ++ if (add_scsv) ++ ++ret; ++ + cipher_num = ret; + + cipher_num *= sizeof (uint16_t); /* in order to get bytes */ +@@ -1636,11 +1751,21 @@ _gnutls_copy_ciphersuites (gnutls_sessio + _gnutls_write_uint16 (cipher_num, ret_data); + pos += 2; + +- for (i = 0; i < (cipher_num / 2); i++) ++ loop_max = add_scsv ? cipher_num - 2 : cipher_num; ++ ++ for (i = 0; i < (loop_max / 2); i++) + { + memcpy (&ret_data[pos], cipher_suites[i].suite, 2); + pos += 2; + } ++ ++ if (add_scsv) ++ { ++ /* Safe renegotiation signalling CS value is { 0x00, 0xff } */ ++ ret_data[pos++] = 0x00; ++ ret_data[pos++] = 0xff; ++ } ++ + gnutls_free (cipher_suites); + + return datalen; +@@ -1700,7 +1825,7 @@ _gnutls_send_client_hello (gnutls_sessio + { + opaque *data = NULL; + int extdatalen; +- int pos = 0; ++ int pos = 0, type; + int datalen = 0, ret = 0; + opaque rnd[GNUTLS_RANDOM_SIZE]; + gnutls_protocol_t hver; +@@ -1807,9 +1932,21 @@ _gnutls_send_client_hello (gnutls_sessio + + + /* Copy the ciphersuites. ++ * ++ * If using SSLv3 Send TLS_RENEGO_PROTECTION_REQUEST SCSV for MITM ++ * prevention on initial negotiation (but not renegotiation; that's ++ * handled with the RI extension below). + */ +- extdatalen = +- _gnutls_copy_ciphersuites (session, extdata, sizeof (extdata)); ++ if(!session->internals.initial_negotiation_completed && ++ session->security_parameters.entity == GNUTLS_CLIENT && ++ gnutls_protocol_get_version (session) == GNUTLS_SSL3) ++ { ++ extdatalen = _gnutls_copy_ciphersuites (session, extdata, sizeof (extdata), TRUE); ++ _gnutls_extension_list_add (session, GNUTLS_EXTENSION_SAFE_RENEGOTIATION); ++ } ++ else ++ extdatalen = _gnutls_copy_ciphersuites (session, extdata, sizeof (extdata), FALSE); ++ + if (extdatalen > 0) + { + datalen += extdatalen; +@@ -1864,11 +2001,19 @@ _gnutls_send_client_hello (gnutls_sessio + /* Generate and copy TLS extensions. + */ + if (hver >= GNUTLS_TLS1) ++ type = GNUTLS_EXT_ANY; ++ else + { +- extdatalen = +- _gnutls_gen_extensions (session, extdata, sizeof (extdata)); ++ if (session->internals.initial_negotiation_completed != 0) ++ type = GNUTLS_EXT_MANDATORY; ++ else ++ type = GNUTLS_EXT_NONE; ++ } ++ ++ extdatalen = ++ _gnutls_gen_extensions (session, extdata, sizeof (extdata), type); + +- if (extdatalen > 0) ++ if (extdatalen > 0) + { + datalen += extdatalen; + data = gnutls_realloc_fast (data, datalen); +@@ -1880,13 +2025,12 @@ _gnutls_send_client_hello (gnutls_sessio + + memcpy (&data[pos], extdata, extdatalen); + } +- else if (extdatalen < 0) ++ else if (extdatalen < 0) + { + gnutls_assert (); + gnutls_free (data); + return extdatalen; + } +- } + } + + ret = +@@ -1932,15 +2076,7 @@ _gnutls_send_server_hello (gnutls_sessio + * alert and abort. + */ + gnutls_assert (); +- ret = gnutls_alert_send (session, GNUTLS_AL_FATAL, +- GNUTLS_A_UNKNOWN_PSK_IDENTITY); +- if (ret < 0) +- { +- gnutls_assert (); +- return ret; +- } +- +- return GNUTLS_E_ILLEGAL_SRP_USERNAME; ++ return GNUTLS_E_UNKNOWN_SRP_USERNAME; + } + } + #endif +@@ -1949,7 +2085,7 @@ _gnutls_send_server_hello (gnutls_sessio + { + datalen = 2 + session_id_len + 1 + GNUTLS_RANDOM_SIZE + 3; + extdatalen = +- _gnutls_gen_extensions (session, extdata, sizeof (extdata)); ++ _gnutls_gen_extensions (session, extdata, sizeof (extdata), GNUTLS_EXT_ANY); + + if (extdatalen < 0) + { +@@ -2015,6 +2151,8 @@ _gnutls_send_hello (gnutls_session_t ses + { + int ret; + ++ session->internals.safe_renegotiation_received = 0; ++ + if (session->security_parameters.entity == GNUTLS_CLIENT) + { + ret = _gnutls_send_client_hello (session, again); +@@ -2036,6 +2174,7 @@ int + _gnutls_recv_hello (gnutls_session_t session, opaque * data, int datalen) + { + int ret; ++ tls_ext_st *ext; + + if (session->security_parameters.entity == GNUTLS_CLIENT) + { +@@ -2047,7 +2186,7 @@ _gnutls_recv_hello (gnutls_session_t ses + } + } + else +- { /* Server side reading a client hello */ ++ { /* Server side reading a client hello */ + + ret = _gnutls_read_client_hello (session, data, datalen); + if (ret < 0) +@@ -2057,7 +2196,90 @@ _gnutls_recv_hello (gnutls_session_t ses + } + } + +- return ret; ++ if (session->internals.priorities.safe_renegotiation == SR_DISABLED) ++ { ++ gnutls_assert(); ++ return 0; ++ } ++ ++ /* Safe renegotiation */ ++ ext = &session->security_parameters.extensions; ++ ++ if (session->internals.safe_renegotiation_received) ++ { ++ if ((ext->ri_extension_data_len < ext->client_verify_data_len) || ++ (memcmp (ext->ri_extension_data, ++ ext->client_verify_data, ++ ext->client_verify_data_len))) ++ { ++ gnutls_assert(); ++ _gnutls_handshake_log ("Safe renegotiation failed [1]\n"); ++ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED; ++ } ++ if (session->security_parameters.entity == GNUTLS_CLIENT) ++ { ++ if ((ext->ri_extension_data_len != ++ ext->client_verify_data_len + ext->server_verify_data_len) || ++ memcmp (ext->ri_extension_data + ext->client_verify_data_len, ++ ext->server_verify_data, ext->server_verify_data_len) != 0) ++ { ++ gnutls_assert(); ++ _gnutls_handshake_log ("Safe renegotiation failed [2]\n"); ++ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED; ++ } ++ } ++ else /* Make sure there are 0 extra bytes */ ++ { ++ if (ext->ri_extension_data_len != ext->client_verify_data_len) ++ { ++ gnutls_assert(); ++ _gnutls_handshake_log ("Safe renegotiation failed [3]\n"); ++ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED; ++ } ++ } ++ ++ _gnutls_handshake_log ("Safe renegotiation succeeded.\n"); ++ } ++ else /* safe renegotiation not received... */ ++ { ++ if (session->internals.connection_using_safe_renegotiation) ++ { ++ gnutls_assert(); ++ _gnutls_handshake_log ("Peer previously asked for safe renegotiation!\n"); ++ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED; ++ } ++ ++ /* Clients can't tell if it's an initial negotiation */ ++ if (session->internals.initial_negotiation_completed) ++ { ++ ++ if (session->internals.priorities.safe_renegotiation < SR_PARTIAL) ++ { ++ _gnutls_handshake_log ("Allowing unsafe (re)negotiation!\n"); ++ } ++ else ++ { ++ gnutls_assert(); ++ _gnutls_handshake_log ("Denying unsafe (re)negotiation.\n"); ++ return GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED; ++ } ++ } ++ else ++ { ++ if (session->internals.priorities.safe_renegotiation < SR_SAFE) ++ { ++ _gnutls_handshake_log ("Allowing unsafe initial negotiation!\n"); ++ } ++ else ++ { ++ gnutls_assert(); ++ _gnutls_handshake_log ("Denying unsafe initial negotiation.\n"); ++ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED; ++ } ++ } ++ } ++ ++ return 0; + } + + /* The packets in gnutls_handshake (it's more broad than original TLS handshake) +@@ -2097,6 +2319,13 @@ _gnutls_recv_hello (gnutls_session_t ses + * gnutls_handshake() function in order to negotiate the new + * parameters. + * ++ * Since TLS is full duplex some application data might have been ++ * sent during peer's processing of this message. In that case ++ * one should call gnutls_record_recv() until GNUTLS_E_REHANDSHAKE ++ * is returned to clear any pending data. Care must be taken if ++ * rehandshake is mandatory to terminate if it does not start after ++ * some threshold. ++ * + * If the client does not wish to renegotiate parameters he will + * should with an alert message, thus the return code will be + * %GNUTLS_E_WARNING_ALERT_RECEIVED and the alert will be +--- a/lib/gnutls_int.h 2009-11-02 ++++ b/lib/gnutls_int.h 2013-09-26 +@@ -171,7 +171,8 @@ typedef enum extensions_t + GNUTLS_EXTENSION_OPAQUE_PRF_INPUT = ENABLE_OPRFI, + #endif + GNUTLS_EXTENSION_SRP = 12, +- GNUTLS_EXTENSION_INNER_APPLICATION = 37703 ++ GNUTLS_EXTENSION_INNER_APPLICATION = 37703, ++ GNUTLS_EXTENSION_SAFE_RENEGOTIATION = 65281, /* aka: 0xff01 */ + } extensions_t; + + typedef enum +@@ -282,6 +283,11 @@ typedef struct + + #define MAX_SERVER_NAME_EXTENSIONS 3 + ++#define MAX_VERIFY_DATA_SIZE 36 /* in SSL 3.0, 12 in TLS 1.0 */ ++ ++/* If you want the extension data to be kept across resuming sessions ++ * then modify CPY_EXTENSIONS in gnutls_constate.c ++ */ + typedef struct + { + server_name_st server_names[MAX_SERVER_NAME_EXTENSIONS]; +@@ -297,6 +303,9 @@ typedef struct + /* Used by extensions that enable supplemental data. */ + int do_recv_supplemental, do_send_supplemental; + ++ /*** Those below do not get copied when resuming session ++ ***/ ++ + /* Opaque PRF input. */ + gnutls_oprfi_callback_func oprfi_cb; + void *oprfi_userdata; +@@ -304,6 +313,15 @@ typedef struct + uint16_t oprfi_client_len; + opaque *oprfi_server; + uint16_t oprfi_server_len; ++ ++ /* Safe renegotiation. */ ++ uint8_t client_verify_data[MAX_VERIFY_DATA_SIZE]; ++ size_t client_verify_data_len; ++ uint8_t server_verify_data[MAX_VERIFY_DATA_SIZE]; ++ size_t server_verify_data_len; ++ uint8_t ri_extension_data[MAX_VERIFY_DATA_SIZE*2]; /* max signal is 72 bytes in s->c sslv3 */ ++ size_t ri_extension_data_len; ++ + } tls_ext_st; + + /* auth_info_t structures now MAY contain malloced +@@ -317,7 +335,7 @@ typedef struct + */ + + /* if you add anything in Security_Parameters struct, then +- * also modify CPY_COMMON in gnutls_constate.c ++ * also modify CPY_COMMON in gnutls_constate.c. + */ + + /* Note that the security parameters structure is set up after the +@@ -361,6 +379,7 @@ typedef struct + /* holds the negotiated certificate type */ + gnutls_certificate_type_t cert_type; + gnutls_protocol_t version; /* moved here */ ++ + /* For TLS/IA. XXX: Move to IA credential? */ + opaque inner_secret[GNUTLS_MASTER_SIZE]; + } security_parameters_st; +@@ -400,6 +419,13 @@ typedef struct + unsigned int algorithms; + } priority_st; + ++typedef enum { ++ SR_DISABLED, ++ SR_UNSAFE, ++ SR_PARTIAL, ++ SR_SAFE, ++} safe_renegotiation_t; ++ + /* For the external api */ + struct gnutls_priority_st + { +@@ -409,9 +435,12 @@ struct gnutls_priority_st + priority_st compression; + priority_st protocol; + priority_st cert_type; ++ priority_st sign_algo; + + /* to disable record padding */ +- int no_padding; ++ int no_padding:1; ++ safe_renegotiation_t safe_renegotiation; ++ int allow_large_records:1; + int ssl3_record_version; + int additional_verify_flags; + }; +@@ -673,6 +702,10 @@ typedef struct + */ + uint16_t srp_prime_bits; + ++ int safe_renegotiation_received:1; ++ int initial_negotiation_completed:1; ++ int connection_using_safe_renegotiation:1; ++ + /* If you add anything here, check _gnutls_handshake_internal_state_clear(). + */ + } internals_st; +--- a/lib/gnutls_priority.c 2009-06-02 ++++ b/lib/gnutls_priority.c 2013-09-26 +@@ -338,6 +338,27 @@ static const int comp_priority[] = { + 0 + }; + ++static const int sign_priority_default[] = { ++ GNUTLS_SIGN_RSA_SHA1, ++ GNUTLS_SIGN_DSA_SHA1, ++ GNUTLS_SIGN_RSA_SHA256, ++ GNUTLS_SIGN_RSA_SHA384, ++ GNUTLS_SIGN_RSA_SHA512, ++ 0 ++}; ++ ++static const int sign_priority_secure128[] = { ++ GNUTLS_SIGN_RSA_SHA256, ++ GNUTLS_SIGN_RSA_SHA384, ++ GNUTLS_SIGN_RSA_SHA512, ++ GNUTLS_SIGN_DSA_SHA1, ++ 0 ++}; ++ ++static const int sign_priority_secure256[] = { ++ GNUTLS_SIGN_RSA_SHA512, ++ 0 ++}; + + static const int mac_priority_performance[] = { + GNUTLS_MAC_MD5, +@@ -425,6 +446,14 @@ gnutls_priority_set (gnutls_session_t se + memcpy (&session->internals.priorities, priority, + sizeof (struct gnutls_priority_st)); + ++ /* set the current version to the first in the chain. ++ * * This will be overridden later. ++ * */ ++ if (session->internals.priorities.protocol.algorithms > 0) ++ _gnutls_set_current_version (session, ++ session->internals.priorities.protocol. ++ priority[0]); ++ + return 0; + } + +@@ -491,6 +520,21 @@ gnutls_priority_set (gnutls_session_t se + * + * "%COMPAT" will enable compatibility features for a server. + * ++ * "%DISABLE_SAFE_RENEGOTIATION" will disable safe renegotiation completely. Do not use ++ * unless you know what you are doing. Testing purposes only. ++ * ++ * "%UNSAFE_RENEGOTIATION" will allow unsafe renegotiation (this is now ++ * the default for clients, but will change once more servers support the safe renegotiation ++ * TLS fix). ++ * ++ * "%PARTIAL_SAFE_RENEGOTIATION" In server side it will enable safe renegotiation ++ * and will protect all clients from known attacks, but will not prevent insecure clients ++ * from connecting. In client side it will disallow from renegotiating with an insecure server ++ * but will not prevent connecting to one (this leaves the client vulnerable to attacks). ++ * ++ * "%SAFE_RENEGOTIATION" will enforce safe renegotiation. Clients and Servers will refuse ++ * to talk to an insecure peer. ++ * + * "%SSL3_RECORD_VERSION" will use SSL3.0 record version in client hello. + * + * "%VERIFY_ALLOW_SIGN_RSA_MD5" will allow RSA-MD5 signatures in +@@ -523,7 +567,7 @@ gnutls_priority_init (gnutls_priority_t + { + char *broken_list[MAX_ELEMENTS]; + int broken_list_size, i, j; +- char *darg; ++ char *darg = NULL; + int algo; + rmadd_func *fn; + +@@ -533,6 +577,11 @@ gnutls_priority_init (gnutls_priority_t + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; + } ++ ++ /* for now unsafe renegotiation is default on everyone. To be removed ++ * when we make it the default. ++ */ ++ (*priority_cache)->safe_renegotiation = SR_PARTIAL; + + if (priorities == NULL) + priorities = "NORMAL"; +@@ -541,9 +590,10 @@ gnutls_priority_init (gnutls_priority_t + if (darg == NULL) + { + gnutls_assert (); +- return GNUTLS_E_MEMORY_ERROR; ++ goto error; + } + ++ + break_comma_list (darg, broken_list, &broken_list_size, MAX_ELEMENTS, ':'); + /* This is our default set of protocol version, certificate types and + * compression methods. +@@ -553,6 +603,7 @@ gnutls_priority_init (gnutls_priority_t + _set_priority (&(*priority_cache)->protocol, protocol_priority); + _set_priority (&(*priority_cache)->compression, comp_priority); + _set_priority (&(*priority_cache)->cert_type, cert_type_priority); ++ _set_priority (&(*priority_cache)->sign_algo, sign_priority_default); + i = 0; + } + else +@@ -568,12 +619,16 @@ gnutls_priority_init (gnutls_priority_t + cipher_priority_performance); + _set_priority (&(*priority_cache)->kx, kx_priority_performance); + _set_priority (&(*priority_cache)->mac, mac_priority_performance); ++ _set_priority (&(*priority_cache)->sign_algo, ++ sign_priority_default); + } + else if (strcasecmp (broken_list[i], "NORMAL") == 0) + { + _set_priority (&(*priority_cache)->cipher, cipher_priority_normal); + _set_priority (&(*priority_cache)->kx, kx_priority_secure); + _set_priority (&(*priority_cache)->mac, mac_priority_secure); ++ _set_priority (&(*priority_cache)->sign_algo, ++ sign_priority_default); + } + else if (strcasecmp (broken_list[i], "SECURE256") == 0 + || strcasecmp (broken_list[i], "SECURE") == 0) +@@ -582,6 +637,8 @@ gnutls_priority_init (gnutls_priority_t + cipher_priority_secure256); + _set_priority (&(*priority_cache)->kx, kx_priority_secure); + _set_priority (&(*priority_cache)->mac, mac_priority_secure); ++ _set_priority (&(*priority_cache)->sign_algo, ++ sign_priority_secure256); + } + else if (strcasecmp (broken_list[i], "SECURE128") == 0) + { +@@ -589,12 +646,16 @@ gnutls_priority_init (gnutls_priority_t + cipher_priority_secure128); + _set_priority (&(*priority_cache)->kx, kx_priority_secure); + _set_priority (&(*priority_cache)->mac, mac_priority_secure); ++ _set_priority (&(*priority_cache)->sign_algo, ++ sign_priority_secure128); + } + else if (strcasecmp (broken_list[i], "EXPORT") == 0) + { + _set_priority (&(*priority_cache)->cipher, cipher_priority_export); + _set_priority (&(*priority_cache)->kx, kx_priority_export); + _set_priority (&(*priority_cache)->mac, mac_priority_secure); ++ _set_priority (&(*priority_cache)->sign_algo, ++ sign_priority_default); + } /* now check if the element is something like -ALGO */ + else if (broken_list[i][0] == '!' || broken_list[i][0] == '+' + || broken_list[i][0] == '-') +@@ -619,6 +680,8 @@ gnutls_priority_init (gnutls_priority_t + gnutls_protocol_get_id (&broken_list[i][6])) != + GNUTLS_VERSION_UNKNOWN) + fn (&(*priority_cache)->protocol, algo); ++ else ++ goto error; + } /* now check if the element is something like -ALGO */ + else if (strncasecmp (&broken_list[i][1], "COMP-", 5) == 0) + { +@@ -626,6 +689,8 @@ gnutls_priority_init (gnutls_priority_t + gnutls_compression_get_id (&broken_list[i][6])) != + GNUTLS_COMP_UNKNOWN) + fn (&(*priority_cache)->compression, algo); ++ else ++ goto error; + } /* now check if the element is something like -ALGO */ + else if (strncasecmp (&broken_list[i][1], "CTYPE-", 6) == 0) + { +@@ -633,18 +698,34 @@ gnutls_priority_init (gnutls_priority_t + gnutls_certificate_type_get_id (&broken_list[i][7])) != + GNUTLS_CRT_UNKNOWN) + fn (&(*priority_cache)->cert_type, algo); ++ else ++ goto error; + } /* now check if the element is something like -ALGO */ ++ else if (strncasecmp (&broken_list[i][1], "SIGN-", 5) == 0) ++ { ++ if ((algo = gnutls_sign_get_id (&broken_list[i][6])) != ++ GNUTLS_SIGN_UNKNOWN) ++ fn (&(*priority_cache)->sign_algo, algo); ++ else ++ goto error; ++ } /* now check if the element is something like -ALGO */ + else + goto error; + } + else if (broken_list[i][0] == '%') + { + if (strcasecmp (&broken_list[i][1], "COMPAT") == 0) ++ { + (*priority_cache)->no_padding = 1; ++ (*priority_cache)->allow_large_records = 1; ++ } + else if (strcasecmp (&broken_list[i][1], + "VERIFY_ALLOW_SIGN_RSA_MD5") == 0) ++ { ++ prio_add (&(*priority_cache)->sign_algo, GNUTLS_SIGN_RSA_MD5); + (*priority_cache)->additional_verify_flags |= + GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5; ++ } + else if (strcasecmp (&broken_list[i][1], + "SSL3_RECORD_VERSION") == 0) + (*priority_cache)->ssl3_record_version = 1; +@@ -652,6 +733,25 @@ gnutls_priority_init (gnutls_priority_t + "VERIFY_ALLOW_X509_V1_CA_CRT") == 0) + (*priority_cache)->additional_verify_flags |= + GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT; ++ else if (strcasecmp (&broken_list[i][1], ++ "UNSAFE_RENEGOTIATION") == 0) ++ { ++ (*priority_cache)->safe_renegotiation = SR_UNSAFE; ++ } ++ else if (strcasecmp (&broken_list[i][1], "SAFE_RENEGOTIATION") == 0) ++ { ++ (*priority_cache)->safe_renegotiation = SR_SAFE; ++ } ++ else if (strcasecmp (&broken_list[i][1], ++ "PARTIAL_RENEGOTIATION") == 0) ++ { ++ (*priority_cache)->safe_renegotiation = SR_PARTIAL; ++ } ++ else if (strcasecmp (&broken_list[i][1], ++ "DISABLE_SAFE_RENEGOTIATION") == 0) ++ { ++ (*priority_cache)->safe_renegotiation = SR_DISABLED; ++ } + else + goto error; + } +@@ -672,6 +772,7 @@ error: + } + } + gnutls_free (darg); ++ gnutls_free(*priority_cache); + + return GNUTLS_E_INVALID_REQUEST; + +--- a/lib/gnutls_record.c 2009-06-02 ++++ b/lib/gnutls_record.c 2013-09-26 +@@ -744,6 +744,14 @@ record_check_type (gnutls_session_t sess + if (session->security_parameters.entity == GNUTLS_SERVER) + { + gnutls_assert (); ++ ret = ++ _gnutls_record_buffer_put (recv_type, session, (void *) data, ++ data_size); ++ if (ret < 0) ++ { ++ gnutls_assert (); ++ return ret; ++ } + return GNUTLS_E_REHANDSHAKE; + } + +@@ -896,9 +904,13 @@ begin: + _gnutls_io_read_buffered (session, &headers, header_size, + -1)) != header_size) + { ++ _gnutls_handshake_log ("XXX[]: ret: %d %s\n", ret, gnutls_strerror(ret)); ++ + if (ret < 0 && gnutls_error_is_fatal (ret) == 0) + return ret; + ++ _gnutls_handshake_log ("XXX2[]: ret: %d %s\n", ret, gnutls_strerror(ret)); ++ + session_invalidate (session); + if (type == GNUTLS_ALERT) + { +--- a/lib/gnutls_state.c 2009-11-02 ++++ b/lib/gnutls_state.c 2013-09-26 +@@ -223,6 +223,7 @@ _gnutls_handshake_internal_state_clear ( + session->internals.adv_version_minor = 0; + session->internals.adv_version_minor = 0; + session->internals.direction = 0; ++ session->internals.safe_renegotiation_received = 0; + + /* use out of band data for the last + * handshake messages received. +@@ -338,6 +339,11 @@ gnutls_init (gnutls_session_t * session, + + _gnutls_handshake_internal_state_clear (*session); + ++ /* emulate old gnutls behavior for old applications that do not use the priority_* ++ * functions. ++ */ ++ (*session)->internals.priorities.safe_renegotiation = SR_PARTIAL; ++ + return 0; + } + +--- a/lib/includes/gnutls/gnutls.h.in 2009-06-02 ++++ b/lib/includes/gnutls/gnutls.h.in 2013-09-26 +@@ -503,7 +503,9 @@ extern "C" { + { + GNUTLS_EXT_ANY, + GNUTLS_EXT_APPLICATION, +- GNUTLS_EXT_TLS ++ GNUTLS_EXT_TLS, ++ GNUTLS_EXT_MANDATORY, /* parse even if resuming or extensions disabled */ ++ GNUTLS_EXT_NONE, + } gnutls_ext_parse_type_t; + + int gnutls_ext_register (int type, +@@ -525,6 +527,9 @@ extern "C" { + void *data, size_t * data_length, + unsigned int *type, unsigned int indx); + ++ /* Safe renegotiation */ ++ int gnutls_safe_renegotiation_status (gnutls_session_t session); ++ + /* Opaque PRF Input + * http://tools.ietf.org/id/draft-rescorla-tls-opaque-prf-input-00.txt + */ +@@ -1368,6 +1373,9 @@ extern "C" { + #define GNUTLS_E_IA_VERIFY_FAILED -104 + + #define GNUTLS_E_UNKNOWN_ALGORITHM -105 ++#define GNUTLS_E_SAFE_RENEGOTIATION_FAILED -107 ++#define GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED -108 ++#define GNUTLS_E_UNKNOWN_SRP_USERNAME -109 + + #define GNUTLS_E_BASE64_ENCODING_ERROR -201 + #define GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY -202 /* obsolete */ +--- a/lib/libgnutls.map 2009-06-02 ++++ b/lib/libgnutls.map 2013-09-26 +@@ -567,6 +567,12 @@ GNUTLS_2_8 + gnutls_x509_crt_verify_hash; + } GNUTLS_1_4; + ++GNUTLS_2_10 ++{ ++ global: ++ gnutls_safe_renegotiation_status; ++} GNUTLS_2_8; ++ + GNUTLS_PRIVATE { + global: + # Internal symbols needed by libgnutls-extra: +--- a/lib/Makefile.am 2009-06-02 ++++ b/lib/Makefile.am 2013-09-26 +@@ -79,7 +79,7 @@ COBJECTS = gnutls_record.c gnutls_compre + gnutls_rsa_export.c auth_rsa_export.c ext_server_name.c \ + auth_dh_common.c gnutls_helper.c gnutls_supplemental.c \ + crypto.c random.c pk-libgcrypt.c mpi-libgcrypt.c \ +- rnd-libgcrypt.c cipher-libgcrypt.c mac-libgcrypt.c ++ rnd-libgcrypt.c cipher-libgcrypt.c mac-libgcrypt.c ext_safe_renegotiation.c + + if ENABLE_OPRFI + COBJECTS += $(OPRFI_COBJECTS) +@@ -98,7 +98,7 @@ HFILES = debug.h gnutls_compress.h gnutl + gnutls_rsa_export.h ext_server_name.h auth_dh_common.h \ + ext_srp.h gnutls_srp.h auth_srp.h auth_srp_passwd.h \ + gnutls_helper.h auth_psk.h auth_psk_passwd.h \ +- gnutls_supplemental.h ext_oprfi.h crypto.h random.h ++ gnutls_supplemental.h ext_oprfi.h crypto.h random.h ext_safe_renegotiation.h + + # Separate so we can create the documentation + +--- a/lib/Makefile.in 2010-03-15 ++++ b/lib/Makefile.in 2013-09-26 +@@ -214,7 +214,7 @@ am__objects_4 = gnutls_record.lo gnutls_ + ext_server_name.lo auth_dh_common.lo gnutls_helper.lo \ + gnutls_supplemental.lo crypto.lo random.lo pk-libgcrypt.lo \ + mpi-libgcrypt.lo rnd-libgcrypt.lo cipher-libgcrypt.lo \ +- mac-libgcrypt.lo $(am__objects_3) ++ mac-libgcrypt.lo ext_safe_renegotiation.lo $(am__objects_3) + am__objects_5 = ext_srp.lo gnutls_srp.lo auth_srp.lo \ + auth_srp_passwd.lo auth_srp_sb64.lo auth_srp_rsa.lo + am__objects_6 = auth_psk.lo auth_psk_passwd.lo gnutls_psk.lo \ +@@ -854,6 +854,7 @@ COBJECTS = gnutls_record.c gnutls_compre + auth_dh_common.c gnutls_helper.c gnutls_supplemental.c \ + crypto.c random.c pk-libgcrypt.c mpi-libgcrypt.c \ + rnd-libgcrypt.c cipher-libgcrypt.c mac-libgcrypt.c \ ++ ext_safe_renegotiation.c \ + $(am__append_5) + HFILES = debug.h gnutls_compress.h gnutls_cipher.h gnutls_buffers.h \ + gnutls_errors.h gnutls_int.h gnutls_handshake.h gnutls_num.h \ +@@ -868,7 +869,8 @@ HFILES = debug.h gnutls_compress.h gnutl + gnutls_rsa_export.h ext_server_name.h auth_dh_common.h \ + ext_srp.h gnutls_srp.h auth_srp.h auth_srp_passwd.h \ + gnutls_helper.h auth_psk.h auth_psk_passwd.h \ +- gnutls_supplemental.h ext_oprfi.h crypto.h random.h ++ gnutls_supplemental.h ext_oprfi.h crypto.h random.h \ ++ ext_safe_renegotiation.h + + + # Separate so we can create the documentation +@@ -1058,6 +1060,7 @@ distclean-compile: + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gnutls_x509.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libgnutlsxx_la-gnutlsxx.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mac-libgcrypt.Plo@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ext_safe_renegotiation.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mpi-libgcrypt.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pk-libgcrypt.