diff --git a/gnutls-2.8.6-safe-renegotiation.patch b/gnutls-2.8.6-safe-renegotiation.patch new file mode 100644 index 0000000..3f386a2 --- /dev/null +++ b/gnutls-2.8.6-safe-renegotiation.patch @@ -0,0 +1,4030 @@ +diff -up gnutls-2.8.6/AUTHORS.reneg gnutls-2.8.6/AUTHORS +--- gnutls-2.8.6/AUTHORS.reneg 2009-06-02 20:59:32.000000000 +0200 ++++ gnutls-2.8.6/AUTHORS 2010-05-31 22:52:31.000000000 +0200 +@@ -51,6 +51,9 @@ OpenPGP discussion and improvements. + David Marín Carreño + Added gnutls_x509_crq_get_key_id. + ++Steve Dispensa ++TLS safe renegotiation fix. ++ + -----BEGIN PGP PUBLIC KEY BLOCK----- + URL: http://josefsson.org/key.txt (always latest version) + Comment: This 0xB565716F key is used to sign releases of GnuTLS. +diff -up gnutls-2.8.6/configure.reneg gnutls-2.8.6/configure +--- gnutls-2.8.6/configure.reneg 2010-05-31 22:52:31.000000000 +0200 ++++ gnutls-2.8.6/configure 2010-05-31 22:52:31.000000000 +0200 +@@ -28559,7 +28559,7 @@ subdirs="$subdirs libextra" + + ac_config_files="$ac_config_files guile/pre-inst-guile" + +-ac_config_files="$ac_config_files Makefile doc/Makefile doc/credentials/Makefile doc/credentials/openpgp/Makefile doc/credentials/srp/Makefile doc/credentials/x509/Makefile doc/cyclo/Makefile doc/doxygen/Doxyfile doc/examples/Makefile doc/manpages/Makefile doc/reference/Makefile doc/scripts/Makefile gl/Makefile gl/tests/Makefile guile/Makefile guile/modules/Makefile guile/src/Makefile guile/tests/Makefile src/Makefile src/cfg/Makefile src/cfg/platon/Makefile src/cfg/platon/str/Makefile tests/Makefile tests/key-id/Makefile tests/openpgp-certs/Makefile tests/pathlen/Makefile tests/pkcs1-padding/Makefile tests/pkcs12-decode/Makefile tests/pkcs8-decode/Makefile tests/rsa-md5-collision/Makefile tests/sha2/Makefile tests/userid/Makefile" ++ac_config_files="$ac_config_files Makefile doc/Makefile doc/credentials/Makefile doc/credentials/openpgp/Makefile doc/credentials/srp/Makefile doc/credentials/x509/Makefile doc/cyclo/Makefile doc/doxygen/Doxyfile doc/examples/Makefile doc/manpages/Makefile doc/reference/Makefile doc/scripts/Makefile gl/Makefile gl/tests/Makefile guile/Makefile guile/modules/Makefile guile/src/Makefile guile/tests/Makefile src/Makefile src/cfg/Makefile src/cfg/platon/Makefile src/cfg/platon/str/Makefile tests/Makefile tests/key-id/Makefile tests/openpgp-certs/Makefile tests/safe-renegotiation/Makefile tests/pathlen/Makefile tests/pkcs1-padding/Makefile tests/pkcs12-decode/Makefile tests/pkcs8-decode/Makefile tests/rsa-md5-collision/Makefile tests/sha2/Makefile tests/userid/Makefile" + + cat >confcache <<\_ACEOF + # This file is a shell script that caches the results of configure +@@ -29783,6 +29783,7 @@ do + "tests/Makefile") CONFIG_FILES="$CONFIG_FILES tests/Makefile" ;; + "tests/key-id/Makefile") CONFIG_FILES="$CONFIG_FILES tests/key-id/Makefile" ;; + "tests/openpgp-certs/Makefile") CONFIG_FILES="$CONFIG_FILES tests/openpgp-certs/Makefile" ;; ++ "tests/safe-renegotiation/Makefile") CONFIG_FILES="$CONFIG_FILES tests/safe-renegotiation/Makefile" ;; + "tests/pathlen/Makefile") CONFIG_FILES="$CONFIG_FILES tests/pathlen/Makefile" ;; + "tests/pkcs1-padding/Makefile") CONFIG_FILES="$CONFIG_FILES tests/pkcs1-padding/Makefile" ;; + "tests/pkcs12-decode/Makefile") CONFIG_FILES="$CONFIG_FILES tests/pkcs12-decode/Makefile" ;; +diff -up gnutls-2.8.6/doc/gnutls-api.texi.reneg gnutls-2.8.6/doc/gnutls-api.texi +--- gnutls-2.8.6/doc/gnutls-api.texi.reneg 2010-03-15 11:35:23.000000000 +0100 ++++ gnutls-2.8.6/doc/gnutls-api.texi 2010-05-31 22:52:31.000000000 +0200 +@@ -3307,6 +3307,20 @@ This function will initialize the tempor + @strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, or an negative error code. + @end deftypefun + ++@subheading gnutls_safe_renegotiation_status ++@anchor{gnutls_safe_renegotiation_status} ++@deftypefun {int} {gnutls_safe_renegotiation_status} (gnutls_session_t @var{session}) ++@var{session}: is a @code{gnutls_session_t} structure. ++ ++Can be used to check whether safe renegotiation is being used ++in the current session. ++ ++@strong{Returns:} 0 when safe renegotiation is not used and non zero when ++safe renegotiation is used. ++ ++@strong{Since:} 2.10.0 ++@end deftypefun ++ + @subheading gnutls_server_name_get + @anchor{gnutls_server_name_get} + @deftypefun {int} {gnutls_server_name_get} (gnutls_session_t @var{session}, void * @var{data}, size_t * @var{data_length}, unsigned int * @var{type}, unsigned int @var{indx}) +diff -up gnutls-2.8.6/doc/gnutls.texi.reneg gnutls-2.8.6/doc/gnutls.texi +--- gnutls-2.8.6/doc/gnutls.texi.reneg 2009-06-02 21:07:14.000000000 +0200 ++++ gnutls-2.8.6/doc/gnutls.texi 2010-06-02 10:23:27.000000000 +0200 +@@ -565,6 +565,7 @@ also supports @acronym{X.509} and @acron + * Selecting cryptographic key sizes:: + * On SSL 2 and older protocols:: + * On Record Padding:: ++* Safe Renegotiation:: + @end menu + + @node TLS layers +@@ -1202,6 +1203,94 @@ here are some links: + + @url{http://thread.gmane.org/gmane.ietf.tls/3079} + ++@node Safe Renegotiation ++@section Safe Renegotiation ++@cindex renegotiation ++ ++Some application protocols and implementations uses the TLS ++renegotiation feature in a manner that enables attackers to insert ++content of his choice in the beginning of a TLS session. ++ ++One easy to understand vulnerability is HTTPS when servers request ++client certificates optionally for certain parts of a web site. The ++attack works by having the attacker simulate a client and connect to a ++server, with server-only authentication, and send some data intended ++to cause harm. When the proper client attempts to contact the server, ++the attacker hijacks that connection and uses the TLS renegotiation ++feature with the server and splices in the client connection to the ++already established connection between the attacker and server. The ++attacker will not be able to read the data exchanged between the ++client and the server. However, the server will (incorrectly) assume ++that the data sent by the attacker was sent by the now authenticated ++client. The result is a prefix plain-text injection attack. ++ ++The above is just one example. Other vulnerabilities exists that do ++not rely on the TLS renegotiation to change the client's authenticated ++status (either TLS or application layer). ++ ++While fixing these application protocols and implementations would be ++one natural reaction, an extension to TLS has been designed that ++cryptographically binds together any renegotiated handshakes with the ++initial negotiation. When the extension is used, the attack is ++detected and the session can be terminated. The extension is ++specified in @xcite{RFC5746}. ++ ++GnuTLS supports the safe renegotiation extension. The default ++behavior is as follows. Clients will attempt to negotiate the safe ++renegotiation extension when talking to servers. Servers will accept ++the extension when presented by clients. Clients and servers will ++permit an initial handshake to complete even when the other side does ++not support the safe renegotiation extension. Clients and servers ++will refuse renegotiation attempts when the extension has not been ++negotiated. ++ ++Note that permitting clients to connect to servers even when the safe ++renegotiation extension is not negotiated open up for some attacks. ++Changing this default behaviour would prevent interoperability against ++the majority of deployed servers out there. We will reconsider this ++default behaviour in the future when more servers have been upgraded. ++Note that it is easy to configure clients to always require the safe ++renegotiation extension from servers (see below on the ++%SAFE_RENEGOTIATION priority string). ++ ++To modify the default behaviour, we have introduced some new priority ++strings. The priority strings can be used by applications ++(@pxref{gnutls_priority_set}) and end users (e.g., @code{--priority} ++parameter to @code{gnutls-cli} and @code{gnutls-serv}). ++ ++The @code{%UNSAFE_RENEGOTIATION} priority string permits ++(re-)handshakes even when the safe renegotiation extension was not ++negotiated. The default behavior is @code{%PARTIAL_RENEGOTIATION} that will ++prevent renegotiation with clients and servers not supporting the ++extension. This is secure for servers but leaves clients vulnerable ++to some attacks, but this is a tradeoff between security and compatibility ++with old servers. The @code{%SAFE_RENEGOTIATION} priority string makes ++clients and servers require the extension for every handshake. The latter ++is the most secure option for clients, at the cost of not being able ++to connect to legacy servers. Servers will also deny clients that ++do not support the extension from connecting. ++ ++It is possible to disable use of the extension completely, in both ++clients and servers, by using the @code{%DISABLE_SAFE_RENEGOTIATION} ++priority string however we strongly recommend you to only do this for ++debugging and test purposes. ++ ++The default values if the flags above are not specified are: ++@table @code ++ ++@item Server: ++%PARTIAL_RENEGOTIATION ++ ++@item Client: ++%PARTIAL_RENEGOTIATION ++ ++@end table ++ ++For applications we have introduced a new API related to safe ++renegotiation. The @ref{gnutls_safe_renegotiation_status} function is ++used to check if the extension has been negotiated on a session, and ++can be used both by clients and servers. ++ + @node Authentication methods + @chapter Authentication Methods + +@@ -4179,6 +4268,11 @@ Pasi Eronen and Hannes Tschofenig, "Pre- + TLS", December 2005, Available from + @url{http://www.ietf.org/rfc/rfc4279.txt}. + ++@item @anchor{RFC5746}[RFC5746] ++E. Rescorla, M. Ray, S. Dispensa, and N. Oskov, "Transport Layer ++Security (TLS) Renegotiation Indication Extension", February 2010, ++available from @url{http://www.ietf.org/rfc/rfc5746}. ++ + @item @anchor{TOMSRP}[TOMSRP] + Tom Wu, "The Stanford SRP Authentication Project", Available at + @url{http://srp.stanford.edu/}. +diff -up gnutls-2.8.6/doc/manpages/gnutls-cli.1.reneg gnutls-2.8.6/doc/manpages/gnutls-cli.1 +--- gnutls-2.8.6/doc/manpages/gnutls-cli.1.reneg 2009-06-02 20:59:32.000000000 +0200 ++++ gnutls-2.8.6/doc/manpages/gnutls-cli.1 2010-06-02 10:23:27.000000000 +0200 +@@ -75,6 +75,15 @@ Special keywords: + "%SSL3_RECORD_VERSION" force SSL3.0 record version in the first client + hello. This is to avoid buggy servers from terminating connection. + .IP ++"%UNSAFE_RENEGOTIATION" Permits (re-)handshakes even unsafe ones. ++.IP ++"%PARTIAL_RENEGOTIATION" Prevents renegotiation with clients and servers not ++supporting the safe renegotiation extension. (default) ++.IP ++"%SAFE_RENEGOTIATION" will enable safe renegotiation. This is the most ++secure and recommended option for clients. However this will prevent from ++connecting to legacy servers. ++.IP + To avoid collisions in order to specify a compression algorithm in + this string you have to prefix it with "COMP-", protocol versions + with "VERS-" and certificate types with "CTYPE-". All other +diff -up gnutls-2.8.6/doc/manpages/gnutls_priority_init.3.reneg gnutls-2.8.6/doc/manpages/gnutls_priority_init.3 +--- gnutls-2.8.6/doc/manpages/gnutls_priority_init.3.reneg 2010-03-15 11:32:37.000000000 +0100 ++++ gnutls-2.8.6/doc/manpages/gnutls_priority_init.3 2010-05-31 22:52:31.000000000 +0200 +@@ -67,6 +67,21 @@ compression methods. + + "%COMPAT" will enable compatibility features for a server. + ++"%UNSAFE_RENEGOTIATION" will allow unsafe renegotiation (this is now ++the default for clients, but will change once more servers support the safe renegotiation ++TLS fix). ++ ++"%SAFE_RENEGOTIATION" will allow safe renegotiation only (this is the ++default for servers \- that will reject clients trying to perform an ++unsafe renegotiation). ++ ++"%INITIAL_SAFE_RENEGOTIATION" will force initial safe negotiation even if ++renegotiation wasn't requested. Only valid for server side and implies ++"%SAFE_RENEGOTIATION". ++ ++"%DISABLE_SAFE_RENEGOTIATION" will disable safe renegotiation completely. Do not use ++unless you know what you are doing. Testing purposes only. ++ + "%SSL3_RECORD_VERSION" will use SSL3.0 record version in client hello. + + "%VERIFY_ALLOW_SIGN_RSA_MD5" will allow RSA\-MD5 signatures in +diff -up gnutls-2.8.6/doc/manpages/gnutls_safe_renegotiation_status.3.reneg gnutls-2.8.6/doc/manpages/gnutls_safe_renegotiation_status.3 +--- gnutls-2.8.6/doc/manpages/gnutls_safe_renegotiation_status.3.reneg 2010-05-31 22:52:31.000000000 +0200 ++++ gnutls-2.8.6/doc/manpages/gnutls_safe_renegotiation_status.3 2010-05-31 22:52:31.000000000 +0200 +@@ -0,0 +1,41 @@ ++.\" DO NOT MODIFY THIS FILE! It was generated by gdoc. ++.TH "gnutls_safe_renegotiation_status" 3 "2.9.11" "gnutls" "gnutls" ++.SH NAME ++gnutls_safe_renegotiation_status \- API function ++.SH SYNOPSIS ++.B #include ++.sp ++.BI "int gnutls_safe_renegotiation_status(gnutls_session_t " session ");" ++.SH ARGUMENTS ++.IP "gnutls_session_t session" 12 ++is a \fBgnutls_session_t\fP structure. ++.SH "DESCRIPTION" ++Can be used to check whether safe renegotiation is being used ++in the current session. ++.SH "RETURNS" ++0 when safe renegotiation is not used and non zero when ++safe renegotiation is used. ++.SH "SINCE" ++2.10.0 ++.SH "REPORTING BUGS" ++Report bugs to . ++GnuTLS home page: http://www.gnu.org/software/gnutls/ ++General help using GNU software: http://www.gnu.org/gethelp/ ++.SH COPYRIGHT ++Copyright \(co 2008 Free Software Foundation. ++.br ++Copying and distribution of this file, with or without modification, ++are permitted in any medium without royalty provided the copyright ++notice and this notice are preserved. ++.SH "SEE ALSO" ++The full documentation for ++.B gnutls ++is maintained as a Texinfo manual. If the ++.B info ++and ++.B gnutls ++programs are properly installed at your site, the command ++.IP ++.B info gnutls ++.PP ++should give you access to the complete manual. +diff -up gnutls-2.8.6/doc/manpages/gnutls-serv.1.reneg gnutls-2.8.6/doc/manpages/gnutls-serv.1 +--- gnutls-2.8.6/doc/manpages/gnutls-serv.1.reneg 2009-06-02 21:07:14.000000000 +0200 ++++ gnutls-2.8.6/doc/manpages/gnutls-serv.1 2010-06-02 10:23:27.000000000 +0200 +@@ -75,6 +75,15 @@ Special keywords: + .IP + '%COMPAT' will enable compatibility features for a server. + .IP ++"%UNSAFE_RENEGOTIATION" Permits (re-)handshakes even unsafe ones. ++.IP ++"%PARTIAL_RENEGOTIATION" Prevents renegotiation with clients and servers not ++supporting the safe renegotiation extension. (default) ++.IP ++"%SAFE_RENEGOTIATION" will enable safe renegotiation. This is the most ++secure and recommended option for clients. However this will prevent from ++connecting to legacy servers. ++.IP + To avoid collisions in order to specify a compression algorithm in + this string you have to prefix it with "COMP-", protocol versions + with "VERS-" and certificate types with "CTYPE-". All other +diff -up gnutls-2.8.6/doc/manpages/Makefile.in.reneg gnutls-2.8.6/doc/manpages/Makefile.in +--- gnutls-2.8.6/doc/manpages/Makefile.in.reneg 2010-03-15 11:32:23.000000000 +0100 ++++ gnutls-2.8.6/doc/manpages/Makefile.in 2010-05-31 22:52:31.000000000 +0200 +@@ -525,7 +525,6 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ + PACKAGE_NAME = @PACKAGE_NAME@ + PACKAGE_STRING = @PACKAGE_STRING@ + PACKAGE_TARNAME = @PACKAGE_TARNAME@ +-PACKAGE_URL = @PACKAGE_URL@ + PACKAGE_VERSION = @PACKAGE_VERSION@ + PATH_SEPARATOR = @PATH_SEPARATOR@ + PKG_CONFIG = @PKG_CONFIG@ +@@ -684,7 +683,8 @@ APIMANS = gnutls_crypto_single_cipher_re + gnutls_crypto_bigint_register2.3 gnutls_crypto_pk_register2.3 \ + gnutls_crypto_cipher_register2.3 gnutls_crypto_mac_register2.3 \ + gnutls_crypto_digest_register2.3 gnutls_oprfi_enable_client.3 \ +- gnutls_oprfi_enable_server.3 gnutls_server_name_get.3 \ ++ gnutls_oprfi_enable_server.3 \ ++ gnutls_safe_renegotiation_status.3 gnutls_server_name_get.3 \ + gnutls_server_name_set.3 gnutls_alert_get_name.3 \ + gnutls_alert_send.3 gnutls_error_to_alert.3 \ + gnutls_alert_send_appropriate.3 gnutls_alert_get.3 \ +diff -up gnutls-2.8.6/lib/ext_safe_renegotiation.c.reneg gnutls-2.8.6/lib/ext_safe_renegotiation.c +--- gnutls-2.8.6/lib/ext_safe_renegotiation.c.reneg 2010-05-31 22:52:31.000000000 +0200 ++++ gnutls-2.8.6/lib/ext_safe_renegotiation.c 2010-06-02 10:23:27.000000000 +0200 +@@ -0,0 +1,139 @@ ++/* ++ * Copyright (C) 2009 Free Software Foundation ++ * ++ * Author: Steve Dispensa () ++ * ++ * This file is part of GNUTLS. ++ * ++ * The GNUTLS library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public License ++ * as published by the Free Software Foundation; either version 2.1 of ++ * the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, ++ * USA ++ * ++ */ ++ ++#include ++#include ++#include ++ ++int ++_gnutls_safe_renegotiation_recv_params (gnutls_session_t session, ++ const opaque * data, size_t _data_size) ++{ ++ tls_ext_st *ext = &session->security_parameters.extensions; ++ int len = data[0]; ++ ssize_t data_size = _data_size; ++ ++ DECR_LEN (data_size, len+1 /* count the first byte and payload */); ++ ++ if (session->internals.priorities.sr == SR_DISABLED) ++ { ++ gnutls_assert (); ++ return 0; ++ } ++ ++ /* It is not legal to receive this extension on a renegotiation and ++ * not receive it on the initial negotiation. ++ */ ++ if (session->internals.initial_negotiation_completed != 0 && ++ session->internals.connection_using_safe_renegotiation == 0) ++ { ++ gnutls_assert(); ++ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED; ++ } ++ ++ if (len > sizeof (ext->ri_extension_data)) ++ { ++ gnutls_assert(); ++ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED; ++ } ++ ++ if (len > 0) ++ memcpy (ext->ri_extension_data, &data[1], len); ++ ext->ri_extension_data_len = len; ++ ++ /* "safe renegotiation received" means on *this* handshake; "connection using ++ * safe renegotiation" means that the initial hello received on the connection ++ * indicated safe renegotiation. ++ */ ++ session->internals.safe_renegotiation_received = 1; ++ session->internals.connection_using_safe_renegotiation = 1; ++ ++ return 0; ++} ++ ++int ++_gnutls_safe_renegotiation_send_params (gnutls_session_t session, ++ opaque * data, size_t _data_size) ++{ ++ /* The format of this extension is a one-byte length of verify data followed ++ * by the verify data itself. Note that the length byte does not include ++ * itself; IOW, empty verify data is represented as a length of 0. That means ++ * the minimum extension is one byte: 0x00. ++ */ ++ ssize_t data_size = _data_size; ++ tls_ext_st *ext = &session->security_parameters.extensions; ++ ++ ++ if (session->internals.priorities.sr == SR_DISABLED) ++ { ++ gnutls_assert(); ++ return 0; ++ } ++ ++ data[0] = 0; ++ ++ /* Always offer the extension if we're a client */ ++ if (session->internals.connection_using_safe_renegotiation || ++ session->security_parameters.entity == GNUTLS_CLIENT) ++ { ++ DECR_LEN (data_size, 1); ++ data[0] = ext->client_verify_data_len; ++ ++ DECR_LEN (data_size, ext->client_verify_data_len); ++ ++ if (ext->client_verify_data_len > 0) ++ memcpy(&data[1], ++ ext->client_verify_data, ++ ext->client_verify_data_len); ++ ++ if (session->security_parameters.entity == GNUTLS_SERVER) ++ { ++ data[0] += ext->server_verify_data_len; ++ ++ DECR_LEN (data_size, ext->server_verify_data_len); ++ ++ if (ext->server_verify_data_len > 0) ++ memcpy(&data[1 + ext->client_verify_data_len], ++ ext->server_verify_data, ++ ext->server_verify_data_len); ++ } ++ } ++ else ++ return 0; ++ ++ return 1 + data[0]; /* don't forget the length byte */ ++} ++ ++/** ++ * gnutls_safe_renegotiation_status: ++ * @session: is a #gnutls_session_t structure. ++ * ++ * Can be used to check whether safe renegotiation is being used ++ * in the current session. Returns 0 when not and non zero when ++ * used. ++ **/ ++int gnutls_safe_renegotiation_status (gnutls_session_t session) ++{ ++ return session->internals.connection_using_safe_renegotiation; ++} +diff -up gnutls-2.8.6/lib/ext_safe_renegotiation.h.reneg gnutls-2.8.6/lib/ext_safe_renegotiation.h +--- gnutls-2.8.6/lib/ext_safe_renegotiation.h.reneg 2010-05-31 22:52:31.000000000 +0200 ++++ gnutls-2.8.6/lib/ext_safe_renegotiation.h 2010-05-31 22:52:31.000000000 +0200 +@@ -0,0 +1,33 @@ ++/* ++ * Copyright (C) 2009 Free Software Foundation ++ * ++ * Author: Steve Dispensa () ++ * ++ * This file is part of GNUTLS. ++ * ++ * The GNUTLS library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public License ++ * as published by the Free Software Foundation; either version 2.1 of ++ * the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, ++ * USA ++ * ++ */ ++ ++#ifndef EXT_SAFE_RENEGOTIATION_H ++# define EXT_SAFE_RENEGOTIATION_H ++ ++int _gnutls_safe_renegotiation_recv_params (gnutls_session_t state, ++ const opaque * data, size_t data_size); ++int _gnutls_safe_renegotiation_send_params (gnutls_session_t state, ++ opaque * data, size_t); ++ ++#endif /* EXT_SAFE_RENEGOTIATION_H */ +diff -up gnutls-2.8.6/lib/gnutls_alert.c.reneg gnutls-2.8.6/lib/gnutls_alert.c +--- gnutls-2.8.6/lib/gnutls_alert.c.reneg 2009-06-02 20:59:32.000000000 +0200 ++++ gnutls-2.8.6/lib/gnutls_alert.c 2010-05-31 22:52:31.000000000 +0200 +@@ -180,6 +180,10 @@ gnutls_error_to_alert (int err, int *lev + ret = GNUTLS_A_ILLEGAL_PARAMETER; + _level = GNUTLS_AL_FATAL; + break; ++ case GNUTLS_E_UNKNOWN_SRP_USERNAME: ++ ret = GNUTLS_A_UNKNOWN_PSK_IDENTITY; ++ _level = GNUTLS_AL_FATAL; ++ break; + case GNUTLS_E_ASN1_ELEMENT_NOT_FOUND: + case GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND: + case GNUTLS_E_ASN1_DER_ERROR: +@@ -199,6 +203,7 @@ gnutls_error_to_alert (int err, int *lev + case GNUTLS_E_INSUFFICIENT_CREDENTIALS: + case GNUTLS_E_NO_CIPHER_SUITES: + case GNUTLS_E_NO_COMPRESSION_ALGORITHMS: ++ case GNUTLS_E_SAFE_RENEGOTIATION_FAILED: + ret = GNUTLS_A_HANDSHAKE_FAILURE; + _level = GNUTLS_AL_FATAL; + break; +@@ -212,6 +217,7 @@ gnutls_error_to_alert (int err, int *lev + _level = GNUTLS_AL_FATAL; + break; + case GNUTLS_E_REHANDSHAKE: ++ case GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED: + ret = GNUTLS_A_NO_RENEGOTIATION; + _level = GNUTLS_AL_WARNING; + break; +diff -up gnutls-2.8.6/lib/gnutls_algorithms.c.reneg gnutls-2.8.6/lib/gnutls_algorithms.c +--- gnutls-2.8.6/lib/gnutls_algorithms.c.reneg 2009-08-12 08:58:22.000000000 +0200 ++++ gnutls-2.8.6/lib/gnutls_algorithms.c 2010-05-31 22:52:31.000000000 +0200 +@@ -457,6 +457,10 @@ typedef struct + #define GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 { 0x00,0x88 } + #endif + ++/* Safe renegotiation */ ++ ++#define GNUTLS_RENEGO_PROTECTION_REQUEST { GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR, GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR } ++ + #define CIPHER_SUITES_COUNT sizeof(cs_algorithms)/sizeof(gnutls_cipher_suite_entry)-1 + + static const gnutls_cipher_suite_entry cs_algorithms[] = { +@@ -624,6 +628,9 @@ static const gnutls_cipher_suite_entry c + GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_RSA, + GNUTLS_MAC_SHA1, GNUTLS_TLS1), + #endif ++ GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_RENEGO_PROTECTION_REQUEST, ++ GNUTLS_CIPHER_UNKNOWN, GNUTLS_KX_UNKNOWN, ++ GNUTLS_MAC_UNKNOWN, GNUTLS_SSL3), + {0, {{0, 0}}, 0, 0, 0, 0} + }; + +diff -up gnutls-2.8.6/lib/gnutls_algorithms.h.reneg gnutls-2.8.6/lib/gnutls_algorithms.h +--- gnutls-2.8.6/lib/gnutls_algorithms.h.reneg 2009-06-02 20:59:32.000000000 +0200 ++++ gnutls-2.8.6/lib/gnutls_algorithms.h 2010-05-31 22:52:31.000000000 +0200 +@@ -27,6 +27,9 @@ + + #include "gnutls_auth.h" + ++#define GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR 0x00 ++#define GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR 0xFF ++ + /* Functions for version handling. */ + gnutls_protocol_t _gnutls_version_lowest (gnutls_session_t session); + gnutls_protocol_t _gnutls_version_max (gnutls_session_t session); +diff -up gnutls-2.8.6/lib/gnutls_constate.c.reneg gnutls-2.8.6/lib/gnutls_constate.c +--- gnutls-2.8.6/lib/gnutls_constate.c.reneg 2009-11-06 09:39:42.000000000 +0100 ++++ gnutls-2.8.6/lib/gnutls_constate.c 2010-05-31 22:52:31.000000000 +0200 +@@ -380,6 +380,17 @@ _gnutls_set_write_keys (gnutls_session_t + export_flag); + } + ++#define CPY_EXTENSIONS \ ++ memcpy(dst->extensions.server_names, src->extensions.server_names, sizeof(src->extensions.server_names)); \ ++ dst->extensions.server_names_size = src->extensions.server_names_size; \ ++ memcpy(dst->extensions.srp_username, src->extensions.srp_username, sizeof(src->extensions.srp_username)); \ ++ dst->extensions.gnutls_ia_enable = src->extensions.gnutls_ia_enable; \ ++ dst->extensions.gnutls_ia_peer_enable = src->extensions.gnutls_ia_peer_enable; \ ++ dst->extensions.gnutls_ia_allowskip = src->extensions.gnutls_ia_allowskip; \ ++ dst->extensions.gnutls_ia_peer_allowskip = src->extensions.gnutls_ia_peer_allowskip; \ ++ dst->extensions.do_recv_supplemental = src->extensions.do_recv_supplemental; \ ++ dst->extensions.do_send_supplemental = src->extensions.do_send_supplemental ++ + #define CPY_COMMON dst->entity = src->entity; \ + dst->kx_algorithm = src->kx_algorithm; \ + memcpy( &dst->current_cipher_suite, &src->current_cipher_suite, sizeof(cipher_suite_st)); \ +@@ -393,8 +404,8 @@ _gnutls_set_write_keys (gnutls_session_t + dst->max_record_recv_size = src->max_record_recv_size; \ + dst->max_record_send_size = src->max_record_send_size; \ + dst->version = src->version; \ +- memcpy( &dst->extensions, &src->extensions, sizeof(tls_ext_st)); \ +- memcpy( &dst->inner_secret, &src->inner_secret, GNUTLS_MASTER_SIZE); ++ CPY_EXTENSIONS; \ ++ memcpy( &dst->inner_secret, &src->inner_secret, GNUTLS_MASTER_SIZE) + + static void + _gnutls_cpy_read_security_parameters (security_parameters_st * +diff -up gnutls-2.8.6/lib/gnutls_errors.c.reneg gnutls-2.8.6/lib/gnutls_errors.c +--- gnutls-2.8.6/lib/gnutls_errors.c.reneg 2009-06-02 20:59:32.000000000 +0200 ++++ gnutls-2.8.6/lib/gnutls_errors.c 2010-05-31 22:52:31.000000000 +0200 +@@ -220,9 +220,15 @@ static const gnutls_error_entry error_al + GNUTLS_E_OPENPGP_GETKEY_FAILED, 1), + ERROR_ENTRY (N_("Could not find OpenPGP subkey."), + GNUTLS_E_OPENPGP_SUBKEY_ERROR, 1), ++ ERROR_ENTRY (N_("Safe renegotiation failed."), ++ GNUTLS_E_SAFE_RENEGOTIATION_FAILED, 1), ++ ERROR_ENTRY (N_("Unsafe renegotiation denied."), ++ GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED, 1), + + ERROR_ENTRY (N_("The SRP username supplied is illegal."), + GNUTLS_E_ILLEGAL_SRP_USERNAME, 1), ++ ERROR_ENTRY (N_("The SRP username supplied is unknown."), ++ GNUTLS_E_UNKNOWN_SRP_USERNAME, 1), + + ERROR_ENTRY (N_("The OpenPGP fingerprint is not supported."), + GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED, 1), +diff -up gnutls-2.8.6/lib/gnutls_extensions.c.reneg gnutls-2.8.6/lib/gnutls_extensions.c +--- gnutls-2.8.6/lib/gnutls_extensions.c.reneg 2009-06-08 19:11:03.000000000 +0200 ++++ gnutls-2.8.6/lib/gnutls_extensions.c 2010-05-31 22:52:31.000000000 +0200 +@@ -35,6 +35,7 @@ + #include + #include + #include ++#include + #include + + typedef struct +@@ -133,7 +134,7 @@ _gnutls_parse_extensions (gnutls_session + type = _gnutls_read_uint16 (&data[pos]); + pos += 2; + +- _gnutls_debug_log ("EXT[%p]: Received extension '%s/%d'\n", session, ++ _gnutls_debug_log ("EXT[%p]: Found extension '%s/%d'\n", session, + _gnutls_extension_get_name (type), type); + + if ((ret = _gnutls_extension_list_check (session, type)) < 0) +@@ -153,6 +154,8 @@ _gnutls_parse_extensions (gnutls_session + ext_recv = _gnutls_ext_func_recv (type, parse_type); + if (ext_recv == NULL) + continue; ++ ++ + if ((ret = ext_recv (session, sdata, size)) < 0) + { + gnutls_assert (); +@@ -170,7 +173,7 @@ _gnutls_parse_extensions (gnutls_session + * This list is used to check whether the (later) received + * extensions are the ones we requested. + */ +-static void ++void + _gnutls_extension_list_add (gnutls_session_t session, uint16_t type) + { + +@@ -192,7 +195,7 @@ _gnutls_extension_list_add (gnutls_sessi + + int + _gnutls_gen_extensions (gnutls_session_t session, opaque * data, +- size_t data_size) ++ size_t data_size, gnutls_ext_parse_type_t parse_type) + { + int size; + uint16_t pos = 0; +@@ -223,6 +226,9 @@ _gnutls_gen_extensions (gnutls_session_t + + if (p->send_func == NULL) + continue; ++ ++ if (parse_type != GNUTLS_EXT_ANY && p->parse_type != parse_type) ++ continue; + + size = p->send_func (session, sdata, sdata_size); + if (size > 0) +@@ -304,6 +310,14 @@ _gnutls_ext_init (void) + if (ret != GNUTLS_E_SUCCESS) + return ret; + ++ ret = gnutls_ext_register (GNUTLS_EXTENSION_SAFE_RENEGOTIATION, ++ "SAFE_RENEGOTIATION", ++ GNUTLS_EXT_MANDATORY, ++ _gnutls_safe_renegotiation_recv_params, ++ _gnutls_safe_renegotiation_send_params); ++ if (ret != GNUTLS_E_SUCCESS) ++ return ret; ++ + #ifdef ENABLE_OPRFI + ret = gnutls_ext_register (GNUTLS_EXTENSION_OPAQUE_PRF_INPUT, + "OPAQUE_PRF_INPUT", +diff -up gnutls-2.8.6/lib/gnutls_extensions.h.reneg gnutls-2.8.6/lib/gnutls_extensions.h +--- gnutls-2.8.6/lib/gnutls_extensions.h.reneg 2009-06-02 20:59:32.000000000 +0200 ++++ gnutls-2.8.6/lib/gnutls_extensions.h 2010-05-31 22:52:31.000000000 +0200 +@@ -26,6 +26,8 @@ int _gnutls_parse_extensions (gnutls_ses + gnutls_ext_parse_type_t parse_type, + const opaque *data, int data_size); + int _gnutls_gen_extensions (gnutls_session_t session, opaque * data, +- size_t data_size); ++ size_t data_size, gnutls_ext_parse_type_t); + int _gnutls_ext_init (void); + void _gnutls_ext_deinit (void); ++ ++void _gnutls_extension_list_add (gnutls_session_t session, uint16_t type); +diff -up gnutls-2.8.6/lib/gnutls_handshake.c.reneg gnutls-2.8.6/lib/gnutls_handshake.c +--- gnutls-2.8.6/lib/gnutls_handshake.c.reneg 2009-11-02 11:30:39.000000000 +0100 ++++ gnutls-2.8.6/lib/gnutls_handshake.c 2010-06-02 10:29:00.000000000 +0200 +@@ -48,6 +48,7 @@ + #include + #include + #include ++#include + #include /* for gnutls_get_rsa_params() */ + #include /* for gnutls_anon_server_credentials_t */ + #include /* for gnutls_psk_server_credentials_t */ +@@ -119,6 +120,7 @@ resume_copy_required_values (gnutls_sess + sizeof (session->security_parameters.session_id)); + session->security_parameters.session_id_size = + session->internals.resumed_security_parameters.session_id_size; ++ + } + + void +@@ -404,8 +406,36 @@ _gnutls_read_client_hello (gnutls_sessio + + if (ret == 0) + { /* resumed! */ ++ /* Parse only the safe renegotiation extension ++ * We don't want to parse any other extensions since ++ * we don't want new extension values to overwrite the ++ * resumed ones. ++ */ ++ ++ /* move forward to extensions */ ++ DECR_LEN (len, 2); ++ suite_size = _gnutls_read_uint16 (&data[pos]); ++ pos += 2; ++ ++ DECR_LEN (len, suite_size); ++ pos += suite_size; ++ ++ DECR_LEN (len, 1); ++ comp_size = data[pos++]; /* z is the number of compression methods */ ++ DECR_LEN (len, comp_size); ++ pos += comp_size; ++ ++ ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY, ++ &data[pos], len); ++ if (ret < 0) ++ { ++ gnutls_assert (); ++ return ret; ++ } ++ + resume_copy_required_values (session); + session->internals.resumed = RESUME_TRUE; ++ + return _gnutls_user_hello_func (session, adv_version); + } + else +@@ -437,17 +467,17 @@ _gnutls_read_client_hello (gnutls_sessio + pos += comp_size; + + /* Parse the extensions (if any) +- */ +- if (neg_version >= GNUTLS_TLS1) ++ * ++ * Unconditionally try to parse extensions; safe renegotiation uses them in ++ * sslv3 and higher, even though sslv3 doesn't officially support them. ++ */ ++ ret = _gnutls_parse_extensions (session, GNUTLS_EXT_APPLICATION, ++ &data[pos], len); ++ /* len is the rest of the parsed length */ ++ if (ret < 0) + { +- ret = _gnutls_parse_extensions (session, GNUTLS_EXT_APPLICATION, +- &data[pos], len); +- /* len is the rest of the parsed length */ +- if (ret < 0) +- { +- gnutls_assert (); +- return ret; +- } ++ gnutls_assert (); ++ return ret; + } + + ret = _gnutls_user_hello_func (session, adv_version); +@@ -457,16 +487,20 @@ _gnutls_read_client_hello (gnutls_sessio + return ret; + } + +- if (neg_version >= GNUTLS_TLS1) ++ ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY, ++ &data[pos], len); ++ if (ret < 0) + { +- ret = _gnutls_parse_extensions (session, GNUTLS_EXT_TLS, +- &data[pos], len); +- /* len