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkix_asn1_tab.Plo@am__quote@ +--- a/NEWS 2009-09-18 ++++ b/NEWS 2013-09-26 +@@ -3,6 +3,23 @@ + Copyright (C) 2000, 2001, 2002, 2003, 2004 Nikos Mavrogiannopoulos + See the end for copying conditions. + ++** libgnutls: Added Steve Dispensa's patch for safe renegotiation (RFC 5746) ++Solves the issue discussed in: ++<http://www.ietf.org/mail-archive/web/tls/current/msg03928.html> and ++<http://www.ietf.org/mail-archive/web/tls/current/msg03948.html>. ++Note that to allow connecting to unpatched servers the full protection ++is only enabled if the priority string %SAFE_RENEGOTIATION is ++specified. You can check whether protection is in place by querying ++gnutls_safe_renegotiation_status(). New error codes ++GNUTLS_E_SAFE_RENEGOTIATION_FAILED and ++GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED added. ++ ++gnutls_safe_renegotiation_status: Added ++ ++%UNSAFE_RENEGOTIATION: Added to priority strings ++%INITIAL_SAFE_RENEGOTIATION: Added to priority strings ++%DISABLE_SAFE_RENEGOTIATION: Added to priority strings (do not use) ++ + * Version 2.8.4 (released 2009-09-18) + + ** libgnutls: Enable Camellia ciphers by default. +--- a/src/cli-gaa.c 2009-06-02 ++++ b/src/cli-gaa.c 2013-09-26 +@@ -129,6 +129,7 @@ void gaa_help(void) + printf("GNU TLS test client\nUsage: gnutls-cli [options] hostname\n\n\n"); + __gaa_helpsingle('d', "debug", "integer ", "Enable debugging"); + __gaa_helpsingle('r', "resume", "", "Connect, establish a session. Connect again and resume this session."); ++ __gaa_helpsingle('e', "rehandshake", "", "Connect, establish a session and rehandshake immediately."); + __gaa_helpsingle('s', "starttls", "", "Connect, establish a plain session and start TLS when EOF or a SIGALRM is received."); + __gaa_helpsingle(0, "crlf", "", "Send CR LF instead of LF."); + __gaa_helpsingle(0, "x509fmtder", "", "Use DER format for certificates to read from."); +@@ -250,6 +251,8 @@ struct _gaainfo + int crlf; + #line 20 "cli.gaa" + int starttls; ++#line 20 "cli.gaa" ++ int rehandshake; + #line 17 "cli.gaa" + int resume; + #line 14 "cli.gaa" +@@ -342,8 +345,9 @@ static int gaa_error = 0; + #define GAAOPTID_x509fmtder 31 + #define GAAOPTID_crlf 32 + #define GAAOPTID_starttls 33 +-#define GAAOPTID_resume 34 +-#define GAAOPTID_debug 35 ++#define GAAOPTID_rehandshake 34 ++#define GAAOPTID_resume 35 ++#define GAAOPTID_debug 36 + + #line 168 "gaa.skel" + +@@ -721,6 +725,7 @@ static int gaa_get_option_num(char *str, + GAA_CHECK1STR("", GAAOPTID_x509fmtder); + GAA_CHECK1STR("", GAAOPTID_crlf); + GAA_CHECK1STR("s", GAAOPTID_starttls); ++ GAA_CHECK1STR("e", GAAOPTID_rehandshake); + GAA_CHECK1STR("r", GAAOPTID_resume); + + #line 277 "gaa.skel" +@@ -759,6 +764,7 @@ static int gaa_get_option_num(char *str, + GAA_CHECKSTR("x509fmtder", GAAOPTID_x509fmtder); + GAA_CHECKSTR("crlf", GAAOPTID_crlf); + GAA_CHECKSTR("starttls", GAAOPTID_starttls); ++ GAA_CHECKSTR("rehandshake", GAAOPTID_rehandshake); + GAA_CHECKSTR("resume", GAAOPTID_resume); + GAA_CHECKSTR("debug", GAAOPTID_debug); + +@@ -1101,6 +1107,13 @@ static int gaa_try(int gaa_num, int gaa_ + + return GAA_OK; + break; ++ case GAAOPTID_rehandshake: ++ OK = 0; ++#line 21 "cli.gaa" ++{ gaaval->rehandshake = 1 ;}; ++ ++ return GAA_OK; ++ break; + case GAAOPTID_resume: + OK = 0; + #line 18 "cli.gaa" +@@ -1164,7 +1177,7 @@ int gaa(int argc, char **argv, gaainfo * + gaaval->srp_username=NULL; gaaval->srp_passwd=NULL; gaaval->fmtder = 0; gaaval->starttls =0; + gaaval->debug = 0; gaaval->print_cert = 0; gaaval->verbose = 0; gaaval->psk_key = NULL; + gaaval->psk_username = NULL; gaaval->priorities = NULL; +- gaaval->opaque_prf_input = NULL; gaaval->pgp_subkey = NULL; ;}; ++ gaaval->opaque_prf_input = NULL; gaaval->pgp_subkey = NULL; gaaval->rehandshake = 0; ;}; + + } + inited = 1; +--- a/src/cli-gaa.h 2009-06-02 ++++ b/src/cli-gaa.h 2013-09-26 +@@ -82,6 +82,7 @@ struct _gaainfo + int crlf; + #line 20 "cli.gaa" + int starttls; ++ int rehandshake; + #line 17 "cli.gaa" + int resume; + #line 14 "cli.gaa" +--- a/src/cli.c 2009-06-02 ++++ b/src/cli.c 2013-09-26 +@@ -53,7 +53,7 @@ + #define MAX_BUF 4096 + + /* global stuff here */ +-int resume, starttls, insecure; ++int resume, starttls, insecure, rehandshake; + const char *hostname = NULL; + char *service; + int record_max_size; +@@ -674,6 +674,23 @@ after_handshake: + programs to search for when gnutls-cli has reached this point. */ + printf ("\n- Simple Client Mode:\n\n"); + ++ if (rehandshake) ++ { ++ ret = do_handshake (&hd); ++ ++ if (ret < 0) ++ { ++ fprintf (stderr, "*** ReHandshake has failed\n"); ++ gnutls_perror (ret); ++ gnutls_deinit (hd.session); ++ return 1; ++ } ++ else ++ { ++ printf ("- ReHandshake was completed\n"); ++ } ++ } ++ + #ifndef _WIN32 + signal (SIGALRM, &starttls_alarm); + #endif +@@ -838,6 +855,7 @@ gaa_parser (int argc, char **argv) + print_cert = info.print_cert; + starttls = info.starttls; + resume = info.resume; ++ rehandshake = info.rehandshake; + insecure = info.insecure; + service = info.port; + record_max_size = info.record_size; +@@ -962,6 +980,11 @@ do_handshake (socket_st * socket) + socket->secure = 1; + + } ++ else ++ { ++ gnutls_alert_send_appropriate(socket->session, ret); ++ shutdown (socket->fd, SHUT_RDWR); ++ } + return ret; + } + +--- a/src/cli.gaa 2009-06-02 ++++ b/src/cli.gaa 2013-09-26 +@@ -17,6 +17,9 @@ option (d, debug) INT "integer" { $debug + #int resume; + option (r, resume) { $resume = 1 } "Connect, establish a session. Connect again and resume this session." + ++#int rehandshake; ++option (e, rehandshake) { $rehandshake = 1 } "Connect, establish a session and rehandshake immediately." ++ + #int starttls; + option (s, starttls) { $starttls = 1 } "Connect, establish a plain session and start TLS when EOF or a SIGALRM is received." + +@@ -130,4 +133,4 @@ init { $resume=0; $port="443"; $rest_arg + $srp_username=NULL; $srp_passwd=NULL; $fmtder = 0; $starttls =0; + $debug = 0; $print_cert = 0; $verbose = 0; $psk_key = NULL; + $psk_username = NULL; $priorities = NULL; +- $opaque_prf_input = NULL; $pgp_subkey = NULL; } ++ $opaque_prf_input = NULL; $pgp_subkey = NULL; $rehandshake = 0; } +--- a/src/serv.c 2009-11-06 ++++ b/src/serv.c 2013-09-26 +@@ -760,6 +760,18 @@ get_response (gnutls_session_t session, + } + else + { ++ fprintf(stderr, "received: %s\n", request); ++ if (request[0] == request[1] && request[0] == '*') ++ { ++ if (strncmp(request, "**REHANDSHAKE**", sizeof("**REHANDSHAKE**")-1)==0) ++ { ++ fprintf(stderr, "*** Sending rehandshake request\n"); ++ gnutls_rehandshake(session); ++ } ++ *response = NULL; ++ *response_length = 0; ++ return; ++ } + *response = strdup (request); + *response_length = ((*response) ? strlen (*response) : 0); + } +@@ -1173,7 +1185,7 @@ main (int argc, char **argv) + ret = + gnutls_alert_send_appropriate (j->tls_session, r); + } +- while (ret == GNUTLS_E_AGAIN); ++ while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); + j->http_state = HTTP_STATE_CLOSING; + } + else if (r == 0) +@@ -1206,14 +1218,37 @@ main (int argc, char **argv) + } + else if (r <= 0) + { +- j->http_state = HTTP_STATE_CLOSING; +- if (r < 0 && r != GNUTLS_E_UNEXPECTED_PACKET_LENGTH) ++ if (r == GNUTLS_E_REHANDSHAKE) + { +- check_alert (j->tls_session, r); +- fprintf (stderr, "Error while receiving data\n"); +- GERR (r); +- } +- ++ fprintf(stderr, "*** Received hello message\n"); ++ do ++ { ++ r = gnutls_handshake (j->tls_session); ++ } ++ while (r == GNUTLS_E_INTERRUPTED || r == GNUTLS_E_AGAIN); ++ if (r < 0) ++ { ++ ++ do ++ { ++ ret = gnutls_alert_send_appropriate (j->tls_session, r); ++ } ++ while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); ++ ++ GERR (r); ++ j->http_state = HTTP_STATE_CLOSING; ++ } ++ } ++ else ++ { ++ j->http_state = HTTP_STATE_CLOSING; ++ if (r < 0 && r != GNUTLS_E_UNEXPECTED_PACKET_LENGTH) ++ { ++ check_alert (j->tls_session, r); ++ fprintf (stderr, "Error while receiving data\n"); ++ GERR (r); ++ } ++ } + } + else + { +@@ -1295,7 +1330,7 @@ main (int argc, char **argv) + } + } + +- if (j->handshake_ok == 1) ++ if (j->handshake_ok == 1 && j->http_response != NULL) + { + /* FIXME if j->http_response == NULL? */ + r = gnutls_record_send (j->tls_session, +@@ -1347,6 +1382,12 @@ main (int argc, char **argv) + } + } + } ++ else ++ { ++ j->request_length = 0; ++ j->http_request[0] = 0; ++ j->http_state = HTTP_STATE_REQUEST; ++ } + } + } + lloopend (listener_list, j); +--- a/src/tests.c 2009-06-02 ++++ b/src/tests.c 2013-09-26 +@@ -45,6 +45,7 @@ extern int verbose; + int tls1_ok = 0; + int ssl3_ok = 0; + int tls1_1_ok = 0; ++int tls1_2_ok = 0; + + /* keep session info */ + static char *session_data = NULL; +@@ -103,158 +104,28 @@ do_handshake (gnutls_session_t session) + return TEST_SUCCEED; + } + +-static int protocol_priority[16] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; ++char protocol_str[] = "+VERS-TLS1.0:+VERS-SSL3.0"; ++char prio_str[256] = ""; + +-static const int kx_priority[16] = +- { GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, +- GNUTLS_KX_ANON_DH, +- GNUTLS_KX_RSA_EXPORT, 0 +-}; +- +-static const int cipher_priority[16] = +- { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128, +- GNUTLS_CIPHER_ARCFOUR_40, 0 +-}; +-static const int comp_priority[16] = { GNUTLS_COMP_NULL, 0 }; +-static const int mac_priority[16] = { GNUTLS_MAC_SHA1, GNUTLS_MAC_MD5, 0 }; +-static const int cert_type_priority[16] = { GNUTLS_CRT_X509, 0 }; +- +-#define ADD_ALL_CIPHERS(session) gnutls_cipher_set_priority(session, cipher_priority) +-#define ADD_ALL_COMP(session) gnutls_compression_set_priority(session, comp_priority) +-#define ADD_ALL_MACS(session) gnutls_mac_set_priority(session, mac_priority) +-#define ADD_ALL_KX(session) gnutls_kx_set_priority(session, kx_priority) +-#define ADD_ALL_PROTOCOLS(session) gnutls_protocol_set_priority(session, protocol_priority) +-#define ADD_ALL_CERTTYPES(session) gnutls_certificate_type_set_priority(session, cert_type_priority) +- +-static void +-ADD_KX (gnutls_session_t session, int kx) +-{ +- static int _kx_priority[] = { 0, 0 }; +- _kx_priority[0] = kx; +- +- gnutls_kx_set_priority (session, _kx_priority); +-} +- +-static void +-ADD_KX2 (gnutls_session_t session, int kx1, int kx2) +-{ +- static int _kx_priority[] = { 0, 0, 0 }; +- _kx_priority[0] = kx1; +- _kx_priority[1] = kx2; +- +- gnutls_kx_set_priority (session, _kx_priority); +-} +- +-static void +-ADD_CIPHER (gnutls_session_t session, int cipher) +-{ +- static int _cipher_priority[] = { 0, 0 }; +- _cipher_priority[0] = cipher; +- +- gnutls_cipher_set_priority (session, _cipher_priority); +-} +- +-static void +-ADD_CIPHER4 (gnutls_session_t session, int cipher1, int cipher2, int cipher3, +- int cipher4) +-{ +- static int _cipher_priority[] = { 0, 0, 0, 0, 0 }; +- _cipher_priority[0] = cipher1; +- _cipher_priority[1] = cipher2; +- _cipher_priority[2] = cipher3; +- _cipher_priority[3] = cipher4; +- +- gnutls_cipher_set_priority (session, _cipher_priority); +-} +- +-static void +-ADD_MAC (gnutls_session_t session, int mac) +-{ +- static int _mac_priority[] = { 0, 0 }; +- _mac_priority[0] = mac; +- +- gnutls_mac_set_priority (session, _mac_priority); +-} +- +-static void +-ADD_COMP (gnutls_session_t session, int c) +-{ +- static int _comp_priority[] = { 0, 0 }; +- _comp_priority[0] = c; +- +- gnutls_compression_set_priority (session, _comp_priority); +-} +- +-static void +-ADD_CERTTYPE (gnutls_session_t session, int ctype) +-{ +- static int _ct_priority[] = { 0, 0 }; +- _ct_priority[0] = ctype; +- +- gnutls_certificate_type_set_priority (session, _ct_priority); +-} +- +-static void +-ADD_PROTOCOL (gnutls_session_t session, int protocol) +-{ +- static int _proto_priority[] = { 0, 0 }; +- _proto_priority[0] = protocol; +- +- gnutls_protocol_set_priority (session, _proto_priority); +-} +- +-static void +-ADD_PROTOCOL3 (gnutls_session_t session, int p1, int p2, int p3) +-{ +- static int _proto_priority[] = { 0, 0, 0, 0 }; +- _proto_priority[0] = p1; +- _proto_priority[1] = p2; +- _proto_priority[2] = p3; +- +- gnutls_protocol_set_priority (session, _proto_priority); +-} +- +-#ifdef ENABLE_SRP +-static int srp_detected; +- +-int +-_test_srp_username_callback (gnutls_session_t session, +- char **username, char **password) +-{ +- srp_detected = 1; +- +- return -1; +-} +- +-test_code_t +-test_srp (gnutls_session_t session) +-{ +- int ret; +- +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- +- ADD_KX (session, GNUTLS_KX_SRP); +- srp_detected = 0; +- +- gnutls_srp_set_client_credentials_function (srp_cred, +- _test_srp_username_callback); +- +- gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred); +- +- ret = do_handshake (session); +- +- gnutls_srp_set_client_credentials_function (srp_cred, NULL); +- +- if (srp_detected != 0) +- return TEST_SUCCEED; +- else +- return TEST_FAILED; ++#define ALL_CIPHERS "+3DES-CBC:+ARCFOUR-128:+ARCFOUR-40" ++#define ALL_COMP "+COMP-NULL" ++#define ALL_MACS "+SHA1:+MD5" ++#define ALL_CERTTYPES "+CTYPE-X509" ++#define REST "%%UNSAFE_RENEGOTIATION" ++#define ALL_KX "+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+RSA-EXPORT" ++#define INIT_STR "NONE:" ++ ++static inline void _gnutls_priority_set_direct(gnutls_session_t session, const char* str) ++{ ++ const char* err; ++ int ret = gnutls_priority_set_direct(session, str, &err); ++ ++ if (ret < 0) ++ { ++ fprintf(stderr, "Error in %s\n", err); ++ exit(1); ++ } + } +-#endif + + test_code_t + test_server (gnutls_session_t session) +@@ -269,12 +140,8 @@ test_server (gnutls_session_t session) + + buf[sizeof (buf) - 1] = 0; + +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + +@@ -318,13 +185,9 @@ test_export (gnutls_session_t session) + { + int ret; + +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); ++ sprintf(prio_str, INIT_STR "+ARCFOUR-40:+RSA-EXPORT:" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + +- ADD_KX (session, GNUTLS_KX_RSA_EXPORT); +- ADD_CIPHER (session, GNUTLS_CIPHER_ARCFOUR_40); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -348,13 +211,9 @@ test_export_info (gnutls_session_t sessi + if (verbose == 0 || export_true == 0) + return TEST_IGNORE; + +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); ++ sprintf(prio_str, INIT_STR "+ARCFOUR-40:+RSA-EXPORT:" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + +- ADD_KX (session, GNUTLS_KX_RSA_EXPORT); +- ADD_CIPHER (session, GNUTLS_CIPHER_ARCFOUR_40); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -395,13 +254,9 @@ test_dhe (gnutls_session_t session) + { + int ret; + +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); ++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":+DHE-RSA:+DHE-DSS:" REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + +- ADD_KX2 (session, GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -411,6 +266,37 @@ test_dhe (gnutls_session_t session) + return ret; + } + ++ ++test_code_t ++test_safe_renegotiation (gnutls_session_t session) ++{ ++ int ret; ++ ++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":%%SAFE_RENEGOTIATION", protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); ++ ++ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); ++ ++ ret = do_handshake (session); ++ ++ return ret; ++} ++ ++test_code_t ++test_safe_renegotiation_scsv (gnutls_session_t session) ++{ ++ int ret; ++ ++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":+VERS-SSL3.0:" ALL_MACS ":" ALL_KX ":%%SAFE_RENEGOTIATION"); ++ _gnutls_priority_set_direct (session, prio_str); ++ ++ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); ++ ++ ret = do_handshake (session); ++ ++ return ret; ++} ++ + test_code_t + test_dhe_group (gnutls_session_t session) + { +@@ -421,13 +307,8 @@ test_dhe_group (gnutls_session_t session + if (verbose == 0 || pubkey.data == NULL) + return TEST_IGNORE; + +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); ++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":+DHE-RSA:+DHE-DSS:" REST, protocol_str); + +- ADD_KX2 (session, GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -463,12 +344,9 @@ test_code_t + test_ssl3 (gnutls_session_t session) + { + int ret; +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_PROTOCOL (session, GNUTLS_SSL3); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":+VERS-SSL3.0:" ALL_MACS ":" ALL_KX ":" REST); ++ _gnutls_priority_set_direct (session, prio_str); ++ + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -496,12 +374,9 @@ test_bye (gnutls_session_t session) + signal (SIGALRM, got_alarm); + #endif + +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); ++ + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -548,12 +423,10 @@ test_code_t + test_aes (gnutls_session_t session) + { + int ret; +- ADD_CIPHER (session, GNUTLS_CIPHER_AES_128_CBC); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ ++ sprintf(prio_str, INIT_STR "+AES-128-CBC:" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST , protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); ++ + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -565,12 +438,10 @@ test_code_t + test_camellia (gnutls_session_t session) + { + int ret; +- ADD_CIPHER (session, GNUTLS_CIPHER_CAMELLIA_128_CBC); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ ++ sprintf(prio_str, INIT_STR "+CAMELLIA-128-CBC:" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); ++ + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -582,12 +453,10 @@ test_code_t + test_openpgp1 (gnutls_session_t session) + { + int ret; +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_CERTTYPE (session, GNUTLS_CRT_OPENPGP); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ ++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":+CTYPE-OPENPGP:%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); ++ + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -604,18 +473,16 @@ test_code_t + test_unknown_ciphersuites (gnutls_session_t session) + { + int ret; ++ ++ + #ifdef ENABLE_CAMELLIA +- ADD_CIPHER4 (session, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_3DES_CBC, +- GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_CIPHER_ARCFOUR_128); ++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + #else +- ADD_CIPHER4 (session, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_3DES_CBC, +- GNUTLS_CIPHER_ARCFOUR_128, 0); ++ sprintf(prio_str, INIT_STR "+AES-128-CBC:" ALL_CIPHERS ":"ALL_COMP":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + #endif +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -626,12 +493,10 @@ test_code_t + test_md5 (gnutls_session_t session) + { + int ret; +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_MAC (session, GNUTLS_MAC_MD5); +- ADD_ALL_KX (session); ++ ++ sprintf(prio_str, INIT_STR "+AES-128-CBC:" ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:+MD5:" ALL_KX ":" REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); ++ + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -643,12 +508,10 @@ test_code_t + test_zlib (gnutls_session_t session) + { + int ret; +- ADD_ALL_CIPHERS (session); +- ADD_COMP (session, GNUTLS_COMP_ZLIB); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ ++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":+COMP-ZLIB:" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); ++ + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -657,34 +520,25 @@ test_zlib (gnutls_session_t session) + #endif + + test_code_t +-test_lzo (gnutls_session_t session) ++test_sha (gnutls_session_t session) + { + int ret; +- gnutls_handshake_set_private_extensions (session, 1); + +- ADD_ALL_CIPHERS (session); +- ADD_COMP (session, GNUTLS_COMP_LZO); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ sprintf(prio_str, INIT_STR "+AES-128-CBC:" ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:+SHA1:" ALL_KX ":" REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +- + return ret; + } + + test_code_t +-test_sha (gnutls_session_t session) ++test_3des (gnutls_session_t session) + { + int ret; +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_MAC (session, GNUTLS_MAC_SHA1); +- ADD_ALL_KX (session); ++ ++ sprintf(prio_str, INIT_STR "+3DES-CBC:" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -692,15 +546,12 @@ test_sha (gnutls_session_t session) + } + + test_code_t +-test_3des (gnutls_session_t session) ++test_arcfour (gnutls_session_t session) + { + int ret; +- ADD_CIPHER (session, GNUTLS_CIPHER_3DES_CBC); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ ++ sprintf(prio_str, INIT_STR "+ARCFOUR-128:" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -708,15 +559,13 @@ test_3des (gnutls_session_t session) + } + + test_code_t +-test_arcfour (gnutls_session_t session) ++test_arcfour_40 (gnutls_session_t session) + { + int ret; +- ADD_CIPHER (session, GNUTLS_CIPHER_ARCFOUR_128); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ ++ sprintf(prio_str, INIT_STR "+ARCFOUR-40:" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" "+RSA-EXPORT" ":" REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); ++ + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -724,36 +573,36 @@ test_arcfour (gnutls_session_t session) + } + + test_code_t +-test_arcfour_40 (gnutls_session_t session) ++test_tls1 (gnutls_session_t session) + { + int ret; +- ADD_CIPHER (session, GNUTLS_CIPHER_ARCFOUR_40); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ ++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":+VERS-TLS1.0:" ALL_MACS ":" ALL_KX ":" REST); ++ _gnutls_priority_set_direct (session, prio_str); ++ + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); ++ if (ret == TEST_SUCCEED) ++ tls1_ok = 1; ++ + return ret; ++ + } + + test_code_t +-test_tls1 (gnutls_session_t session) ++test_tls1_2 (gnutls_session_t session) + { + int ret; +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_PROTOCOL (session, GNUTLS_TLS1); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ ++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":+VERS-TLS1.2:" ALL_MACS ":" ALL_KX ":" REST); ++ _gnutls_priority_set_direct (session, prio_str); ++ + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); + if (ret == TEST_SUCCEED) +- tls1_ok = 1; ++ tls1_2_ok = 1; + + return ret; + +@@ -763,12 +612,10 @@ test_code_t + test_tls1_1 (gnutls_session_t session) + { + int ret; +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_PROTOCOL (session, GNUTLS_TLS1_1); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ ++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":+VERS-TLS1.1:" ALL_MACS ":" ALL_KX ":" REST); ++ _gnutls_priority_set_direct (session, prio_str); ++ + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -786,12 +633,9 @@ test_tls1_1_fallback (gnutls_session_t s + if (tls1_1_ok) + return TEST_IGNORE; + +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_PROTOCOL3 (session, GNUTLS_TLS1_1, GNUTLS_TLS1, GNUTLS_SSL3); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0:" ALL_MACS ":" ALL_KX ":" REST); ++ _gnutls_priority_set_direct (session, prio_str); ++ + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -817,12 +661,9 @@ test_tls_disable (gnutls_session_t sessi + if (tls1_ok != 0) + return TEST_IGNORE; + +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); ++ + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -831,8 +672,7 @@ test_tls_disable (gnutls_session_t sessi + /* disable TLS 1.0 */ + if (ssl3_ok != 0) + { +- protocol_priority[0] = GNUTLS_SSL3; +- protocol_priority[1] = 0; ++ strcpy(protocol_str, "+VERS-SSL3.0"); + } + } + return ret; +@@ -849,12 +689,8 @@ test_rsa_pms (gnutls_session_t session) + * If the server is old, buggy and only supports + * SSL 3.0 then the handshake will fail. + */ +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_KX (session, GNUTLS_KX_RSA); ++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":+RSA:" REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -870,12 +706,8 @@ test_code_t + test_max_record_size (gnutls_session_t session) + { + int ret; +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + gnutls_record_set_max_size (session, 512); + +@@ -894,12 +726,9 @@ test_code_t + test_hello_extension (gnutls_session_t session) + { + int ret; +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ ++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + gnutls_record_set_max_size (session, 512); + +@@ -925,12 +754,8 @@ test_version_rollback (gnutls_session_t + * attacks which allow a version downgrade) and this + * connection will fail. + */ +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + _gnutls_record_set_default_version (session, 3, 0); + +@@ -955,12 +780,8 @@ test_version_oob (gnutls_session_t sessi + /* here we enable both SSL 3.0 and TLS 1.0 + * and we connect using a 5.5 record version. + */ +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + _gnutls_record_set_default_version (session, 5, 5); + +@@ -980,12 +801,8 @@ test_rsa_pms_version_check (gnutls_sessi + * + * A normal server would abort this handshake. + */ +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + _gnutls_rsa_pms_set_version (session, 5, 5); /* use SSL 5.5 version */ + +@@ -1000,12 +817,8 @@ test_anonymous (gnutls_session_t session + { + int ret; + +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_KX (session, GNUTLS_KX_ANON_DH); ++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":+ANON-DH:" REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_ANON, anon_cred); + + ret = do_handshake (session); +@@ -1027,12 +840,8 @@ test_session_resume2 (gnutls_session_t s + if (session == NULL) + return TEST_IGNORE; + +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + gnutls_credentials_set (session, GNUTLS_CRD_ANON, anon_cred); +@@ -1074,12 +883,8 @@ test_certificate (gnutls_session_t sessi + if (verbose == 0) + return TEST_IGNORE; + +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + +@@ -1143,12 +948,8 @@ test_server_cas (gnutls_session_t sessio + if (verbose == 0) + return TEST_IGNORE; + +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + gnutls_certificate_client_set_retrieve_function (xcred, cert_callback); +--- a/src/tests.h 2009-06-02 ++++ b/src/tests.h 2013-09-26 +@@ -3,7 +3,6 @@ typedef enum + TEST_SUCCEED, TEST_FAILED, TEST_UNSURE, TEST_IGNORE + } test_code_t; + +-test_code_t test_srp (gnutls_session_t state); + test_code_t test_server (gnutls_session_t state); + test_code_t test_export (gnutls_session_t state); + test_code_t test_export_info (gnutls_session_t state); +@@ -21,7 +20,10 @@ test_code_t test_3des (gnutls_session_t + test_code_t test_arcfour (gnutls_session_t state); + test_code_t test_arcfour_40 (gnutls_session_t state); + test_code_t test_tls1 (gnutls_session_t state); ++test_code_t test_safe_renegotiation (gnutls_session_t state); ++test_code_t test_safe_renegotiation_scsv (gnutls_session_t state); + test_code_t test_tls1_1 (gnutls_session_t state); ++test_code_t test_tls1_2 (gnutls_session_t state); + test_code_t test_tls1_1_fallback (gnutls_session_t state); + test_code_t test_tls_disable (gnutls_session_t state); + test_code_t test_rsa_pms (gnutls_session_t state); +@@ -37,6 +39,5 @@ test_code_t test_session_resume2 (gnutls + test_code_t test_rsa_pms_version_check (gnutls_session_t session); + test_code_t test_version_oob (gnutls_session_t session); + test_code_t test_zlib (gnutls_session_t session); +-test_code_t test_lzo (gnutls_session_t session); + int _test_srp_username_callback (gnutls_session_t session, + char **username, char **password); +--- a/src/tls_test.c 2009-06-02 ++++ b/src/tls_test.c 2013-09-26 +@@ -79,6 +79,9 @@ typedef struct + } TLS_TEST; + + static const TLS_TEST tls_tests[] = { ++ {"for Safe renegotiation support", test_safe_renegotiation, "yes", "no", "dunno"}, ++ {"for Safe renegotiation support (SCSV)", test_safe_renegotiation_scsv, "yes", "no", "dunno"}, ++ {"for TLS 1.2 support", test_tls1_2, "yes", "no", "dunno"}, + {"for TLS 1.1 support", test_tls1_1, "yes", "no", "dunno"}, + {"fallback from TLS 1.1 to", test_tls1_1_fallback, "TLS 1.0", "failed", + "SSL 3.0"}, +@@ -139,14 +142,8 @@ static const TLS_TEST tls_tests[] = { + {"for ZLIB compression support (TLS extension)", test_zlib, "yes", + "no", "dunno"}, + #endif +- {"for LZO compression support (GnuTLS extension)", test_lzo, "yes", +- "no", "dunno"}, + {"for max record size (TLS extension)", test_max_record_size, "yes", + "no", "dunno"}, +-#ifdef ENABLE_SRP +- {"for SRP authentication support (TLS extension)", test_srp, "yes", +- "no", "dunno"}, +-#endif + {"for OpenPGP authentication support (TLS extension)", test_openpgp1, + "yes", "no", "dunno"}, + {NULL, NULL, NULL, NULL, NULL} +@@ -233,7 +230,7 @@ main (int argc, char **argv) + + /* if neither of SSL3 and TLSv1 are supported, exit + */ +- if (i > 3 && tls1_1_ok == 0 && tls1_ok == 0 && ssl3_ok == 0) ++ if (i > 6 && tls1_1_ok == 0 && tls1_ok == 0 && ssl3_ok == 0) + { + fprintf (stderr, + "\nServer does not support any of SSL 3.0, TLS 1.0 and TLS 1.1\n"); +--- a/tests/Makefile.am 2010-01-24 ++++ b/tests/Makefile.am 2013-09-26 +@@ -20,7 +20,7 @@ + # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + + SUBDIRS = . rsa-md5-collision pkcs1-padding pkcs8-decode pkcs12-decode \ +- userid pathlen key-id sha2 ++ userid pathlen key-id sha2 safe-renegotiation + + if ENABLE_OPENPGP + SUBDIRS += openpgp-certs +--- a/tests/Makefile.in 2010-03-15 ++++ b/tests/Makefile.in 2013-09-26 +@@ -388,7 +388,7 @@ CTAGS = ctags + am__tty_colors = \ + red=; grn=; lgn=; blu=; std= + DIST_SUBDIRS = . rsa-md5-collision pkcs1-padding pkcs8-decode \ +- pkcs12-decode userid pathlen key-id sha2 openpgp-certs ++ pkcs12-decode userid pathlen key-id sha2 openpgp-certs safe-renegotiation + DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) + am__relativize = \ + dir0=`pwd`; \ +@@ -936,7 +936,7 @@ top_build_prefix = @top_build_prefix@ + top_builddir = @top_builddir@ + top_srcdir = @top_srcdir@ + SUBDIRS = . rsa-md5-collision pkcs1-padding pkcs8-decode pkcs12-decode \ +- userid pathlen key-id sha2 $(am__append_1) ++ userid pathlen key-id sha2 safe-renegotiation $(am__append_1) + EXTRA_DIST = libgcrypt.supp hostname-check.README + AM_CFLAGS = $(WARN_CFLAGS) $(WERROR_CFLAGS) + AM_CPPFLAGS = -I$(top_srcdir)/gl -I$(top_builddir)/gl \ +--- a/tests/resume.c 2009-06-02 ++++ b/tests/resume.c 2013-09-26 +@@ -47,6 +47,8 @@ static int wrap_db_store (void *dbf, gnu + static gnutls_datum_t wrap_db_fetch (void *dbf, gnutls_datum_t key); + static int wrap_db_delete (void *dbf, gnutls_datum_t key); + ++pid_t child; ++ + #define TLS_SESSION_CACHE 50 + + /* A very basic TLS client, with anonymous authentication. +@@ -56,6 +58,12 @@ static int wrap_db_delete (void *dbf, gn + #define MSG "Hello TLS" + + static void ++tls_log_func (int level, const char *str) ++{ ++ fprintf (stderr, "%s |<%d>| %s", child ? "server" : "client", level, str); ++} ++ ++static void + client (void) + { + int ret, sd, ii; +@@ -70,6 +78,11 @@ client (void) + int t; + gnutls_datum session_data; + ++ if (debug) ++ { ++ gnutls_global_set_log_function (tls_log_func); ++ gnutls_global_set_log_level (2); ++ } + gnutls_global_init (); + + gnutls_anon_allocate_client_credentials (&anoncred); +@@ -298,8 +311,13 @@ server (void) + + /* this must be called once in the program, it is mostly for the server. + */ +- gnutls_global_init (); ++ if (debug) ++ { ++ gnutls_global_set_log_function (tls_log_func); ++ gnutls_global_set_log_level (2); ++ } + ++ gnutls_global_init (); + gnutls_anon_allocate_server_credentials (&anoncred); + + success ("Launched, generating DH parameters...