is the rest of the parsed length */ +- if (ret < 0) +- { +- gnutls_assert (); +- return ret; +- } ++ gnutls_assert (); ++ return ret; ++ } ++ ++ ret = _gnutls_parse_extensions (session, GNUTLS_EXT_TLS, ++ &data[pos], len); ++ if (ret < 0) ++ { ++ gnutls_assert (); ++ return ret; + } + + /* select an appropriate cipher suite +@@ -531,7 +565,7 @@ _gnutls_handshake_hash_pending (gnutls_s + static int + _gnutls_send_finished (gnutls_session_t session, int again) + { +- uint8_t data[36]; ++ uint8_t data[MAX_VERIFY_DATA_SIZE]; + int ret; + int data_size = 0; + +@@ -556,7 +590,7 @@ _gnutls_send_finished (gnutls_session_t + data_size = 36; + } + else +- { /* TLS 1.0 */ ++ { /* TLS 1.0+ */ + ret = _gnutls_finished (session, + session->security_parameters.entity, data); + data_size = 12; +@@ -572,6 +606,31 @@ _gnutls_send_finished (gnutls_session_t + session->internals.finished_func (session, data, data_size); + } + ++ /* Save data for safe renegotiation. ++ */ ++ if (data_size > MAX_VERIFY_DATA_SIZE) ++ { ++ gnutls_assert (); ++ return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; ++ } ++ ++ if (session->security_parameters.entity == GNUTLS_CLIENT) ++ { ++ session->security_parameters.extensions.client_verify_data_len = ++ data_size; ++ ++ memcpy (session->security_parameters.extensions.client_verify_data, ++ data, data_size); ++ } ++ else ++ { ++ session->security_parameters.extensions.server_verify_data_len = ++ data_size; ++ ++ memcpy (session->security_parameters.extensions.server_verify_data, ++ data, data_size); ++ } ++ + ret = + _gnutls_send_handshake (session, data_size ? data : NULL, data_size, + GNUTLS_HANDSHAKE_FINISHED); +@@ -585,10 +644,11 @@ _gnutls_send_finished (gnutls_session_t + static int + _gnutls_recv_finished (gnutls_session_t session) + { +- uint8_t data[36], *vrfy; ++ uint8_t data[MAX_VERIFY_DATA_SIZE], *vrfy; + int data_size; + int ret; + int vrfysize; ++ tls_ext_st *ext; + + ret = + _gnutls_recv_handshake (session, &vrfy, &vrfysize, +@@ -646,6 +706,28 @@ _gnutls_recv_finished (gnutls_session_t + } + gnutls_free (vrfy); + ++ /* Save peer's verify data for safe renegotiation */ ++ if (data_size > MAX_VERIFY_DATA_SIZE) ++ { ++ gnutls_assert (); ++ return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; ++ } ++ ++ ext = &session->security_parameters.extensions; ++ ++ if (session->security_parameters.entity == GNUTLS_CLIENT) ++ { ++ memcpy (ext->server_verify_data, data, data_size); ++ ext->server_verify_data_len = data_size; ++ } ++ else ++ { ++ memcpy (ext->client_verify_data, data, data_size); ++ ext->client_verify_data_len = data_size; ++ } ++ ++ session->internals.initial_negotiation_completed = 1; ++ + return ret; + } + +@@ -685,7 +767,6 @@ _gnutls_server_find_pk_algos_in_ciphersu + return algo; + } + +- + /* This selects the best supported ciphersuite from the given ones. Then + * it adds the suite to the session and performs some checks. + */ +@@ -700,11 +781,31 @@ _gnutls_server_select_suite (gnutls_sess + * supported by the peer. + */ + ++ /* First, check for safe renegotiation SCSV. ++ */ ++ if (session->internals.priorities.sr != SR_DISABLED) ++ { ++ int offset; ++ ++ for(offset = 0; offset < datalen; offset += 2) ++ { ++ /* TLS_RENEGO_PROTECTION_REQUEST = { 0x00, 0xff } */ ++ if (data[offset] == GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR && ++ data[offset+1] == GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR) ++ { ++ _gnutls_handshake_log ("HSK[%p]: Received safe renegotiation CS\n", session); ++ session->internals.safe_renegotiation_received = 1; ++ session->internals.connection_using_safe_renegotiation = 1; ++ break; ++ } ++ } ++ } ++ + pk_algo = _gnutls_server_find_pk_algos_in_ciphersuites (data, datalen); + + x = _gnutls_supported_ciphersuites (session, &ciphers); + if (x < 0) +- { /* the case x==0 is handled within the function. */ ++ { /* the case x==0 is handled within the function. */ + gnutls_assert (); + return x; + } +@@ -752,21 +853,21 @@ _gnutls_server_select_suite (gnutls_sess + + for (j = 0; j < datalen; j += 2) + { +- for (i = 0; i < x; i++) +- { +- if (memcmp (ciphers[i].suite, &data[j], 2) == 0) +- { +- memcpy (&cs.suite, &data[j], 2); +- +- _gnutls_handshake_log +- ("HSK[%p]: Selected cipher suite: %s\n", session, +- _gnutls_cipher_suite_get_name (&cs)); +- memcpy (session->security_parameters.current_cipher_suite.suite, +- ciphers[i].suite, 2); +- retval = 0; +- goto finish; +- } +- } ++ for (i = 0; i < x; i++) ++ { ++ if (memcmp (ciphers[i].suite, &data[j], 2) == 0) ++ { ++ memcpy (&cs.suite, &data[j], 2); ++ ++ _gnutls_handshake_log ++ ("HSK[%p]: Selected cipher suite: %s\n", session, ++ _gnutls_cipher_suite_get_name (&cs)); ++ memcpy (session->security_parameters.current_cipher_suite.suite, ++ ciphers[i].suite, 2); ++ retval = 0; ++ goto finish; ++ } ++ } + } + + finish: +@@ -960,7 +1061,7 @@ _gnutls_send_handshake (gnutls_session_t + if (i_datasize > 0) + memcpy (&data[pos], i_data, i_datasize); + +- _gnutls_handshake_log ("HSK[%p]: %s was send [%ld bytes]\n", ++ _gnutls_handshake_log ("HSK[%p]: %s was sent [%ld bytes]\n", + session, _gnutls_handshake2str (type), + (long) datasize); + +@@ -1042,7 +1143,6 @@ _gnutls_recv_handshake_header (gnutls_se + + if (ret < 0) + { +- gnutls_assert (); + return ret; + } + +@@ -1525,15 +1625,26 @@ _gnutls_read_server_hello (gnutls_sessio + } + DECR_LEN (len, session_id_len); + +- + /* check if we are resuming and set the appropriate + * values; + */ + if (_gnutls_client_check_if_resuming + (session, &data[pos], session_id_len) == 0) +- return 0; +- pos += session_id_len; ++ { ++ pos += session_id_len + 2 + 1; ++ DECR_LEN (len, 2+1); + ++ ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY, ++ &data[pos], len); ++ if (ret < 0) ++ { ++ gnutls_assert (); ++ return ret; ++ } ++ return 0; ++ } ++ ++ pos += session_id_len; + + /* Check if the given cipher suite is supported and copy + * it to the session. +@@ -1548,8 +1659,6 @@ _gnutls_read_server_hello (gnutls_sessio + } + pos += 2; + +- +- + /* move to compression + */ + DECR_LEN (len, 1); +@@ -1563,32 +1672,32 @@ _gnutls_read_server_hello (gnutls_sessio + + /* Parse extensions. + */ +- if (version >= GNUTLS_TLS1) ++ ret = _gnutls_parse_extensions (session, GNUTLS_EXT_ANY, ++ &data[pos], len); ++ if (ret < 0) + { +- ret = _gnutls_parse_extensions (session, GNUTLS_EXT_ANY, +- &data[pos], len); +- /* len is the rest of the parsed length */ +- if (ret < 0) +- { +- gnutls_assert (); +- return ret; +- } ++ gnutls_assert (); ++ return ret; + } ++ + return ret; + } + + + /* This function copies the appropriate ciphersuites to a locally allocated buffer +- * Needed in client hello messages. Returns the new data length. ++ * Needed in client hello messages. Returns the new data length. If add_scsv is ++ * true, add the special safe renegotiation CS. + */ + static int + _gnutls_copy_ciphersuites (gnutls_session_t session, +- opaque * ret_data, size_t ret_data_size) ++ opaque * ret_data, size_t ret_data_size, ++ int add_scsv) + { + int ret, i; + cipher_suite_st *cipher_suites; + uint16_t cipher_num; + int datalen, pos; ++ uint16_t loop_max; + + ret = _gnutls_supported_ciphersuites_sorted (session, &cipher_suites); + if (ret < 0) +@@ -1619,6 +1728,9 @@ _gnutls_copy_ciphersuites (gnutls_sessio + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + ++ if (add_scsv) ++ ++ret; ++ + cipher_num = ret; + + cipher_num *= sizeof (uint16_t); /* in order to get bytes */ +@@ -1636,11 +1748,21 @@ _gnutls_copy_ciphersuites (gnutls_sessio + _gnutls_write_uint16 (cipher_num, ret_data); + pos += 2; + +- for (i = 0; i < (cipher_num / 2); i++) ++ loop_max = add_scsv ? cipher_num - 2 : cipher_num; ++ ++ for (i = 0; i < (loop_max / 2); i++) + { + memcpy (&ret_data[pos], cipher_suites[i].suite, 2); + pos += 2; + } ++ ++ if (add_scsv) ++ { ++ /* Safe renegotiation signalling CS value is { 0x00, 0xff } */ ++ ret_data[pos++] = 0x00; ++ ret_data[pos++] = 0xff; ++ } ++ + gnutls_free (cipher_suites); + + return datalen; +@@ -1700,7 +1822,7 @@ _gnutls_send_client_hello (gnutls_sessio + { + opaque *data = NULL; + int extdatalen; +- int pos = 0; ++ int pos = 0, type; + int datalen = 0, ret = 0; + opaque rnd[GNUTLS_RANDOM_SIZE]; + gnutls_protocol_t hver; +@@ -1807,9 +1929,21 @@ _gnutls_send_client_hello (gnutls_sessio + + + /* Copy the ciphersuites. +- */ +- extdatalen = +- _gnutls_copy_ciphersuites (session, extdata, sizeof (extdata)); ++ * ++ * If using SSLv3 Send TLS_RENEGO_PROTECTION_REQUEST SCSV for MITM ++ * prevention on initial negotiation (but not renegotiation; that's ++ * handled with the RI extension below). ++ */ ++ if(!session->internals.initial_negotiation_completed && ++ session->security_parameters.entity == GNUTLS_CLIENT && ++ gnutls_protocol_get_version (session) == GNUTLS_SSL3) ++ { ++ extdatalen = _gnutls_copy_ciphersuites (session, extdata, sizeof (extdata), TRUE); ++ _gnutls_extension_list_add (session, GNUTLS_EXTENSION_SAFE_RENEGOTIATION); ++ } ++ else ++ extdatalen = _gnutls_copy_ciphersuites (session, extdata, sizeof (extdata), FALSE); ++ + if (extdatalen > 0) + { + datalen += extdatalen; +@@ -1864,11 +1998,19 @@ _gnutls_send_client_hello (gnutls_sessio + /* Generate and copy TLS extensions. + */ + if (hver >= GNUTLS_TLS1) ++ type = GNUTLS_EXT_ANY; ++ else + { +- extdatalen = +- _gnutls_gen_extensions (session, extdata, sizeof (extdata)); ++ if (session->internals.initial_negotiation_completed != 0) ++ type = GNUTLS_EXT_MANDATORY; ++ else ++ type = GNUTLS_EXT_NONE; ++ } ++ ++ extdatalen = ++ _gnutls_gen_extensions (session, extdata, sizeof (extdata), type); + +- if (extdatalen > 0) ++ if (extdatalen > 0) + { + datalen += extdatalen; + data = gnutls_realloc_fast (data, datalen); +@@ -1880,13 +2022,12 @@ _gnutls_send_client_hello (gnutls_sessio + + memcpy (&data[pos], extdata, extdatalen); + } +- else if (extdatalen < 0) ++ else if (extdatalen < 0) + { + gnutls_assert (); + gnutls_free (data); + return extdatalen; + } +- } + } + + ret = +@@ -1932,15 +2073,7 @@ _gnutls_send_server_hello (gnutls_sessio + * alert and abort. + */ + gnutls_assert (); +- ret = gnutls_alert_send (session, GNUTLS_AL_FATAL, +- GNUTLS_A_UNKNOWN_PSK_IDENTITY); +- if (ret < 0) +- { +- gnutls_assert (); +- return ret; +- } +- +- return GNUTLS_E_ILLEGAL_SRP_USERNAME; ++ return GNUTLS_E_UNKNOWN_SRP_USERNAME; + } + } + #endif +@@ -1949,7 +2082,7 @@ _gnutls_send_server_hello (gnutls_sessio + { + datalen = 2 + session_id_len + 1 + GNUTLS_RANDOM_SIZE + 3; + extdatalen = +- _gnutls_gen_extensions (session, extdata, sizeof (extdata)); ++ _gnutls_gen_extensions (session, extdata, sizeof (extdata), GNUTLS_EXT_ANY); + + if (extdatalen < 0) + { +@@ -2015,6 +2148,8 @@ _gnutls_send_hello (gnutls_session_t ses + { + int ret; + ++ session->internals.safe_renegotiation_received = 0; ++ + if (session->security_parameters.entity == GNUTLS_CLIENT) + { + ret = _gnutls_send_client_hello (session, again); +@@ -2036,6 +2171,7 @@ int + _gnutls_recv_hello (gnutls_session_t session, opaque * data, int datalen) + { + int ret; ++ tls_ext_st *ext; + + if (session->security_parameters.entity == GNUTLS_CLIENT) + { +@@ -2047,7 +2183,7 @@ _gnutls_recv_hello (gnutls_session_t ses + } + } + else +- { /* Server side reading a client hello */ ++ { /* Server side reading a client hello */ + + ret = _gnutls_read_client_hello (session, data, datalen); + if (ret < 0) +@@ -2057,6 +2193,89 @@ _gnutls_recv_hello (gnutls_session_t ses + } + } + ++ if (session->internals.priorities.sr == SR_DISABLED) ++ { ++ gnutls_assert(); ++ return ret; ++ } ++ ++ /* Safe renegotiation */ ++ ext = &session->security_parameters.extensions; ++ ++ if (session->internals.safe_renegotiation_received) ++ { ++ if ((ext->ri_extension_data_len < ext->client_verify_data_len) || ++ (memcmp (ext->ri_extension_data, ++ ext->client_verify_data, ++ ext->client_verify_data_len))) ++ { ++ gnutls_assert(); ++ _gnutls_handshake_log ("Safe renegotiation failed [1]\n"); ++ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED; ++ } ++ if (session->security_parameters.entity == GNUTLS_CLIENT) ++ { ++ if ((ext->ri_extension_data_len != ++ ext->client_verify_data_len + ext->server_verify_data_len) || ++ memcmp (ext->ri_extension_data + ext->client_verify_data_len, ++ ext->server_verify_data, ext->server_verify_data_len) != 0) ++ { ++ gnutls_assert(); ++ _gnutls_handshake_log ("Safe renegotiation failed [2]\n"); ++ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED; ++ } ++ } ++ else /* Make sure there are 0 extra bytes */ ++ { ++ if (ext->ri_extension_data_len != ext->client_verify_data_len) ++ { ++ gnutls_assert(); ++ _gnutls_handshake_log ("Safe renegotiation failed [3]\n"); ++ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED; ++ } ++ } ++ ++ _gnutls_handshake_log ("Safe renegotiation succeeded.\n"); ++ } ++ else /* safe renegotiation not received... */ ++ { ++ if (session->internals.connection_using_safe_renegotiation) ++ { ++ gnutls_assert(); ++ _gnutls_handshake_log ("Peer previously asked for safe renegotiation!\n"); ++ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED; ++ } ++ ++ /* Clients can't tell if it's an initial negotiation */ ++ if (session->internals.initial_negotiation_completed) ++ { ++ ++ if (session->internals.priorities.sr < SR_PARTIAL) ++ { ++ _gnutls_handshake_log ("Allowing unsafe (re)negotiation!\n"); ++ } ++ else ++ { ++ gnutls_assert(); ++ _gnutls_handshake_log ("Denying unsafe (re)negotiation.\n"); ++ return GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED; ++ } ++ } ++ else ++ { ++ if (session->internals.priorities.sr < SR_SAFE) ++ { ++ _gnutls_handshake_log ("Allowing unsafe initial negotiation!\n"); ++ } ++ else ++ { ++ gnutls_assert(); ++ _gnutls_handshake_log ("Denying unsafe initial negotiation.\n"); ++ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED; ++ } ++ } ++ } ++ + return ret; + } + +@@ -2097,6 +2316,13 @@ _gnutls_recv_hello (gnutls_session_t ses + * gnutls_handshake() function in order to negotiate the new + * parameters. + * ++ * Since TLS is full duplex some application data might have been ++ * sent during peer's processing of this message. In that case ++ * one should call gnutls_record_recv() until GNUTLS_E_REHANDSHAKE ++ * is returned to clear any pending data. Care must be taken if ++ * rehandshake is mandatory to terminate if it does not start after ++ * some threshold. ++ * + * If the client does not wish to renegotiate parameters he will + * should with an alert message, thus the return code will be + * %GNUTLS_E_WARNING_ALERT_RECEIVED and the alert will be +diff -up gnutls-2.8.6/lib/gnutls_int.h.reneg gnutls-2.8.6/lib/gnutls_int.h +--- gnutls-2.8.6/lib/gnutls_int.h.reneg 2009-11-02 11:30:39.000000000 +0100 ++++ gnutls-2.8.6/lib/gnutls_int.h 2010-06-02 10:23:27.000000000 +0200 +@@ -171,7 +171,8 @@ typedef enum extensions_t + GNUTLS_EXTENSION_OPAQUE_PRF_INPUT = ENABLE_OPRFI, + #endif + GNUTLS_EXTENSION_SRP = 12, +- GNUTLS_EXTENSION_INNER_APPLICATION = 37703 ++ GNUTLS_EXTENSION_INNER_APPLICATION = 37703, ++ GNUTLS_EXTENSION_SAFE_RENEGOTIATION = 65281, /* aka: 0xff01 */ + } extensions_t; + + typedef enum +@@ -282,6 +283,11 @@ typedef struct + + #define MAX_SERVER_NAME_EXTENSIONS 3 + ++#define MAX_VERIFY_DATA_SIZE 36 /* in SSL 3.0, 12 in TLS 1.0 */ ++ ++/* If you want the extension data to be kept across resuming sessions ++ * then modify CPY_EXTENSIONS in gnutls_constate.c ++ */ + typedef struct + { + server_name_st server_names[MAX_SERVER_NAME_EXTENSIONS]; +@@ -297,6 +303,9 @@ typedef struct + /* Used by extensions that enable supplemental data. */ + int do_recv_supplemental, do_send_supplemental; + ++ /*** Those below do not get copied when resuming session ++ ***/ ++ + /* Opaque PRF input. */ + gnutls_oprfi_callback_func oprfi_cb; + void *oprfi_userdata; +@@ -304,6 +313,15 @@ typedef struct + uint16_t oprfi_client_len; + opaque *oprfi_server; + uint16_t oprfi_server_len; ++ ++ /* Safe renegotiation. */ ++ uint8_t client_verify_data[MAX_VERIFY_DATA_SIZE]; ++ size_t client_verify_data_len; ++ uint8_t server_verify_data[MAX_VERIFY_DATA_SIZE]; ++ size_t server_verify_data_len; ++ uint8_t ri_extension_data[MAX_VERIFY_DATA_SIZE*2]; /* max signal is 72 bytes in s->c sslv3 */ ++ size_t ri_extension_data_len; ++ + } tls_ext_st; + + /* auth_info_t structures now MAY contain malloced +@@ -317,7 +335,7 @@ typedef struct + */ + + /* if you add anything in Security_Parameters struct, then +- * also modify CPY_COMMON in gnutls_constate.c ++ * also modify CPY_COMMON in gnutls_constate.c. + */ + + /* Note that the security parameters structure is set up after the +@@ -361,6 +379,7 @@ typedef struct + /* holds the negotiated certificate type */ + gnutls_certificate_type_t cert_type; + gnutls_protocol_t version; /* moved here */ ++ + /* For TLS/IA. XXX: Move to IA credential? */ + opaque inner_secret[GNUTLS_MASTER_SIZE]; + } security_parameters_st; +@@ -400,6 +419,13 @@ typedef struct + unsigned int algorithms; + } priority_st; + ++typedef enum { ++ SR_DISABLED, ++ SR_UNSAFE, ++ SR_PARTIAL, ++ SR_SAFE, ++} safe_renegotiation_t; ++ + /* For the external api */ + struct gnutls_priority_st + { +@@ -411,7 +437,8 @@ struct gnutls_priority_st + priority_st cert_type; + + /* to disable record padding */ +- int no_padding; ++ int no_padding:1; ++ safe_renegotiation_t sr; + int ssl3_record_version; + int additional_verify_flags; + }; +@@ -673,6 +700,10 @@ typedef struct + */ + uint16_t srp_prime_bits; + ++ int safe_renegotiation_received:1; ++ int initial_negotiation_completed:1; ++ int connection_using_safe_renegotiation:1; ++ + /* If you add anything here, check _gnutls_handshake_internal_state_clear(). + */ + } internals_st; +diff -up gnutls-2.8.6/lib/gnutls_priority.c.reneg gnutls-2.8.6/lib/gnutls_priority.c +--- gnutls-2.8.6/lib/gnutls_priority.c.reneg 2009-06-02 20:59:32.000000000 +0200 ++++ gnutls-2.8.6/lib/gnutls_priority.c 2010-06-02 10:23:27.000000000 +0200 +@@ -491,6 +491,21 @@ gnutls_priority_set (gnutls_session_t se + * + * "%COMPAT" will enable compatibility features for a server. + * ++ * "%DISABLE_SAFE_RENEGOTIATION" will disable safe renegotiation completely. Do not use ++ * unless you know what you are doing. Testing purposes only. ++ * ++ * "%UNSAFE_RENEGOTIATION" will allow unsafe renegotiation (this is now ++ * the default for clients, but will change once more servers support the safe renegotiation ++ * TLS fix). ++ * ++ * "%PARTIAL_SAFE_RENEGOTIATION" In server side it will enable safe renegotiation ++ * and will protect all clients from known attacks, but will not prevent insecure clients ++ * from connecting. In client side it will disallow from renegotiating with an insecure server ++ * but will not prevent connecting to one (this leaves the client vulnerable to attacks). ++ * ++ * "%SAFE_RENEGOTIATION" will enforce safe renegotiation. Clients and Servers will refuse ++ * to talk to an insecure peer. ++ * + * "%SSL3_RECORD_VERSION" will use SSL3.0 record version in client hello. + * + * "%VERIFY_ALLOW_SIGN_RSA_MD5" will allow RSA-MD5 signatures in +@@ -523,7 +538,7 @@ gnutls_priority_init (gnutls_priority_t + { + char *broken_list[MAX_ELEMENTS]; + int broken_list_size, i, j; +- char *darg; ++ char *darg = NULL; + int algo; + rmadd_func *fn; + +@@ -533,6 +548,11 @@ gnutls_priority_init (gnutls_priority_t + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; + } ++ ++ /* for now unsafe renegotiation is default on everyone. To be removed ++ * when we make it the default. ++ */ ++ (*priority_cache)->sr = SR_PARTIAL; + + if (priorities == NULL) + priorities = "NORMAL"; +@@ -541,9 +561,10 @@ gnutls_priority_init (gnutls_priority_t + if (darg == NULL) + { + gnutls_assert (); +- return GNUTLS_E_MEMORY_ERROR; ++ goto error; + } + ++ + break_comma_list (darg, broken_list, &broken_list_size, MAX_ELEMENTS, ':'); + /* This is our default set of protocol version, certificate types and + * compression methods. +@@ -652,6 +673,25 @@ gnutls_priority_init (gnutls_priority_t + "VERIFY_ALLOW_X509_V1_CA_CRT") == 0) + (*priority_cache)->additional_verify_flags |= + GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT; ++ else if (strcasecmp (&broken_list[i][1], ++ "UNSAFE_RENEGOTIATION") == 0) ++ { ++ (*priority_cache)->sr = SR_UNSAFE; ++ } ++ else if (strcasecmp (&broken_list[i][1], "SAFE_RENEGOTIATION") == 0) ++ { ++ (*priority_cache)->sr = SR_SAFE; ++ } ++ else if (strcasecmp (&broken_list[i][1], ++ "PARTIAL_RENEGOTIATION") == 0) ++ { ++ (*priority_cache)->sr = SR_PARTIAL; ++ } ++ else if (strcasecmp (&broken_list[i][1], ++ "DISABLE_SAFE_RENEGOTIATION") == 0) ++ { ++ (*priority_cache)->sr = SR_DISABLED; ++ } + else + goto error; + } +@@ -672,6 +712,7 @@ error: + } + } + gnutls_free (darg); ++ gnutls_free(*priority_cache); + + return GNUTLS_E_INVALID_REQUEST; + +diff -up gnutls-2.8.6/lib/gnutls_record.c.reneg gnutls-2.8.6/lib/gnutls_record.c +--- gnutls-2.8.6/lib/gnutls_record.c.reneg 2009-06-02 20:59:32.000000000 +0200 ++++ gnutls-2.8.6/lib/gnutls_record.c 2010-05-31 22:52:31.000000000 +0200 +@@ -744,6 +744,14 @@ record_check_type (gnutls_session_t sess + if (session->security_parameters.entity == GNUTLS_SERVER) + { + gnutls_assert (); ++ ret = ++ _gnutls_record_buffer_put (recv_type, session, (void *) data, ++ data_size); ++ if (ret < 0) ++ { ++ gnutls_assert (); ++ return ret; ++ } + return GNUTLS_E_REHANDSHAKE; + } + +@@ -896,9 +904,13 @@ begin: + _gnutls_io_read_buffered (session, &headers, header_size, + -1)) != header_size) + { ++ _gnutls_handshake_log ("XXX[]: ret: %d %s\n", ret, gnutls_strerror(ret)); ++ + if (ret < 0 && gnutls_error_is_fatal (ret) == 0) + return ret; + ++ _gnutls_handshake_log ("XXX2[]: ret: %d %s\n", ret, gnutls_strerror(ret)); ++ + session_invalidate (session); + if (type == GNUTLS_ALERT) + { +diff -up gnutls-2.8.6/lib/gnutls_state.c.reneg gnutls-2.8.6/lib/gnutls_state.c +--- gnutls-2.8.6/lib/gnutls_state.c.reneg 2009-11-02 11:30:39.000000000 +0100 ++++ gnutls-2.8.6/lib/gnutls_state.c 2010-06-02 10:23:27.000000000 +0200 +@@ -223,6 +223,7 @@ _gnutls_handshake_internal_state_clear ( + session->internals.adv_version_minor = 0; + session->internals.adv_version_minor = 0; + session->internals.direction = 0; ++ session->internals.safe_renegotiation_received = 0; + + /* use out of band data for the last + * handshake messages received. +@@ -338,6 +339,11 @@ gnutls_init (gnutls_session_t * session, + + _gnutls_handshake_internal_state_clear (*session); + ++ /* emulate old gnutls behavior for old applications that do not use the priority_* ++ * functions. ++ */ ++ (*session)->internals.priorities.sr = SR_PARTIAL; ++ + return 0; + } + +diff -up gnutls-2.8.6/lib/includes/gnutls/gnutls.h.in.reneg gnutls-2.8.6/lib/includes/gnutls/gnutls.h.in +--- gnutls-2.8.6/lib/includes/gnutls/gnutls.h.in.reneg 2009-06-02 20:59:32.000000000 +0200 ++++ gnutls-2.8.6/lib/includes/gnutls/gnutls.h.in 2010-05-31 22:52:31.000000000 +0200 +@@ -503,7 +503,9 @@ extern "C" { + { + GNUTLS_EXT_ANY, + GNUTLS_EXT_APPLICATION, +- GNUTLS_EXT_TLS ++ GNUTLS_EXT_TLS, ++ GNUTLS_EXT_MANDATORY, /* parse even if resuming or extensions disabled */ ++ GNUTLS_EXT_NONE, + } gnutls_ext_parse_type_t; + + int gnutls_ext_register (int type, +@@ -525,6 +527,9 @@ extern "C" { + void *data, size_t * data_length, + unsigned int *type, unsigned int indx); + ++ /* Safe renegotiation */ ++ int gnutls_safe_renegotiation_status (gnutls_session_t session); ++ + /* Opaque PRF Input + * http://tools.ietf.org/id/draft-rescorla-tls-opaque-prf-input-00.txt + */ +@@ -1368,6 +1373,9 @@ extern "C" { + #define GNUTLS_E_IA_VERIFY_FAILED -104 + + #define GNUTLS_E_UNKNOWN_ALGORITHM -105 ++#define GNUTLS_E_SAFE_RENEGOTIATION_FAILED -107 ++#define GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED -108 ++#define GNUTLS_E_UNKNOWN_SRP_USERNAME -109 + + #define GNUTLS_E_BASE64_ENCODING_ERROR -201 + #define GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY -202 /* obsolete */ +diff -up gnutls-2.8.6/lib/libgnutls.map.reneg gnutls-2.8.6/lib/libgnutls.map +--- gnutls-2.8.6/lib/libgnutls.map.reneg 2009-06-02 20:59:32.000000000 +0200 ++++ gnutls-2.8.6/lib/libgnutls.map 2010-05-31 22:52:31.000000000 +0200 +@@ -567,6 +567,12 @@ GNUTLS_2_8 + gnutls_x509_crt_verify_hash; + } GNUTLS_1_4; + ++GNUTLS_2_10 ++{ ++ global: ++ gnutls_safe_renegotiation_status; ++} GNUTLS_2_8; ++ + GNUTLS_PRIVATE { + global: + # Internal symbols needed by libgnutls-extra: +diff -up gnutls-2.8.6/lib/Makefile.in.reneg gnutls-2.8.6/lib/Makefile.in +--- gnutls-2.8.6/lib/Makefile.in.reneg 2010-03-15 11:28:41.000000000 +0100 ++++ gnutls-2.8.6/lib/Makefile.in 2010-05-31 22:52:31.000000000 +0200 +@@ -214,7 +214,7 @@ am__objects_4 = gnutls_record.lo gnutls_ + ext_server_name.lo auth_dh_common.lo gnutls_helper.lo \ + gnutls_supplemental.lo crypto.lo random.lo pk-libgcrypt.lo \ + mpi-libgcrypt.lo rnd-libgcrypt.lo cipher-libgcrypt.lo \ +- mac-libgcrypt.lo $(am__objects_3) ++ mac-libgcrypt.lo ext_safe_renegotiation.lo $(am__objects_3) + am__objects_5 = ext_srp.lo gnutls_srp.lo auth_srp.lo \ + auth_srp_passwd.lo auth_srp_sb64.lo auth_srp_rsa.lo + am__objects_6 = auth_psk.lo auth_psk_passwd.lo gnutls_psk.lo \ +@@ -854,6 +854,7 @@ COBJECTS = gnutls_record.c gnutls_compre + auth_dh_common.c gnutls_helper.c gnutls_supplemental.c \ + crypto.c random.c pk-libgcrypt.c mpi-libgcrypt.c \ + rnd-libgcrypt.c cipher-libgcrypt.c mac-libgcrypt.c \ ++ ext_safe_renegotiation.c \ + $(am__append_5) + HFILES = debug.h gnutls_compress.h gnutls_cipher.h gnutls_buffers.h \ + gnutls_errors.h gnutls_int.h gnutls_handshake.h gnutls_num.h \ +@@ -868,7 +869,8 @@ HFILES = debug.h gnutls_compress.h gnutl + gnutls_rsa_export.h ext_server_name.h auth_dh_common.h \ + ext_srp.h gnutls_srp.h auth_srp.h auth_srp_passwd.h \ + gnutls_helper.h auth_psk.h auth_psk_passwd.h \ +- gnutls_supplemental.h ext_oprfi.h crypto.h random.h ++ gnutls_supplemental.h ext_oprfi.h crypto.h random.h \ ++ ext_safe_renegotiation.h + + + # Separate so we can create the documentation +@@ -1058,6 +1060,7 @@ distclean-compile: + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gnutls_x509.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libgnutlsxx_la-gnutlsxx.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mac-libgcrypt.Plo@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ext_safe_renegotiation.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mpi-libgcrypt.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pk-libgcrypt.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkix_asn1_tab.Plo@am__quote@ +diff -up gnutls-2.8.6/NEWS.reneg gnutls-2.8.6/NEWS +--- gnutls-2.8.6/NEWS.reneg 2010-03-15 13:49:42.000000000 +0100 ++++ gnutls-2.8.6/NEWS 2010-05-31 22:52:31.000000000 +0200 +@@ -3,6 +3,23 @@ Copyright (C) 2000, 2001, 2002, 2003, 20 + 2006, 2007, 2008, 2009, 2010 Free Software Foundation + See the end for copying conditions. + ++** libgnutls: Added Steve Dispensa's patch for safe renegotiation (RFC 5746) ++Solves the issue discussed in: ++ and ++. ++Note that to allow connecting to unpatched servers the full protection ++is only enabled if the priority string %SAFE_RENEGOTIATION is ++specified. You can check whether protection is in place by querying ++gnutls_safe_renegotiation_status(). New error codes ++GNUTLS_E_SAFE_RENEGOTIATION_FAILED and ++GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED added. ++ ++gnutls_safe_renegotiation_status: Added ++ ++%UNSAFE_RENEGOTIATION: Added to priority strings ++%INITIAL_SAFE_RENEGOTIATION: Added to priority strings ++%DISABLE_SAFE_RENEGOTIATION: Added to priority strings (do not use) ++ + * Version 2.8.6 (released 2010-03-15) + + ** libgnutls: For CSRs, don't null pad integers for RSA/DSA value. +diff -up gnutls-2.8.6/src/cli.c.reneg gnutls-2.8.6/src/cli.c +--- gnutls-2.8.6/src/cli.c.reneg 2009-06-02 20:59:32.000000000 +0200 ++++ gnutls-2.8.6/src/cli.c 2010-05-31 22:52:31.000000000 +0200 +@@ -53,7 +53,7 @@ + #define MAX_BUF 4096 + + /* global stuff here */ +-int resume, starttls, insecure; ++int resume, starttls, insecure, rehandshake; + const char *hostname = NULL; + char *service; + int record_max_size; +@@ -674,6 +674,23 @@ after_handshake: + programs to search for when gnutls-cli has reached this point. */ + printf ("\n- Simple Client Mode:\n\n"); + ++ if (rehandshake) ++ { ++ ret = do_handshake (&hd); ++ ++ if (ret < 0) ++ { ++ fprintf (stderr, "*** ReHandshake has failed\n"); ++ gnutls_perror (ret); ++ gnutls_deinit (hd.session); ++ return 1; ++ } ++ else ++ { ++ printf ("- ReHandshake was completed\n"); ++ } ++ } ++ + #ifndef _WIN32 + signal (SIGALRM, &starttls_alarm); + #endif +@@ -838,6 +855,7 @@ gaa_parser (int argc, char **argv) + print_cert = info.print_cert; + starttls = info.starttls; + resume = info.resume; ++ rehandshake = info.rehandshake; + insecure = info.insecure; + service = info.port; + record_max_size = info.record_size; +@@ -962,6 +980,11 @@ do_handshake (socket_st * socket) + socket->secure = 1; + + } ++ else ++ { ++ gnutls_alert_send_appropriate(socket->session, ret); ++ shutdown (socket->fd, SHUT_RDWR); ++ } + return ret; + } + +diff -up gnutls-2.8.6/src/cli-gaa.c.reneg gnutls-2.8.6/src/cli-gaa.c +--- gnutls-2.8.6/src/cli-gaa.c.reneg 2009-06-02 20:59:32.000000000 +0200 ++++ gnutls-2.8.6/src/cli-gaa.c 2010-05-31 22:52:31.000000000 +0200 +@@ -129,6 +129,7 @@ void gaa_help(void) + printf("GNU TLS test client\nUsage: gnutls-cli [options] hostname\n\n\n"); + __gaa_helpsingle('d', "debug", "integer ", "Enable debugging"); + __gaa_helpsingle('r', "resume", "", "Connect, establish a session. Connect again and resume this session."); ++ __gaa_helpsingle('e', "rehandshake", "", "Connect, establish a session and rehandshake immediately."); + __gaa_helpsingle('s', "starttls", "", "Connect, establish a plain session and start TLS when EOF or a SIGALRM is received."); + __gaa_helpsingle(0, "crlf", "", "Send CR LF instead of LF."); + __gaa_helpsingle(0, "x509fmtder", "", "Use DER format for certificates to read from."); +@@ -250,6 +251,8 @@ struct _gaainfo + int crlf; + #line 20 "cli.gaa" + int starttls; ++#line 20 "cli.gaa" ++ int rehandshake; + #line 17 "cli.gaa" + int resume; + #line 14 "cli.gaa" +@@ -342,8 +345,9 @@ static int gaa_error = 0; + #define GAAOPTID_x509fmtder 31 + #define GAAOPTID_crlf 32 + #define GAAOPTID_starttls 33 +-#define GAAOPTID_resume 34 +-#define GAAOPTID_debug 35 ++#define GAAOPTID_rehandshake 34 ++#define GAAOPTID_resume 35 ++#define GAAOPTID_debug 36 + + #line 168 "gaa.skel" + +@@ -721,6 +725,7 @@ static int gaa_get_option_num(char *str, + GAA_CHECK1STR("", GAAOPTID_x509fmtder); + GAA_CHECK1STR("", GAAOPTID_crlf); + GAA_CHECK1STR("s", GAAOPTID_starttls); ++ GAA_CHECK1STR("e", GAAOPTID_rehandshake); + GAA_CHECK1STR("r", GAAOPTID_resume); + + #line 277 "gaa.skel" +@@ -759,6 +764,7 @@ static int gaa_get_option_num(char *str, + GAA_CHECKSTR("x509fmtder", GAAOPTID_x509fmtder); + GAA_CHECKSTR("crlf", GAAOPTID_crlf); + GAA_CHECKSTR("starttls", GAAOPTID_starttls); ++ GAA_CHECKSTR("rehandshake", GAAOPTID_rehandshake); + GAA_CHECKSTR("resume", GAAOPTID_resume); + GAA_CHECKSTR("debug", GAAOPTID_debug); + +@@ -1101,6 +1107,13 @@ static int gaa_try(int gaa_num, int gaa_ + + return GAA_OK; + break; ++ case GAAOPTID_rehandshake: ++ OK = 0; ++#line 21 "cli.gaa" ++{ gaaval->rehandshake = 1 ;}; ++ ++ return GAA_OK; ++ break; + case GAAOPTID_resume: + OK = 0; + #line 18 "cli.gaa" +@@ -1164,7 +1177,7 @@ int gaa(int argc, char **argv, gaainfo * + gaaval->srp_username=NULL; gaaval->srp_passwd=NULL; gaaval->fmtder = 0; gaaval->starttls =0; + gaaval->debug = 0; gaaval->print_cert = 0; gaaval->verbose = 0; gaaval->psk_key = NULL; + gaaval->psk_username = NULL; gaaval->priorities = NULL; +- gaaval->opaque_prf_input = NULL; gaaval->pgp_subkey = NULL; ;}; ++ gaaval->opaque_prf_input = NULL; gaaval->pgp_subkey = NULL; gaaval->rehandshake = 0; ;}; + + } + inited = 1; +diff -up gnutls-2.8.6/src/cli-gaa.h.reneg gnutls-2.8.6/src/cli-gaa.h +--- gnutls-2.8.6/src/cli-gaa.h.reneg 2009-06-02 20:59:32.000000000 +0200 ++++ gnutls-2.8.6/src/cli-gaa.h 2010-05-31 22:52:31.000000000 +0200 +@@ -82,6 +82,7 @@ struct _gaainfo + int crlf; + #line 20 "cli.gaa" + int starttls; ++ int rehandshake; + #line 17 "cli.gaa" + int resume; + #line 14 "cli.gaa" +diff -up gnutls-2.8.6/src/cli.gaa.reneg gnutls-2.8.6/src/cli.gaa +--- gnutls-2.8.6/src/cli.gaa.reneg 