\n"); +@@ -385,8 +403,6 @@ server (void) + void + doit (void) + { +- pid_t child; +- + global_start (); + if (error_count) + return; +--- /dev/null 2013-09-26 ++++ b/tests/safe-renegotiation/Makefile.am 2013-09-26 +@@ -0,0 +1,37 @@ ++## Process this file with automake to produce Makefile.in ++# Copyright (C) 2010 Free Software Foundation, Inc. ++# ++# This file is part of GnuTLS. ++# ++# This file is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by ++# the Free Software Foundation; either version 3 of the License, or ++# (at your option) any later version. ++# ++# This file is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this file; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ++ ++AM_CFLAGS = $(WARN_CFLAGS) $(WERROR_CFLAGS) ++AM_CPPFLAGS = \ ++ -I$(top_srcdir)/lib/includes \ ++ -I$(top_builddir)/lib/includes ++ ++AM_LDFLAGS = -no-install ++LDADD = ../../lib/libgnutls.la $(LTLIBGCRYPT) $(LIBSOCKET) ++ ++ctests = srn0 srn1 srn2 srn3 srn4 srn5 srn6 srn7 ++ ++check_PROGRAMS = $(ctests) ++TESTS = $(ctests) ++TESTS_ENVIRONMENT = $(VALGRIND) ++ ++EXTRA_DIST = README params.dh ++ ++dist_check_SCRIPTS = testsrn ++#TESTS = testsrn +--- /dev/null 2013-09-26 ++++ b/tests/safe-renegotiation/Makefile.in 2013-09-26 +@@ -0,0 +1,1299 @@ ++# Makefile.in generated by automake 1.11.1 from Makefile.am. ++# @configure_input@ ++ ++# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, ++# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, ++# Inc. ++# This Makefile.in is free software; the Free Software Foundation ++# gives unlimited permission to copy and/or distribute it, ++# with or without modifications, as long as this notice is preserved. ++ ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY, to the extent permitted by law; without ++# even the implied warranty of MERCHANTABILITY or FITNESS FOR A ++# PARTICULAR PURPOSE. ++ ++@SET_MAKE@ ++ ++# Copyright (C) 2010 Free Software Foundation, Inc. ++# ++# This file is part of GnuTLS. ++# ++# This file is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by ++# the Free Software Foundation; either version 3 of the License, or ++# (at your option) any later version. ++# ++# This file is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this file; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ++VPATH = @srcdir@ ++pkgdatadir = $(datadir)/@PACKAGE@ ++pkgincludedir = $(includedir)/@PACKAGE@ ++pkglibdir = $(libdir)/@PACKAGE@ ++pkglibexecdir = $(libexecdir)/@PACKAGE@ ++am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd ++install_sh_DATA = $(install_sh) -c -m 644 ++install_sh_PROGRAM = $(install_sh) -c ++install_sh_SCRIPT = $(install_sh) -c ++INSTALL_HEADER = $(INSTALL_DATA) ++transform = $(program_transform_name) ++NORMAL_INSTALL = : ++PRE_INSTALL = : ++POST_INSTALL = : ++NORMAL_UNINSTALL = : ++PRE_UNINSTALL = : ++POST_UNINSTALL = : ++build_triplet = @build@ ++host_triplet = @host@ ++check_PROGRAMS = $(am__EXEEXT_1) ++TESTS = $(am__EXEEXT_1) ++subdir = tests/safe-renegotiation ++DIST_COMMON = README $(dist_check_SCRIPTS) $(srcdir)/Makefile.am \ ++ $(srcdir)/Makefile.in ++ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 ++am__aclocal_m4_deps = $(top_srcdir)/libextra/m4/hooks.m4 \ ++ $(top_srcdir)/lib/m4/hooks.m4 $(top_srcdir)/lib/gl/m4/po.m4 \ ++ $(top_srcdir)/gl/m4/00gnulib.m4 $(top_srcdir)/gl/m4/alloca.m4 \ ++ $(top_srcdir)/gl/m4/arpa_inet_h.m4 \ ++ $(top_srcdir)/gl/m4/asm-underscore.m4 \ ++ $(top_srcdir)/gl/m4/autobuild.m4 \ ++ $(top_srcdir)/gl/m4/clock_time.m4 $(top_srcdir)/gl/m4/close.m4 \ ++ $(top_srcdir)/gl/m4/errno_h.m4 $(top_srcdir)/gl/m4/error.m4 \ ++ $(top_srcdir)/gl/m4/extensions.m4 \ ++ $(top_srcdir)/gl/m4/fclose.m4 $(top_srcdir)/gl/m4/float_h.m4 \ ++ $(top_srcdir)/gl/m4/fseeko.m4 \ ++ $(top_srcdir)/gl/m4/getaddrinfo.m4 \ ++ $(top_srcdir)/gl/m4/getdelim.m4 $(top_srcdir)/gl/m4/getline.m4 \ ++ $(top_srcdir)/gl/m4/getpass.m4 $(top_srcdir)/gl/m4/gettime.m4 \ ++ $(top_srcdir)/gl/m4/gettimeofday.m4 \ ++ $(top_srcdir)/gl/m4/gnulib-common.m4 \ ++ $(top_srcdir)/gl/m4/gnulib-comp.m4 \ ++ $(top_srcdir)/gl/m4/hostent.m4 \ ++ $(top_srcdir)/gl/m4/include_next.m4 \ ++ $(top_srcdir)/gl/m4/inet_ntop.m4 \ ++ $(top_srcdir)/gl/m4/inet_pton.m4 \ ++ $(top_srcdir)/gl/m4/intmax_t.m4 \ ++ $(top_srcdir)/gl/m4/inttypes_h.m4 $(top_srcdir)/gl/m4/ioctl.m4 \ ++ $(top_srcdir)/gl/m4/lib-ld.m4 $(top_srcdir)/gl/m4/lib-link.m4 \ ++ $(top_srcdir)/gl/m4/lib-prefix.m4 \ ++ $(top_srcdir)/gl/m4/longlong.m4 $(top_srcdir)/gl/m4/lseek.m4 \ ++ $(top_srcdir)/gl/m4/malloc.m4 \ ++ $(top_srcdir)/gl/m4/manywarnings.m4 \ ++ $(top_srcdir)/gl/m4/memchr.m4 $(top_srcdir)/gl/m4/minmax.m4 \ ++ $(top_srcdir)/gl/m4/mmap-anon.m4 \ ++ $(top_srcdir)/gl/m4/multiarch.m4 \ ++ $(top_srcdir)/gl/m4/netdb_h.m4 \ ++ $(top_srcdir)/gl/m4/netinet_in_h.m4 \ ++ $(top_srcdir)/gl/m4/onceonly_2_57.m4 \ ++ $(top_srcdir)/gl/m4/perror.m4 $(top_srcdir)/gl/m4/printf.m4 \ ++ $(top_srcdir)/gl/m4/read-file.m4 \ ++ $(top_srcdir)/gl/m4/readline.m4 $(top_srcdir)/gl/m4/realloc.m4 \ ++ $(top_srcdir)/gl/m4/select.m4 $(top_srcdir)/gl/m4/servent.m4 \ ++ $(top_srcdir)/gl/m4/size_max.m4 \ ++ $(top_srcdir)/gl/m4/snprintf.m4 $(top_srcdir)/gl/m4/sockets.m4 \ ++ $(top_srcdir)/gl/m4/socklen.m4 $(top_srcdir)/gl/m4/sockpfaf.m4 \ ++ $(top_srcdir)/gl/m4/stdarg.m4 $(top_srcdir)/gl/m4/stdbool.m4 \ ++ $(top_srcdir)/gl/m4/stddef_h.m4 $(top_srcdir)/gl/m4/stdint.m4 \ ++ $(top_srcdir)/gl/m4/stdint_h.m4 $(top_srcdir)/gl/m4/stdio_h.m4 \ ++ $(top_srcdir)/gl/m4/stdlib_h.m4 \ ++ $(top_srcdir)/gl/m4/strerror.m4 \ ++ $(top_srcdir)/gl/m4/string_h.m4 \ ++ $(top_srcdir)/gl/m4/sys_ioctl_h.m4 \ ++ $(top_srcdir)/gl/m4/sys_select_h.m4 \ ++ $(top_srcdir)/gl/m4/sys_socket_h.m4 \ ++ $(top_srcdir)/gl/m4/sys_stat_h.m4 \ ++ $(top_srcdir)/gl/m4/sys_time_h.m4 \ ++ $(top_srcdir)/gl/m4/time_h.m4 $(top_srcdir)/gl/m4/timespec.m4 \ ++ $(top_srcdir)/gl/m4/ungetc.m4 $(top_srcdir)/gl/m4/unistd_h.m4 \ ++ $(top_srcdir)/gl/m4/valgrind-tests.m4 \ ++ $(top_srcdir)/gl/m4/vasnprintf.m4 \ ++ $(top_srcdir)/gl/m4/version-etc.m4 \ ++ $(top_srcdir)/gl/m4/warn-on-use.m4 \ ++ $(top_srcdir)/gl/m4/warnings.m4 $(top_srcdir)/gl/m4/wchar_h.m4 \ ++ $(top_srcdir)/gl/m4/wchar_t.m4 $(top_srcdir)/gl/m4/wint_t.m4 \ ++ $(top_srcdir)/gl/m4/xsize.m4 $(top_srcdir)/m4/gtk-doc.m4 \ ++ $(top_srcdir)/m4/guile.m4 $(top_srcdir)/m4/libtool.m4 \ ++ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ ++ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ ++ $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/configure.ac ++am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ ++ $(ACLOCAL_M4) ++mkinstalldirs = $(install_sh) -d ++CONFIG_HEADER = $(top_builddir)/config.h ++CONFIG_CLEAN_FILES = ++CONFIG_CLEAN_VPATH_FILES = ++am__EXEEXT_1 = srn0$(EXEEXT) srn1$(EXEEXT) srn2$(EXEEXT) srn3$(EXEEXT) \ ++ srn4$(EXEEXT) srn5$(EXEEXT) srn6$(EXEEXT) srn7$(EXEEXT) ++srn0_SOURCES = srn0.c ++srn0_OBJECTS = srn0.$(OBJEXT) ++srn0_LDADD = $(LDADD) ++am__DEPENDENCIES_1 = ++srn0_DEPENDENCIES = ../../lib/libgnutls.la $(am__DEPENDENCIES_1) \ ++ $(am__DEPENDENCIES_1) ++srn1_SOURCES = srn1.c ++srn1_OBJECTS = srn1.$(OBJEXT) ++srn1_LDADD = $(LDADD) ++srn1_DEPENDENCIES = ../../lib/libgnutls.la $(am__DEPENDENCIES_1) \ ++ $(am__DEPENDENCIES_1) ++srn2_SOURCES = srn2.c ++srn2_OBJECTS = srn2.$(OBJEXT) ++srn2_LDADD = $(LDADD) ++srn2_DEPENDENCIES = ../../lib/libgnutls.la $(am__DEPENDENCIES_1) \ ++ $(am__DEPENDENCIES_1) ++srn3_SOURCES = srn3.c ++srn3_OBJECTS = srn3.$(OBJEXT) ++srn3_LDADD = $(LDADD) ++srn3_DEPENDENCIES = ../../lib/libgnutls.la $(am__DEPENDENCIES_1) \ ++ $(am__DEPENDENCIES_1) ++srn4_SOURCES = srn4.c ++srn4_OBJECTS = srn4.$(OBJEXT) ++srn4_LDADD = $(LDADD) ++srn4_DEPENDENCIES = ../../lib/libgnutls.la $(am__DEPENDENCIES_1) \ ++ $(am__DEPENDENCIES_1) ++srn5_SOURCES = srn5.c ++srn5_OBJECTS = srn5.$(OBJEXT) ++srn5_LDADD = $(LDADD) ++srn5_DEPENDENCIES = ../../lib/libgnutls.la $(am__DEPENDENCIES_1) \ ++ $(am__DEPENDENCIES_1) ++srn6_SOURCES = srn6.c ++srn6_OBJECTS = srn6.$(OBJEXT) ++srn6_LDADD = $(LDADD) ++srn6_DEPENDENCIES = ../../lib/libgnutls.la $(am__DEPENDENCIES_1) \ ++ $(am__DEPENDENCIES_1) ++srn7_SOURCES = srn7.c ++srn7_OBJECTS = srn7.$(OBJEXT) ++srn7_LDADD = $(LDADD) ++srn7_DEPENDENCIES = ../../lib/libgnutls.la $(am__DEPENDENCIES_1) \ ++ $(am__DEPENDENCIES_1) ++DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) ++depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp ++am__depfiles_maybe = depfiles ++am__mv = mv -f ++COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ ++ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) ++LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ ++ --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ ++ $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) ++CCLD = $(CC) ++LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ ++ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ ++ $(LDFLAGS) -o $@ ++SOURCES = srn0.c srn1.c srn2.c srn3.c srn4.c srn5.c srn6.c srn7.c ++DIST_SOURCES = srn0.c srn1.c srn2.c srn3.c srn4.c srn5.c srn6.c srn7.c ++ETAGS = etags ++CTAGS = ctags ++am__tty_colors = \ ++red=; grn=; lgn=; blu=; std= ++DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ++ACLOCAL = @ACLOCAL@ ++ALLOCA = @ALLOCA@ ++ALLOCA_H = @ALLOCA_H@ ++AMTAR = @AMTAR@ ++APPLE_UNIVERSAL_BUILD = @APPLE_UNIVERSAL_BUILD@ ++AR = @AR@ ++AS = @AS@ ++ASM_SYMBOL_PREFIX = @ASM_SYMBOL_PREFIX@ ++AUTOCONF = @AUTOCONF@ ++AUTOHEADER = @AUTOHEADER@ ++AUTOMAKE = @AUTOMAKE@ ++AWK = @AWK@ ++BITSIZEOF_PTRDIFF_T = @BITSIZEOF_PTRDIFF_T@ ++BITSIZEOF_SIG_ATOMIC_T = @BITSIZEOF_SIG_ATOMIC_T@ ++BITSIZEOF_SIZE_T = @BITSIZEOF_SIZE_T@ ++BITSIZEOF_WCHAR_T = @BITSIZEOF_WCHAR_T@ ++BITSIZEOF_WINT_T = @BITSIZEOF_WINT_T@ ++CC = @CC@ ++CCDEPMODE = @CCDEPMODE@ ++CFLAGS = @CFLAGS@ ++CONFIG_INCLUDE = @CONFIG_INCLUDE@ ++CPP = @CPP@ ++CPPFLAGS = @CPPFLAGS@ ++CXX = @CXX@ ++CXXCPP = @CXXCPP@ ++CXXDEPMODE = @CXXDEPMODE@ ++CXXFLAGS = @CXXFLAGS@ ++CYGPATH_W = @CYGPATH_W@ ++DEFS = @DEFS@ ++DEPDIR = @DEPDIR@ ++DLLTOOL = @DLLTOOL@ ++DLL_VERSION = @DLL_VERSION@ ++DSYMUTIL = @DSYMUTIL@ ++DUMPBIN = @DUMPBIN@ ++ECHO_C = @ECHO_C@ ++ECHO_N = @ECHO_N@ ++ECHO_T = @ECHO_T@ ++EGREP = @EGREP@ ++EMULTIHOP_HIDDEN = @EMULTIHOP_HIDDEN@ ++EMULTIHOP_VALUE = @EMULTIHOP_VALUE@ ++ENOLINK_HIDDEN = @ENOLINK_HIDDEN@ ++ENOLINK_VALUE = @ENOLINK_VALUE@ ++EOVERFLOW_HIDDEN = @EOVERFLOW_HIDDEN@ ++EOVERFLOW_VALUE = @EOVERFLOW_VALUE@ ++ERRNO_H = @ERRNO_H@ ++EXEEXT = @EXEEXT@ ++FGREP = @FGREP@ ++FLOAT_H = @FLOAT_H@ ++GAA = @GAA@ ++GETADDRINFO_LIB = @GETADDRINFO_LIB@ ++GNULIB_ACCEPT = @GNULIB_ACCEPT@ ++GNULIB_ACCEPT4 = @GNULIB_ACCEPT4@ ++GNULIB_ATOLL = @GNULIB_ATOLL@ ++GNULIB_BIND = @GNULIB_BIND@ ++GNULIB_BTOWC = @GNULIB_BTOWC@ ++GNULIB_CALLOC_POSIX = @GNULIB_CALLOC_POSIX@ ++GNULIB_CANONICALIZE_FILE_NAME = @GNULIB_CANONICALIZE_FILE_NAME@ ++GNULIB_CHOWN = @GNULIB_CHOWN@ ++GNULIB_CLOSE = @GNULIB_CLOSE@ ++GNULIB_CONNECT = @GNULIB_CONNECT@ ++GNULIB_DPRINTF = @GNULIB_DPRINTF@ ++GNULIB_DUP2 = @GNULIB_DUP2@ ++GNULIB_DUP3 = @GNULIB_DUP3@ ++GNULIB_ENVIRON = @GNULIB_ENVIRON@ ++GNULIB_EUIDACCESS = @GNULIB_EUIDACCESS@ ++GNULIB_FACCESSAT = @GNULIB_FACCESSAT@ ++GNULIB_FCHDIR = @GNULIB_FCHDIR@ ++GNULIB_FCHMODAT = @GNULIB_FCHMODAT@ ++GNULIB_FCHOWNAT = @GNULIB_FCHOWNAT@ ++GNULIB_FCLOSE = @GNULIB_FCLOSE@ ++GNULIB_FFLUSH = @GNULIB_FFLUSH@ ++GNULIB_FOPEN = @GNULIB_FOPEN@ ++GNULIB_FPRINTF = @GNULIB_FPRINTF@ ++GNULIB_FPRINTF_POSIX = @GNULIB_FPRINTF_POSIX@ ++GNULIB_FPURGE = @GNULIB_FPURGE@ ++GNULIB_FPUTC = @GNULIB_FPUTC@ ++GNULIB_FPUTS = @GNULIB_FPUTS@ ++GNULIB_FREOPEN = @GNULIB_FREOPEN@ ++GNULIB_FSEEK = @GNULIB_FSEEK@ ++GNULIB_FSEEKO = @GNULIB_FSEEKO@ ++GNULIB_FSTATAT = @GNULIB_FSTATAT@ ++GNULIB_FSYNC = @GNULIB_FSYNC@ ++GNULIB_FTELL = @GNULIB_FTELL@ ++GNULIB_FTELLO = @GNULIB_FTELLO@ ++GNULIB_FTRUNCATE = @GNULIB_FTRUNCATE@ ++GNULIB_FUTIMENS = @GNULIB_FUTIMENS@ ++GNULIB_FWRITE = @GNULIB_FWRITE@ ++GNULIB_GETADDRINFO = @GNULIB_GETADDRINFO@ ++GNULIB_GETCWD = @GNULIB_GETCWD@ ++GNULIB_GETDELIM = @GNULIB_GETDELIM@ ++GNULIB_GETDOMAINNAME = @GNULIB_GETDOMAINNAME@ ++GNULIB_GETDTABLESIZE = @GNULIB_GETDTABLESIZE@ ++GNULIB_GETGROUPS = @GNULIB_GETGROUPS@ ++GNULIB_GETHOSTNAME = @GNULIB_GETHOSTNAME@ ++GNULIB_GETLINE = @GNULIB_GETLINE@ ++GNULIB_GETLOADAVG = @GNULIB_GETLOADAVG@ ++GNULIB_GETLOGIN = @GNULIB_GETLOGIN@ ++GNULIB_GETLOGIN_R = @GNULIB_GETLOGIN_R@ ++GNULIB_GETPAGESIZE = @GNULIB_GETPAGESIZE@ ++GNULIB_GETPEERNAME = @GNULIB_GETPEERNAME@ ++GNULIB_GETSOCKNAME = @GNULIB_GETSOCKNAME@ ++GNULIB_GETSOCKOPT = @GNULIB_GETSOCKOPT@ ++GNULIB_GETSUBOPT = @GNULIB_GETSUBOPT@ ++GNULIB_GETTIMEOFDAY = @GNULIB_GETTIMEOFDAY@ ++GNULIB_GETUSERSHELL = @GNULIB_GETUSERSHELL@ ++GNULIB_GRANTPT = @GNULIB_GRANTPT@ ++GNULIB_INET_NTOP = @GNULIB_INET_NTOP@ ++GNULIB_INET_PTON = @GNULIB_INET_PTON@ ++GNULIB_IOCTL = @GNULIB_IOCTL@ ++GNULIB_LCHMOD = @GNULIB_LCHMOD@ ++GNULIB_LCHOWN = @GNULIB_LCHOWN@ ++GNULIB_LINK = @GNULIB_LINK@ ++GNULIB_LINKAT = @GNULIB_LINKAT@ ++GNULIB_LISTEN = @GNULIB_LISTEN@ ++GNULIB_LSEEK = @GNULIB_LSEEK@ ++GNULIB_LSTAT = @GNULIB_LSTAT@ ++GNULIB_MALLOC_POSIX = @GNULIB_MALLOC_POSIX@ ++GNULIB_MBRLEN = @GNULIB_MBRLEN@ ++GNULIB_MBRTOWC = @GNULIB_MBRTOWC@ ++GNULIB_MBSCASECMP = @GNULIB_MBSCASECMP@ ++GNULIB_MBSCASESTR = @GNULIB_MBSCASESTR@ ++GNULIB_MBSCHR = @GNULIB_MBSCHR@ ++GNULIB_MBSCSPN = @GNULIB_MBSCSPN@ ++GNULIB_MBSINIT = @GNULIB_MBSINIT@ ++GNULIB_MBSLEN = @GNULIB_MBSLEN@ ++GNULIB_MBSNCASECMP = @GNULIB_MBSNCASECMP@ ++GNULIB_MBSNLEN = @GNULIB_MBSNLEN@ ++GNULIB_MBSNRTOWCS = @GNULIB_MBSNRTOWCS@ ++GNULIB_MBSPBRK = @GNULIB_MBSPBRK@ ++GNULIB_MBSPCASECMP = @GNULIB_MBSPCASECMP@ ++GNULIB_MBSRCHR = @GNULIB_MBSRCHR@ ++GNULIB_MBSRTOWCS = @GNULIB_MBSRTOWCS@ ++GNULIB_MBSSEP = @GNULIB_MBSSEP@ ++GNULIB_MBSSPN = @GNULIB_MBSSPN@ ++GNULIB_MBSSTR = @GNULIB_MBSSTR@ ++GNULIB_MBSTOK_R = @GNULIB_MBSTOK_R@ ++GNULIB_MEMCHR = @GNULIB_MEMCHR@ ++GNULIB_MEMMEM = @GNULIB_MEMMEM@ ++GNULIB_MEMPCPY = @GNULIB_MEMPCPY@ ++GNULIB_MEMRCHR = @GNULIB_MEMRCHR@ ++GNULIB_MKDIRAT = @GNULIB_MKDIRAT@ ++GNULIB_MKDTEMP = @GNULIB_MKDTEMP@ ++GNULIB_MKFIFO = @GNULIB_MKFIFO@ ++GNULIB_MKFIFOAT = @GNULIB_MKFIFOAT@ ++GNULIB_MKNOD = @GNULIB_MKNOD@ ++GNULIB_MKNODAT = @GNULIB_MKNODAT@ ++GNULIB_MKOSTEMP = @GNULIB_MKOSTEMP@ ++GNULIB_MKOSTEMPS = @GNULIB_MKOSTEMPS@ ++GNULIB_MKSTEMP = @GNULIB_MKSTEMP@ ++GNULIB_MKSTEMPS = @GNULIB_MKSTEMPS@ ++GNULIB_MKTIME = @GNULIB_MKTIME@ ++GNULIB_NANOSLEEP = @GNULIB_NANOSLEEP@ ++GNULIB_OBSTACK_PRINTF = @GNULIB_OBSTACK_PRINTF@ ++GNULIB_OBSTACK_PRINTF_POSIX = @GNULIB_OBSTACK_PRINTF_POSIX@ ++GNULIB_PERROR = @GNULIB_PERROR@ ++GNULIB_PIPE2 = @GNULIB_PIPE2@ ++GNULIB_POPEN = @GNULIB_POPEN@ ++GNULIB_PREAD = @GNULIB_PREAD@ ++GNULIB_PRINTF = @GNULIB_PRINTF@ ++GNULIB_PRINTF_POSIX = @GNULIB_PRINTF_POSIX@ ++GNULIB_PTSNAME = @GNULIB_PTSNAME@ ++GNULIB_PUTC = @GNULIB_PUTC@ ++GNULIB_PUTCHAR = @GNULIB_PUTCHAR@ ++GNULIB_PUTENV = @GNULIB_PUTENV@ ++GNULIB_PUTS = @GNULIB_PUTS@ ++GNULIB_PWRITE = @GNULIB_PWRITE@ ++GNULIB_RANDOM_R = @GNULIB_RANDOM_R@ ++GNULIB_RAWMEMCHR = @GNULIB_RAWMEMCHR@ ++GNULIB_READLINK = @GNULIB_READLINK@ ++GNULIB_READLINKAT = @GNULIB_READLINKAT@ ++GNULIB_REALLOC_POSIX = @GNULIB_REALLOC_POSIX@ ++GNULIB_REALPATH = @GNULIB_REALPATH@ ++GNULIB_RECV = @GNULIB_RECV@ ++GNULIB_RECVFROM = @GNULIB_RECVFROM@ ++GNULIB_REMOVE = @GNULIB_REMOVE@ ++GNULIB_RENAME = @GNULIB_RENAME@ ++GNULIB_RENAMEAT = @GNULIB_RENAMEAT@ ++GNULIB_RMDIR = @GNULIB_RMDIR@ ++GNULIB_RPMATCH = @GNULIB_RPMATCH@ ++GNULIB_SELECT = @GNULIB_SELECT@ ++GNULIB_SEND = @GNULIB_SEND@ ++GNULIB_SENDTO = @GNULIB_SENDTO@ ++GNULIB_SETENV = @GNULIB_SETENV@ ++GNULIB_SETSOCKOPT = @GNULIB_SETSOCKOPT@ ++GNULIB_SHUTDOWN = @GNULIB_SHUTDOWN@ ++GNULIB_SLEEP = @GNULIB_SLEEP@ ++GNULIB_SNPRINTF = @GNULIB_SNPRINTF@ ++GNULIB_SOCKET = @GNULIB_SOCKET@ ++GNULIB_SPRINTF_POSIX = @GNULIB_SPRINTF_POSIX@ ++GNULIB_STAT = @GNULIB_STAT@ ++GNULIB_STDIO_H_SIGPIPE = @GNULIB_STDIO_H_SIGPIPE@ ++GNULIB_STPCPY = @GNULIB_STPCPY@ ++GNULIB_STPNCPY = @GNULIB_STPNCPY@ ++GNULIB_STRCASESTR = @GNULIB_STRCASESTR@ ++GNULIB_STRCHRNUL = @GNULIB_STRCHRNUL@ ++GNULIB_STRDUP = @GNULIB_STRDUP@ ++GNULIB_STRERROR = @GNULIB_STRERROR@ ++GNULIB_STRNCAT = @GNULIB_STRNCAT@ ++GNULIB_STRNDUP = @GNULIB_STRNDUP@ ++GNULIB_STRNLEN = @GNULIB_STRNLEN@ ++GNULIB_STRPBRK = @GNULIB_STRPBRK@ ++GNULIB_STRPTIME = @GNULIB_STRPTIME@ ++GNULIB_STRSEP = @GNULIB_STRSEP@ ++GNULIB_STRSIGNAL = @GNULIB_STRSIGNAL@ ++GNULIB_STRSTR = @GNULIB_STRSTR@ ++GNULIB_STRTOD = @GNULIB_STRTOD@ ++GNULIB_STRTOK_R = @GNULIB_STRTOK_R@ ++GNULIB_STRTOLL = @GNULIB_STRTOLL@ ++GNULIB_STRTOULL = @GNULIB_STRTOULL@ ++GNULIB_STRVERSCMP = @GNULIB_STRVERSCMP@ ++GNULIB_SYMLINK = @GNULIB_SYMLINK@ ++GNULIB_SYMLINKAT = @GNULIB_SYMLINKAT@ ++GNULIB_TIMEGM = @GNULIB_TIMEGM@ ++GNULIB_TIME_R = @GNULIB_TIME_R@ ++GNULIB_TMPFILE = @GNULIB_TMPFILE@ ++GNULIB_TTYNAME_R = @GNULIB_TTYNAME_R@ ++GNULIB_UNISTD_H_GETOPT = @GNULIB_UNISTD_H_GETOPT@ ++GNULIB_UNISTD_H_SIGPIPE = @GNULIB_UNISTD_H_SIGPIPE@ ++GNULIB_UNLINK = @GNULIB_UNLINK@ ++GNULIB_UNLINKAT = @GNULIB_UNLINKAT@ ++GNULIB_UNLOCKPT = @GNULIB_UNLOCKPT@ ++GNULIB_UNSETENV = @GNULIB_UNSETENV@ ++GNULIB_USLEEP = @GNULIB_USLEEP@ ++GNULIB_UTIMENSAT = @GNULIB_UTIMENSAT@ ++GNULIB_VASPRINTF = @GNULIB_VASPRINTF@ ++GNULIB_VDPRINTF = @GNULIB_VDPRINTF@ ++GNULIB_VFPRINTF = @GNULIB_VFPRINTF@ ++GNULIB_VFPRINTF_POSIX = @GNULIB_VFPRINTF_POSIX@ ++GNULIB_VPRINTF = @GNULIB_VPRINTF@ ++GNULIB_VPRINTF_POSIX = @GNULIB_VPRINTF_POSIX@ ++GNULIB_VSNPRINTF = @GNULIB_VSNPRINTF@ ++GNULIB_VSPRINTF_POSIX = @GNULIB_VSPRINTF_POSIX@ ++GNULIB_WCRTOMB = @GNULIB_WCRTOMB@ ++GNULIB_WCSNRTOMBS = @GNULIB_WCSNRTOMBS@ ++GNULIB_WCSRTOMBS = @GNULIB_WCSRTOMBS@ ++GNULIB_WCTOB = @GNULIB_WCTOB@ ++GNULIB_WCWIDTH = @GNULIB_WCWIDTH@ ++GNULIB_WRITE = @GNULIB_WRITE@ ++GREP = @GREP@ ++GTKDOC_CHECK = @GTKDOC_CHECK@ ++GTKDOC_MKPDF = @GTKDOC_MKPDF@ ++GTKDOC_REBASE = @GTKDOC_REBASE@ ++GUILE = @GUILE@ ++GUILE_CFLAGS = @GUILE_CFLAGS@ ++GUILE_CONFIG = @GUILE_CONFIG@ ++GUILE_LDFLAGS = @GUILE_LDFLAGS@ ++GUILE_SITE = @GUILE_SITE@ ++GUILE_TOOLS = @GUILE_TOOLS@ ++HAVE_ACCEPT4 = @HAVE_ACCEPT4@ ++HAVE_ARPA_INET_H = @HAVE_ARPA_INET_H@ ++HAVE_ATOLL = @HAVE_ATOLL@ ++HAVE_BTOWC = @HAVE_BTOWC@ ++HAVE_CALLOC_POSIX = @HAVE_CALLOC_POSIX@ ++HAVE_CANONICALIZE_FILE_NAME = @HAVE_CANONICALIZE_FILE_NAME@ ++HAVE_CHOWN = @HAVE_CHOWN@ ++HAVE_DECL_ENVIRON = @HAVE_DECL_ENVIRON@ ++HAVE_DECL_FPURGE = @HAVE_DECL_FPURGE@ ++HAVE_DECL_FREEADDRINFO = @HAVE_DECL_FREEADDRINFO@ ++HAVE_DECL_GAI_STRERROR = @HAVE_DECL_GAI_STRERROR@ ++HAVE_DECL_GETADDRINFO = @HAVE_DECL_GETADDRINFO@ ++HAVE_DECL_GETDELIM = @HAVE_DECL_GETDELIM@ ++HAVE_DECL_GETLINE = @HAVE_DECL_GETLINE@ ++HAVE_DECL_GETLOADAVG = @HAVE_DECL_GETLOADAVG@ ++HAVE_DECL_GETLOGIN_R = @HAVE_DECL_GETLOGIN_R@ ++HAVE_DECL_GETNAMEINFO = @HAVE_DECL_GETNAMEINFO@ ++HAVE_DECL_GETPAGESIZE = @HAVE_DECL_GETPAGESIZE@ ++HAVE_DECL_GETUSERSHELL = @HAVE_DECL_GETUSERSHELL@ ++HAVE_DECL_INET_NTOP = @HAVE_DECL_INET_NTOP@ ++HAVE_DECL_INET_PTON = @HAVE_DECL_INET_PTON@ ++HAVE_DECL_MEMMEM = @HAVE_DECL_MEMMEM@ ++HAVE_DECL_MEMRCHR = @HAVE_DECL_MEMRCHR@ ++HAVE_DECL_OBSTACK_PRINTF = @HAVE_DECL_OBSTACK_PRINTF@ ++HAVE_DECL_SNPRINTF = @HAVE_DECL_SNPRINTF@ ++HAVE_DECL_STRDUP = @HAVE_DECL_STRDUP@ ++HAVE_DECL_STRNDUP = @HAVE_DECL_STRNDUP@ ++HAVE_DECL_STRNLEN = @HAVE_DECL_STRNLEN@ ++HAVE_DECL_STRSIGNAL = @HAVE_DECL_STRSIGNAL@ ++HAVE_DECL_STRTOK_R = @HAVE_DECL_STRTOK_R@ ++HAVE_DECL_VSNPRINTF = @HAVE_DECL_VSNPRINTF@ ++HAVE_DECL_WCTOB = @HAVE_DECL_WCTOB@ ++HAVE_DECL_WCWIDTH = @HAVE_DECL_WCWIDTH@ ++HAVE_DPRINTF = @HAVE_DPRINTF@ ++HAVE_DUP2 = @HAVE_DUP2@ ++HAVE_DUP3 = @HAVE_DUP3@ ++HAVE_EUIDACCESS = @HAVE_EUIDACCESS@ ++HAVE_FACCESSAT = @HAVE_FACCESSAT@ ++HAVE_FCHDIR = @HAVE_FCHDIR@ ++HAVE_FCHMODAT = @HAVE_FCHMODAT@ ++HAVE_FCHOWNAT = @HAVE_FCHOWNAT@ ++HAVE_FSEEKO = @HAVE_FSEEKO@ ++HAVE_FSTATAT = @HAVE_FSTATAT@ ++HAVE_FSYNC = @HAVE_FSYNC@ ++HAVE_FTELLO = @HAVE_FTELLO@ ++HAVE_FTRUNCATE = @HAVE_FTRUNCATE@ ++HAVE_FUTIMENS = @HAVE_FUTIMENS@ ++HAVE_GETDOMAINNAME = @HAVE_GETDOMAINNAME@ ++HAVE_GETDTABLESIZE = @HAVE_GETDTABLESIZE@ ++HAVE_GETGROUPS = @HAVE_GETGROUPS@ ++HAVE_GETHOSTNAME = @HAVE_GETHOSTNAME@ ++HAVE_GETLOGIN = @HAVE_GETLOGIN@ ++HAVE_GETPAGESIZE = @HAVE_GETPAGESIZE@ ++HAVE_GETSUBOPT = @HAVE_GETSUBOPT@ ++HAVE_GETTIMEOFDAY = @HAVE_GETTIMEOFDAY@ ++HAVE_GRANTPT = @HAVE_GRANTPT@ ++HAVE_INTTYPES_H = @HAVE_INTTYPES_H@ ++HAVE_LCHMOD = @HAVE_LCHMOD@ ++HAVE_LCHOWN = @HAVE_LCHOWN@ ++HAVE_LIBGCRYPT = @HAVE_LIBGCRYPT@ ++HAVE_LIBTASN1 = @HAVE_LIBTASN1@ ++HAVE_LINK = @HAVE_LINK@ ++HAVE_LINKAT = @HAVE_LINKAT@ ++HAVE_LOCALTIME_R = @HAVE_LOCALTIME_R@ ++HAVE_LONG_LONG_INT = @HAVE_LONG_LONG_INT@ ++HAVE_LSTAT = @HAVE_LSTAT@ ++HAVE_MALLOC_POSIX = @HAVE_MALLOC_POSIX@ ++HAVE_MBRLEN = @HAVE_MBRLEN@ ++HAVE_MBRTOWC = @HAVE_MBRTOWC@ ++HAVE_MBSINIT = @HAVE_MBSINIT@ ++HAVE_MBSLEN = @HAVE_MBSLEN@ ++HAVE_MBSNRTOWCS = @HAVE_MBSNRTOWCS@ ++HAVE_MBSRTOWCS = @HAVE_MBSRTOWCS@ ++HAVE_MEMCHR = @HAVE_MEMCHR@ ++HAVE_MEMPCPY = @HAVE_MEMPCPY@ ++HAVE_MKDIRAT = @HAVE_MKDIRAT@ ++HAVE_MKDTEMP = @HAVE_MKDTEMP@ ++HAVE_MKFIFO = @HAVE_MKFIFO@ ++HAVE_MKFIFOAT = @HAVE_MKFIFOAT@ ++HAVE_MKNOD = @HAVE_MKNOD@ ++HAVE_MKNODAT = @HAVE_MKNODAT@ ++HAVE_MKOSTEMP = @HAVE_MKOSTEMP@ ++HAVE_MKOSTEMPS = @HAVE_MKOSTEMPS@ ++HAVE_MKSTEMP = @HAVE_MKSTEMP@ ++HAVE_MKSTEMPS = @HAVE_MKSTEMPS@ ++HAVE_NANOSLEEP = @HAVE_NANOSLEEP@ ++HAVE_NETDB_H = @HAVE_NETDB_H@ ++HAVE_NETINET_IN_H = @HAVE_NETINET_IN_H@ ++HAVE_OS_H = @HAVE_OS_H@ ++HAVE_PIPE2 = @HAVE_PIPE2@ ++HAVE_PREAD = @HAVE_PREAD@ ++HAVE_PTSNAME = @HAVE_PTSNAME@ ++HAVE_PWRITE = @HAVE_PWRITE@ ++HAVE_RANDOM_H = @HAVE_RANDOM_H@ ++HAVE_RANDOM_R = @HAVE_RANDOM_R@ ++HAVE_RAWMEMCHR = @HAVE_RAWMEMCHR@ ++HAVE_READLINK = @HAVE_READLINK@ ++HAVE_READLINKAT = @HAVE_READLINKAT@ ++HAVE_REALLOC_POSIX = @HAVE_REALLOC_POSIX@ ++HAVE_REALPATH = @HAVE_REALPATH@ ++HAVE_RENAMEAT = @HAVE_RENAMEAT@ ++HAVE_RPMATCH = @HAVE_RPMATCH@ ++HAVE_SA_FAMILY_T = @HAVE_SA_FAMILY_T@ ++HAVE_SETENV = @HAVE_SETENV@ ++HAVE_SIGNED_SIG_ATOMIC_T = @HAVE_SIGNED_SIG_ATOMIC_T@ ++HAVE_SIGNED_WCHAR_T = @HAVE_SIGNED_WCHAR_T@ ++HAVE_SIGNED_WINT_T = @HAVE_SIGNED_WINT_T@ ++HAVE_SLEEP = @HAVE_SLEEP@ ++HAVE_STDINT_H = @HAVE_STDINT_H@ ++HAVE_STPCPY = @HAVE_STPCPY@ ++HAVE_STPNCPY = @HAVE_STPNCPY@ ++HAVE_STRCASESTR = @HAVE_STRCASESTR@ ++HAVE_STRCHRNUL = @HAVE_STRCHRNUL@ ++HAVE_STRPBRK = @HAVE_STRPBRK@ ++HAVE_STRPTIME = @HAVE_STRPTIME@ ++HAVE_STRSEP = @HAVE_STRSEP@ ++HAVE_STRTOD = @HAVE_STRTOD@ ++HAVE_STRTOLL = @HAVE_STRTOLL@ ++HAVE_STRTOULL = @HAVE_STRTOULL@ ++HAVE_STRUCT_ADDRINFO = @HAVE_STRUCT_ADDRINFO@ ++HAVE_STRUCT_RANDOM_DATA = @HAVE_STRUCT_RANDOM_DATA@ ++HAVE_STRUCT_SOCKADDR_STORAGE = @HAVE_STRUCT_SOCKADDR_STORAGE@ ++HAVE_STRUCT_TIMEVAL = @HAVE_STRUCT_TIMEVAL@ ++HAVE_STRVERSCMP = @HAVE_STRVERSCMP@ ++HAVE_SYMLINK = @HAVE_SYMLINK@ ++HAVE_SYMLINKAT = @HAVE_SYMLINKAT@ ++HAVE_SYS_BITYPES_H = @HAVE_SYS_BITYPES_H@ ++HAVE_SYS_INTTYPES_H = @HAVE_SYS_INTTYPES_H@ ++HAVE_SYS_IOCTL_H = @HAVE_SYS_IOCTL_H@ ++HAVE_SYS_LOADAVG_H = @HAVE_SYS_LOADAVG_H@ ++HAVE_SYS_PARAM_H = @HAVE_SYS_PARAM_H@ ++HAVE_SYS_SELECT_H = @HAVE_SYS_SELECT_H@ ++HAVE_SYS_SOCKET_H = @HAVE_SYS_SOCKET_H@ ++HAVE_SYS_TIME_H = @HAVE_SYS_TIME_H@ ++HAVE_SYS_TYPES_H = @HAVE_SYS_TYPES_H@ ++HAVE_TIMEGM = @HAVE_TIMEGM@ ++HAVE_TTYNAME_R = @HAVE_TTYNAME_R@ ++HAVE_UNISTD_H = @HAVE_UNISTD_H@ ++HAVE_UNLINKAT = @HAVE_UNLINKAT@ ++HAVE_UNLOCKPT = @HAVE_UNLOCKPT@ ++HAVE_UNSETENV = @HAVE_UNSETENV@ ++HAVE_UNSIGNED_LONG_LONG_INT = @HAVE_UNSIGNED_LONG_LONG_INT@ ++HAVE_USLEEP = @HAVE_USLEEP@ ++HAVE_UTIMENSAT = @HAVE_UTIMENSAT@ ++HAVE_VASPRINTF = @HAVE_VASPRINTF@ ++HAVE_VDPRINTF = @HAVE_VDPRINTF@ ++HAVE_WCHAR_H = @HAVE_WCHAR_H@ ++HAVE_WCHAR_T = @HAVE_WCHAR_T@ ++HAVE_WCRTOMB = @HAVE_WCRTOMB@ ++HAVE_WCSNRTOMBS = @HAVE_WCSNRTOMBS@ ++HAVE_WCSRTOMBS = @HAVE_WCSRTOMBS@ ++HAVE_WINSOCK2_H = @HAVE_WINSOCK2_H@ ++HAVE_WINT_T = @HAVE_WINT_T@ ++HAVE_WS2TCPIP_H = @HAVE_WS2TCPIP_H@ ++HAVE__BOOL = @HAVE__BOOL@ ++HOSTENT_LIB = @HOSTENT_LIB@ ++HTML_DIR = @HTML_DIR@ ++INCLUDE_NEXT = @INCLUDE_NEXT@ ++INCLUDE_NEXT_AS_FIRST_DIRECTIVE = @INCLUDE_NEXT_AS_FIRST_DIRECTIVE@ ++INET_NTOP_LIB = @INET_NTOP_LIB@ ++INET_PTON_LIB = @INET_PTON_LIB@ ++INSTALL = @INSTALL@ ++INSTALL_DATA = @INSTALL_DATA@ ++INSTALL_PROGRAM = @INSTALL_PROGRAM@ ++INSTALL_SCRIPT = @INSTALL_SCRIPT@ ++INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ ++LD = @LD@ ++LDFLAGS = @LDFLAGS@ ++LIBGCRYPT = @LIBGCRYPT@ ++LIBGCRYPT_PREFIX = @LIBGCRYPT_PREFIX@ ++LIBINTL = @LIBINTL@ ++LIBOBJS = @LIBOBJS@ ++LIBREADLINE = @LIBREADLINE@ ++LIBS = @LIBS@ ++LIBSOCKET = @LIBSOCKET@ ++LIBTASN1 = @LIBTASN1@ ++LIBTASN1_PREFIX = @LIBTASN1_PREFIX@ ++LIBTESTS_LIBDEPS = @LIBTESTS_LIBDEPS@ ++LIBTOOL = @LIBTOOL@ ++LIB_CLOCK_GETTIME = @LIB_CLOCK_GETTIME@ ++LIPO = @LIPO@ ++LN_S = @LN_S@ ++LTALLOCA = @LTALLOCA@ ++LTLIBGCRYPT = @LTLIBGCRYPT@ ++LTLIBINTL = @LTLIBINTL@ ++LTLIBOBJS = @LTLIBOBJS@ ++LTLIBREADLINE = @LTLIBREADLINE@ ++LTLIBTASN1 = @LTLIBTASN1@ ++LT_AGE = @LT_AGE@ ++LT_CURRENT = @LT_CURRENT@ ++LT_REVISION = @LT_REVISION@ ++LZO_LIBS = @LZO_LIBS@ ++MAKEINFO = @MAKEINFO@ ++MKDIR_P = @MKDIR_P@ ++NETINET_IN_H = @NETINET_IN_H@ ++NEXT_ARPA_INET_H = @NEXT_ARPA_INET_H@ ++NEXT_AS_FIRST_DIRECTIVE_ARPA_INET_H = @NEXT_AS_FIRST_DIRECTIVE_ARPA_INET_H@ ++NEXT_AS_FIRST_DIRECTIVE_ERRNO_H = @NEXT_AS_FIRST_DIRECTIVE_ERRNO_H@ ++NEXT_AS_FIRST_DIRECTIVE_FLOAT_H = @NEXT_AS_FIRST_DIRECTIVE_FLOAT_H@ ++NEXT_AS_FIRST_DIRECTIVE_NETDB_H = @NEXT_AS_FIRST_DIRECTIVE_NETDB_H@ ++NEXT_AS_FIRST_DIRECTIVE_NETINET_IN_H = @NEXT_AS_FIRST_DIRECTIVE_NETINET_IN_H@ ++NEXT_AS_FIRST_DIRECTIVE_STDARG_H = @NEXT_AS_FIRST_DIRECTIVE_STDARG_H@ ++NEXT_AS_FIRST_DIRECTIVE_STDDEF_H = @NEXT_AS_FIRST_DIRECTIVE_STDDEF_H@ ++NEXT_AS_FIRST_DIRECTIVE_STDINT_H = @NEXT_AS_FIRST_DIRECTIVE_STDINT_H@ ++NEXT_AS_FIRST_DIRECTIVE_STDIO_H = @NEXT_AS_FIRST_DIRECTIVE_STDIO_H@ ++NEXT_AS_FIRST_DIRECTIVE_STDLIB_H = @NEXT_AS_FIRST_DIRECTIVE_STDLIB_H@ ++NEXT_AS_FIRST_DIRECTIVE_STRING_H = @NEXT_AS_FIRST_DIRECTIVE_STRING_H@ ++NEXT_AS_FIRST_DIRECTIVE_SYS_IOCTL_H = @NEXT_AS_FIRST_DIRECTIVE_SYS_IOCTL_H@ ++NEXT_AS_FIRST_DIRECTIVE_SYS_SELECT_H = @NEXT_AS_FIRST_DIRECTIVE_SYS_SELECT_H@ ++NEXT_AS_FIRST_DIRECTIVE_SYS_SOCKET_H = @NEXT_AS_FIRST_DIRECTIVE_SYS_SOCKET_H@ ++NEXT_AS_FIRST_DIRECTIVE_SYS_STAT_H = @NEXT_AS_FIRST_DIRECTIVE_SYS_STAT_H@ ++NEXT_AS_FIRST_DIRECTIVE_SYS_TIME_H = @NEXT_AS_FIRST_DIRECTIVE_SYS_TIME_H@ ++NEXT_AS_FIRST_DIRECTIVE_TIME_H = @NEXT_AS_FIRST_DIRECTIVE_TIME_H@ ++NEXT_AS_FIRST_DIRECTIVE_UNISTD_H = @NEXT_AS_FIRST_DIRECTIVE_UNISTD_H@ ++NEXT_AS_FIRST_DIRECTIVE_WCHAR_H = @NEXT_AS_FIRST_DIRECTIVE_WCHAR_H@ ++NEXT_ERRNO_H = @NEXT_ERRNO_H@ ++NEXT_FLOAT_H = @NEXT_FLOAT_H@ ++NEXT_NETDB_H = @NEXT_NETDB_H@ ++NEXT_NETINET_IN_H = @NEXT_NETINET_IN_H@ ++NEXT_STDARG_H = @NEXT_STDARG_H@ ++NEXT_STDDEF_H = @NEXT_STDDEF_H@ ++NEXT_STDINT_H = @NEXT_STDINT_H@ ++NEXT_STDIO_H = @NEXT_STDIO_H@ ++NEXT_STDLIB_H = @NEXT_STDLIB_H@ ++NEXT_STRING_H = @NEXT_STRING_H@ ++NEXT_SYS_IOCTL_H = @NEXT_SYS_IOCTL_H@ ++NEXT_SYS_SELECT_H = @NEXT_SYS_SELECT_H@ ++NEXT_SYS_SOCKET_H = @NEXT_SYS_SOCKET_H@ ++NEXT_SYS_STAT_H = @NEXT_SYS_STAT_H@ ++NEXT_SYS_TIME_H = @NEXT_SYS_TIME_H@ ++NEXT_TIME_H = @NEXT_TIME_H@ ++NEXT_UNISTD_H = @NEXT_UNISTD_H@ ++NEXT_WCHAR_H = @NEXT_WCHAR_H@ ++NM = @NM@ ++NMEDIT = @NMEDIT@ ++OBJDUMP = @OBJDUMP@ ++OBJEXT = @OBJEXT@ ++OTOOL = @OTOOL@ ++OTOOL64 = @OTOOL64@ ++PACKAGE = @PACKAGE@ ++PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ ++PACKAGE_NAME = @PACKAGE_NAME@ ++PACKAGE_STRING = @PACKAGE_STRING@ ++PACKAGE_TARNAME = @PACKAGE_TARNAME@ ++PACKAGE_URL = @PACKAGE_URL@ ++PACKAGE_VERSION = @PACKAGE_VERSION@ ++PATH_SEPARATOR = @PATH_SEPARATOR@ ++PKG_CONFIG = @PKG_CONFIG@ ++PMCCABE = @PMCCABE@ ++PRAGMA_SYSTEM_HEADER = @PRAGMA_SYSTEM_HEADER@ ++PTHREAD_H_DEFINES_STRUCT_TIMESPEC = @PTHREAD_H_DEFINES_STRUCT_TIMESPEC@ ++PTRDIFF_T_SUFFIX = @PTRDIFF_T_SUFFIX@ ++RANLIB = @RANLIB@ ++REPLACE_BTOWC = @REPLACE_BTOWC@ ++REPLACE_CANONICALIZE_FILE_NAME = @REPLACE_CANONICALIZE_FILE_NAME@ ++REPLACE_CHOWN = @REPLACE_CHOWN@ ++REPLACE_CLOSE = @REPLACE_CLOSE@ ++REPLACE_DPRINTF = @REPLACE_DPRINTF@ ++REPLACE_DUP = @REPLACE_DUP@ ++REPLACE_DUP2 = @REPLACE_DUP2@ ++REPLACE_FCHOWNAT = @REPLACE_FCHOWNAT@ ++REPLACE_FCLOSE = @REPLACE_FCLOSE@ ++REPLACE_FFLUSH = @REPLACE_FFLUSH@ ++REPLACE_FOPEN = @REPLACE_FOPEN@ ++REPLACE_FPRINTF = @REPLACE_FPRINTF@ ++REPLACE_FPURGE = @REPLACE_FPURGE@ ++REPLACE_FREOPEN = @REPLACE_FREOPEN@ ++REPLACE_FSEEK = @REPLACE_FSEEK@ ++REPLACE_FSEEKO = @REPLACE_FSEEKO@ ++REPLACE_FSTAT = @REPLACE_FSTAT@ ++REPLACE_FSTATAT = @REPLACE_FSTATAT@ ++REPLACE_FTELL = @REPLACE_FTELL@ ++REPLACE_FTELLO = @REPLACE_FTELLO@ ++REPLACE_FUTIMENS = @REPLACE_FUTIMENS@ ++REPLACE_GETCWD = @REPLACE_GETCWD@ ++REPLACE_GETDELIM = @REPLACE_GETDELIM@ ++REPLACE_GETGROUPS = @REPLACE_GETGROUPS@ ++REPLACE_GETLINE = @REPLACE_GETLINE@ ++REPLACE_GETPAGESIZE = @REPLACE_GETPAGESIZE@ ++REPLACE_GETTIMEOFDAY = @REPLACE_GETTIMEOFDAY@ ++REPLACE_IOCTL = @REPLACE_IOCTL@ ++REPLACE_LCHOWN = @REPLACE_LCHOWN@ ++REPLACE_LINK = @REPLACE_LINK@ ++REPLACE_LINKAT = @REPLACE_LINKAT@ ++REPLACE_LOCALTIME_R = @REPLACE_LOCALTIME_R@ ++REPLACE_LSEEK = @REPLACE_LSEEK@ ++REPLACE_LSTAT = @REPLACE_LSTAT@ ++REPLACE_MBRLEN = @REPLACE_MBRLEN@ ++REPLACE_MBRTOWC = @REPLACE_MBRTOWC@ ++REPLACE_MBSINIT = @REPLACE_MBSINIT@ ++REPLACE_MBSNRTOWCS = @REPLACE_MBSNRTOWCS@ ++REPLACE_MBSRTOWCS = @REPLACE_MBSRTOWCS@ ++REPLACE_MBSTATE_T = @REPLACE_MBSTATE_T@ ++REPLACE_MEMCHR = @REPLACE_MEMCHR@ ++REPLACE_MEMMEM = @REPLACE_MEMMEM@ ++REPLACE_MKDIR = @REPLACE_MKDIR@ ++REPLACE_MKFIFO = @REPLACE_MKFIFO@ ++REPLACE_MKNOD = @REPLACE_MKNOD@ ++REPLACE_MKSTEMP = @REPLACE_MKSTEMP@ ++REPLACE_MKTIME = @REPLACE_MKTIME@ ++REPLACE_NANOSLEEP = @REPLACE_NANOSLEEP@ ++REPLACE_NULL = @REPLACE_NULL@ ++REPLACE_OBSTACK_PRINTF = @REPLACE_OBSTACK_PRINTF@ ++REPLACE_PERROR = @REPLACE_PERROR@ ++REPLACE_POPEN = @REPLACE_POPEN@ ++REPLACE_PREAD = @REPLACE_PREAD@ ++REPLACE_PRINTF = @REPLACE_PRINTF@ ++REPLACE_PUTENV = @REPLACE_PUTENV@ ++REPLACE_PWRITE = @REPLACE_PWRITE@ ++REPLACE_READLINK = @REPLACE_READLINK@ ++REPLACE_REALPATH = @REPLACE_REALPATH@ ++REPLACE_REMOVE = @REPLACE_REMOVE@ ++REPLACE_RENAME = @REPLACE_RENAME@ ++REPLACE_RENAMEAT = @REPLACE_RENAMEAT@ ++REPLACE_RMDIR = @REPLACE_RMDIR@ ++REPLACE_SELECT = @REPLACE_SELECT@ ++REPLACE_SETENV = @REPLACE_SETENV@ ++REPLACE_SLEEP = @REPLACE_SLEEP@ ++REPLACE_SNPRINTF = @REPLACE_SNPRINTF@ ++REPLACE_SPRINTF = @REPLACE_SPRINTF@ ++REPLACE_STAT = @REPLACE_STAT@ ++REPLACE_STDIO_WRITE_FUNCS = @REPLACE_STDIO_WRITE_FUNCS@ ++REPLACE_STPNCPY = @REPLACE_STPNCPY@ ++REPLACE_STRCASESTR = @REPLACE_STRCASESTR@ ++REPLACE_STRDUP = @REPLACE_STRDUP@ ++REPLACE_STRERROR = @REPLACE_STRERROR@ ++REPLACE_STRNCAT = @REPLACE_STRNCAT@ ++REPLACE_STRNDUP = @REPLACE_STRNDUP@ ++REPLACE_STRNLEN = @REPLACE_STRNLEN@ ++REPLACE_STRSIGNAL = @REPLACE_STRSIGNAL@ ++REPLACE_STRSTR = @REPLACE_STRSTR@ ++REPLACE_STRTOD = @REPLACE_STRTOD@ ++REPLACE_STRTOK_R = @REPLACE_STRTOK_R@ ++REPLACE_SYMLINK = @REPLACE_SYMLINK@ ++REPLACE_TIMEGM = @REPLACE_TIMEGM@ ++REPLACE_TMPFILE = @REPLACE_TMPFILE@ ++REPLACE_TTYNAME_R = @REPLACE_TTYNAME_R@ ++REPLACE_UNLINK = @REPLACE_UNLINK@ ++REPLACE_UNLINKAT = @REPLACE_UNLINKAT@ ++REPLACE_UNSETENV = @REPLACE_UNSETENV@ ++REPLACE_USLEEP = @REPLACE_USLEEP@ ++REPLACE_UTIMENSAT = @REPLACE_UTIMENSAT@ ++REPLACE_VASPRINTF = @REPLACE_VASPRINTF@ ++REPLACE_VDPRINTF = @REPLACE_VDPRINTF@ ++REPLACE_VFPRINTF = @REPLACE_VFPRINTF@ ++REPLACE_VPRINTF = @REPLACE_VPRINTF@ ++REPLACE_VSNPRINTF = @REPLACE_VSNPRINTF@ ++REPLACE_VSPRINTF = @REPLACE_VSPRINTF@ ++REPLACE_WCRTOMB = @REPLACE_WCRTOMB@ ++REPLACE_WCSNRTOMBS = @REPLACE_WCSNRTOMBS@ ++REPLACE_WCSRTOMBS = @REPLACE_WCSRTOMBS@ ++REPLACE_WCTOB = @REPLACE_WCTOB@ ++REPLACE_WCWIDTH = @REPLACE_WCWIDTH@ ++REPLACE_WRITE = @REPLACE_WRITE@ ++SED = @SED@ ++SERVENT_LIB = @SERVENT_LIB@ ++SET_MAKE = @SET_MAKE@ ++SHELL = @SHELL@ ++SIG_ATOMIC_T_SUFFIX = @SIG_ATOMIC_T_SUFFIX@ ++SIZE_T_SUFFIX = @SIZE_T_SUFFIX@ ++STDARG_H = @STDARG_H@ ++STDBOOL_H = @STDBOOL_H@ ++STDDEF_H = @STDDEF_H@ ++STDINT_H = @STDINT_H@ ++STRIP = @STRIP@ ++SYS_IOCTL_H_HAVE_WINSOCK2_H = @SYS_IOCTL_H_HAVE_WINSOCK2_H@ ++SYS_IOCTL_H_HAVE_WINSOCK2_H_AND_USE_SOCKETS = @SYS_IOCTL_H_HAVE_WINSOCK2_H_AND_USE_SOCKETS@ ++SYS_TIME_H_DEFINES_STRUCT_TIMESPEC = @SYS_TIME_H_DEFINES_STRUCT_TIMESPEC@ ++TIME_H_DEFINES_STRUCT_TIMESPEC = @TIME_H_DEFINES_STRUCT_TIMESPEC@ ++UNDEFINE_STRTOK_R = @UNDEFINE_STRTOK_R@ ++UNISTD_H_HAVE_WINSOCK2_H = @UNISTD_H_HAVE_WINSOCK2_H@ ++UNISTD_H_HAVE_WINSOCK2_H_AND_USE_SOCKETS = @UNISTD_H_HAVE_WINSOCK2_H_AND_USE_SOCKETS@ ++VALGRIND = @VALGRIND@ ++VERSION = @VERSION@ ++WARN_CFLAGS = @WARN_CFLAGS@ ++WCHAR_T_SUFFIX = @WCHAR_T_SUFFIX@ ++WERROR_CFLAGS = @WERROR_CFLAGS@ ++WINT_T_SUFFIX = @WINT_T_SUFFIX@ ++WSTACK_CFLAGS = @WSTACK_CFLAGS@ ++abs_aux_dir = @abs_aux_dir@ ++abs_builddir = @abs_builddir@ ++abs_srcdir = @abs_srcdir@ ++abs_top_builddir = @abs_top_builddir@ ++abs_top_srcdir = @abs_top_srcdir@ ++ac_ct_CC = @ac_ct_CC@ ++ac_ct_CXX = @ac_ct_CXX@ ++ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ ++am__include = @am__include@ ++am__leading_dot = @am__leading_dot@ ++am__quote = @am__quote@ ++am__tar = @am__tar@ ++am__untar = @am__untar@ ++bindir = @bindir@ ++build = @build@ ++build_alias = @build_alias@ ++build_cpu = @build_cpu@ ++build_os = @build_os@ ++build_vendor = @build_vendor@ ++builddir = @builddir@ ++datadir = @datadir@ ++datarootdir = @datarootdir@ ++docdir = @docdir@ ++dvidir = @dvidir@ ++exec_prefix = @exec_prefix@ ++gl_LIBOBJS = @gl_LIBOBJS@ ++gl_LTLIBOBJS = @gl_LTLIBOBJS@ ++gltests_LIBOBJS = @gltests_LIBOBJS@ ++gltests_LTLIBOBJS = @gltests_LTLIBOBJS@ ++gltests_WITNESS = @gltests_WITNESS@ ++guile_snarf = @guile_snarf@ ++host = @host@ ++host_alias = @host_alias@ ++host_cpu = @host_cpu@ ++host_os = @host_os@ ++host_vendor = @host_vendor@ ++htmldir = @htmldir@ ++includedir = @includedir@ ++infodir = @infodir@ ++install_sh = @install_sh@ ++libdir = @libdir@ ++libexecdir = @libexecdir@ ++localedir = @localedir@ ++localstatedir = @localstatedir@ ++mandir = @mandir@ ++mkdir_p = @mkdir_p@ ++oldincludedir = @oldincludedir@ ++pdfdir = @pdfdir@ ++prefix = @prefix@ ++program_transform_name = @program_transform_name@ ++psdir = @psdir@ ++sbindir = @sbindir@ ++sharedstatedir = @sharedstatedir@ ++srcdir = @srcdir@ ++subdirs = @subdirs@ ++sysconfdir = @sysconfdir@ ++target_alias = @target_alias@ ++top_build_prefix = @top_build_prefix@ ++top_builddir = @top_builddir@ ++top_srcdir = @top_srcdir@ ++AM_CFLAGS = $(WARN_CFLAGS) $(WERROR_CFLAGS) ++AM_CPPFLAGS = \ ++ -I$(top_srcdir)/lib/includes \ ++ -I$(top_builddir)/lib/includes ++ ++AM_LDFLAGS = -no-install ++LDADD = ../../lib/libgnutls.la $(LTLIBGCRYPT) $(LIBSOCKET) ++ctests = srn0 srn1 srn2 srn3 srn4 srn5 srn6 srn7 ++TESTS_ENVIRONMENT = $(VALGRIND) ++EXTRA_DIST = README params.dh ++dist_check_SCRIPTS = testsrn ++all: all-am ++ ++.SUFFIXES: ++.SUFFIXES: .c .lo .o .obj ++$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) ++ @for dep in $?; do \ ++ case '$(am__configure_deps)' in \ ++ *$$dep*) \ ++ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ ++ && { if test -f $@; then exit 0; else break; fi; }; \ ++ exit 1;; \ ++ esac; \ ++ done; \ ++ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu tests/safe-renegotiation/Makefile'; \ ++ $(am__cd) $(top_srcdir) && \ ++ $(AUTOMAKE) --gnu tests/safe-renegotiation/Makefile ++.PRECIOUS: Makefile ++Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status ++ @case '$?' in \ ++ *config.status*) \ ++ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ ++ *) \ ++ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ ++ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ ++ esac; ++ ++$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) ++ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ++ ++$(top_srcdir)/configure: $(am__configure_deps) ++ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ++$(ACLOCAL_M4): $(am__aclocal_m4_deps) ++ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ++$(am__aclocal_m4_deps): ++ ++clean-checkPROGRAMS: ++ @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ ++ echo " rm -f" $$list; \ ++ rm -f $$list || exit $$?; \ ++ test -n "$(EXEEXT)" || exit 0; \ ++ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ ++ echo " rm -f" $$list; \ ++ rm -f $$list ++srn0$(EXEEXT): $(srn0_OBJECTS) $(srn0_DEPENDENCIES) ++ @rm -f srn0$(EXEEXT) ++ $(LINK) $(srn0_OBJECTS) $(srn0_LDADD) $(LIBS) ++srn1$(EXEEXT): $(srn1_OBJECTS) $(srn1_DEPENDENCIES) ++ @rm -f srn1$(EXEEXT) ++ $(LINK) $(srn1_OBJECTS) $(srn1_LDADD) $(LIBS) ++srn2$(EXEEXT): $(srn2_OBJECTS) $(srn2_DEPENDENCIES) ++ @rm -f srn2$(EXEEXT) ++ $(LINK) $(srn2_OBJECTS) $(srn2_LDADD) $(LIBS) ++srn3$(EXEEXT): $(srn3_OBJECTS) $(srn3_DEPENDENCIES) ++ @rm -f srn3$(EXEEXT) ++ $(LINK) $(srn3_OBJECTS) $(srn3_LDADD) $(LIBS) ++srn4$(EXEEXT): $(srn4_OBJECTS) $(srn4_DEPENDENCIES) ++ @rm -f srn4$(EXEEXT) ++ $(LINK) $(srn4_OBJECTS) $(srn4_LDADD) $(LIBS) ++srn5$(EXEEXT): $(srn5_OBJECTS) $(srn5_DEPENDENCIES) ++ @rm -f srn5$(EXEEXT) ++ $(LINK) $(srn5_OBJECTS) $(srn5_LDADD) $(LIBS) ++srn6$(EXEEXT): $(srn6_OBJECTS) $(srn6_DEPENDENCIES) ++ @rm -f srn6$(EXEEXT) ++ $(LINK) $(srn6_OBJECTS) $(srn6_LDADD) $(LIBS) ++srn7$(EXEEXT): $(srn7_OBJECTS) $(srn7_DEPENDENCIES) ++ @rm -f srn7$(EXEEXT) ++ $(LINK) $(srn7_OBJECTS) $(srn7_LDADD) $(LIBS) ++ ++mostlyclean-compile: ++ -rm -f *.$(OBJEXT) ++ ++distclean-compile: ++ -rm -f *.tab.c ++ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/srn0.Po@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/srn1.Po@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/srn2.Po@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/srn3.Po@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/srn4.Po@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/srn5.Po@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/srn6.Po@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/srn7.Po@am__quote@ ++ ++.c.o: ++@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< ++@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(COMPILE) -c $< ++ ++.c.obj: ++@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` ++@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` ++ ++.c.lo: ++@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< ++@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< ++ ++mostlyclean-libtool: ++ -rm -f *.lo ++ ++clean-libtool: ++ -rm -rf .libs _libs ++ ++ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) ++ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ ++ unique=`for i in $$list; do \ ++ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ ++ done | \ ++ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ ++ END { if (nonempty) { for (i in files) print i; }; }'`; \ ++ mkid -fID $$unique ++tags: TAGS ++ ++TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ ++ $(TAGS_FILES) $(LISP) ++ set x; \ ++ here=`pwd`; \ ++ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ ++ unique=`for i in $$list; do \ ++ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ ++ done | \ ++ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ ++ END { if (nonempty) { for (i in files) print i; }; }'`; \ ++ shift; \ ++ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ ++ test -n "$$unique" || unique=$$empty_fix; \ ++ if test $$# -gt 0; then \ ++ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ ++ "$$@" $$unique; \ ++ else \ ++ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ ++ $$unique; \ ++ fi; \ ++ fi ++ctags: CTAGS ++CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ ++ $(TAGS_FILES) $(LISP) ++ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ ++ unique=`for i in $$list; do \ ++ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ ++ done | \ ++ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ ++ END { if (nonempty) { for (i in files) print i; }; }'`; \ ++ test -z "$(CTAGS_ARGS)$$unique" \ ++ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ ++ $$unique ++ ++GTAGS: ++ here=`$(am__cd) $(top_builddir) && pwd` \ ++ && $(am__cd) $(top_srcdir) \ ++ && gtags -i $(GTAGS_ARGS) "$$here" ++ ++distclean-tags: ++ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags ++ ++check-TESTS: $(TESTS) ++ @failed=0; all=0; xfail=0; xpass=0; skip=0; \ ++ srcdir=$(srcdir); export srcdir; \ ++ list=' $(TESTS) '; \ ++ $(am__tty_colors); \ ++ if test -n "$$list"; then \ ++ for tst in $$list; do \ ++ if test -f ./$$tst; then dir=./; \ ++ elif test -f $$tst; then dir=; \ ++ else dir="$(srcdir)/"; fi; \ ++ if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ ++ all=`expr $$all + 1`; \ ++ case " $(XFAIL_TESTS) " in \ ++ *[\ \ ]$$tst[\ \ ]*) \ ++ xpass=`expr $$xpass + 1`; \ ++ failed=`expr $$failed + 1`; \ ++ col=$$red; res=XPASS; \ ++ ;; \ ++ *) \ ++ col=$$grn; res=PASS; \ ++ ;; \ ++ esac; \ ++ elif test $$? -ne 77; then \ ++ all=`expr $$all + 1`; \ ++ case " $(XFAIL_TESTS) " in \ ++ *[\ \ ]$$tst[\ \ ]*) \ ++ xfail=`expr $$xfail + 1`; \ ++ col=$$lgn; res=XFAIL; \ ++ ;; \ ++ *) \ ++ failed=`expr $$failed + 1`; \ ++ col=$$red; res=FAIL; \ ++ ;; \ ++ esac; \ ++ else \ ++ skip=`expr $$skip + 1`; \ ++ col=$$blu; res=SKIP; \ ++ fi; \ ++ echo "$${col}$$res$${std}: $$tst"; \ ++ done; \ ++ if test "$$all" -eq 1; then \ ++ tests="test"; \ ++ All=""; \ ++ else \ ++ tests="tests"; \ ++ All="All "; \ ++ fi; \ ++ if test "$$failed" -eq 0; then \ ++ if test "$$xfail" -eq 0; then \ ++ banner="$$All$$all $$tests passed"; \ ++ else \ ++ if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \ ++ banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \ ++ fi; \ ++ else \ ++ if test "$$xpass" -eq 0; then \ ++ banner="$$failed of $$all $$tests failed"; \ ++ else \ ++ if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \ ++ banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \ ++ fi; \ ++ fi; \ ++ dashes="$$banner"; \ ++ skipped=""; \ ++ if test "$$skip" -ne 0; then \ ++ if test "$$skip" -eq 1; then \ ++ skipped="($$skip test was not run)"; \ ++ else \ ++ skipped="($$skip tests were not run)"; \ ++ fi; \ ++ test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ ++ dashes="$$skipped"; \ ++ fi; \ ++ report=""; \ ++ if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ ++ report="Please report to $(PACKAGE_BUGREPORT)"; \ ++ test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ ++ dashes="$$report"; \ ++ fi; \ ++ dashes=`echo "$$dashes" | sed s/./=/g`; \ ++ if test "$$failed" -eq 0; then \ ++ echo "$$grn$$dashes"; \ ++ else \ ++ echo "$$red$$dashes"; \ ++ fi; \ ++ echo "$$banner"; \ ++ test -z "$$skipped" || echo "$$skipped"; \ ++ test -z "$$report" || echo "$$report"; \ ++ echo "$$dashes$$std"; \ ++ test "$$failed" -eq 0; \ ++ else :; fi ++ ++distdir: $(DISTFILES) ++ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ ++ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ ++ list='$(DISTFILES)'; \ ++ dist_files=`for file in $$list; do echo $$file; done | \ ++ sed -e "s|^$$srcdirstrip/||;t" \ ++ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ ++ case $$dist_files in \ ++ */*) $(MKDIR_P) `echo "$$dist_files" | \ ++ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ ++ sort -u` ;; \ ++ esac; \ ++ for file in $$dist_files; do \ ++ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ ++ if test -d $$d/$$file; then \ ++ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ ++ if test -d "$(distdir)/$$file"; then \ ++ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ ++ fi; \ ++ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ ++ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ ++ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ ++ fi; \ ++ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ ++ else \ ++ test -f "$(distdir)/$$file" \ ++ || cp -p $$d/$$file "$(distdir)/$$file" \ ++ || exit 1; \ ++ fi; \ ++ done ++check-am: all-am ++ $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) \ ++ $(dist_check_SCRIPTS) ++ $(MAKE) $(AM_MAKEFLAGS) check-TESTS ++check: check-am ++all-am: Makefile ++installdirs: ++install: install-am ++install-exec: install-exec-am ++install-data: install-data-am ++uninstall: uninstall-am ++ ++install-am: all-am ++ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am ++ ++installcheck: installcheck-am ++install-strip: ++ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ ++ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ ++ `test -z '$(STRIP)' || \ ++ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install ++mostlyclean-generic: ++ ++clean-generic: ++ ++distclean-generic: ++ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) ++ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) ++ ++maintainer-clean-generic: ++ @echo "This command is intended for maintainers to use" ++ @echo "it deletes files that may require special tools to rebuild." ++clean: clean-am ++ ++clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ ++ mostlyclean-am ++ ++distclean: distclean-am ++ -rm -rf ./$(DEPDIR) ++ -rm -f Makefile ++distclean-am: clean-am distclean-compile distclean-generic \ ++ distclean-tags ++ ++dvi: dvi-am ++ ++dvi-am: ++ ++html: html-am ++ ++html-am: ++ ++info: info-am ++ ++info-am: ++ ++install-data-am: ++ ++install-dvi: install-dvi-am ++ ++install-dvi-am: ++ ++install-exec-am: ++ ++install-html: install-html-am ++ ++install-html-am: ++ ++install-info: install-info-am ++ ++install-info-am: ++ ++install-man: ++ ++install-pdf: install-pdf-am ++ ++install-pdf-am: ++ ++install-ps: install-ps-am ++ ++install-ps-am: ++ ++installcheck-am: ++ ++maintainer-clean: maintainer-clean-am ++ -rm -rf ./$(DEPDIR) ++ -rm -f Makefile ++maintainer-clean-am: distclean-am maintainer-clean-generic ++ ++mostlyclean: mostlyclean-am ++ ++mostlyclean-am: mostlyclean-compile mostlyclean-generic \ ++ mostlyclean-libtool ++ ++pdf: pdf-am ++ ++pdf-am: ++ ++ps: ps-am ++ ++ps-am: ++ ++uninstall-am: ++ ++.MAKE: check-am install-am install-strip ++ ++.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ ++ clean-checkPROGRAMS clean-generic clean-libtool ctags \ ++ distclean distclean-compile distclean-generic \ ++ distclean-libtool distclean-tags distdir dvi dvi-am html \ ++ html-am info info-am install install-am install-data \ ++ install-data-am install-dvi install-dvi-am install-exec \ ++ install-exec-am install-html install-html-am install-info \ ++ install-info-am install-man install-pdf install-pdf-am \ ++ install-ps install-ps-am install-strip installcheck \ ++ installcheck-am installdirs maintainer-clean \ ++ maintainer-clean-generic mostlyclean mostlyclean-compile \ ++ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ ++ tags uninstall uninstall-am ++ ++#TESTS = testsrn ++ ++# Tell versions [3.59,3.63) of GNU make to not export all variables. ++# Otherwise a system limit (for SysV at least) may be exceeded. ++.NOEXPORT: +--- /dev/null 2013-09-26 ++++ b/tests/safe-renegotiation/params.dh 2013-09-26 +@@ -0,0 +1,35 @@ ++ ++Generator: 05 ++ ++Prime: c9:e9:2d:fc:94:15:1a:10:4f:3c:b5:16 ++ 7e:34:10:7d:eb:3d:d5:7d:61:ff:b0:ce ++ da:7f:6e:0c:ea:db:b4:87:f6:c6:34:a8 ++ 3c:f8:84:52:14:59:ab:17:5c:d0:f0:86 ++ c4:02:93:dc:09:83:57:16:98:21:d0:42 ++ 8e:33:fc:48:69:e6:04:0d:4e:50:09:33 ++ 2e:28:60:4f:05:08:7c:ce:2f:a6:1a:4c ++ 41:d1:a3:dd:f6:37:56:44:1d:b0:54:af ++ f7:4a:a0:c2:19:5d:ce:62:b0:7a:1b:e1 ++ 5c:7f:bb:4d:7e:9e:28:48:00:a4:9a:86 ++ 3e:6e:6e:9c:57:41:c7:ec:bf:7f:09:fc ++ da:25:c2:1e:e0:52:dc:65:8c:40:a3:6e ++ bd:99:4e:0b:1a:04:e0:23:20:46:5a:d0 ++ 3f:b3:a4:d6:76:73:b7:cc:61:33:11:54 ++ a6:32:ff:94:08:d5:66:36:fd:99:69:21 ++ cc:28:5d:11:52:32:48:b6:a5:b5:c3:b0 ++ 21:3f:f9:69:25:83:b1:3d:79:a6:ed:ae ++ db:95:62:fc:72:ca:ad:46:fc:b6:b1:ea ++ 98:68:97:ba:f2:54:aa:86:ed:62:b1:78 ++ 5f:d5:19:80:ce:41:ee:98:a1:71:9f:fa ++ 5b:6b:d8:5e:7e:b3:18:0a:f0:4c:96:76 ++ 6c:0c:b0:a3 ++ ++ ++-----BEGIN DH PARAMETERS----- ++MIIBCAKCAQEAyekt/JQVGhBPPLUWfjQQfes91X1h/7DO2n9uDOrbtIf2xjSoPPiE ++UhRZqxdc0PCGxAKT3AmDVxaYIdBCjjP8SGnmBA1OUAkzLihgTwUIfM4vphpMQdGj ++3fY3VkQdsFSv90qgwhldzmKwehvhXH+7TX6eKEgApJqGPm5unFdBx+y/fwn82iXC ++HuBS3GWMQKNuvZlOCxoE4CMgRlrQP7Ok1nZzt8xhMxFUpjL/lAjVZjb9mWkhzChd ++EVIySLaltcOwIT/5aSWDsT15pu2u25Vi/HLKrUb8trHqmGiXuvJUqobtYrF4X9UZ ++gM5B7pihcZ/6W2vYXn6zGArwTJZ2bAywowIBBQ== ++-----END DH PARAMETERS----- +--- /dev/null 2013-09-26 ++++ b/tests/safe-renegotiation/README 2013-09-26 +@@ -0,0 +1,93 @@ ++Testing safe renegotiation is relatively complex, here is a summary of ++what we test and what how we believe it should work. ++ ++ Client setting ++ Server setting ++ Initial handshake outcome ++ Rehandshake outcome ++srn0.c ++ ++ This tests that the safe renegotiation extension is negotiated ++ properly by default on initial connections and on rehandshaked ++ connections. Consequently, it also verifies that rehandshaked ++ connections work with the extension enabled. ++ ++ NORMAL ++ NORMAL ++ OK ++ OK ++ ++srn1.c ++ ++ This tests that clients without support for safe renegotiation is ++ able to handshake against servers with support, but not able to ++ rehandshake (server will refuse rehandshake). ++ ++ NORMAL:%DISABLE_SAFE_RENEGOTIATION ++ NORMAL ++ OK ++ Server refuses ++ ++srn2.c ++ ++ This tests that clients with support for safe renegotiation is able ++ to handshake against servers without support, but not able to ++ rehandshake (client will refuse rehandshake). ++ ++ NORMAL ++ NORMAL:%DISABLE_SAFE_RENEGOTIATION ++ OK ++ Client refuses ++ ++srn3.c ++ ++ This tests that a %SAFE_RENEGOTIATION client will reject handshakes ++ against servers that do not support the extension (server uses ++ %DISABLE_SAFE_RENEGOTIATION). ++ ++ NORMAL:%SAFE_RENEGOTIATION ++ NORMAL:%DISABLE_SAFE_RENEGOTIATION ++ Client refuses ++ N/A ++ ++srn4.c ++ ++ This tests that a %SAFE_RENEGOTIATION server will reject handshakes ++ against clients that do not support the extension. ++ ++ NORMAL:%DISABLE_SAFE_RENEGOTIATION ++ NORMAL:%SAFE_RENEGOTIATION ++ Server refuses ++ N/A ++ ++srn5.c ++ ++ This tests that a client with a permissive policy ++ (%UNSAFE_RENEGOTIATION) is able to handshake and rehandshake with a ++ server with no support for the extension. ++ ++ NORMAL:%DISABLE_SAFE_RENEGOTIATION ++ NORMAL:%UNSAFE_RENEGOTIATION ++ OK ++ OK ++ ++srn6.c ++ ++ This tests that a server with a permissive policy ++ (%UNSAFE_RENEGOTIATION) is able to handshake and rehandshake with a ++ client with no support for the extension. ++ ++ NORMAL:%UNSAFE_RENEGOTIATION ++ NORMAL:%DISABLE_SAFE_RENEGOTIATION ++ OK ++ OK ++ ++srn7.c ++ ++ This tests that clients and servers in %SAFE_RENEGOTIATION mode are ++ able to handshake and rehandshake. ++ ++ NORMAL:%SAFE_RENEGOTIATION ++ NORMAL:%SAFE_RENEGOTIATION ++ OK ++ OK +--- /dev/null 2013-09-26 ++++ b/tests/safe-renegotiation/srn0.c 2013-09-26 +@@ -0,0 +1,338 @@ ++/* ++ * Copyright (C) 2008, 2010 Free Software Foundation, Inc. ++ * ++ * Author: Simon Josefsson ++ * ++ * This file is part of GnuTLS. ++ * ++ * GnuTLS is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GnuTLS is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GnuTLS; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA ++ */ ++ ++/* Code based on ../mini-x509-rehandshake.c. ++ * ++ * This tests that the safe renegotiation extension is negotiated ++ * properly by default on initial connections and on rehandshaked ++ * connections. Consequently, it also verifies that rehandshaked ++ * connections work with the extension enabled. ++ */ ++ ++#ifdef HAVE_CONFIG_H ++# include <config.h> ++#endif ++ ++#include <stdio.h> ++#include <stdlib.h> ++#include <string.h> ++#include <errno.h> ++#include <gnutls/gnutls.h> ++ ++static void ++tls_log_func (int level, const char *str) ++{ ++ fprintf (stderr, "|<%d>| %s", level, str); ++} ++ ++static char *to_server; ++static size_t to_server_len; ++ ++static char *to_client; ++static size_t to_client_len; ++ ++static ssize_t ++client_pull (gnutls_transport_ptr_t tr, void *data, size_t len) ++{ ++ if (to_client_len < len) ++ { ++ gnutls_transport_set_global_errno (EAGAIN); ++ return -1; ++ } ++ ++ memcpy (data, to_client, len); ++ ++ memmove (to_client, to_client + len, to_client_len - len); ++ to_client_len -= len; ++ ++ return len; ++} ++ ++static ssize_t ++client_push (gnutls_transport_ptr_t tr, const void *data, size_t len) ++{ ++ size_t newlen = to_server_len + len; ++ char *tmp; ++ ++ tmp = realloc (to_server, newlen); ++ if (!tmp) ++ abort (); ++ to_server = tmp; ++ ++ memcpy (to_server + to_server_len, data, len); ++ to_server_len = newlen; ++ ++ return len; ++} ++ ++static ssize_t ++server_pull (gnutls_transport_ptr_t tr, void *data, size_t len) ++{ ++ if (to_server_len < len) ++ { ++ gnutls_transport_set_global_errno (EAGAIN); ++ return -1; ++ } ++ ++ memcpy (data, to_server, len); ++ ++ memmove (to_server, to_server + len, to_server_len - len); ++ to_server_len -= len; ++ ++ return len; ++} ++ ++static ssize_t ++server_push (gnutls_transport_ptr_t tr, const void *data, size_t len) ++{ ++ size_t newlen = to_client_len + len; ++ char *tmp; ++ ++ tmp = realloc (to_client, newlen); ++ if (!tmp) ++ abort (); ++ to_client = tmp; ++ ++ memcpy (to_client + to_client_len, data, len); ++ to_client_len = newlen; ++ ++ return len; ++} ++ ++static unsigned char server_cert_pem[] = ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" ++ "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n" ++ "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n" ++ "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n" ++ "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n" ++ "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n" ++ "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n" ++ "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n" ++ "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n" ++ "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n" ++ "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n" ++ "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n" ++ "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n"; ++ ++const gnutls_datum_t server_cert = { server_cert_pem, ++ sizeof (server_cert_pem) ++}; ++ ++static unsigned char server_key_pem[] = ++ "-----BEGIN RSA PRIVATE KEY-----\n" ++ "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n" ++ "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n" ++ "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n" ++ "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n" ++ "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n" ++ "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n" ++ "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n" ++ "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n" ++ "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n" ++ "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n" ++ "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n" ++ "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n" ++ "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n" ++ "-----END RSA PRIVATE KEY-----\n"; ++ ++const gnutls_datum_t server_key = { server_key_pem, ++ sizeof (server_key_pem) ++}; ++ ++int ++main (int argc, char *argv[]) ++{ ++ int debug_level = argc - 1; ++ int exit_code = EXIT_SUCCESS; ++ /* Server stuff. */ ++ gnutls_certificate_credentials_t serverx509cred; ++ gnutls_session_t server; ++ int sret = GNUTLS_E_AGAIN; ++ /* Client stuff. */ ++ gnutls_certificate_credentials_t clientx509cred; ++ gnutls_session_t client; ++ int cret = GNUTLS_E_AGAIN; ++ ++ /* General init. */ ++ gnutls_global_init (); ++ gnutls_global_set_log_function (tls_log_func); ++ gnutls_global_set_log_level (debug_level); ++ ++ /* Init server */ ++ gnutls_certificate_allocate_credentials (&serverx509cred); ++ gnutls_certificate_set_x509_key_mem (serverx509cred, ++ &server_cert, &server_key, ++ GNUTLS_X509_FMT_PEM); ++ gnutls_init (&server, GNUTLS_SERVER); ++ gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred); ++ gnutls_priority_set_direct (server, "NORMAL", NULL); ++ gnutls_transport_set_push_function (server, server_push); ++ gnutls_transport_set_pull_function (server, server_pull); ++ ++ /* Init client */ ++ gnutls_certificate_allocate_credentials (&clientx509cred); ++ gnutls_init (&client, GNUTLS_CLIENT); ++ gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, clientx509cred); ++ gnutls_priority_set_direct (client, "NORMAL", NULL); ++ gnutls_transport_set_push_function (client, client_push); ++ gnutls_transport_set_pull_function (client, client_pull); ++ ++ /* Check that initially no session use the extension. */ ++ if (gnutls_safe_renegotiation_status (server) ++ || gnutls_safe_renegotiation_status (client)) ++ { ++ puts ("Client or server using extension before handshake?"); ++ abort (); ++ } ++ ++ do ++ { ++ static int max_iter = 0; ++ if (max_iter++ > 10) ++ abort (); ++ ++ if (cret == GNUTLS_E_AGAIN) ++ { ++ cret = gnutls_handshake (client); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "gnutls_handshake (client)...\n"); ++ tls_log_func (0, gnutls_strerror (cret)); ++ tls_log_func (0, "\n"); ++ } ++ } ++ ++ if (sret == GNUTLS_E_AGAIN) ++ { ++ sret = gnutls_handshake (server); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "gnutls_handshake (server)...\n"); ++ tls_log_func (0, gnutls_strerror (sret)); ++ tls_log_func (0, "\n"); ++ } ++ } ++ } ++ while ( ++ /* Not done: */ ++ !(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS) ++ /* No error: */ ++ && (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN)); ++ ++ if (cret != GNUTLS_E_SUCCESS && sret != GNUTLS_E_SUCCESS) ++ exit_code = EXIT_FAILURE; ++ ++ if (!gnutls_safe_renegotiation_status (client) || ++ !gnutls_safe_renegotiation_status (server)) ++ { ++ tls_log_func (0, "Session not using safe renegotiation!\n"); ++ exit_code = EXIT_FAILURE; ++ } ++ ++ sret = gnutls_rehandshake (server); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "gnutls_rehandshake (server)...\n"); ++ tls_log_func (0, gnutls_strerror (sret)); ++ tls_log_func (0, "\n"); ++ } ++ ++ { ++ ssize_t n; ++ char b[1]; ++ n = gnutls_record_recv (client, b, 1); ++ if (n != GNUTLS_E_REHANDSHAKE) ++ abort (); ++ } ++ ++ cret = GNUTLS_E_AGAIN; ++ sret = GNUTLS_E_AGAIN; ++ ++ do ++ { ++ static int max_iter = 0; ++ if (max_iter++ > 10) ++ abort (); ++ ++ if (cret == GNUTLS_E_AGAIN) ++ { ++ cret = gnutls_handshake (client); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "second gnutls_handshake (client)...