2009-06-02 20:59:32.000000000 +0200 ++++ gnutls-2.8.6/src/cli.gaa 2010-05-31 22:52:31.000000000 +0200 +@@ -17,6 +17,9 @@ option (d, debug) INT "integer" { $debug + #int resume; + option (r, resume) { $resume = 1 } "Connect, establish a session. Connect again and resume this session." + ++#int rehandshake; ++option (e, rehandshake) { $rehandshake = 1 } "Connect, establish a session and rehandshake immediately." ++ + #int starttls; + option (s, starttls) { $starttls = 1 } "Connect, establish a plain session and start TLS when EOF or a SIGALRM is received." + +@@ -130,4 +133,4 @@ init { $resume=0; $port="443"; $rest_arg + $srp_username=NULL; $srp_passwd=NULL; $fmtder = 0; $starttls =0; + $debug = 0; $print_cert = 0; $verbose = 0; $psk_key = NULL; + $psk_username = NULL; $priorities = NULL; +- $opaque_prf_input = NULL; $pgp_subkey = NULL; } ++ $opaque_prf_input = NULL; $pgp_subkey = NULL; $rehandshake = 0; } +diff -up gnutls-2.8.6/src/serv.c.reneg gnutls-2.8.6/src/serv.c +--- gnutls-2.8.6/src/serv.c.reneg 2009-11-06 09:39:42.000000000 +0100 ++++ gnutls-2.8.6/src/serv.c 2010-05-31 22:52:31.000000000 +0200 +@@ -764,6 +764,18 @@ get_response (gnutls_session_t session, + } + else + { ++ fprintf(stderr, "received: %s\n", request); ++ if (request[0] == request[1] && request[0] == '*') ++ { ++ if (strncmp(request, "**REHANDSHAKE**", sizeof("**REHANDSHAKE**")-1)==0) ++ { ++ fprintf(stderr, "*** Sending rehandshake request\n"); ++ gnutls_rehandshake(session); ++ } ++ *response = NULL; ++ *response_length = 0; ++ return; ++ } + *response = strdup (request); + *response_length = ((*response) ? strlen (*response) : 0); + } +@@ -1177,7 +1189,7 @@ main (int argc, char **argv) + ret = + gnutls_alert_send_appropriate (j->tls_session, r); + } +- while (ret == GNUTLS_E_AGAIN); ++ while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); + j->http_state = HTTP_STATE_CLOSING; + } + else if (r == 0) +@@ -1210,14 +1222,37 @@ main (int argc, char **argv) + } + else if (r <= 0) + { +- j->http_state = HTTP_STATE_CLOSING; +- if (r < 0 && r != GNUTLS_E_UNEXPECTED_PACKET_LENGTH) ++ if (r == GNUTLS_E_REHANDSHAKE) + { +- check_alert (j->tls_session, r); +- fprintf (stderr, "Error while receiving data\n"); +- GERR (r); +- } +- ++ fprintf(stderr, "*** Received hello message\n"); ++ do ++ { ++ r = gnutls_handshake (j->tls_session); ++ } ++ while (r == GNUTLS_E_INTERRUPTED || r == GNUTLS_E_AGAIN); ++ if (r < 0) ++ { ++ ++ do ++ { ++ ret = gnutls_alert_send_appropriate (j->tls_session, r); ++ } ++ while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); ++ ++ GERR (r); ++ j->http_state = HTTP_STATE_CLOSING; ++ } ++ } ++ else ++ { ++ j->http_state = HTTP_STATE_CLOSING; ++ if (r < 0 && r != GNUTLS_E_UNEXPECTED_PACKET_LENGTH) ++ { ++ check_alert (j->tls_session, r); ++ fprintf (stderr, "Error while receiving data\n"); ++ GERR (r); ++ } ++ } + } + else + { +@@ -1299,7 +1334,7 @@ main (int argc, char **argv) + } + } + +- if (j->handshake_ok == 1) ++ if (j->handshake_ok == 1 && j->http_response != NULL) + { + /* FIXME if j->http_response == NULL? */ + r = gnutls_record_send (j->tls_session, +@@ -1351,6 +1386,12 @@ main (int argc, char **argv) + } + } + } ++ else ++ { ++ j->request_length = 0; ++ j->http_request[0] = 0; ++ j->http_state = HTTP_STATE_REQUEST; ++ } + } + } + lloopend (listener_list, j); +diff -up gnutls-2.8.6/src/tests.c.reneg gnutls-2.8.6/src/tests.c +--- gnutls-2.8.6/src/tests.c.reneg 2009-06-02 20:59:32.000000000 +0200 ++++ gnutls-2.8.6/src/tests.c 2010-05-31 22:52:31.000000000 +0200 +@@ -45,6 +45,7 @@ extern int verbose; + int tls1_ok = 0; + int ssl3_ok = 0; + int tls1_1_ok = 0; ++int tls1_2_ok = 0; + + /* keep session info */ + static char *session_data = NULL; +@@ -103,158 +104,28 @@ do_handshake (gnutls_session_t session) + return TEST_SUCCEED; + } + +-static int protocol_priority[16] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; ++char protocol_str[] = "+VERS-TLS1.0:+VERS-SSL3.0"; ++char prio_str[256] = ""; + +-static const int kx_priority[16] = +- { GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, +- GNUTLS_KX_ANON_DH, +- GNUTLS_KX_RSA_EXPORT, 0 +-}; +- +-static const int cipher_priority[16] = +- { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128, +- GNUTLS_CIPHER_ARCFOUR_40, 0 +-}; +-static const int comp_priority[16] = { GNUTLS_COMP_NULL, 0 }; +-static const int mac_priority[16] = { GNUTLS_MAC_SHA1, GNUTLS_MAC_MD5, 0 }; +-static const int cert_type_priority[16] = { GNUTLS_CRT_X509, 0 }; +- +-#define ADD_ALL_CIPHERS(session) gnutls_cipher_set_priority(session, cipher_priority) +-#define ADD_ALL_COMP(session) gnutls_compression_set_priority(session, comp_priority) +-#define ADD_ALL_MACS(session) gnutls_mac_set_priority(session, mac_priority) +-#define ADD_ALL_KX(session) gnutls_kx_set_priority(session, kx_priority) +-#define ADD_ALL_PROTOCOLS(session) gnutls_protocol_set_priority(session, protocol_priority) +-#define ADD_ALL_CERTTYPES(session) gnutls_certificate_type_set_priority(session, cert_type_priority) +- +-static void +-ADD_KX (gnutls_session_t session, int kx) +-{ +- static int _kx_priority[] = { 0, 0 }; +- _kx_priority[0] = kx; +- +- gnutls_kx_set_priority (session, _kx_priority); +-} +- +-static void +-ADD_KX2 (gnutls_session_t session, int kx1, int kx2) +-{ +- static int _kx_priority[] = { 0, 0, 0 }; +- _kx_priority[0] = kx1; +- _kx_priority[1] = kx2; +- +- gnutls_kx_set_priority (session, _kx_priority); +-} +- +-static void +-ADD_CIPHER (gnutls_session_t session, int cipher) +-{ +- static int _cipher_priority[] = { 0, 0 }; +- _cipher_priority[0] = cipher; +- +- gnutls_cipher_set_priority (session, _cipher_priority); +-} +- +-static void +-ADD_CIPHER4 (gnutls_session_t session, int cipher1, int cipher2, int cipher3, +- int cipher4) +-{ +- static int _cipher_priority[] = { 0, 0, 0, 0, 0 }; +- _cipher_priority[0] = cipher1; +- _cipher_priority[1] = cipher2; +- _cipher_priority[2] = cipher3; +- _cipher_priority[3] = cipher4; +- +- gnutls_cipher_set_priority (session, _cipher_priority); +-} +- +-static void +-ADD_MAC (gnutls_session_t session, int mac) +-{ +- static int _mac_priority[] = { 0, 0 }; +- _mac_priority[0] = mac; +- +- gnutls_mac_set_priority (session, _mac_priority); +-} +- +-static void +-ADD_COMP (gnutls_session_t session, int c) +-{ +- static int _comp_priority[] = { 0, 0 }; +- _comp_priority[0] = c; +- +- gnutls_compression_set_priority (session, _comp_priority); +-} +- +-static void +-ADD_CERTTYPE (gnutls_session_t session, int ctype) +-{ +- static int _ct_priority[] = { 0, 0 }; +- _ct_priority[0] = ctype; +- +- gnutls_certificate_type_set_priority (session, _ct_priority); +-} +- +-static void +-ADD_PROTOCOL (gnutls_session_t session, int protocol) +-{ +- static int _proto_priority[] = { 0, 0 }; +- _proto_priority[0] = protocol; +- +- gnutls_protocol_set_priority (session, _proto_priority); +-} +- +-static void +-ADD_PROTOCOL3 (gnutls_session_t session, int p1, int p2, int p3) +-{ +- static int _proto_priority[] = { 0, 0, 0, 0 }; +- _proto_priority[0] = p1; +- _proto_priority[1] = p2; +- _proto_priority[2] = p3; +- +- gnutls_protocol_set_priority (session, _proto_priority); +-} +- +-#ifdef ENABLE_SRP +-static int srp_detected; +- +-int +-_test_srp_username_callback (gnutls_session_t session, +- char **username, char **password) +-{ +- srp_detected = 1; +- +- return -1; +-} +- +-test_code_t +-test_srp (gnutls_session_t session) +-{ +- int ret; +- +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- +- ADD_KX (session, GNUTLS_KX_SRP); +- srp_detected = 0; +- +- gnutls_srp_set_client_credentials_function (srp_cred, +- _test_srp_username_callback); +- +- gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred); +- +- ret = do_handshake (session); +- +- gnutls_srp_set_client_credentials_function (srp_cred, NULL); +- +- if (srp_detected != 0) +- return TEST_SUCCEED; +- else +- return TEST_FAILED; ++#define ALL_CIPHERS "+3DES-CBC:+ARCFOUR-128:+ARCFOUR-40" ++#define ALL_COMP "+COMP-NULL" ++#define ALL_MACS "+SHA1:+MD5" ++#define ALL_CERTTYPES "+CTYPE-X509" ++#define REST "%%UNSAFE_RENEGOTIATION" ++#define ALL_KX "+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+RSA-EXPORT" ++#define INIT_STR "NONE:" ++ ++static inline void _gnutls_priority_set_direct(gnutls_session_t session, const char* str) ++{ ++ const char* err; ++ int ret = gnutls_priority_set_direct(session, str, &err); ++ ++ if (ret < 0) ++ { ++ fprintf(stderr, "Error in %s\n", err); ++ exit(1); ++ } + } +-#endif + + test_code_t + test_server (gnutls_session_t session) +@@ -269,12 +140,8 @@ test_server (gnutls_session_t session) + + buf[sizeof (buf) - 1] = 0; + +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ sprintf(prio_str, ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + +@@ -318,13 +185,9 @@ test_export (gnutls_session_t session) + { + int ret; + +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); ++ sprintf(prio_str, "+ARCFOUR-40:+RSA-EXPORT:"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + +- ADD_KX (session, GNUTLS_KX_RSA_EXPORT); +- ADD_CIPHER (session, GNUTLS_CIPHER_ARCFOUR_40); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -348,13 +211,9 @@ test_export_info (gnutls_session_t sessi + if (verbose == 0 || export_true == 0) + return TEST_IGNORE; + +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); ++ sprintf(prio_str, "+ARCFOUR-40:+RSA-EXPORT:"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + +- ADD_KX (session, GNUTLS_KX_RSA_EXPORT); +- ADD_CIPHER (session, GNUTLS_CIPHER_ARCFOUR_40); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -395,13 +254,9 @@ test_dhe (gnutls_session_t session) + { + int ret; + +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); ++ sprintf(prio_str, ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":+DHE-RSA:+DHE-DSS:"REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + +- ADD_KX2 (session, GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -411,6 +266,37 @@ test_dhe (gnutls_session_t session) + return ret; + } + ++ ++test_code_t ++test_safe_renegotiation (gnutls_session_t session) ++{ ++ int ret; ++ ++ sprintf(prio_str, ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":%%INITIAL_SAFE_RENEGOTIATION", protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); ++ ++ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); ++ ++ ret = do_handshake (session); ++ ++ return ret; ++} ++ ++test_code_t ++test_safe_renegotiation_scsv (gnutls_session_t session) ++{ ++ int ret; ++ ++ sprintf(prio_str, ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":+VERS-SSL3.0:"ALL_MACS":"ALL_KX":%%INITIAL_SAFE_RENEGOTIATION"); ++ _gnutls_priority_set_direct (session, prio_str); ++ ++ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); ++ ++ ret = do_handshake (session); ++ ++ return