\n"); ++ tls_log_func (0, gnutls_strerror (cret)); ++ tls_log_func (0, "\n"); ++ } ++ } ++ ++ if (sret == GNUTLS_E_AGAIN) ++ { ++ sret = gnutls_handshake (server); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "second gnutls_handshake (server)...\n"); ++ tls_log_func (0, gnutls_strerror (sret)); ++ tls_log_func (0, "\n"); ++ } ++ } ++ } ++ while ( ++ /* Not done: */ ++ !(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS) ++ /* No error: */ ++ && (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN)); ++ ++ if (cret != GNUTLS_E_SUCCESS && sret != GNUTLS_E_SUCCESS) ++ exit_code = 1; ++ ++ if (!gnutls_safe_renegotiation_status (client) || ++ !gnutls_safe_renegotiation_status (server)) ++ { ++ tls_log_func (0, ++ "Rehandshaked session not using safe renegotiation!\n"); ++ exit_code = EXIT_FAILURE; ++ } ++ ++ gnutls_bye (client, GNUTLS_SHUT_RDWR); ++ gnutls_bye (server, GNUTLS_SHUT_RDWR); ++ ++ gnutls_deinit (client); ++ gnutls_deinit (server); ++ ++ free (to_server); ++ free (to_client); ++ ++ gnutls_certificate_free_credentials (serverx509cred); ++ ++ gnutls_global_deinit (); ++ ++ if (debug_level > 0) ++ { ++ if (exit_code == 0) ++ puts ("Self-test successful"); ++ else ++ puts ("Self-test failed"); ++ } ++ ++ return exit_code; ++} +--- /dev/null 2013-09-26 ++++ b/tests/safe-renegotiation/srn1.c 2013-09-26 +@@ -0,0 +1,341 @@ ++/* ++ * Copyright (C) 2008, 2010 Free Software Foundation, Inc. ++ * ++ * Author: Simon Josefsson ++ * ++ * This file is part of GnuTLS. ++ * ++ * GnuTLS is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GnuTLS is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GnuTLS; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA ++ */ ++ ++/* Code based on ./srn0.c. ++ * ++ * This tests that clients without support for safe renegotiation is ++ * able to handshake against servers with support, but not able to ++ * rehandshake (server will refuse rehandshake). ++ */ ++ ++#ifdef HAVE_CONFIG_H ++# include <config.h> ++#endif ++ ++#include <stdio.h> ++#include <stdlib.h> ++#include <string.h> ++#include <errno.h> ++#include <gnutls/gnutls.h> ++ ++static void ++tls_log_func (int level, const char *str) ++{ ++ fprintf (stderr, "|<%d>| %s", level, str); ++} ++ ++static char *to_server; ++static size_t to_server_len; ++ ++static char *to_client; ++static size_t to_client_len; ++ ++static ssize_t ++client_pull (gnutls_transport_ptr_t tr, void *data, size_t len) ++{ ++ if (to_client_len < len) ++ { ++ gnutls_transport_set_global_errno (EAGAIN); ++ return -1; ++ } ++ ++ memcpy (data, to_client, len); ++ ++ memmove (to_client, to_client + len, to_client_len - len); ++ to_client_len -= len; ++ ++ return len; ++} ++ ++static ssize_t ++client_push (gnutls_transport_ptr_t tr, const void *data, size_t len) ++{ ++ size_t newlen = to_server_len + len; ++ char *tmp; ++ ++ tmp = realloc (to_server, newlen); ++ if (!tmp) ++ abort (); ++ to_server = tmp; ++ ++ memcpy (to_server + to_server_len, data, len); ++ to_server_len = newlen; ++ ++ return len; ++} ++ ++static ssize_t ++server_pull (gnutls_transport_ptr_t tr, void *data, size_t len) ++{ ++ if (to_server_len < len) ++ { ++ gnutls_transport_set_global_errno (EAGAIN); ++ return -1; ++ } ++ ++ memcpy (data, to_server, len); ++ ++ memmove (to_server, to_server + len, to_server_len - len); ++ to_server_len -= len; ++ ++ return len; ++} ++ ++static ssize_t ++server_push (gnutls_transport_ptr_t tr, const void *data, size_t len) ++{ ++ size_t newlen = to_client_len + len; ++ char *tmp; ++ ++ tmp = realloc (to_client, newlen); ++ if (!tmp) ++ abort (); ++ to_client = tmp; ++ ++ memcpy (to_client + to_client_len, data, len); ++ to_client_len = newlen; ++ ++ return len; ++} ++ ++static unsigned char server_cert_pem[] = ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" ++ "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n" ++ "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n" ++ "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n" ++ "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n" ++ "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n" ++ "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n" ++ "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n" ++ "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n" ++ "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n" ++ "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n" ++ "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n" ++ "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n"; ++ ++const gnutls_datum_t server_cert = { server_cert_pem, ++ sizeof (server_cert_pem) ++}; ++ ++static unsigned char server_key_pem[] = ++ "-----BEGIN RSA PRIVATE KEY-----\n" ++ "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n" ++ "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n" ++ "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n" ++ "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n" ++ "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n" ++ "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n" ++ "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n" ++ "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n" ++ "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n" ++ "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n" ++ "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n" ++ "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n" ++ "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n" ++ "-----END RSA PRIVATE KEY-----\n"; ++ ++const gnutls_datum_t server_key = { server_key_pem, ++ sizeof (server_key_pem) ++}; ++ ++int ++main (int argc, char *argv[]) ++{ ++ int debug_level = argc - 1; ++ int exit_code = EXIT_SUCCESS; ++ /* Server stuff. */ ++ gnutls_certificate_credentials_t serverx509cred; ++ gnutls_session_t server; ++ int sret = GNUTLS_E_AGAIN; ++ /* Client stuff. */ ++ gnutls_certificate_credentials_t clientx509cred; ++ gnutls_session_t client; ++ int cret = GNUTLS_E_AGAIN; ++ ++ /* General init. */ ++ gnutls_global_init (); ++ gnutls_global_set_log_function (tls_log_func); ++ gnutls_global_set_log_level (debug_level); ++ ++ /* Init server */ ++ gnutls_certificate_allocate_credentials (&serverx509cred); ++ gnutls_certificate_set_x509_key_mem (serverx509cred, ++ &server_cert, &server_key, ++ GNUTLS_X509_FMT_PEM); ++ gnutls_init (&server, GNUTLS_SERVER); ++ gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred); ++ gnutls_priority_set_direct (server, "NORMAL", NULL); ++ gnutls_transport_set_push_function (server, server_push); ++ gnutls_transport_set_pull_function (server, server_pull); ++ ++ /* Init client */ ++ gnutls_certificate_allocate_credentials (&clientx509cred); ++ gnutls_init (&client, GNUTLS_CLIENT); ++ gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, clientx509cred); ++ gnutls_priority_set_direct (client, "NORMAL:%DISABLE_SAFE_RENEGOTIATION", ++ NULL); ++ gnutls_transport_set_push_function (client, client_push); ++ gnutls_transport_set_pull_function (client, client_pull); ++ ++ /* Check that initially no session use the extension. */ ++ if (gnutls_safe_renegotiation_status (server) ++ || gnutls_safe_renegotiation_status (client)) ++ { ++ puts ("Client or server using extension before handshake?"); ++ abort (); ++ } ++ ++ do ++ { ++ static int max_iter = 0; ++ if (max_iter++ > 10) ++ abort (); ++ ++ if (cret == GNUTLS_E_AGAIN) ++ { ++ cret = gnutls_handshake (client); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "gnutls_handshake (client)...\n"); ++ tls_log_func (0, gnutls_strerror (cret)); ++ tls_log_func (0, "\n"); ++ } ++ } ++ ++ if (sret == GNUTLS_E_AGAIN) ++ { ++ sret = gnutls_handshake (server); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "gnutls_handshake (server)...\n"); ++ tls_log_func (0, gnutls_strerror (sret)); ++ tls_log_func (0, "\n"); ++ } ++ } ++ } ++ while ( ++ /* Not done: */ ++ !(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS) ++ /* No error: */ ++ && (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN)); ++ ++ if (cret != GNUTLS_E_SUCCESS && sret != GNUTLS_E_SUCCESS) ++ exit_code = EXIT_FAILURE; ++ ++ if (gnutls_safe_renegotiation_status (client) || ++ gnutls_safe_renegotiation_status (server)) ++ { ++ tls_log_func (0, "Session using safe renegotiation but shouldn't?!\n"); ++ exit_code = EXIT_FAILURE; ++ } ++ ++ sret = gnutls_rehandshake (server); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "gnutls_rehandshake (server)...\n"); ++ tls_log_func (0, gnutls_strerror (sret)); ++ tls_log_func (0, "\n"); ++ } ++ ++ { ++ ssize_t n; ++ char b[1]; ++ n = gnutls_record_recv (client, b, 1); ++ if (n != GNUTLS_E_REHANDSHAKE) ++ abort (); ++ } ++ ++ cret = GNUTLS_E_AGAIN; ++ sret = GNUTLS_E_AGAIN; ++ ++ do ++ { ++ static int max_iter = 0; ++ if (max_iter++ > 10) ++ abort (); ++ ++ if (cret == GNUTLS_E_AGAIN) ++ { ++ cret = gnutls_handshake (client); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "second gnutls_handshake (client)...\n"); ++ tls_log_func (0, gnutls_strerror (cret)); ++ tls_log_func (0, "\n"); ++ } ++ } ++ ++ if (sret == GNUTLS_E_AGAIN) ++ { ++ sret = gnutls_handshake (server); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "second gnutls_handshake (server)...\n"); ++ tls_log_func (0, gnutls_strerror (sret)); ++ tls_log_func (0, "\n"); ++ } ++ } ++ ++ if (sret == GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED) ++ break; ++ } ++ while ( ++ /* Not done: */ ++ !(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS) ++ /* No error: */ ++ && (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN)); ++ ++ if (cret != GNUTLS_E_SUCCESS ++ && sret != GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED) ++ exit_code = 1; ++ ++ if (gnutls_safe_renegotiation_status (client) || ++ gnutls_safe_renegotiation_status (server)) ++ { ++ tls_log_func (0, "Rehandshaked worked and uses safe reneg?!\n"); ++ exit_code = EXIT_FAILURE; ++ } ++ ++ gnutls_bye (client, GNUTLS_SHUT_RDWR); ++ gnutls_bye (server, GNUTLS_SHUT_RDWR); ++ ++ gnutls_deinit (client); ++ gnutls_deinit (server); ++ ++ free (to_server); ++ free (to_client); ++ ++ gnutls_certificate_free_credentials (serverx509cred); ++ ++ gnutls_global_deinit (); ++ ++ if (debug_level > 0) ++ { ++ if (exit_code == 0) ++ puts ("Self-test successful"); ++ else ++ puts ("Self-test failed"); ++ } ++ ++ return exit_code; ++} +--- /dev/null 2013-09-26 ++++ b/tests/safe-renegotiation/srn2.c 2013-09-26 +@@ -0,0 +1,341 @@ ++/* ++ * Copyright (C) 2008, 2010 Free Software Foundation, Inc. ++ * ++ * Author: Simon Josefsson ++ * ++ * This file is part of GnuTLS. ++ * ++ * GnuTLS is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GnuTLS is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GnuTLS; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA ++ */ ++ ++/* Code based on ./srn1.c. ++ * ++ * This tests that clients with support for safe renegotiation is able ++ * to handshake against servers without support, but not able to ++ * rehandshake (client will refuse rehandshake). ++ */ ++ ++#ifdef HAVE_CONFIG_H ++# include <config.h> ++#endif ++ ++#include <stdio.h> ++#include <stdlib.h> ++#include <string.h> ++#include <errno.h> ++#include <gnutls/gnutls.h> ++ ++static void ++tls_log_func (int level, const char *str) ++{ ++ fprintf (stderr, "|<%d>| %s", level, str); ++} ++ ++static char *to_server; ++static size_t to_server_len; ++ ++static char *to_client; ++static size_t to_client_len; ++ ++static ssize_t ++client_pull (gnutls_transport_ptr_t tr, void *data, size_t len) ++{ ++ if (to_client_len < len) ++ { ++ gnutls_transport_set_global_errno (EAGAIN); ++ return -1; ++ } ++ ++ memcpy (data, to_client, len); ++ ++ memmove (to_client, to_client + len, to_client_len - len); ++ to_client_len -= len; ++ ++ return len; ++} ++ ++static ssize_t ++client_push (gnutls_transport_ptr_t tr, const void *data, size_t len) ++{ ++ size_t newlen = to_server_len + len; ++ char *tmp; ++ ++ tmp = realloc (to_server, newlen); ++ if (!tmp) ++ abort (); ++ to_server = tmp; ++ ++ memcpy (to_server + to_server_len, data, len); ++ to_server_len = newlen; ++ ++ return len; ++} ++ ++static ssize_t ++server_pull (gnutls_transport_ptr_t tr, void *data, size_t len) ++{ ++ if (to_server_len < len) ++ { ++ gnutls_transport_set_global_errno (EAGAIN); ++ return -1; ++ } ++ ++ memcpy (data, to_server, len); ++ ++ memmove (to_server, to_server + len, to_server_len - len); ++ to_server_len -= len; ++ ++ return len; ++} ++ ++static ssize_t ++server_push (gnutls_transport_ptr_t tr, const void *data, size_t len) ++{ ++ size_t newlen = to_client_len + len; ++ char *tmp; ++ ++ tmp = realloc (to_client, newlen); ++ if (!tmp) ++ abort (); ++ to_client = tmp; ++ ++ memcpy (to_client + to_client_len, data, len); ++ to_client_len = newlen; ++ ++ return len; ++} ++ ++static unsigned char server_cert_pem[] = ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" ++ "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n" ++ "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n" ++ "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n" ++ "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n" ++ "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n" ++ "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n" ++ "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n" ++ "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n" ++ "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n" ++ "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n" ++ "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n" ++ "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n"; ++ ++const gnutls_datum_t server_cert = { server_cert_pem, ++ sizeof (server_cert_pem) ++}; ++ ++static unsigned char server_key_pem[] = ++ "-----BEGIN RSA PRIVATE KEY-----\n" ++ "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n" ++ "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n" ++ "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n" ++ "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n" ++ "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n" ++ "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n" ++ "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n" ++ "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n" ++ "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n" ++ "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n" ++ "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n" ++ "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n" ++ "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n" ++ "-----END RSA PRIVATE KEY-----\n"; ++ ++const gnutls_datum_t server_key = { server_key_pem, ++ sizeof (server_key_pem) ++}; ++ ++int ++main (int argc, char *argv[]) ++{ ++ int debug_level = argc - 1; ++ int exit_code = EXIT_SUCCESS; ++ /* Server stuff. */ ++ gnutls_certificate_credentials_t serverx509cred; ++ gnutls_session_t server; ++ int sret = GNUTLS_E_AGAIN; ++ /* Client stuff. */ ++ gnutls_certificate_credentials_t clientx509cred; ++ gnutls_session_t client; ++ int cret = GNUTLS_E_AGAIN; ++ ++ /* General init. */ ++ gnutls_global_init (); ++ gnutls_global_set_log_function (tls_log_func); ++ gnutls_global_set_log_level (debug_level); ++ ++ /* Init server */ ++ gnutls_certificate_allocate_credentials (&serverx509cred); ++ gnutls_certificate_set_x509_key_mem (serverx509cred, ++ &server_cert, &server_key, ++ GNUTLS_X509_FMT_PEM); ++ gnutls_init (&server, GNUTLS_SERVER); ++ gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred); ++ gnutls_priority_set_direct (server, "NORMAL:%DISABLE_SAFE_RENEGOTIATION", ++ NULL); ++ gnutls_transport_set_push_function (server, server_push); ++ gnutls_transport_set_pull_function (server, server_pull); ++ ++ /* Init client */ ++ gnutls_certificate_allocate_credentials (&clientx509cred); ++ gnutls_init (&client, GNUTLS_CLIENT); ++ gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, clientx509cred); ++ gnutls_priority_set_direct (client, "NORMAL", NULL); ++ gnutls_transport_set_push_function (client, client_push); ++ gnutls_transport_set_pull_function (client, client_pull); ++ ++ /* Check that initially no session use the extension. */ ++ if (gnutls_safe_renegotiation_status (server) ++ || gnutls_safe_renegotiation_status (client)) ++ { ++ puts ("Client or server using extension before handshake?"); ++ abort (); ++ } ++ ++ do ++ { ++ static int max_iter = 0; ++ if (max_iter++ > 10) ++ abort (); ++ ++ if (cret == GNUTLS_E_AGAIN) ++ { ++ cret = gnutls_handshake (client); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "gnutls_handshake (client)...\n"); ++ tls_log_func (0, gnutls_strerror (cret)); ++ tls_log_func (0, "\n"); ++ } ++ } ++ ++ if (sret == GNUTLS_E_AGAIN) ++ { ++ sret = gnutls_handshake (server); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "gnutls_handshake (server)...\n"); ++ tls_log_func (0, gnutls_strerror (sret)); ++ tls_log_func (0, "\n"); ++ } ++ } ++ } ++ while ( ++ /* Not done: */ ++ !(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS) ++ /* No error: */ ++ && (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN)); ++ ++ if (cret != GNUTLS_E_SUCCESS && sret != GNUTLS_E_SUCCESS) ++ exit_code = EXIT_FAILURE; ++ ++ if (gnutls_safe_renegotiation_status (client) || ++ gnutls_safe_renegotiation_status (server)) ++ { ++ tls_log_func (0, "Session using safe renegotiation but shouldn't?!\n"); ++ exit_code = EXIT_FAILURE; ++ } ++ ++ sret = gnutls_rehandshake (server); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "gnutls_rehandshake (server)...\n"); ++ tls_log_func (0, gnutls_strerror (sret)); ++ tls_log_func (0, "\n"); ++ } ++ ++ { ++ ssize_t n; ++ char b[1]; ++ n = gnutls_record_recv (client, b, 1); ++ if (n != GNUTLS_E_REHANDSHAKE) ++ abort (); ++ } ++ ++ cret = GNUTLS_E_AGAIN; ++ sret = GNUTLS_E_AGAIN; ++ ++ do ++ { ++ static int max_iter = 0; ++ if (max_iter++ > 10) ++ abort (); ++ ++ if (cret == GNUTLS_E_AGAIN) ++ { ++ cret = gnutls_handshake (client); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "second gnutls_handshake (client)...\n"); ++ tls_log_func (0, gnutls_strerror (cret)); ++ tls_log_func (0, "\n"); ++ } ++ } ++ ++ if (sret == GNUTLS_E_AGAIN) ++ { ++ sret = gnutls_handshake (server); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "second gnutls_handshake (server)...\n"); ++ tls_log_func (0, gnutls_strerror (sret)); ++ tls_log_func (0, "\n"); ++ } ++ } ++ ++ if (cret == GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED) ++ break; ++ } ++ while ( ++ /* Not done: */ ++ !(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS) ++ /* No error: */ ++ && (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN)); ++ ++ if (cret != GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED ++ && sret != GNUTLS_E_SUCCESS) ++ exit_code = 1; ++ ++ if (gnutls_safe_renegotiation_status (client) || ++ gnutls_safe_renegotiation_status (server)) ++ { ++ tls_log_func (0, "Rehandshaked worked and uses safe reneg?!\n"); ++ exit_code = EXIT_FAILURE; ++ } ++ ++ gnutls_bye (client, GNUTLS_SHUT_RDWR); ++ gnutls_bye (server, GNUTLS_SHUT_RDWR); ++ ++ gnutls_deinit (client); ++ gnutls_deinit (server); ++ ++ free (to_server); ++ free (to_client); ++ ++ gnutls_certificate_free_credentials (serverx509cred); ++ ++ gnutls_global_deinit (); ++ ++ if (debug_level > 0) ++ { ++ if (exit_code == 0) ++ puts ("Self-test successful"); ++ else ++ puts ("Self-test failed"); ++ } ++ ++ return exit_code; ++} +--- /dev/null 2013-09-26 ++++ b/tests/safe-renegotiation/srn3.c 2013-09-26 +@@ -0,0 +1,264 @@ ++/* ++ * Copyright (C) 2008, 2010 Free Software Foundation, Inc. ++ * ++ * Author: Simon Josefsson ++ * ++ * This file is part of GnuTLS. ++ * ++ * GnuTLS is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GnuTLS is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GnuTLS; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA ++ */ ++ ++/* Code based on ../mini-x509.c. ++ * ++ * This tests that a %SAFE_RENEGOTIATION client will reject handshakes ++ * against servers that do not support the extension (server uses ++ * %DISABLE_SAFE_RENEGOTIATION). ++ */ ++ ++#ifdef HAVE_CONFIG_H ++# include <config.h> ++#endif ++ ++#include <stdio.h> ++#include <stdlib.h> ++#include <string.h> ++#include <errno.h> ++#include <gnutls/gnutls.h> ++ ++static void ++tls_log_func (int level, const char *str) ++{ ++ fprintf (stderr, "|<%d>| %s", level, str); ++} ++ ++static char *to_server; ++static size_t to_server_len; ++ ++static char *to_client; ++static size_t to_client_len; ++ ++static ssize_t ++client_pull (gnutls_transport_ptr_t tr, void *data, size_t len) ++{ ++ if (to_client_len < len) ++ { ++ gnutls_transport_set_global_errno (EAGAIN); ++ return -1; ++ } ++ ++ memcpy (data, to_client, len); ++ ++ memmove (to_client, to_client + len, to_client_len - len); ++ to_client_len -= len; ++ ++ return len; ++} ++ ++static ssize_t ++client_push (gnutls_transport_ptr_t tr, const void *data, size_t len) ++{ ++ size_t newlen = to_server_len + len; ++ char *tmp; ++ ++ tmp = realloc (to_server, newlen); ++ if (!tmp) ++ abort (); ++ to_server = tmp; ++ ++ memcpy (to_server + to_server_len, data, len); ++ to_server_len = newlen; ++ ++ return len; ++} ++ ++static ssize_t ++server_pull (gnutls_transport_ptr_t tr, void *data, size_t len) ++{ ++ if (to_server_len < len) ++ { ++ gnutls_transport_set_global_errno (EAGAIN); ++ return -1; ++ } ++ ++ memcpy (data, to_server, len); ++ ++ memmove (to_server, to_server + len, to_server_len - len); ++ to_server_len -= len; ++ ++ return len; ++} ++ ++static ssize_t ++server_push (gnutls_transport_ptr_t tr, const void *data, size_t len) ++{ ++ size_t newlen = to_client_len + len; ++ char *tmp; ++ ++ tmp = realloc (to_client, newlen); ++ if (!tmp) ++ abort (); ++ to_client = tmp; ++ ++ memcpy (to_client + to_client_len, data, len); ++ to_client_len = newlen; ++ ++ return len; ++} ++ ++static unsigned char server_cert_pem[] = ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" ++ "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n" ++ "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n" ++ "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n" ++ "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n" ++ "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n" ++ "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n" ++ "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n" ++ "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n" ++ "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n" ++ "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n" ++ "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n" ++ "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n"; ++ ++const gnutls_datum_t server_cert = { server_cert_pem, ++ sizeof (server_cert_pem) ++}; ++ ++static unsigned char server_key_pem[] = ++ "-----BEGIN RSA PRIVATE KEY-----\n" ++ "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n" ++ "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n" ++ "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n" ++ "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n" ++ "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n" ++ "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n" ++ "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n" ++ "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n" ++ "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n" ++ "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n" ++ "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n" ++ "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n" ++ "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n" ++ "-----END RSA PRIVATE KEY-----\n"; ++ ++const gnutls_datum_t server_key = { server_key_pem, ++ sizeof (server_key_pem) ++}; ++ ++int ++main (int argc, char *argv[]) ++{ ++ int debug_level = argc - 1; ++ int exit_code = EXIT_SUCCESS; ++ /* Server stuff. */ ++ gnutls_certificate_credentials_t serverx509cred; ++ gnutls_session_t server; ++ int sret = GNUTLS_E_AGAIN; ++ /* Client stuff. */ ++ gnutls_certificate_credentials_t clientx509cred; ++ gnutls_session_t client; ++ int cret = GNUTLS_E_AGAIN; ++ ++ /* General init. */ ++ gnutls_global_init (); ++ gnutls_global_set_log_function (tls_log_func); ++ gnutls_global_set_log_level (debug_level); ++ ++ /* Init server */ ++ gnutls_certificate_allocate_credentials (&serverx509cred); ++ gnutls_certificate_set_x509_key_mem (serverx509cred, ++ &server_cert, &server_key, ++ GNUTLS_X509_FMT_PEM); ++ gnutls_init (&server, GNUTLS_SERVER); ++ gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred); ++ gnutls_priority_set_direct (server, "NORMAL:%DISABLE_SAFE_RENEGOTIATION", ++ NULL); ++ gnutls_transport_set_push_function (server, server_push); ++ gnutls_transport_set_pull_function (server, server_pull); ++ ++ /* Init client */ ++ gnutls_certificate_allocate_credentials (&clientx509cred); ++ gnutls_init (&client, GNUTLS_CLIENT); ++ gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, clientx509cred); ++ gnutls_priority_set_direct (client, "NORMAL:%SAFE_RENEGOTIATION", NULL); ++ gnutls_transport_set_push_function (client, client_push); ++ gnutls_transport_set_pull_function (client, client_pull); ++ ++ /* Check that initially no session use the extension. */ ++ if (gnutls_safe_renegotiation_status (server) ++ || gnutls_safe_renegotiation_status (client)) ++ { ++ puts ("Client or server using extension before handshake?"); ++ abort (); ++ } ++ ++ do ++ { ++ static int max_iter = 0; ++ if (max_iter++ > 10) ++ abort (); ++ ++ if (cret == GNUTLS_E_AGAIN) ++ { ++ cret = gnutls_handshake (client); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "gnutls_handshake (client)...\n"); ++ tls_log_func (0, gnutls_strerror (cret)); ++ tls_log_func (0, "\n"); ++ } ++ } ++ ++ if (sret == GNUTLS_E_AGAIN) ++ { ++ sret = gnutls_handshake (server); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "gnutls_handshake (server)...\n"); ++ tls_log_func (0, gnutls_strerror (sret)); ++ tls_log_func (0, "\n"); ++ } ++ } ++ } ++ while ((cret == GNUTLS_E_AGAIN || cret == GNUTLS_E_SUCCESS) ++ && (sret == GNUTLS_E_AGAIN || sret == GNUTLS_E_SUCCESS)); ++ ++ if (cret != GNUTLS_E_SAFE_RENEGOTIATION_FAILED && sret != GNUTLS_E_SUCCESS) ++ exit_code = EXIT_FAILURE; ++ ++ gnutls_bye (client, GNUTLS_SHUT_RDWR); ++ gnutls_bye (server, GNUTLS_SHUT_RDWR); ++ ++ gnutls_deinit (client); ++ gnutls_deinit (server); ++ ++ free (to_server); ++ free (to_client); ++ ++ gnutls_certificate_free_credentials (serverx509cred); ++ ++ gnutls_global_deinit (); ++ ++ if (debug_level > 0) ++ { ++ if (exit_code == 0) ++ puts ("Self-test successful"); ++ else ++ puts ("Self-test failed"); ++ } ++ ++ return exit_code; ++} +--- /dev/null 2013-09-26 ++++ b/tests/safe-renegotiation/srn4.c 2013-09-26 +@@ -0,0 +1,263 @@ ++/* ++ * Copyright (C) 2008, 2010 Free Software Foundation, Inc. ++ * ++ * Author: Simon Josefsson ++ * ++ * This file is part of GnuTLS. ++ * ++ * GnuTLS is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GnuTLS is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GnuTLS; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA ++ */ ++ ++/* Code based on ../mini-x509.c. ++ * ++ * This tests that a %SAFE_RENEGOTIATION server will reject handshakes ++ * against clients that do not support the extension. ++ */ ++ ++#ifdef HAVE_CONFIG_H ++# include <config.h> ++#endif ++ ++#include <stdio.h> ++#include <stdlib.h> ++#include <string.h> ++#include <errno.h> ++#include <gnutls/gnutls.h> ++ ++static void ++tls_log_func (int level, const char *str) ++{ ++ fprintf (stderr, "|<%d>| %s", level, str); ++} ++ ++static char *to_server; ++static size_t to_server_len; ++ ++static char *to_client; ++static size_t to_client_len; ++ ++static ssize_t ++client_pull (gnutls_transport_ptr_t tr, void *data, size_t len) ++{ ++ if (to_client_len < len) ++ { ++ gnutls_transport_set_global_errno (EAGAIN); ++ return -1; ++ } ++ ++ memcpy (data, to_client, len); ++ ++ memmove (to_client, to_client + len, to_client_len - len); ++ to_client_len -= len; ++ ++ return len; ++} ++ ++static ssize_t ++client_push (gnutls_transport_ptr_t tr, const void *data, size_t len) ++{ ++ size_t newlen = to_server_len + len; ++ char *tmp; ++ ++ tmp = realloc (to_server, newlen); ++ if (!tmp) ++ abort (); ++ to_server = tmp; ++ ++ memcpy (to_server + to_server_len, data, len); ++ to_server_len = newlen; ++ ++ return len; ++} ++ ++static ssize_t ++server_pull (gnutls_transport_ptr_t tr, void *data, size_t len) ++{ ++ if (to_server_len < len) ++ { ++ gnutls_transport_set_global_errno (EAGAIN); ++ return -1; ++ } ++ ++ memcpy (data, to_server, len); ++ ++ memmove (to_server, to_server + len, to_server_len - len); ++ to_server_len -= len; ++ ++ return len; ++} ++ ++static ssize_t ++server_push (gnutls_transport_ptr_t tr, const void *data, size_t len) ++{ ++ size_t newlen = to_client_len + len; ++ char *tmp; ++ ++ tmp = realloc (to_client, newlen); ++ if (!tmp) ++ abort (); ++ to_client = tmp; ++ ++ memcpy (to_client + to_client_len, data, len); ++ to_client_len = newlen; ++ ++ return len; ++} ++ ++static unsigned char server_cert_pem[] = ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" ++ "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n" ++ "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n" ++ "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n" ++ "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n" ++ "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n" ++ "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n" ++ "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n" ++ "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n" ++ "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n" ++ "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n" ++ "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n" ++ "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n"; ++ ++const gnutls_datum_t server_cert = { server_cert_pem, ++ sizeof (server_cert_pem) ++}; ++ ++static unsigned char server_key_pem[] = ++ "-----BEGIN RSA PRIVATE KEY-----\n" ++ "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n" ++ "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n" ++ "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n" ++ "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n" ++ "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n" ++ "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n" ++ "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n" ++ "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n" ++ "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n" ++ "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n" ++ "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n" ++ "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n" ++ "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n" ++ "-----END RSA PRIVATE KEY-----\n"; ++ ++const gnutls_datum_t server_key = { server_key_pem, ++ sizeof (server_key_pem) ++}; ++ ++int ++main (int argc, char *argv[]) ++{ ++ int debug_level = argc - 1; ++ int exit_code = EXIT_SUCCESS; ++ /* Server stuff. */ ++ gnutls_certificate_credentials_t serverx509cred; ++ gnutls_session_t server; ++ int sret = GNUTLS_E_AGAIN; ++ /* Client stuff. */ ++ gnutls_certificate_credentials_t clientx509cred; ++ gnutls_session_t client; ++ int cret = GNUTLS_E_AGAIN; ++ ++ /* General init. */ ++ gnutls_global_init (); ++ gnutls_global_set_log_function (tls_log_func); ++ gnutls_global_set_log_level (debug_level); ++ ++ /* Init server */ ++ gnutls_certificate_allocate_credentials (&serverx509cred); ++ gnutls_certificate_set_x509_key_mem (serverx509cred, ++ &server_cert, &server_key, ++ GNUTLS_X509_FMT_PEM); ++ gnutls_init (&server, GNUTLS_SERVER); ++ gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred); ++ gnutls_priority_set_direct (server, "NORMAL:%SAFE_RENEGOTIATION", NULL); ++ gnutls_transport_set_push_function (server, server_push); ++ gnutls_transport_set_pull_function (server, server_pull); ++ ++ /* Init client */ ++ gnutls_certificate_allocate_credentials (&clientx509cred); ++ gnutls_init (&client, GNUTLS_CLIENT); ++ gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, clientx509cred); ++ gnutls_priority_set_direct (client, "NORMAL:%DISABLE_SAFE_RENEGOTIATION", ++ NULL); ++ gnutls_transport_set_push_function (client, client_push); ++ gnutls_transport_set_pull_function (client, client_pull); ++ ++ /* Check that initially no session use the extension. */ ++ if (gnutls_safe_renegotiation_status (server) ++ || gnutls_safe_renegotiation_status (client)) ++ { ++ puts ("Client or server using extension before handshake?"); ++ abort (); ++ } ++ ++ do ++ { ++ static int max_iter = 0; ++ if (max_iter++ > 10) ++ abort (); ++ ++ if (cret == GNUTLS_E_AGAIN) ++ { ++ cret = gnutls_handshake (client); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "gnutls_handshake (client)...\n"); ++ tls_log_func (0, gnutls_strerror (cret)); ++ tls_log_func (0, "\n"); ++ } ++ } ++ ++ if (sret == GNUTLS_E_AGAIN) ++ { ++ sret = gnutls_handshake (server); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "gnutls_handshake (server)...\n"); ++ tls_log_func (0, gnutls_strerror (sret)); ++ tls_log_func (0, "\n"); ++ } ++ } ++ } ++ while ((cret == GNUTLS_E_AGAIN || cret == GNUTLS_E_SUCCESS) ++ && (sret == GNUTLS_E_AGAIN || sret == GNUTLS_E_SUCCESS)); ++ ++ if (cret != GNUTLS_E_SUCCESS && sret != GNUTLS_E_SAFE_RENEGOTIATION_FAILED) ++ exit_code = EXIT_FAILURE; ++ ++ gnutls_bye (client, GNUTLS_SHUT_RDWR); ++ gnutls_bye (server, GNUTLS_SHUT_RDWR); ++ ++ gnutls_deinit (client); ++ gnutls_deinit (server); ++ ++ free (to_server); ++ free (to_client); ++ ++ gnutls_certificate_free_credentials (serverx509cred); ++ ++ gnutls_global_deinit (); ++ ++ if (debug_level > 0) ++ { ++ if (exit_code == 0) ++ puts ("Self-test successful"); ++ else ++ puts ("Self-test failed"); ++ } ++ ++ return exit_code; ++} +--- /dev/null 2013-09-26 ++++ b/tests/safe-renegotiation/srn5.c 2013-09-26 +@@ -0,0 +1,337 @@ ++/* ++ * Copyright (C) 2008, 2010 Free Software Foundation, Inc. ++ * ++ * Author: Simon Josefsson ++ * ++ * This file is part of GnuTLS. ++ * ++ * GnuTLS is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GnuTLS is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GnuTLS; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA ++ */ ++ ++/* Code based on ./srn0.c. ++ * ++ * This tests that a client with a permissive policy ++ * (%UNSAFE_RENEGOTIATION) is able to handshake and rehandshake with a ++ * server with no support for the extension. ++ */ ++ ++#ifdef HAVE_CONFIG_H ++# include <config.h> ++#endif ++ ++#include <stdio.h> ++#include <stdlib.h> ++#include <string.h> ++#include <errno.h> ++#include <gnutls/gnutls.h> ++ ++static void ++tls_log_func (int level, const char *str) ++{ ++ fprintf (stderr, "|<%d>| %s", level, str); ++} ++ ++static char *to_server; ++static size_t to_server_len; ++ ++static char *to_client; ++static size_t to_client_len; ++ ++static ssize_t ++client_pull (gnutls_transport_ptr_t tr, void *data, size_t len) ++{ ++ if (to_client_len < len) ++ { ++ gnutls_transport_set_global_errno (EAGAIN); ++ return -1; ++ } ++ ++ memcpy (data, to_client, len); ++ ++ memmove (to_client, to_client + len, to_client_len - len); ++ to_client_len -= len; ++ ++ return len; ++} ++ ++static ssize_t ++client_push (gnutls_transport_ptr_t tr, const void *data, size_t len) ++{ ++ size_t newlen = to_server_len + len; ++ char *tmp; ++ ++ tmp = realloc (to_server, newlen); ++ if (!tmp) ++ abort (); ++ to_server = tmp; ++ ++ memcpy (to_server + to_server_len, data, len); ++ to_server_len = newlen; ++ ++ return len; ++} ++ ++static ssize_t ++server_pull (gnutls_transport_ptr_t tr, void *data, size_t len) ++{ ++ if (to_server_len < len) ++ { ++ gnutls_transport_set_global_errno (EAGAIN); ++ return -1; ++ } ++ ++ memcpy (data, to_server, len); ++ ++ memmove (to_server, to_server + len, to_server_len - len); ++ to_server_len -= len; ++ ++ return len; ++} ++ ++static ssize_t ++server_push (gnutls_transport_ptr_t tr, const void *data, size_t len) ++{ ++ size_t newlen = to_client_len + len; ++ char *tmp; ++ ++ tmp = realloc (to_client, newlen); ++ if (!tmp) ++ abort (); ++ to_client = tmp; ++ ++ memcpy (to_client + to_client_len, data, len); ++ to_client_len = newlen; ++ ++ return len; ++} ++ ++static unsigned char server_cert_pem[] = ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" ++ "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n" ++ "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n" ++ "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n" ++ "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n" ++ "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n" ++ "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n" ++ "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n" ++ "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n" ++ "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n" ++ "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n" ++ "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n" ++ "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n"; ++ ++const gnutls_datum_t server_cert = { server_cert_pem, ++ sizeof (server_cert_pem) ++}; ++ ++static unsigned char server_key_pem[] = ++ "-----BEGIN RSA PRIVATE KEY-----\n" ++ "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n" ++ "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n" ++ "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n" ++ "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n" ++ "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n" ++ "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n" ++ "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n" ++ "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n" ++ "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n" ++ "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n" ++ "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n" ++ "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n" ++ "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n" ++ "-----END RSA PRIVATE KEY-----\n"; ++ ++const gnutls_datum_t server_key = { server_key_pem, ++ sizeof (server_key_pem) ++}; ++ ++int ++main (int argc, char *argv[]) ++{ ++ int debug_level = argc - 1; ++ int exit_code = EXIT_SUCCESS; ++ /* Server stuff. */ ++ gnutls_certificate_credentials_t serverx509cred; ++ gnutls_session_t server; ++ int sret = GNUTLS_E_AGAIN; ++ /* Client stuff. */ ++ gnutls_certificate_credentials_t clientx509cred; ++ gnutls_session_t client; ++ int cret = GNUTLS_E_AGAIN; ++ ++ /* General init. */ ++ gnutls_global_init (); ++ gnutls_global_set_log_function (tls_log_func); ++ gnutls_global_set_log_level (debug_level); ++ ++ /* Init server */ ++ gnutls_certificate_allocate_credentials (&serverx509cred); ++ gnutls_certificate_set_x509_key_mem (serverx509cred, ++ &server_cert, &server_key, ++ GNUTLS_X509_FMT_PEM); ++ gnutls_init (&server, GNUTLS_SERVER); ++ gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred); ++ gnutls_priority_set_direct (server, "NORMAL:%DISABLE_SAFE_RENEGOTIATION", ++ NULL); ++ gnutls_transport_set_push_function (server, server_push); ++ gnutls_transport_set_pull_function (server, server_pull); ++ ++ /* Init client */ ++ gnutls_certificate_allocate_credentials (&clientx509cred); ++ gnutls_init (&client, GNUTLS_CLIENT); ++ gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, clientx509cred); ++ gnutls_priority_set_direct (client, "NORMAL:%UNSAFE_RENEGOTIATION", NULL); ++ gnutls_transport_set_push_function (client, client_push); ++ gnutls_transport_set_pull_function (client, client_pull); ++ ++ /* Check that initially no session use the extension. */ ++ if (gnutls_safe_renegotiation_status (server) ++ || gnutls_safe_renegotiation_status (client)) ++ { ++ puts ("Client or server using extension before handshake?"); ++ abort (); ++ } ++ ++ do ++ { ++ static int max_iter = 0; ++ if (max_iter++ > 10) ++ abort (); ++ ++ if (cret == GNUTLS_E_AGAIN) ++ { ++ cret = gnutls_handshake (client); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "gnutls_handshake (client)...\n"); ++ tls_log_func (0, gnutls_strerror (cret)); ++ tls_log_func (0, "\n"); ++ } ++ } ++ ++ if (sret == GNUTLS_E_AGAIN) ++ { ++ sret = gnutls_handshake (server); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "gnutls_handshake (server)...\n"); ++ tls_log_func (0, gnutls_strerror (sret)); ++ tls_log_func (0, "\n"); ++ } ++ } ++ } ++ while ( ++ /* Not done: */ ++ !(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS) ++ /* No error: */ ++ && (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN)); ++ ++ if (cret != GNUTLS_E_SUCCESS && sret != GNUTLS_E_SUCCESS) ++ exit_code = EXIT_FAILURE; ++ ++ if (gnutls_safe_renegotiation_status (client) || ++ gnutls_safe_renegotiation_status (server)) ++ { ++ tls_log_func (0, "Session using safe renegotiation?!\n"); ++ exit_code = EXIT_FAILURE; ++ } ++ ++ sret = gnutls_rehandshake (server); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "gnutls_rehandshake (server)...\n"); ++ tls_log_func (0, gnutls_strerror (sret)); ++ tls_log_func (0, "\n"); ++ } ++ ++ { ++ ssize_t n; ++ char b[1]; ++ n = gnutls_record_recv (client, b, 1); ++ if (n != GNUTLS_E_REHANDSHAKE) ++ abort (); ++ } ++ ++ cret = GNUTLS_E_AGAIN; ++ sret = GNUTLS_E_AGAIN; ++ ++ do ++ { ++ static int max_iter = 0; ++ if (max_iter++ > 10) ++ abort (); ++ ++ if (cret == GNUTLS_E_AGAIN) ++ { ++ cret = gnutls_handshake (client); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "second gnutls_handshake (client)...\n"); ++ tls_log_func (0, gnutls_strerror (cret)); ++ tls_log_func (0, "\n"); ++ } ++ } ++ ++ if (sret == GNUTLS_E_AGAIN) ++ { ++ sret = gnutls_handshake (server); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "second gnutls_handshake (server)...\n"); ++ tls_log_func (0, gnutls_strerror (sret)); ++ tls_log_func (0, "\n"); ++ } ++ } ++ } ++ while ( ++ /* Not done: */ ++ !(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS) ++ /* No error: */ ++ && (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN)); ++ ++ if (cret != GNUTLS_E_SUCCESS && sret != GNUTLS_E_SUCCESS) ++ exit_code = 1; ++ ++ if (gnutls_safe_renegotiation_status (client) || ++ gnutls_safe_renegotiation_status (server)) ++ { ++ tls_log_func (0, "Rehandshaked using safe renegotiation?!\n"); ++ exit_code = EXIT_FAILURE; ++ } ++ ++ gnutls_bye (client, GNUTLS_SHUT_RDWR); ++ gnutls_bye (server, GNUTLS_SHUT_RDWR); ++ ++ gnutls_deinit (client); ++ gnutls_deinit (server); ++ ++ free (to_server); ++ free (to_client); ++ ++ gnutls_certificate_free_credentials (serverx509cred); ++ ++ gnutls_global_deinit (); ++ ++ if (debug_level > 0) ++ { ++ if (exit_code == 0) ++ puts ("Self-test successful"); ++ else ++ puts ("Self-test failed"); ++ } ++ ++ return exit_code; ++} +--- /dev/null 2013-09-26 ++++ b/tests/safe-renegotiation/srn6.c 2013-09-26 +@@ -0,0 +1,337 @@ ++/* ++ * Copyright (C) 2008, 2010 Free Software Foundation, Inc. ++ * ++ * Author: Simon Josefsson ++ * ++ * This file is part of GnuTLS. ++ * ++ * GnuTLS is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GnuTLS is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GnuTLS; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA ++ */ ++ ++/* Code based on ./srn5.c. ++ * ++ * This tests that a server with a permissive policy ++ * (%UNSAFE_RENEGOTIATION) is able to handshake and rehandshake with a ++ * client with no support for the extension. ++ */ ++ ++#ifdef HAVE_CONFIG_H ++# include <config.h> ++#endif ++ ++#include <stdio.h> ++#include <stdlib.h> ++#include <string.h> ++#include <errno.h> ++#include <gnutls/gnutls.h> ++ ++static void ++tls_log_func (int level, const char *str) ++{ ++ fprintf (stderr, "|<%d>| %s", level, str); ++} ++ ++static char *to_server; ++static size_t to_server_len; ++ ++static char *to_client; ++static size_t to_client_len; ++ ++static ssize_t ++client_pull (gnutls_transport_ptr_t tr, void *data, size_t len) ++{ ++ if (to_client_len < len) ++ { ++ gnutls_transport_set_global_errno (EAGAIN); ++ return -1; ++ } ++ ++ memcpy (data, to_client, len); ++ ++ memmove (to_client, to_client + len, to_client_len - len); ++ to_client_len -= len; ++ ++ return len; ++} ++ ++static ssize_t ++client_push (gnutls_transport_ptr_t tr, const void *data, size_t len) ++{ ++ size_t newlen = to_server_len + len; ++ char *tmp; ++ ++ tmp = realloc (to_server, newlen); ++ if (!tmp) ++ abort (); ++ to_server = tmp; ++ ++ memcpy (to_server + to_server_len, data, len); ++ to_server_len = newlen; ++ ++ return len; ++} ++ ++static ssize_t ++server_pull (gnutls_transport_ptr_t tr, void *data, size_t len) ++{ ++ if (to_server_len < len) ++ { ++ gnutls_transport_set_global_errno (EAGAIN); ++ return -1; ++ } ++ ++ memcpy (data, to_server, len); ++ ++ memmove (to_server, to_server + len, to_server_len - len); ++ to_server_len -= len; ++ ++ return len; ++} ++ ++static ssize_t ++server_push (gnutls_transport_ptr_t tr, const void *data, size_t len) ++{ ++ size_t newlen = to_client_len + len; ++ char *tmp; ++ ++ tmp = realloc (to_client, newlen); ++ if (!tmp) ++ abort (); ++ to_client = tmp; ++ ++ memcpy (to_client + to_client_len, data, len); ++ to_client_len = newlen; ++ ++ return len; ++} ++ ++static unsigned char server_cert_pem[] = ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" ++ "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n" ++ "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n" ++ "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n" ++ "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n" ++ "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n" ++ "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n" ++ "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n" ++ "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n" ++ "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n" ++ "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n" ++ "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n" ++ "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n"; ++ ++const gnutls_datum_t server_cert = { server_cert_pem, ++ sizeof (server_cert_pem) ++}; ++ ++static unsigned char server_key_pem[] = ++ "-----BEGIN RSA PRIVATE KEY-----\n" ++ "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n" ++ "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n" ++ "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n" ++ "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n" ++ "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n" ++ "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n" ++ "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n" ++ "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n" ++ "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n" ++ "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n" ++ "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n" ++ "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n" ++ "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n" ++ "-----END RSA PRIVATE KEY-----\n"; ++ ++const gnutls_datum_t server_key = { server_key_pem, ++ sizeof (server_key_pem) ++}; ++ ++int ++main (int argc, char *argv[]) ++{ ++ int debug_level = argc - 1; ++ int exit_code = EXIT_SUCCESS; ++ /* Server stuff. */ ++ gnutls_certificate_credentials_t serverx509cred; ++ gnutls_session_t server; ++ int sret = GNUTLS_E_AGAIN; ++ /* Client stuff. */ ++ gnutls_certificate_credentials_t clientx509cred; ++ gnutls_session_t client; ++ int cret = GNUTLS_E_AGAIN; ++ ++ /* General init. */ ++ gnutls_global_init (); ++ gnutls_global_set_log_function (tls_log_func); ++ gnutls_global_set_log_level (debug_level); ++ ++ /* Init server */ ++ gnutls_certificate_allocate_credentials (&serverx509cred); ++ gnutls_certificate_set_x509_key_mem (serverx509cred, ++ &server_cert, &server_key, ++ GNUTLS_X509_FMT_PEM); ++ gnutls_init (&server, GNUTLS_SERVER); ++ gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred); ++ gnutls_priority_set_direct (server, "NORMAL:%UNSAFE_RENEGOTIATION", NULL); ++ gnutls_transport_set_push_function (server, server_push); ++ gnutls_transport_set_pull_function (server, server_pull); ++ ++ /* Init client */ ++ gnutls_certificate_allocate_credentials (&clientx509cred); ++ gnutls_init (&client, GNUTLS_CLIENT); ++ gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, clientx509cred); ++ gnutls_priority_set_direct (client, "NORMAL:%DISABLE_SAFE_RENEGOTIATION", ++ NULL); ++ gnutls_transport_set_push_function (client, client_push); ++ gnutls_transport_set_pull_function (client, client_pull); ++ ++ /* Check that initially no session use the extension. */ ++ if (gnutls_safe_renegotiation_status (server) ++ || gnutls_safe_renegotiation_status (client)) ++ { ++ puts ("Client or server using extension before handshake?"); ++ abort (); ++ } ++ ++ do ++ { ++ static int max_iter = 0; ++ if (max_iter++ > 10) ++ abort (); ++ ++ if (cret == GNUTLS_E_AGAIN) ++ { ++ cret = gnutls_handshake (client); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "gnutls_handshake (client)...\n"); ++ tls_log_func (0, gnutls_strerror (cret)); ++ tls_log_func (0, "\n"); ++ } ++ } ++ ++ if (sret == GNUTLS_E_AGAIN) ++ { ++ sret = gnutls_handshake (server); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "gnutls_handshake (server)...\n"); ++ tls_log_func (0, gnutls_strerror (sret)); ++ tls_log_func (0, "\n"); ++ } ++ } ++ } ++ while ( ++ /* Not done: */ ++ !(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS) ++ /* No error: */ ++ && (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN)); ++ ++ if (cret != GNUTLS_E_SUCCESS && sret != GNUTLS_E_SUCCESS) ++ exit_code = EXIT_FAILURE; ++ ++ if (gnutls_safe_renegotiation_status (client) || ++ gnutls_safe_renegotiation_status (server)) ++ { ++ tls_log_func (0, "Session using safe renegotiation?!\n"); ++ exit_code = EXIT_FAILURE; ++ } ++ ++ sret = gnutls_rehandshake (server); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "gnutls_rehandshake (server)...\n"); ++ tls_log_func (0, gnutls_strerror (sret)); ++ tls_log_func (0, "\n"); ++ } ++ ++ { ++ ssize_t n; ++ char b[1]; ++ n = gnutls_record_recv (client, b, 1); ++ if (n != GNUTLS_E_REHANDSHAKE) ++ abort (); ++ } ++ ++ cret = GNUTLS_E_AGAIN; ++ sret = GNUTLS_E_AGAIN; ++ ++ do ++ { ++ static int max_iter = 0; ++ if (max_iter++ > 10) ++ abort (); ++ ++ if (cret == GNUTLS_E_AGAIN) ++ { ++ cret = gnutls_handshake (client); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "second gnutls_handshake (client)...\n"); ++ tls_log_func (0, gnutls_strerror (cret)); ++ tls_log_func (0, "\n"); ++ } ++ } ++ ++ if (sret == GNUTLS_E_AGAIN) ++ { ++ sret = gnutls_handshake (server); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "second gnutls_handshake (server)...\n"); ++ tls_log_func (0, gnutls_strerror (sret)); ++ tls_log_func (0, "\n"); ++ } ++ } ++ } ++ while ( ++ /* Not done: */ ++ !(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS) ++ /* No error: */ ++ && (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN)); ++ ++ if (cret != GNUTLS_E_SUCCESS && sret != GNUTLS_E_SUCCESS) ++ exit_code = 1; ++ ++ if (gnutls_safe_renegotiation_status (client) || ++ gnutls_safe_renegotiation_status (server)) ++ { ++ tls_log_func (0, "Rehandshaked using safe renegotiation?!\n"); ++ exit_code = EXIT_FAILURE; ++ } ++ ++ gnutls_bye (client, GNUTLS_SHUT_RDWR); ++ gnutls_bye (server, GNUTLS_SHUT_RDWR); ++ ++ gnutls_deinit (client); ++ gnutls_deinit (server); ++ ++ free (to_server); ++ free (to_client); ++ ++ gnutls_certificate_free_credentials (serverx509cred); ++ ++ gnutls_global_deinit (); ++ ++ if (debug_level > 0) ++ { ++ if (exit_code == 0) ++ puts ("Self-test successful"); ++ else ++ puts ("Self-test failed"); ++ } ++ ++ return exit_code; ++} +--- /dev/null 2013-09-26 ++++ b/tests/safe-renegotiation/srn7.c 2013-09-26 +@@ -0,0 +1,336 @@ ++/* ++ * Copyright (C) 2008, 2010 Free Software Foundation, Inc. ++ * ++ * Author: Simon Josefsson ++ * ++ * This file is part of GnuTLS. ++ * ++ * GnuTLS is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GnuTLS is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GnuTLS; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA ++ */ ++ ++/* Code based on ../srn0.c. ++ * ++ * This tests that clients and servers in %SAFE_RENEGOTIATION mode are ++ * able to handshake and rehandshake. ++ */ ++ ++#ifdef HAVE_CONFIG_H ++# include <config.h> ++#endif ++ ++#include <stdio.h> ++#include <stdlib.h> ++#include <string.h> ++#include <errno.h> ++#include <gnutls/gnutls.h> ++ ++static void ++tls_log_func (int level, const char *str) ++{ ++ fprintf (stderr, "|<%d>| %s", level, str); ++} ++ ++static char *to_server; ++static size_t to_server_len; ++ ++static char *to_client; ++static size_t to_client_len; ++ ++static ssize_t ++client_pull (gnutls_transport_ptr_t tr, void *data, size_t len) ++{ ++ if (to_client_len < len) ++ { ++ gnutls_transport_set_global_errno (EAGAIN); ++ return -1; ++ } ++ ++ memcpy (data, to_client, len); ++ ++ memmove (to_client, to_client + len, to_client_len - len); ++ to_client_len -= len; ++ ++ return len; ++} ++ ++static ssize_t ++client_push (gnutls_transport_ptr_t tr, const void *data, size_t len) ++{ ++ size_t newlen = to_server_len + len; ++ char *tmp; ++ ++ tmp = realloc (to_server, newlen); ++ if (!tmp) ++ abort (); ++ to_server = tmp; ++ ++ memcpy (to_server + to_server_len, data, len); ++ to_server_len = newlen; ++ ++ return len; ++} ++ ++static ssize_t ++server_pull (gnutls_transport_ptr_t tr, void *data, size_t len) ++{ ++ if (to_server_len < len) ++ { ++ gnutls_transport_set_global_errno (EAGAIN); ++ return -1; ++ } ++ ++ memcpy (data, to_server, len); ++ ++ memmove (to_server, to_server + len, to_server_len - len); ++ to_server_len -= len; ++ ++ return len; ++} ++ ++static ssize_t ++server_push (gnutls_transport_ptr_t tr, const void *data, size_t len) ++{ ++ size_t newlen = to_client_len + len; ++ char *tmp; ++ ++ tmp = realloc (to_client, newlen); ++ if (!tmp) ++ abort (); ++ to_client = tmp; ++ ++ memcpy (to_client + to_client_len, data, len); ++ to_client_len = newlen; ++ ++ return len; ++} ++ ++static unsigned char server_cert_pem[] = ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" ++ "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n" ++ "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n" ++ "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n" ++ "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n" ++ "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n" ++ "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n" ++ "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n" ++ "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n" ++ "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n" ++ "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n" ++ "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n" ++ "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n"; ++ ++const gnutls_datum_t server_cert = { server_cert_pem, ++ sizeof (server_cert_pem) ++}; ++ ++static unsigned char server_key_pem[] = ++ "-----BEGIN RSA PRIVATE KEY-----\n" ++ "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n" ++ "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n" ++ "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n" ++ "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n" ++ "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n" ++ "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n" ++ "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n" ++ "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n" ++ "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n" ++ "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n" ++ "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n" ++ "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n" ++ "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n" ++ "-----END RSA PRIVATE KEY-----\n"; ++ ++const gnutls_datum_t server_key = { server_key_pem, ++ sizeof (server_key_pem) ++}; ++ ++int ++main (int argc, char *argv[]) ++{ ++ int debug_level = argc - 1; ++ int exit_code = EXIT_SUCCESS; ++ /* Server stuff. */ ++ gnutls_certificate_credentials_t serverx509cred; ++ gnutls_session_t server; ++ int sret = GNUTLS_E_AGAIN; ++ /* Client stuff. */ ++ gnutls_certificate_credentials_t clientx509cred; ++ gnutls_session_t client; ++ int cret = GNUTLS_E_AGAIN; ++ ++ /* General init. */ ++ gnutls_global_init (); ++ gnutls_global_set_log_function (tls_log_func); ++ gnutls_global_set_log_level (debug_level); ++ ++ /* Init server */ ++ gnutls_certificate_allocate_credentials (&serverx509cred); ++ gnutls_certificate_set_x509_key_mem (serverx509cred, ++ &server_cert, &server_key, ++ GNUTLS_X509_FMT_PEM); ++ gnutls_init (&server, GNUTLS_SERVER); ++ gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred); ++ gnutls_priority_set_direct (server, "NORMAL:%SAFE_RENEGOTIATION", NULL); ++ gnutls_transport_set_push_function (server, server_push); ++ gnutls_transport_set_pull_function (server, server_pull); ++ ++ /* Init client */ ++ gnutls_certificate_allocate_credentials (&clientx509cred); ++ gnutls_init (&client, GNUTLS_CLIENT); ++ gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, clientx509cred); ++ gnutls_priority_set_direct (client, "NORMAL:%SAFE_RENEGOTIATION", NULL); ++ gnutls_transport_set_push_function (client, client_push); ++ gnutls_transport_set_pull_function (client, client_pull); ++ ++ /* Check that initially no session use the extension. */ ++ if (gnutls_safe_renegotiation_status (server) ++ || gnutls_safe_renegotiation_status (client)) ++ { ++ puts ("Client or server using extension before handshake?"); ++ abort (); ++ } ++ ++ do ++ { ++ static int max_iter = 0; ++ if (max_iter++ > 10) ++ abort (); ++ ++ if (cret == GNUTLS_E_AGAIN) ++ { ++ cret = gnutls_handshake (client); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "gnutls_handshake (client)...\n"); ++ tls_log_func (0, gnutls_strerror (cret)); ++ tls_log_func (0, "\n"); ++ } ++ } ++ ++ if (sret == GNUTLS_E_AGAIN) ++ { ++ sret = gnutls_handshake (server); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "gnutls_handshake (server)...\n"); ++ tls_log_func (0, gnutls_strerror (sret)); ++ tls_log_func (0, "\n"); ++ } ++ } ++ } ++ while ( ++ /* Not done: */ ++ !(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS) ++ /* No error: */ ++ && (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN)); ++ ++ if (cret != GNUTLS_E_SUCCESS && sret != GNUTLS_E_SUCCESS) ++ exit_code = EXIT_FAILURE; ++ ++ if (!gnutls_safe_renegotiation_status (client) || ++ !gnutls_safe_renegotiation_status (server)) ++ { ++ tls_log_func (0, "Session not using safe renegotiation!\n"); ++ exit_code = EXIT_FAILURE; ++ } ++ ++ sret = gnutls_rehandshake (server); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "gnutls_rehandshake (server)...\n"); ++ tls_log_func (0, gnutls_strerror (sret)); ++ tls_log_func (0, "\n"); ++ } ++ ++ { ++ ssize_t n; ++ char b[1]; ++ n = gnutls_record_recv (client, b, 1); ++ if (n != GNUTLS_E_REHANDSHAKE) ++ abort (); ++ } ++ ++ cret = GNUTLS_E_AGAIN; ++ sret = GNUTLS_E_AGAIN; ++ ++ do ++ { ++ static int max_iter = 0; ++ if (max_iter++ > 10) ++ abort (); ++ ++ if (cret == GNUTLS_E_AGAIN) ++ { ++ cret = gnutls_handshake (client); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "second gnutls_handshake (client)...\n"); ++ tls_log_func (0, gnutls_strerror (cret)); ++ tls_log_func (0, "\n"); ++ } ++ } ++ ++ if (sret == GNUTLS_E_AGAIN) ++ { ++ sret = gnutls_handshake (server); ++ if (debug_level > 0) ++ { ++ tls_log_func (0, "second gnutls_handshake (server)...\n"); ++ tls_log_func (0, gnutls_strerror (sret)); ++ tls_log_func (0, "\n"); ++ } ++ } ++ } ++ while ( ++ /* Not done: */ ++ !(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS) ++ /* No error: */ ++ && (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN)); ++ ++ if (cret != GNUTLS_E_SUCCESS && sret != GNUTLS_E_SUCCESS) ++ exit_code = 1; ++ ++ if (!gnutls_safe_renegotiation_status (client) || ++ !gnutls_safe_renegotiation_status (server)) ++ { ++ tls_log_func (0, ++ "Rehandshaked session not using safe renegotiation!\n"); ++ exit_code = EXIT_FAILURE; ++ } ++ ++ gnutls_bye (client, GNUTLS_SHUT_RDWR); ++ gnutls_bye (server, GNUTLS_SHUT_RDWR); ++ ++ gnutls_deinit (client); ++ gnutls_deinit (server); ++ ++ free (to_server); ++ free (to_client); ++ ++ gnutls_certificate_free_credentials (serverx509cred); ++ ++ gnutls_global_deinit (); ++ ++ if (debug_level > 0) ++ { ++ if (exit_code == 0) ++ puts ("Self-test successful"); ++ else ++ puts ("Self-test failed"); ++ } ++ ++ return exit_code; ++} +--- /dev/null 2013-09-26 ++++ b/tests/safe-renegotiation/testsrn 2013-09-26 +@@ -0,0 +1,103 @@ ++#!/bin/sh ++ ++# Copyright (C) 2010 Free Software Foundation, Inc. ++# ++# Author: Nikos Mavrogiannopoulos ++# ++# This file is part of GnuTLS. ++# ++# GnuTLS is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by the ++# Free Software Foundation; either version 3 of the License, or (at ++# your option) any later version. ++# ++# GnuTLS is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with GnuTLS; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ++ ++srcdir="${srcdir:-.}" ++SERV="${SERV:-../../src/gnutls-serv$EXEEXT} -q" ++CLI="${CLI:-../../src/gnutls-cli$EXEEXT}" ++PORT="${PORT:-5558}" ++unset RETCODE ++ ++fail() { ++ echo "Failure: $1" >&2 ++ RETCODE=${RETCODE:-${2:-1}} ++} ++ ++echo "Checking Safe renegotiation" ++ ++$SERV -p $PORT --echo --priority NORMAL:+ANON-DH:%PARTIAL_RENEGOTIATION --dhparams $srcdir/params.dh >/dev/null 2>&1 & ++pid=$! ++ ++# give the server a chance to initialize ++sleep 2 ++ ++$CLI -p $PORT 127.0.0.1 --rehandshake --priority NONE:+AES-128-CBC:+MD5:+SHA1:+VERS-SSL3.0:+ANON-DH:+COMP-NULL:%SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \ ++ fail "0. Renegotiation should have succeeded!" ++ ++$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \ ++ fail "1. Safe rehandshake should have succeeded!" ++ ++$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \ ++ fail "2. Unsafe rehandshake should have succeeded!" ++ ++$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \ ++ fail "3. Unsafe negotiation should have succeeded!" ++ ++$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 && \ ++ fail "4. Unsafe renegotiation should have failed!" ++ ++ ++kill $pid ++wait ++ ++$SERV -p $PORT --echo --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION --dhparams $srcdir/params.dh >/dev/null 2>&1 & ++pid=$! ++ ++# give the server a chance to initialize ++sleep 2 ++ ++$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \ ++ fail "5. Safe rehandshake should have succeeded!" ++ ++$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \ ++ fail "6. Unsafe rehandshake should have succeeded!" ++ ++$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 && \ ++ fail "7. Unsafe negotiation should have failed!" ++ ++$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 && \ ++ fail "8. Unsafe renegotiation should have failed!" ++ ++kill $pid ++wait ++ ++$SERV -p $PORT --echo --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION --dhparams $srcdir/params.dh >/dev/null 2>&1 & ++pid=$! ++ ++# give the server a chance to initialize ++sleep 2 ++ ++$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 && \ ++ fail "9. Initial connection should have failed!" ++ ++$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \ ++ fail "10. Unsafe connection should have succeeded!" ++ ++$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \ ++ fail "11. Unsafe negotiation should have succeeded!" ++ ++$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \ ++ fail "12. Unsafe renegotiation should have succeeded!" ++ ++kill $pid ++wait ++ ++exit ${RETCODE:-0} +--- a/tests/simple.c 2009-06-02 ++++ b/tests/simple.c 2013-09-26 +@@ -50,7 +50,7 @@ doit (void) + + for (i = 0; algs[i]; i++) + { +- printf ("pk_list[%d] = %d = %s = %d\n", i, algs[i], ++ printf ("pk_list[%d] = %d = %s = %d\n", (int)i, algs[i], + gnutls_pk_algorithm_get_name (algs[i]), + gnutls_pk_get_id (gnutls_pk_algorithm_get_name (algs[i]))); + if (gnutls_pk_get_id (gnutls_pk_algorithm_get_name (algs[i])) +@@ -76,7 +76,7 @@ doit (void) + + for (i = 0; algs[i]; i++) + { +- printf ("sign_list[%d] = %d = %s = %d\n", i, algs[i], ++ printf ("sign_list[%d] = %d = %s = %d\n", (int)i, algs[i], + gnutls_sign_algorithm_get_name (algs[i]), + gnutls_sign_get_id (gnutls_sign_algorithm_get_name + (algs[i]))); diff --git a/patches/source/gnutls/gnutls-2.8.4_CVE-2011-4128.diff b/patches/source/gnutls/gnutls-2.8.4_CVE-2011-4128.diff new file mode 100644 index 00000000..0f933d17 --- /dev/null +++ b/patches/source/gnutls/gnutls-2.8.4_CVE-2011-4128.diff @@ -0,0 +1,36 @@ +From 944118eba2ba7d1ffae2402e50e143e34d3a42ba Mon Sep 17 00:00:00 2001 +From: mancha <mancha1@hush.com> +Date: Sun, 29 Sep 2013 +Subject: CVE-2011-4128 [GNUTLS-SA-2011-2] + +gnutls_session_get_data: fix possible buffer overflow + +This is a backport adaptation for use with GnuTLS 2.8.4. + +Relevant upstream commits: +-------------------------- +https://gitorious.org/gnutls/gnutls/commit/190cef6eed37d0 +https://gitorious.org/gnutls/gnutls/commit/e82ef4545e9e98 + +--- + gnutls_session.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/lib/gnutls_session.c 2013-09-27 ++++ b/lib/gnutls_session.c 2013-09-27 +@@ -64,13 +64,14 @@ gnutls_session_get_data (gnutls_session_ + gnutls_assert (); + return ret; + } +- *session_data_size = psession.size; + + if (psession.size > *session_data_size) + { ++ *session_data_size = psession.size; + ret = GNUTLS_E_SHORT_MEMORY_BUFFER; + goto error; + } ++ *session_data_size = psession.size; + + if (session_data != NULL) + memcpy (session_data, psession.data, psession.size); diff --git a/patches/source/gnutls/gnutls-2.8.4_CVE-2012-1569.diff b/patches/source/gnutls/gnutls-2.8.4_CVE-2012-1569.diff new file mode 100644 index 00000000..98ae99ff --- /dev/null +++ b/patches/source/gnutls/gnutls-2.8.4_CVE-2012-1569.diff @@ -0,0 +1,62 @@ +From 6f3bce4bdaf45c23107ba07b65eeaa00c1436346 Mon Sep 17 00:00:00 2001 +From: mancha <mancha1@hush.com> +Date: Thu, 3 Oct 2013 +Subject: CVE-2012-1569 [GNUTLS-SA-2012-3] + +asn1_get_length_der() in decoding.c in GNU Libtasn1 before 2.12 +does not properly handle certain large length values. This can be +exploited by attackers to cause a DoS or other impacts via a +crafted ASN.1 structure. + +Fix adapted for use with libtasn1 embedded in GnuTLS 2.8.4. + +Relevant upstream patch: +------------------------ +http://article.gmane.org/gmane.comp.gnu.libtasn1.general/54 + +--- + decoding.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/lib/minitasn1/decoding.c ++++ b/lib/minitasn1/decoding.c +@@ -55,12 +55,13 @@ _asn1_error_description_tag_error (ASN1_TYPE node, char *ErrorDescription) + * Extract a length field from DER data. + * + * Return value: Return the decoded length value, or -1 on indefinite +- * length, or -2 when the value was too big. ++ * length, or -2 when the value was too big to fit in a int, or -4 ++ * when the decoded length value plus @len would exceed @der_len. + **/ + signed long + asn1_get_length_der (const unsigned char *der, int der_len, int *len) + { +- unsigned long ans; ++ int ans; + int k, punt; + + *len = 0; +@@ -83,7 +84,7 @@ asn1_get_length_der (const unsigned char *der, int der_len, int *len) + ans = 0; + while (punt <= k && punt < der_len) + { +- unsigned long last = ans; ++ int last = ans; + + ans = ans * 256 + der[punt++]; + if (ans < last) +@@ -93,10 +94,13 @@ asn1_get_length_der (const unsigned char *der, int der_len, int *len) + } + else + { /* indefinite length method */ +- ans = -1; ++ *len = punt; ++ return -1; + } + + *len = punt; ++ if (ans + *len < ans || ans + *len > der_len) ++ return -4; + return ans; + } + } diff --git a/patches/source/gnutls/gnutls-2.8.4_CVE-2012-1573.diff b/patches/source/gnutls/gnutls-2.8.4_CVE-2012-1573.diff new file mode 100644 index 00000000..f135ac33 --- /dev/null +++ b/patches/source/gnutls/gnutls-2.8.4_CVE-2012-1573.diff @@ -0,0 +1,39 @@ +From d33a1132a5e53ce2c8e5957a587ee28f4f0ccfcb Mon Sep 17 00:00:00 2001 +From: mancha <mancha1@hush.com> +Date: Sun, 29 Sep 2013 +Subject: CVE-2012-1573 [GNUTLS-SA-2012-2] + +Address a TLS record handling vulnerability in GnuTLS. + +This is a backport adaptation for use with GnuTLS 2.8.4. + +Relevant upstream commit: +------------------------- +https://gitorious.org/gnutls/gnutls/commit/42221486806137 + +--- + gnutls_cipher.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +--- a/lib/gnutls_cipher.c 2013-09-27 ++++ b/lib/gnutls_cipher.c 2013-09-27 +@@ -501,14 +501,13 @@ _gnutls_ciphertext2compressed (gnutls_se + { + ciphertext.size -= blocksize; + ciphertext.data += blocksize; +- +- if (ciphertext.size == 0) +- { +- gnutls_assert (); +- return GNUTLS_E_DECRYPTION_FAILED; +- } + } + ++ if (ciphertext.size < hash_size) ++ { ++ gnutls_assert (); ++ return GNUTLS_E_DECRYPTION_FAILED; ++ } + pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */ + + if ((int) pad > (int) ciphertext.size - hash_size) diff --git a/patches/source/gnutls/gnutls-2.8.4_CVE-2013-1619_CVE-2013-2116.diff b/patches/source/gnutls/gnutls-2.8.4_CVE-2013-1619_CVE-2013-2116.diff new file mode 100644 index 00000000..3b3ccf7f --- /dev/null +++ b/patches/source/gnutls/gnutls-2.8.4_CVE-2013-1619_CVE-2013-2116.diff @@ -0,0 +1,381 @@ +From e9e4cb4ed045a12c984a367bee0ddcbb3f27ae0d Mon Sep 17 00:00:00 2001 +From: mancha <mancha1@hush.com> +Date: Sun, 29 Sep 2013 +Subject: CVE-2013-1619 and CVE-2013-2116 [GNUTLS-SA-2013-1,GNUTLS-SA-2013-2] + +Fix to avoid a timing attack in TLS CBC record parsing (aka Lucky 13). + +For background, see http://www.isg.rhul.ac.uk/tls/Lucky13.html + +The fix for CVE-2013-2116 is folded into this patch since it addresses +a problem introduced by the fix for CVE-2013-1619. + +This is a backport adaptation for use with GnuTLS 2.8.4. + +Relevant upstream commits: +-------------------------- +https://gitorious.org/gnutls/gnutls/commit/458c67cf98740e +https://gitorious.org/gnutls/gnutls/commit/93b7fcfa3297a9 +https://gitorious.org/gnutls/gnutls/commit/32a7367601a3fd +https://gitorious.org/gnutls/gnutls/commit/63a331df6aa0ec + +--- + gnutls_algorithms.c | 14 +++++ + gnutls_algorithms.h | 3 + + gnutls_cipher.c | 132 ++++++++++++++++++++++++++++++++-------------------- + gnutls_hash_int.h | 21 ++++++++ + 4 files changed, 121 insertions(+), 49 deletions(-) + +--- a/lib/gnutls_cipher.c 2013-09-27 ++++ b/lib/gnutls_cipher.c 2013-09-27 +@@ -287,6 +287,26 @@ calc_enc_length (gnutls_session_t sessio + return length; + } + ++#define PREAMBLE_SIZE 16 ++static inline int make_preamble(opaque* uint64_data, opaque type, uint16_t c_length, opaque ver, opaque* preamble) ++{ ++ opaque minor = _gnutls_version_get_minor (ver); ++ opaque major = _gnutls_version_get_major (ver); ++ opaque *p = preamble; ++ ++ memcpy(p, uint64_data, 8); ++ p+=8; ++ *p=type; p++; ++ if (_gnutls_version_has_variable_padding (ver)) ++ { /* TLS 1.0 or higher */ ++ *p = major; p++; ++ *p = minor; p++; ++ } ++ memcpy(p, &c_length, 2); ++ p+=2; ++ return p-preamble; ++} ++ + /* This is the actual encryption + * Encrypts the given compressed datum, and puts the result to cipher_data, + * which has cipher_size size. +@@ -304,11 +324,11 @@ _gnutls_compressed2ciphertext (gnutls_se + int length, ret; + digest_hd_st td; + uint8_t type = _type; +- uint8_t major, minor; ++ opaque preamble[PREAMBLE_SIZE]; ++ int preamble_size; + int hash_size = + _gnutls_hash_get_algo_len (session->security_parameters. + write_mac_algorithm); +- gnutls_protocol_t ver; + int blocksize = + _gnutls_cipher_get_block_size (session->security_parameters. + write_bulk_cipher_algorithm); +@@ -316,40 +336,27 @@ _gnutls_compressed2ciphertext (gnutls_se + _gnutls_cipher_is_block (session->security_parameters. + write_bulk_cipher_algorithm); + opaque *data_ptr; +- +- +- ver = gnutls_protocol_get_version (session); +- minor = _gnutls_version_get_minor (ver); +- major = _gnutls_version_get_major (ver); +- ++ int ver = gnutls_protocol_get_version (session); + + /* Initialize MAC */ +- ret = mac_init (&td, session->security_parameters.write_mac_algorithm, +- session->connection_state.write_mac_secret.data, +- session->connection_state.write_mac_secret.size, ver); +- +- if (ret < 0 +- && session->security_parameters.write_mac_algorithm != GNUTLS_MAC_NULL) +- { +- gnutls_assert (); +- return ret; +- } + + c_length = _gnutls_conv_uint16 (compressed.size); + + if (session->security_parameters.write_mac_algorithm != GNUTLS_MAC_NULL) + { /* actually when the algorithm in not the NULL one */ +- _gnutls_hmac (&td, +- UINT64DATA (session->connection_state. +- write_sequence_number), 8); +- +- _gnutls_hmac (&td, &type, 1); +- if (ver >= GNUTLS_TLS1) +- { /* TLS 1.0 or higher */ +- _gnutls_hmac (&td, &major, 1); +- _gnutls_hmac (&td, &minor, 1); +- } +- _gnutls_hmac (&td, &c_length, 2); ++ digest_hd_st td; ++ ++ ret = mac_init (&td, session->security_parameters.write_mac_algorithm, ++ session->connection_state.write_mac_secret.data, ++ session->connection_state.write_mac_secret.size, ver); ++ ++ if (ret < 0) ++ { ++ gnutls_assert (); ++ return ret; ++ } ++ preamble_size = make_preamble( UINT64DATA (session->connection_state.write_sequence_number), type, c_length, ver, preamble); ++ _gnutls_hmac (&td, preamble, preamble_size); + _gnutls_hmac (&td, compressed.data, compressed.size); + mac_deinit (&td, MAC, ver); + } +@@ -418,6 +425,49 @@ _gnutls_compressed2ciphertext (gnutls_se + return length; + } + ++static void dummy_wait(gnutls_session_t session, gnutls_datum_t* plaintext, ++ unsigned pad_failed, unsigned int pad, unsigned total, int ver) ++{ ++ /* this hack is only needed on CBC ciphers */ ++ if (_gnutls_cipher_is_block (session->security_parameters.read_bulk_cipher_algorithm) == CIPHER_BLOCK) ++ { ++ uint8_t MAC[MAX_HASH_SIZE]; ++ unsigned len; ++ digest_hd_st td; ++ int ret; ++ ++ ret = mac_init (&td, session->security_parameters.read_mac_algorithm, ++ session->connection_state.read_mac_secret.data, ++ session->connection_state.read_mac_secret.size, ver); ++ ++ if (ret < 0) ++ return; ++ ++ /* force an additional hash compression function evaluation to prevent timing ++ * attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad. ++ */ ++ if (pad_failed == 0 && pad > 0) ++ { ++ len = _gnutls_get_hash_block_len(session->security_parameters.read_mac_algorithm); ++ if (len > 0) ++ { ++ /* This is really specific to the current hash functions. ++ * It should be removed once a protocol fix is in place. ++ */ ++ if ((pad+total) % len > len-9 && total % len <= len-9) ++ { ++ if (len < plaintext->size) ++ _gnutls_hmac (&td, plaintext->data, len); ++ else ++ _gnutls_hmac (&td, plaintext->data, plaintext->size); ++ } ++ } ++ } ++ ++ mac_deinit (&td, MAC, ver); ++ } ++} ++ + /* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size. + * Returns the actual compressed packet size. + */ +@@ -429,38 +479,22 @@ _gnutls_ciphertext2compressed (gnutls_se + { + uint8_t MAC[MAX_HASH_SIZE]; + uint16_t c_length; +- uint8_t pad; ++ unsigned int pad = 0; + int length; + digest_hd_st td; + uint16_t blocksize; + int ret, i, pad_failed = 0; +- uint8_t major, minor; +- gnutls_protocol_t ver; ++ opaque preamble[PREAMBLE_SIZE]; ++ int preamble_size = 0; ++ int ver = gnutls_protocol_get_version (session); + int hash_size = + _gnutls_hash_get_algo_len (session->security_parameters. + read_mac_algorithm); + +- ver = gnutls_protocol_get_version (session); +- minor = _gnutls_version_get_minor (ver); +- major = _gnutls_version_get_major (ver); +- + blocksize = + _gnutls_cipher_get_block_size (session->security_parameters. + read_bulk_cipher_algorithm); + +- /* initialize MAC +- */ +- ret = mac_init (&td, session->security_parameters.read_mac_algorithm, +- session->connection_state.read_mac_secret.data, +- session->connection_state.read_mac_secret.size, ver); +- +- if (ret < 0 +- && session->security_parameters.read_mac_algorithm != GNUTLS_MAC_NULL) +- { +- gnutls_assert (); +- return GNUTLS_E_INTERNAL_ERROR; +- } +- + /* actual decryption (inplace) + */ + switch (_gnutls_cipher_is_block +@@ -508,31 +542,25 @@ _gnutls_ciphertext2compressed (gnutls_se + gnutls_assert (); + return GNUTLS_E_DECRYPTION_FAILED; + } +- pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */ +- +- if ((int) pad > (int) ciphertext.size - hash_size) +- { +- gnutls_assert (); +- _gnutls_record_log +- ("REC[%p]: Short record length %d > %d - %d (under attack?)\n", +- session, pad, ciphertext.size, hash_size); +- /* We do not fail here. We check below for the +- * the pad_failed. If zero means success. +- */ +- pad_failed = GNUTLS_E_DECRYPTION_FAILED; +- } +- +- length = ciphertext.size - hash_size - pad; +- +- /* Check the pading bytes (TLS 1.x) ++ pad = ciphertext.data[ciphertext.size - 1]; /* pad */ ++ if (pad+1 > ciphertext.size-hash_size) ++ pad_failed = GNUTLS_E_DECRYPTION_FAILED; ++ ++ /* Check the pading bytes (TLS 1.x). ++ * Note that we access all 256 bytes of ciphertext for padding check ++ * because there is a timing channel in that memory access (in certain CPUs + */ + if (ver >= GNUTLS_TLS1 && pad_failed == 0) + for (i = 2; i < pad; i++) + { +- if (ciphertext.data[ciphertext.size - i] != +- ciphertext.data[ciphertext.size - 1]) ++ if (ciphertext.data[ciphertext.size - i] != pad) + pad_failed = GNUTLS_E_DECRYPTION_FAILED; + } ++ ++ if (pad_failed) ++ pad = 0; ++ length = ciphertext.size - hash_size - pad - 1; ++ + break; + default: + gnutls_assert (); +@@ -548,17 +576,20 @@ _gnutls_ciphertext2compressed (gnutls_se + */ + if (session->security_parameters.read_mac_algorithm != GNUTLS_MAC_NULL) + { +- _gnutls_hmac (&td, +- UINT64DATA (session->connection_state. +- read_sequence_number), 8); +- +- _gnutls_hmac (&td, &type, 1); +- if (ver >= GNUTLS_TLS1) +- { /* TLS 1.x */ +- _gnutls_hmac (&td, &major, 1); +- _gnutls_hmac (&td, &minor, 1); +- } +- _gnutls_hmac (&td, &c_length, 2); ++ digest_hd_st td; ++ ++ ret = mac_init (&td, session->security_parameters.read_mac_algorithm, ++ session->connection_state.read_mac_secret.data, ++ session->connection_state.read_mac_secret.size, ver); ++ ++ if (ret < 0) ++ { ++ gnutls_assert (); ++ return GNUTLS_E_INTERNAL_ERROR; ++ } ++ ++ preamble_size = make_preamble( UINT64DATA (session->connection_state.read_sequence_number), type, c_length, ver, preamble); ++ _gnutls_hmac (&td, preamble, preamble_size); + + if (length > 0) + _gnutls_hmac (&td, ciphertext.data, length); +@@ -566,16 +597,14 @@ _gnutls_ciphertext2compressed (gnutls_se + mac_deinit (&td, MAC, ver); + } + +- /* This one was introduced to avoid a timing attack against the TLS +- * 1.0 protocol. +- */ +- if (pad_failed != 0) +- return pad_failed; +- + /* HMAC was not the same. + */ +- if (memcmp (MAC, &ciphertext.data[length], hash_size) != 0) ++ if (memcmp (MAC, &ciphertext.data[length], hash_size) != 0 || pad_failed != 0) + { ++ gnutls_datum_t compressed = {compress_data, compress_size}; ++ /* HMAC was not the same. */ ++ dummy_wait(session, &compressed, pad_failed, pad, length+preamble_size, ver); ++ + gnutls_assert (); + return GNUTLS_E_DECRYPTION_FAILED; + } +--- a/lib/gnutls_hash_int.h 2013-09-27 ++++ b/lib/gnutls_hash_int.h 2013-09-27 +@@ -92,4 +92,25 @@ void _gnutls_mac_deinit_ssl3_handshake ( + + int _gnutls_hash_copy (digest_hd_st* dst_handle, digest_hd_st * src_handle); + ++/* We shouldn't need to know that, but a work-around in decoding ++ * TLS record padding requires that. ++ */ ++inline static size_t ++_gnutls_get_hash_block_len (gnutls_digest_algorithm_t algo) ++{ ++ switch (algo) ++ { ++ case GNUTLS_DIG_MD5: ++ case GNUTLS_DIG_SHA1: ++ case GNUTLS_DIG_RMD160: ++ case GNUTLS_DIG_SHA256: ++ case GNUTLS_DIG_SHA384: ++ case GNUTLS_DIG_SHA512: ++ case GNUTLS_DIG_SHA224: ++ return 64; ++ default: ++ return 0; ++ } ++} ++ + #endif /* GNUTLS_HASH_INT_H */ +--- a/lib/gnutls_algorithms.c 2013-09-27 ++++ b/lib/gnutls_algorithms.c 2013-09-27 +@@ -1185,6 +1185,20 @@ _gnutls_version_is_supported (gnutls_ses + return 1; + } + ++/* This function determines if the version specified can have ++ non-minimal padding. */ ++int _gnutls_version_has_variable_padding (gnutls_protocol_t version) ++{ ++ switch(version) { ++ case GNUTLS_TLS1_0: ++ case GNUTLS_TLS1_1: ++ case GNUTLS_TLS1_2: ++ return 1; ++ default: ++ return 0; ++ } ++} ++ + /* Type to KX mappings */ + gnutls_kx_algorithm_t + _gnutls_map_kx_get_kx (gnutls_credentials_type_t type, int server) +--- a/lib/gnutls_algorithms.h 2013-09-27 ++++ b/lib/gnutls_algorithms.h 2013-09-27 +@@ -41,6 +41,9 @@ int _gnutls_version_get_major (gnutls_pr + int _gnutls_version_get_minor (gnutls_protocol_t ver); + gnutls_protocol_t _gnutls_version_get (int major, int minor); + ++/* Functions for feature checks */ ++int _gnutls_version_has_variable_padding (gnutls_protocol_t version); ++ + /* Functions for MACs. */ + int _gnutls_mac_is_ok (gnutls_mac_algorithm_t algorithm); + gnutls_mac_algorithm_t _gnutls_x509_oid2mac_algorithm (const char *oid); diff --git a/patches/source/gnutls/gnutls-2.8.4_CVE-2014-0092.diff b/patches/source/gnutls/gnutls-2.8.4_CVE-2014-0092.diff new file mode 100644 index 00000000..a6da6edc --- /dev/null +++ b/patches/source/gnutls/gnutls-2.8.4_CVE-2014-0092.diff @@ -0,0 +1,108 @@ +From 9ae432113c485518a6ea5c68e15b4a18e87cf878 Mon Sep 17 00:00:00 2001 +From: mancha <mancha1@hush.com> +Date: Mon, 03 Mar 2014 +Subject: CVE-2014-0092 (GNUTLS-SA-2014-2) + +Fix vulnerabilities in the certificate verification code path. +The vulnerabilities can be exploited such that specially-crafted +certificates can bypass certificate validation checks. + +This is a backport adaptation for use with GnuTLS 2.8.4. + +Relevant upstream commit: +------------------------- +https://gitorious.org/gnutls/gnutls/commit/6aa26f78150ccb + +--- + lib/x509/verify.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +--- a/lib/x509/verify.c ++++ b/lib/x509/verify.c +@@ -112,7 +112,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu + if (result < 0) + { + gnutls_assert (); +- goto cleanup; ++ goto fail; + } + + result = +@@ -121,7 +121,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu + if (result < 0) + { + gnutls_assert (); +- goto cleanup; ++ goto fail; + } + + result = +@@ -129,7 +129,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu + if (result < 0) + { + gnutls_assert (); +- goto cleanup; ++ goto fail; + } + + result = +@@ -137,7 +137,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu + if (result < 0) + { + gnutls_assert (); +- goto cleanup; ++ goto fail; + } + + /* If the subject certificate is the same as the issuer +@@ -177,6 +177,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu + else + gnutls_assert (); + ++fail: + result = 0; + + cleanup: +@@ -269,7 +270,7 @@ _gnutls_verify_certificate2 (gnutls_x509 + gnutls_datum_t cert_signed_data = { NULL, 0 }; + gnutls_datum_t cert_signature = { NULL, 0 }; + gnutls_x509_crt_t issuer; +- int ret, issuer_version, result; ++ int ret, issuer_version, result = 0; + + if (output) + *output = 0; +@@ -299,7 +300,7 @@ _gnutls_verify_certificate2 (gnutls_x509 + if (issuer_version < 0) + { + gnutls_assert (); +- return issuer_version; ++ return 0; + } + + if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) && +@@ -320,6 +321,7 @@ _gnutls_verify_certificate2 (gnutls_x509 + if (result < 0) + { + gnutls_assert (); ++ result = 0; + goto cleanup; + } + +@@ -328,6 +330,7 @@ _gnutls_verify_certificate2 (gnutls_x509 + if (result < 0) + { + gnutls_assert (); ++ result = 0; + goto cleanup; + } + +@@ -337,6 +340,8 @@ _gnutls_verify_certificate2 (gnutls_x509 + if (ret < 0) + { + gnutls_assert (); ++ result = 0; ++ goto cleanup; + } + else if (ret == 0) + { diff --git a/patches/source/gnutls/gnutls-2.8.4_CVE-2014-3466.diff b/patches/source/gnutls/gnutls-2.8.4_CVE-2014-3466.diff new file mode 100644 index 00000000..b135bbc1 --- /dev/null +++ b/patches/source/gnutls/gnutls-2.8.4_CVE-2014-3466.diff @@ -0,0 +1,312 @@ +From 7fc8bb1f29a2ca1ddedc7f5aa0204ab091c69431 Mon Sep 17 00:00:00 2001 +From: mancha <mancha1@zoho.com> +Date: Mon, 2 Jun 2014 +Subject: CVE-2014-3466 + +This is a backport adaptation for use with GnuTLS 2.8.4. + +Relevant upstream commit(s): +------------------------- +https://gitorious.org/gnutls/gnutls/commit/688ea6428a432c +https://gitorious.org/gnutls/gnutls/commit/a7be326f0e33cf + +--- + lib/gnutls_handshake.c | 2 + tests/Makefile.am | 2 + tests/long-session-id.c | 268 ++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 270 insertions(+), 2 deletions(-) + +--- a/lib/gnutls_handshake.c ++++ b/lib/gnutls_handshake.c +@@ -1518,7 +1518,7 @@ _gnutls_read_server_hello (gnutls_sessio + DECR_LEN (len, 1); + session_id_len = data[pos++]; + +- if (len < session_id_len) ++ if (len < session_id_len || session_id_len > TLS_MAX_SESSION_ID_SIZE) + { + gnutls_assert (); + return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -56,7 +56,8 @@ + ctests = simple gc set_pkcs12_cred certder mpi \ + certificate_set_x509_crl dn parse_ca moredn crypto_rng mini \ + finished hostname-check cve-2008-4989 pkcs12_s2k chainverify \ +- crq_key_id x509sign-verify cve-2009-1415 cve-2009-1416 mini-eagain ++ crq_key_id x509sign-verify cve-2009-1415 cve-2009-1416 \ ++ mini-eagain long-session-id + + if ENABLE_OPENSSL + ctests += openssl +--- /dev/null ++++ b/tests/long-session-id.c +@@ -0,0 +1,268 @@ ++/* ++ * Copyright (C) 2012 Free Software Foundation, Inc. ++ * ++ * Author: Nikos Mavrogiannopoulos ++ * ++ * This file is part of GnuTLS. ++ * ++ * GnuTLS is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GnuTLS is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GnuTLS; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA ++ */ ++ ++#ifdef HAVE_CONFIG_H ++#include <config.h> ++#endif ++ ++#include <stdio.h> ++#include <stdlib.h> ++ ++#if defined(_WIN32) ++ ++int main() ++{ ++ exit(77); ++} ++ ++#else ++ ++#include <string.h> ++#include <sys/types.h> ++#include <netinet/in.h> ++#include <sys/socket.h> ++#include <sys/wait.h> ++#include <arpa/inet.h> ++#include <unistd.h> ++#include <gnutls/gnutls.h> ++#include <signal.h> ++ ++static int debug = 0; ++static void terminate(int); ++ ++/* This program tests the robustness of record ++ * decoding. ++ */ ++ ++static void client_log_func(int level, const char *str) ++{ ++ fprintf(stderr, "client|<%d>| %s", level, str); ++} ++ ++static unsigned char server_cert_pem[] = ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" ++ "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n" ++ "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n" ++ "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n" ++ "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n" ++ "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n" ++ "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n" ++ "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n" ++ "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n" ++ "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n" ++ "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n" ++ "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n" ++ "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n"; ++ ++const gnutls_datum_t server_cert = { server_cert_pem, ++ sizeof(server_cert_pem) ++}; ++ ++static unsigned char server_key_pem[] = ++ "-----BEGIN RSA PRIVATE KEY-----\n" ++ "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n" ++ "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n" ++ "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n" ++ "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n" ++ "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n" ++ "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n" ++ "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n" ++ "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n" ++ "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n" ++ "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n" ++ "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n" ++ "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n" ++ "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n" ++ "-----END RSA PRIVATE KEY-----\n"; ++ ++const gnutls_datum_t server_key = { server_key_pem, ++ sizeof(server_key_pem) ++}; ++ ++ ++/* A very basic TLS client, with anonymous authentication. ++ */ ++ ++static void client(int fd, const char *prio) ++{ ++ int ret; ++ gnutls_anon_client_credentials_t anoncred; ++ gnutls_certificate_credentials_t x509_cred; ++ gnutls_session_t session; ++ /* Need to enable anonymous KX specifically. */ ++ ++ gnutls_global_init(); ++ ++ if (debug) { ++ gnutls_global_set_log_function(client_log_func); ++ gnutls_global_set_log_level(7); ++ } ++ ++ gnutls_anon_allocate_client_credentials(&anoncred); ++ gnutls_certificate_allocate_credentials(&x509_cred); ++ ++ /* Initialize TLS session ++ */ ++ gnutls_init(&session, GNUTLS_CLIENT); ++ ++ /* Use default priorities */ ++ gnutls_priority_set_direct(session, prio, NULL); ++ ++ /* put the anonymous credentials to the current session ++ */ ++ gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred); ++ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); ++ ++ gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) fd); ++ ++ /* Perform the TLS handshake ++ */ ++ do { ++ ret = gnutls_handshake(session); ++ } ++ while (ret < 0 && gnutls_error_is_fatal(ret) == 0); ++ ++ if (ret < 0) { ++ fprintf(stderr, "client: Handshake failed (expected)\n"); ++ gnutls_perror(ret); ++ exit(0); ++ } else { ++ if (debug) ++ fprintf(stderr, "client: Handshake was completed\n"); ++ } ++ ++ close(fd); ++ ++ gnutls_deinit(session); ++ ++ gnutls_anon_free_client_credentials(anoncred); ++ gnutls_certificate_free_credentials(x509_cred); ++ ++ gnutls_global_deinit(); ++} ++ ++ ++/* These are global */ ++pid_t child; ++ ++static void terminate(int ret) ++{ ++ kill(child, SIGTERM); ++ exit(ret); ++} ++ ++static void server(int fd, const char *prio) ++{ ++ int ret; ++ uint8_t id[255]; ++ uint8_t buffer[] = "\x16\x03\x00\x01\x25" ++ "\x02\x00\x01\x21" ++ "\x03\x00"/*Server Version */ ++ /*Random*/"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00" ++ /*SessionID*/"\xfe"; ++ ++ ret = read(fd, id, sizeof(id)); ++ if (ret < 0) { ++ abort(); ++ } ++ ++ ret = write(fd, buffer, sizeof(buffer)); ++ if (ret < 0) { ++ return; ++ } ++ ++ memset(id, 0xff, sizeof(id)); ++ ret = write(fd, id, sizeof(id)); ++ if (ret < 0) { ++ return; ++ } ++ ++ memset(id, 0xff, sizeof(id)); ++ ret = write(fd, id, sizeof(id)); ++ if (ret < 0) { ++ return; ++ } ++ sleep(3); ++ ++ return; ++} ++ ++static void start(const char *prio) ++{ ++ int fd[2]; ++ int ret; ++ ++ ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd); ++ if (ret < 0) { ++ perror("socketpair"); ++ exit(1); ++ } ++ ++ child = fork(); ++ if (child < 0) { ++ perror("fork"); ++ exit(1); ++ } ++ ++ if (child) { ++ /* parent */ ++ close(fd[1]); ++ server(fd[0], prio); ++ kill(child, SIGTERM); ++ } else { ++ close(fd[0]); ++ client(fd[1], prio); ++ exit(0); ++ } ++} ++ ++static void ch_handler(int sig) ++{ ++ int status, ret = 0; ++ wait(&status); ++ if (WEXITSTATUS(status) != 0 || ++ (WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV)) { ++ if (WIFSIGNALED(status)) { ++ fprintf(stderr, "Child died with sigsegv\n"); ++ ret = 1; ++ } else { ++ fprintf(stderr, "Child died with status %d\n", ++ WEXITSTATUS(status)); ++ } ++ terminate(ret); ++ } ++ return; ++} ++ ++int main(int argc, char **argv) ++{ ++ signal(SIGCHLD, ch_handler); ++ ++ if (argc > 1) ++ debug = 1; ++ ++ start("NORMAL"); ++ return 0; ++} ++ ++#endif /* _WIN32 */ diff --git a/patches/source/gnutls/gnutls-2.8.4_CVE-2014-3467.diff b/patches/source/gnutls/gnutls-2.8.4_CVE-2014-3467.diff new file mode 100644 index 00000000..368e9ed9 --- /dev/null +++ b/patches/source/gnutls/gnutls-2.8.4_CVE-2014-3467.diff @@ -0,0 +1,45 @@ +From 314dc68b64bbc62cab5fd1b6a76a324e3cc8398b Mon Sep 17 00:00:00 2001 +From: mancha <mancha1@zoho.com> +Date: Mon, 2 Jun 2014 +Subject: CVE-2014-3467 + +This is a backport adaptation for use with GnuTLS 2.8.4. + +Relevant upstream commit(s): +------------------------- +http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=ff3b5c68cc32e3 +http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=51612fca32dda4 + +--- + lib/minitasn1/decoding.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/lib/minitasn1/decoding.c ++++ b/lib/minitasn1/decoding.c +@@ -135,7 +135,7 @@ asn1_get_tag_der (const unsigned char *d + /* Long form */ + punt = 1; + ris = 0; +- while (punt <= der_len && der[punt] & 128) ++ while (punt < der_len && der[punt] & 128) + { + int last = ris; + ris = ris * 128 + (der[punt++] & 0x7F); +@@ -245,7 +245,7 @@ _asn1_get_time_der (const unsigned char + if (der_len <= 0 || str == NULL) + return ASN1_DER_ERROR; + str_len = asn1_get_length_der (der, der_len, &len_len); +- if (str_len < 0 || str_size < str_len) ++ if (str_len <= 0 || str_size < str_len) + return ASN1_DER_ERROR; + memcpy (str, der + len_len, str_len); + str[str_len] = 0; +@@ -273,7 +273,7 @@ _asn1_get_objectid_der (const unsigned c + return ASN1_GENERIC_ERROR; + len = asn1_get_length_der (der, der_len, &len_len); + +- if (len < 0 || len > der_len || len_len > der_len) ++ if (len <= 0 || len > der_len || len_len > der_len) + return ASN1_DER_ERROR; + + val1 = der[len_len] / 40; diff --git a/patches/source/gnutls/gnutls-2.8.4_CVE-2014-3468.diff b/patches/source/gnutls/gnutls-2.8.4_CVE-2014-3468.diff new file mode 100644 index 00000000..1a4549e5 --- /dev/null +++ b/patches/source/gnutls/gnutls-2.8.4_CVE-2014-3468.diff @@ -0,0 +1,45 @@ +From d5a10d4ff449621eed08a5c32d4390d49578602f Mon Sep 17 00:00:00 2001 +From: mancha <mancha1@zoho.com> +Date: Mon, 2 Jun 2014 +Subject: CVE-2014-3468 + +This is a backport adaptation for use with GnuTLS 2.8.4. + +Relevant upstream commit(s): +------------------------- +http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=1c3ccb3e040bf1 + +--- + lib/minitasn1/decoding.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/lib/minitasn1/decoding.c ++++ b/lib/minitasn1/decoding.c +@@ -210,7 +210,7 @@ asn1_get_octet_der (const unsigned char + int *ret_len, unsigned char *str, int str_size, + int *str_len) + { +- int len_len; ++ int len_len = 0; + + if (der_len <= 0) + return ASN1_GENERIC_ERROR; +@@ -335,7 +335,7 @@ asn1_get_bit_der (const unsigned char *d + int *ret_len, unsigned char *str, int str_size, + int *bit_len) + { +- int len_len, len_byte; ++ int len_len = 0, len_byte; + + if (der_len <= 0) + return ASN1_GENERIC_ERROR; +@@ -346,6 +346,9 @@ asn1_get_bit_der (const unsigned char *d + *ret_len = len_byte + len_len + 1; + *bit_len = len_byte * 8 - der[len_len]; + ++ if (*bit_len <= 0) ++ return ASN1_DER_ERROR; ++ + if (str_size >= len_byte) + memcpy (str, der + len_len + 1, len_byte); + else diff --git a/patches/source/gnutls/gnutls-2.8.4_CVE-2014-3469.diff b/patches/source/gnutls/gnutls-2.8.4_CVE-2014-3469.diff new file mode 100644 index 00000000..91522847 --- /dev/null +++ b/patches/source/gnutls/gnutls-2.8.4_CVE-2014-3469.diff @@ -0,0 +1,122 @@ +From aac80016867869e7eca20954db36a9d466daa43c Mon Sep 17 00:00:00 2001 +From: mancha <mancha1@zoho.com> +Date: Mon, 2 Jun 2014 +Subject: CVE-2014-3469 + +This is a backport adaptation for use with GnuTLS 2.8.4. + +Relevant upstream commit(s): +------------------------- +http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=a8b3e14f84174e +http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=3d6a02f19ff15a +http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=53958290ab731c + +--- + lib/minitasn1/decoding.c | 11 ++++++++--- + lib/minitasn1/element.c | 27 ++++++++++++++++++--------- + 2 files changed, 26 insertions(+), 12 deletions(-) + +--- a/lib/minitasn1/decoding.c ++++ b/lib/minitasn1/decoding.c +@@ -215,7 +215,6 @@ asn1_get_octet_der (const unsigned char + if (der_len <= 0) + return ASN1_GENERIC_ERROR; + +- /* if(str==NULL) return ASN1_SUCCESS; */ + *str_len = asn1_get_length_der (der, der_len, &len_len); + + if (*str_len < 0) +@@ -223,7 +222,10 @@ asn1_get_octet_der (const unsigned char + + *ret_len = *str_len + len_len; + if (str_size >= *str_len) +- memcpy (str, der + len_len, *str_len); ++ { ++ if (*str_len > 0 && str != NULL) ++ memcpy (str, der + len_len, *str_len); ++ } + else + { + return ASN1_MEM_ERROR; +@@ -350,7 +352,10 @@ asn1_get_bit_der (const unsigned char *d + return ASN1_DER_ERROR; + + if (str_size >= len_byte) +- memcpy (str, der + len_len + 1, len_byte); ++ { ++ if (len_byte > 0 && str) ++ memcpy (str, der + len_len + 1, len_byte); ++ } + else + { + return ASN1_MEM_ERROR; +--- a/lib/minitasn1/element.c ++++ b/lib/minitasn1/element.c +@@ -113,8 +113,11 @@ _asn1_convert_integer (const unsigned ch + /* VALUE_OUT is too short to contain the value conversion */ + return ASN1_MEM_ERROR; + +- for (k2 = k; k2 < SIZEOF_UNSIGNED_LONG_INT; k2++) +- value_out[k2 - k] = val[k2]; ++ if (value_out != NULL) ++ { ++ for (k2 = k; k2 < SIZEOF_UNSIGNED_LONG_INT; k2++) ++ value_out[k2 - k] = val[k2]; ++ } + + #if 0 + printf ("_asn1_convert_integer: valueIn=%s, lenOut=%d", value, *len); +@@ -623,7 +626,8 @@ asn1_write_value (asn1_node node_root, c + if (ptr_size < data_size) { \ + return ASN1_MEM_ERROR; \ + } else { \ +- memcpy( ptr, data, data_size); \ ++ if (ptr && data_size > 0) \ ++ memcpy( ptr, data, data_size); \ + } + + #define PUT_STR_VALUE( ptr, ptr_size, data) \ +@@ -632,16 +626,19 @@ asn1_write_value (asn1_node node_root, c + return ASN1_MEM_ERROR; \ + } else { \ + /* this strcpy is checked */ \ +- strcpy(ptr, data); \ ++ if (ptr) { \ ++ strcpy(ptr, data); \ ++ } \ + } + + #define ADD_STR_VALUE( ptr, ptr_size, data) \ +- *len = (int) strlen(data) + 1; \ +- if (ptr_size < (int) strlen(ptr)+(*len)) { \ ++ *len += strlen(data); \ ++ if (ptr_size < (int) *len) { \ ++ (*len)++; \ + return ASN1_MEM_ERROR; \ + } else { \ + /* this strcat is checked */ \ +- strcat(ptr, data); \ ++ if (ptr) strcat (ptr, data); \ + } + + /** +@@ -803,7 +810,9 @@ asn1_read_value (asn1_node root, const c + case TYPE_OBJECT_ID: + if (node->type & CONST_ASSIGN) + { +- value[0] = 0; ++ *len = 0; ++ if (value) ++ value[0] = 0; + p = node->down; + while (p) + { +@@ -817,7 +826,7 @@ asn1_read_value (asn1_node root, const c + } + p = p->right; + } +- *len = strlen (value) + 1; ++ (*len)++; + } + else if ((node->type & CONST_DEFAULT) && (node->value == NULL)) + { diff --git a/patches/source/gnutls/gnutls-2.8.4_fix-expired-cert.diff b/patches/source/gnutls/gnutls-2.8.4_fix-expired-cert.diff new file mode 100644 index 00000000..cb0a8d56 --- /dev/null +++ b/patches/source/gnutls/gnutls-2.8.4_fix-expired-cert.diff @@ -0,0 +1,23 @@ +commit 45c1fd2912e1680e7aafda931a6acdf97c8f3c00 +Author: Simon Josefsson <simon@josefsson.org> +Date: Tue Oct 20 11:27:13 2009 +0200 + + Fix expired cert. + +diff --git a/tests/chainverify.c b/tests/chainverify.c +index 745cd7c..0192da2 100644 +--- a/tests/chainverify.c ++++ b/tests/chainverify.c +@@ -701,8 +701,11 @@ static struct + { "rsa-md5 not ok", mayfirst_chain, &mayfirst_chain[1], + GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2, + GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID }, ++ { "rsa-md5 not ok2", mayfirst_chain, &mayfirst_chain[1], ++ GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5, ++ GNUTLS_CERT_EXPIRED | GNUTLS_CERT_INVALID }, + { "rsa-md5 ok", mayfirst_chain, &mayfirst_chain[1], +- GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5, 0 }, ++ GNUTLS_VERIFY_DISABLE_TIME_CHECKS | GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5, 0 }, + { "v1ca fail", v1ca, &v1ca[2], + 0, GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID }, + { "v1ca expired", v1ca, &v1ca[2], diff --git a/patches/source/gnutls/gnutls-2.8.4_fix-timebomb.diff b/patches/source/gnutls/gnutls-2.8.4_fix-timebomb.diff new file mode 100644 index 00000000..38e14429 --- /dev/null +++ b/patches/source/gnutls/gnutls-2.8.4_fix-timebomb.diff @@ -0,0 +1,35 @@ +commit 087fdeec5076ae1270f460685d8d36a50d9c3822 +Author: Simon Josefsson <simon@josefsson.org> +Date: Mon Nov 2 11:25:27 2009 +0100 + + Fix time bomb in chainverify self-test. + + Reported by Andreas Metzler <ametzler@downhill.at.eu.org> + in <http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3925>. + +diff --git a/tests/chainverify.c b/tests/chainverify.c +index 0192da2..16c59ee 100644 +--- a/tests/chainverify.c ++++ b/tests/chainverify.c +@@ -32,6 +32,21 @@ + #include <gnutls/gnutls.h> + #include <gnutls/x509.h> + ++/* GnuTLS internally calls time() to find out the current time when ++ verifying certificates. To avoid a time bomb, we hard code the ++ current time. This should work fine on systems where the library ++ call to time is resolved at run-time. */ ++time_t ++time (time_t *t) ++{ ++ time_t then = 1256803113; ++ ++ if (t) ++ *t = then; ++ ++ return then; ++} ++ + /* *INDENT-OFF* */ + + /* Triggers incorrect verification success on older versions */ diff --git a/patches/source/gnutls/gnutls-2.8.4_ipv6.diff b/patches/source/gnutls/gnutls-2.8.4_ipv6.diff new file mode 100644 index 00000000..f6b2ac11 --- /dev/null +++ b/patches/source/gnutls/gnutls-2.8.4_ipv6.diff @@ -0,0 +1,51 @@ +From a32fb84bcc1b15b184b4fb0905be18532c04ecb3 Mon Sep 17 00:00:00 2001 +From: mancha <mancha1@hush.com> +Date: Sun, 29 Sep 2013 +Subject: Fix binding of IPV6 address in gnutls-serv + +On Linux with /proc/sys/net/ipv6/bindv6only == 0 (which is now the +default), gnutls-serv cannot listen on ipv6. + +Fix adapted for use with GnuTLS 2.8.4. + +Relevant upstream commits: +-------------------------- +https://gitorious.org/gnutls/gnutls/commit/1c315602306afc +https://gitorious.org/gnutls/gnutls/commit/9c1536d514dd83 + +--- + serv.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/src/serv.c 2013-09-29 ++++ b/src/serv.c 2013-09-29 +@@ -673,6 +673,11 @@ listen_socket (const char *name, int lis + + for (ptr = res; ptr != NULL; ptr = ptr->ai_next) + { ++#ifndef HAVE_IPV6 ++ if (ptr->ai_family != AF_INET) ++ continue; ++#endif ++ + /* Print what we are doing. */ + { + char topbuf[512]; +@@ -690,6 +695,17 @@ listen_socket (const char *name, int lis + continue; + } + ++#if defined(HAVE_IPV6) && !defined(_WIN32) ++ if (ptr->ai_family == AF_INET6) ++ { ++ yes = 1; ++ /* avoid listen on ipv6 addresses failing ++ * because already listening on ipv4 addresses: */ ++ setsockopt (s, IPPROTO_IPV6, IPV6_V6ONLY, ++ (const void *) &yes, sizeof (yes)); ++ } ++#endif ++ + yes = 1; + if (setsockopt (s, SOL_SOCKET, SO_REUSEADDR, + (const void *) &yes, sizeof (yes)) < 0) diff --git a/patches/source/gnutls/gnutls-2.8.4_libgcrypt150-fix.diff b/patches/source/gnutls/gnutls-2.8.4_libgcrypt150-fix.diff new file mode 100644 index 00000000..6f1f19c5 --- /dev/null +++ b/patches/source/gnutls/gnutls-2.8.4_libgcrypt150-fix.diff @@ -0,0 +1,162 @@ +From 96fb09172b20200d5f7c5a2f883d482510993f19 Mon Sep 17 00:00:00 2001 +From: mancha <mancha1@hush.com> +Date: Sun, 29 Sep 2013 +Subject: Fix problem when using libgcrypt 1.5.0+ + +Fix GnuTLS to not rely on a bug present in libgcrypt before 1.5.0 +in gcry_sexp_nth_mpi(). + +Relevant discussion: +-------------------- +https://lists.gnu.org/archive/html/gnutls-devel/2011-07/msg00006.html + +--- + pk-libgcrypt.c | 32 ++++++++++++++++---------------- + 1 file changed, 16 insertions(+), 16 deletions(-) + +--- a/lib/pk-libgcrypt.c 2013-09-27 ++++ b/lib/pk-libgcrypt.c 2013-09-27 +@@ -112,7 +112,7 @@ _wrap_gcry_pk_encrypt (gnutls_pk_algorit + goto cleanup; + } + +- res = gcry_sexp_nth_mpi (list, 1, 0); ++ res = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG); + gcry_sexp_release (list); + if (res == NULL) + { +@@ -202,7 +202,7 @@ _wrap_gcry_pk_decrypt (gnutls_pk_algorit + goto cleanup; + } + +- res = gcry_sexp_nth_mpi (s_plain, 0, 0); ++ res = gcry_sexp_nth_mpi (s_plain, 0, GCRYMPI_FMT_USG); + if (res == NULL) + { + gnutls_assert (); +@@ -327,7 +327,7 @@ _wrap_gcry_pk_sign (gnutls_pk_algorithm_ + goto cleanup; + } + +- res[0] = gcry_sexp_nth_mpi (list, 1, 0); ++ res[0] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG); + gcry_sexp_release (list); + + list = gcry_sexp_find_token (s_sig, "s", 0); +@@ -338,7 +338,7 @@ _wrap_gcry_pk_sign (gnutls_pk_algorithm_ + goto cleanup; + } + +- res[1] = gcry_sexp_nth_mpi (list, 1, 0); ++ res[1] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG); + gcry_sexp_release (list); + + ret = _gnutls_encode_ber_rs (signature, res[0], res[1]); +@@ -360,7 +360,7 @@ _wrap_gcry_pk_sign (gnutls_pk_algorithm_ + goto cleanup; + } + +- res[0] = gcry_sexp_nth_mpi (list, 1, 0); ++ res[0] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG); + gcry_sexp_release (list); + + ret = _gnutls_mpi_dprint (res[0], signature); +@@ -559,7 +559,7 @@ _dsa_generate_params (bigint_t * resarr, + return GNUTLS_E_INTERNAL_ERROR; + } + +- resarr[0] = gcry_sexp_nth_mpi (list, 1, 0); ++ resarr[0] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG); + gcry_sexp_release (list); + + list = gcry_sexp_find_token (key, "q", 0); +@@ -570,7 +570,7 @@ _dsa_generate_params (bigint_t * resarr, + return GNUTLS_E_INTERNAL_ERROR; + } + +- resarr[1] = gcry_sexp_nth_mpi (list, 1, 0); ++ resarr[1] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG); + gcry_sexp_release (list); + + list = gcry_sexp_find_token (key, "g", 0); +@@ -581,7 +581,7 @@ _dsa_generate_params (bigint_t * resarr, + return GNUTLS_E_INTERNAL_ERROR; + } + +- resarr[2] = gcry_sexp_nth_mpi (list, 1, 0); ++ resarr[2] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG); + gcry_sexp_release (list); + + list = gcry_sexp_find_token (key, "y", 0); +@@ -592,7 +592,7 @@ _dsa_generate_params (bigint_t * resarr, + return GNUTLS_E_INTERNAL_ERROR; + } + +- resarr[3] = gcry_sexp_nth_mpi (list, 1, 0); ++ resarr[3] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG); + gcry_sexp_release (list); + + +@@ -604,7 +604,7 @@ _dsa_generate_params (bigint_t * resarr, + return GNUTLS_E_INTERNAL_ERROR; + } + +- resarr[4] = gcry_sexp_nth_mpi (list, 1, 0); ++ resarr[4] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG); + + gcry_sexp_release (list); + gcry_sexp_release (key); +@@ -653,7 +653,7 @@ _rsa_generate_params (bigint_t * resarr, + return GNUTLS_E_INTERNAL_ERROR; + } + +- resarr[0] = gcry_sexp_nth_mpi (list, 1, 0); ++ resarr[0] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG); + gcry_sexp_release (list); + + list = gcry_sexp_find_token (key, "e", 0); +@@ -664,7 +664,7 @@ _rsa_generate_params (bigint_t * resarr, + return GNUTLS_E_INTERNAL_ERROR; + } + +- resarr[1] = gcry_sexp_nth_mpi (list, 1, 0); ++ resarr[1] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG); + gcry_sexp_release (list); + + list = gcry_sexp_find_token (key, "d", 0); +@@ -675,7 +675,7 @@ _rsa_generate_params (bigint_t * resarr, + return GNUTLS_E_INTERNAL_ERROR; + } + +- resarr[2] = gcry_sexp_nth_mpi (list, 1, 0); ++ resarr[2] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG); + gcry_sexp_release (list); + + list = gcry_sexp_find_token (key, "p", 0); +@@ -686,7 +686,7 @@ _rsa_generate_params (bigint_t * resarr, + return GNUTLS_E_INTERNAL_ERROR; + } + +- resarr[3] = gcry_sexp_nth_mpi (list, 1, 0); ++ resarr[3] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG); + gcry_sexp_release (list); + + +@@ -698,7 +698,7 @@ _rsa_generate_params (bigint_t * resarr, + return GNUTLS_E_INTERNAL_ERROR; + } + +- resarr[4] = gcry_sexp_nth_mpi (list, 1, 0); ++ resarr[4] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG); + gcry_sexp_release (list); + + +@@ -710,7 +710,7 @@ _rsa_generate_params (bigint_t * resarr, + return GNUTLS_E_INTERNAL_ERROR; + } + +- resarr[5] = gcry_sexp_nth_mpi (list, 1, 0); ++ resarr[5] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG); + + gcry_sexp_release (list); + gcry_sexp_release (key); diff --git a/patches/source/gnutls/gnutls.SlackBuild b/patches/source/gnutls/gnutls.SlackBuild new file mode 100755 index 00000000..2473e217 --- /dev/null +++ b/patches/source/gnutls/gnutls.SlackBuild @@ -0,0 +1,138 @@ +#!/bin/sh + +# Copyright 2007 Robby Workman (http://rlworkman.net) +# Copyright 2007, 2008, 2009, 2014 Patrick Volkerding, Sebeka, MN, USA +# All rights reserved. +# +# Redistribution and use of this script, with or without modification, is +# permitted provided that the following conditions are met: +# +# 1. Redistributions of this script must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO +# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; +# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +PKGNAM=gnutls +VERSION=2.8.4 +BUILD=${BUILD:-4_slack13.0} + +# Automatically determine the architecture we're building on: +if [ -z "$ARCH" ]; then + case "$(uname -m)" in + i?86) ARCH=i486 ;; + arm*) readelf /usr/bin/file -A | egrep -q "Tag_CPU.*[4,5]" && ARCH=arm || ARCH=armv7lh ;; + # Unless $ARCH is already set, use uname -m for all other archs: + *) ARCH=$(uname -m) ;; + esac + export ARCH +fi + +NUMJOBS=${NUMJOBS:-" -j7 "} + +if [ "$ARCH" = "i486" ]; then + SLKCFLAGS="-O2 -march=i486 -mtune=i686" + LIBDIRSUFFIX="" +elif [ "$ARCH" = "s390" ]; then + SLKCFLAGS="-O2" + LIBDIRSUFFIX="" +elif [ "$ARCH" = "x86_64" ]; then + SLKCFLAGS="-O2 -fPIC" + LIBDIRSUFFIX="64" +fi + +CWD=$(pwd) +TMP=${TMP:-/tmp} +PKG=$TMP/package-$PKGNAM +rm -rf $PKG +mkdir -p $TMP $PKG + +cd $TMP + +rm -rf $PKGNAM-$VERSION +if [ -r $CWD/$PKGNAM-$VERSION.tar.gz ]; then + tar xf $CWD/$PKGNAM-$VERSION.tar.gz || exit 1 +elif [ -r $CWD/$PKGNAM-$VERSION.tar.bz2 ]; then + tar xf $CWD/$PKGNAM-$VERSION.tar.bz2 || exit 1 +elif [ -r $CWD/$PKGNAM-$VERSION.tar.xz ]; then + tar xf $CWD/$PKGNAM-$VERSION.tar.xz || exit 1 +elif [ -r $CWD/$PKGNAM-$VERSION.tar.lzma ]; then + tar xf $CWD/$PKGNAM-$VERSION.tar.lzma || exit 1 +else + exit 1 +fi + + +cd $PKGNAM-$VERSION +chown -R root:root . +find . \ + \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \ + -exec chmod 755 {} \; -o \ + \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \ + -exec chmod 644 {} \; + +zcat $CWD/gnutls-2.8.4_CVE-2009-3555.diff.gz | patch -p1 --verbose || exit 1 +zcat $CWD/gnutls-2.8.4_CVE-2011-4128.diff.gz | patch -p1 --verbose || exit 1 +zcat $CWD/gnutls-2.8.4_CVE-2012-1569.diff.gz | patch -p1 --verbose || exit 1 +zcat $CWD/gnutls-2.8.4_CVE-2012-1573.diff.gz | patch -p1 --verbose || exit 1 +zcat $CWD/gnutls-2.8.4_CVE-2013-1619_CVE-2013-2116.diff.gz | patch -p1 --verbose || exit 1 +zcat $CWD/gnutls-2.8.4_libgcrypt150-fix.diff.gz | patch -p1 --verbose || exit 1 +zcat $CWD/gnutls-2.8.4_fix-expired-cert.diff.gz | patch -p1 --verbose || exit 1 +zcat $CWD/gnutls-2.8.4_fix-timebomb.diff.gz | patch -p1 --verbose || exit 1 +zcat $CWD/gnutls-2.8.4_ipv6.diff.gz | patch -p1 --verbose || exit 1 +zcat $CWD/gnutls-2.8.4_CVE-2014-0092.diff.gz | patch -p1 --verbose || exit 1 +zcat $CWD/gnutls-2.8.4_CVE-2014-3466.diff.gz | patch -p1 --verbose || exit 1 +zcat $CWD/gnutls-2.8.4_CVE-2014-3467.diff.gz | patch -p1 --verbose || exit 1 +zcat $CWD/gnutls-2.8.4_CVE-2014-3468.diff.gz | patch -p1 --verbose || exit 1 +zcat $CWD/gnutls-2.8.4_CVE-2014-3469.diff.gz | patch -p1 --verbose || exit 1 + + +CFLAGS="$SLKCFLAGS" \ +CXXFLAGS="$SLKCFLAGS" \ +./configure \ + --prefix=/usr \ + --libdir=/usr/lib${LIBDIRSUFFIX} \ + --sysconfdir=/etc \ + --localstatedir=/var \ + --infodir=/usr/info \ + --mandir=/usr/man \ + --enable-static=no \ + --build=$ARCH-slackware-linux \ + --host=$ARCH-slackware-linux + +make $NUMJOBS || make || exit 1 +make install DESTDIR=$PKG || exit 1 + +find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF \ + | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null + +( cd $PKG/usr/man + find . -type f -exec gzip -9 {} \; + for i in $(find . -type l) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done +) + +( cd $PKG/usr/info + rm -f dir + gzip -9 *.info* +) + +mkdir -p $PKG/usr/doc/$PKGNAM-$VERSION +cp -a \ + ABOUT-NLS AUTHORS COPYING* INSTALL NEWS README* THANKS \ + $PKG/usr/doc/$PKGNAM-$VERSION + +mkdir -p $PKG/install +cat $CWD/slack-desc > $PKG/install/slack-desc + +cd $PKG +/sbin/makepkg -l y -c n -p $TMP/$PKGNAM-$VERSION-$ARCH-$BUILD.txz + diff --git a/patches/source/gnutls/slack-desc b/patches/source/gnutls/slack-desc new file mode 100644 index 00000000..49fdb9f0 --- /dev/null +++ b/patches/source/gnutls/slack-desc @@ -0,0 +1,19 @@ +# HOW TO EDIT THIS FILE: +# The "handy ruler" below makes it easier to edit a package description. Line +# up the first '|' above the ':' following the base package name, and the '|' +# on the right side marks the last column you can put a character in. You must +# make exactly 11 lines for the formatting to be correct. It's also +# customary to leave one space after the ':'. + + |-----handy-ruler------------------------------------------------------| +gnutls: gnutls (GNU TLS library) +gnutls: +gnutls: This is a TLS (Transport Layer Security) 1.0 and SSL (Secure Sockets +gnutls: Layer) 3.0 implementation. In brief, GnuTLS can be described as a +gnutls: library which offers an API to access secure communication protocols. +gnutls: These protocols provide privacy over insecure lines, and were designed +gnutls: to prevent eavesdropping, tampering, or message forgery. +gnutls: +gnutls: Homepage: http://www.gnu.org/software/gnutls/ +gnutls: +gnutls: |