ret; ++} ++ + test_code_t + test_dhe_group (gnutls_session_t session) + { +@@ -421,13 +307,8 @@ test_dhe_group (gnutls_session_t session + if (verbose == 0 || pubkey.data == NULL) + return TEST_IGNORE; + +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); ++ sprintf(prio_str, ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":+DHE-RSA:+DHE-DSS:"REST, protocol_str); + +- ADD_KX2 (session, GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -463,12 +344,9 @@ test_code_t + test_ssl3 (gnutls_session_t session) + { + int ret; +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_PROTOCOL (session, GNUTLS_SSL3); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ sprintf(prio_str, ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":+VERS-SSL3.0:"ALL_MACS":"ALL_KX":"REST); ++ _gnutls_priority_set_direct (session, prio_str); ++ + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -496,12 +374,9 @@ test_bye (gnutls_session_t session) + signal (SIGALRM, got_alarm); + #endif + +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ sprintf(prio_str, ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); ++ + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -548,12 +423,10 @@ test_code_t + test_aes (gnutls_session_t session) + { + int ret; +- ADD_CIPHER (session, GNUTLS_CIPHER_AES_128_CBC); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ ++ sprintf(prio_str, INIT_STR "+AES-128-CBC:"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST , protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); ++ + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -565,12 +438,10 @@ test_code_t + test_camellia (gnutls_session_t session) + { + int ret; +- ADD_CIPHER (session, GNUTLS_CIPHER_CAMELLIA_128_CBC); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ ++ sprintf(prio_str, INIT_STR "+CAMELLIA-128-CBC:"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); ++ + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -582,12 +453,10 @@ test_code_t + test_openpgp1 (gnutls_session_t session) + { + int ret; +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_CERTTYPE (session, GNUTLS_CRT_OPENPGP); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ ++ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":+CTYPE-OPENPGP:%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); ++ + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -604,18 +473,16 @@ test_code_t + test_unknown_ciphersuites (gnutls_session_t session) + { + int ret; ++ ++ + #ifdef ENABLE_CAMELLIA +- ADD_CIPHER4 (session, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_3DES_CBC, +- GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_CIPHER_ARCFOUR_128); ++ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + #else +- ADD_CIPHER4 (session, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_3DES_CBC, +- GNUTLS_CIPHER_ARCFOUR_128, 0); ++ sprintf(prio_str, INIT_STR "+AES-128-CBC:"ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + #endif +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -626,12 +493,10 @@ test_code_t + test_md5 (gnutls_session_t session) + { + int ret; +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_MAC (session, GNUTLS_MAC_MD5); +- ADD_ALL_KX (session); ++ ++ sprintf(prio_str, INIT_STR "+AES-128-CBC:"ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:+MD5:"ALL_KX":"REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); ++ + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -643,12 +508,10 @@ test_code_t + test_zlib (gnutls_session_t session) + { + int ret; +- ADD_ALL_CIPHERS (session); +- ADD_COMP (session, GNUTLS_COMP_ZLIB); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ ++ sprintf(prio_str, INIT_STR ALL_CIPHERS":+COMP-ZLIB:"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); ++ + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -657,34 +520,25 @@ test_zlib (gnutls_session_t session) + #endif + + test_code_t +-test_lzo (gnutls_session_t session) ++test_sha (gnutls_session_t session) + { + int ret; +- gnutls_handshake_set_private_extensions (session, 1); + +- ADD_ALL_CIPHERS (session); +- ADD_COMP (session, GNUTLS_COMP_LZO); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ sprintf(prio_str, INIT_STR "+AES-128-CBC:"ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:+SHA1:"ALL_KX":"REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +- + return ret; + } + + test_code_t +-test_sha (gnutls_session_t session) ++test_3des (gnutls_session_t session) + { + int ret; +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_MAC (session, GNUTLS_MAC_SHA1); +- ADD_ALL_KX (session); ++ ++ sprintf(prio_str, INIT_STR "+3DES-CBC:"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -692,15 +546,12 @@ test_sha (gnutls_session_t session) + } + + test_code_t +-test_3des (gnutls_session_t session) ++test_arcfour (gnutls_session_t session) + { + int ret; +- ADD_CIPHER (session, GNUTLS_CIPHER_3DES_CBC); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ ++ sprintf(prio_str, INIT_STR "+ARCFOUR-128:"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -708,15 +559,13 @@ test_3des (gnutls_session_t session) + } + + test_code_t +-test_arcfour (gnutls_session_t session) ++test_arcfour_40 (gnutls_session_t session) + { + int ret; +- ADD_CIPHER (session, GNUTLS_CIPHER_ARCFOUR_128); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ ++ sprintf(prio_str, INIT_STR "+ARCFOUR-40:"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":""+RSA-EXPORT"":"REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); ++ + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -724,36 +573,36 @@ test_arcfour (gnutls_session_t session) + } + + test_code_t +-test_arcfour_40 (gnutls_session_t session) ++test_tls1 (gnutls_session_t session) + { + int ret; +- ADD_CIPHER (session, GNUTLS_CIPHER_ARCFOUR_40); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ ++ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":+VERS-TLS1.0:"ALL_MACS":"ALL_KX":"REST); ++ _gnutls_priority_set_direct (session, prio_str); ++ + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); ++ if (ret == TEST_SUCCEED) ++ tls1_ok = 1; ++ + return ret; ++ + } + + test_code_t +-test_tls1 (gnutls_session_t session) ++test_tls1_2 (gnutls_session_t session) + { + int ret; +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_PROTOCOL (session, GNUTLS_TLS1); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ ++ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":+VERS-TLS1.2:"ALL_MACS":"ALL_KX":"REST); ++ _gnutls_priority_set_direct (session, prio_str); ++ + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); + if (ret == TEST_SUCCEED) +- tls1_ok = 1; ++ tls1_2_ok = 1; + + return ret; + +@@ -763,12 +612,10 @@ test_code_t + test_tls1_1 (gnutls_session_t session) + { + int ret; +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_PROTOCOL (session, GNUTLS_TLS1_1); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ ++ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":+VERS-TLS1.1:"ALL_MACS":"ALL_KX":"REST); ++ _gnutls_priority_set_direct (session, prio_str); ++ + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -786,12 +633,9 @@ test_tls1_1_fallback (gnutls_session_t s + if (tls1_1_ok) + return TEST_IGNORE; + +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_PROTOCOL3 (session, GNUTLS_TLS1_1, GNUTLS_TLS1, GNUTLS_SSL3); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0:"ALL_MACS":"ALL_KX":"REST); ++ _gnutls_priority_set_direct (session, prio_str); ++ + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -817,12 +661,9 @@ test_tls_disable (gnutls_session_t sessi + if (tls1_ok != 0) + return TEST_IGNORE; + +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); ++ + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -831,8 +672,7 @@ test_tls_disable (gnutls_session_t sessi + /* disable TLS 1.0 */ + if (ssl3_ok != 0) + { +- protocol_priority[0] = GNUTLS_SSL3; +- protocol_priority[1] = 0; ++ strcpy(protocol_str, "+VERS-SSL3.0"); + } + } + return ret; +@@ -849,12 +689,8 @@ test_rsa_pms (gnutls_session_t session) + * If the server is old, buggy and only supports + * SSL 3.0 then the handshake will fail. + */ +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_KX (session, GNUTLS_KX_RSA); ++ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":+RSA:"REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); +@@ -870,12 +706,8 @@ test_code_t + test_max_record_size (gnutls_session_t session) + { + int ret; +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + gnutls_record_set_max_size (session, 512); + +@@ -894,12 +726,9 @@ test_code_t + test_hello_extension (gnutls_session_t session) + { + int ret; +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ ++ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + gnutls_record_set_max_size (session, 512); + +@@ -925,12 +754,8 @@ test_version_rollback (gnutls_session_t + * attacks which allow a version downgrade) and this + * connection will fail. + */ +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + _gnutls_record_set_default_version (session, 3, 0); + +@@ -955,12 +780,8 @@ test_version_oob (gnutls_session_t sessi + /* here we enable both SSL 3.0 and TLS 1.0 + * and we connect using a 5.5 record version. + */ +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + _gnutls_record_set_default_version (session, 5, 5); + +@@ -980,12 +801,8 @@ test_rsa_pms_version_check (gnutls_sessi + * + * A normal server would abort this handshake. + */ +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + _gnutls_rsa_pms_set_version (session, 5, 5); /* use SSL 5.5 version */ + +@@ -1000,12 +817,8 @@ test_anonymous (gnutls_session_t session + { + int ret; + +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_KX (session, GNUTLS_KX_ANON_DH); ++ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":+ANON-DH:"REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + gnutls_credentials_set (session, GNUTLS_CRD_ANON, anon_cred); + + ret = do_handshake (session); +@@ -1027,12 +840,8 @@ test_session_resume2 (gnutls_session_t s + if (session == NULL) + return TEST_IGNORE; + +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + gnutls_credentials_set (session, GNUTLS_CRD_ANON, anon_cred); +@@ -1074,12 +883,8 @@ test_certificate (gnutls_session_t sessi + if (verbose == 0) + return TEST_IGNORE; + +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + +@@ -1143,12 +948,8 @@ test_server_cas (gnutls_session_t sessio + if (verbose == 0) + return TEST_IGNORE; + +- ADD_ALL_CIPHERS (session); +- ADD_ALL_COMP (session); +- ADD_ALL_CERTTYPES (session); +- ADD_ALL_PROTOCOLS (session); +- ADD_ALL_MACS (session); +- ADD_ALL_KX (session); ++ sprintf(prio_str, INIT_STR ALL_CIPHERS":"ALL_COMP":"ALL_CERTTYPES":%s:"ALL_MACS":"ALL_KX":"REST, protocol_str); ++ _gnutls_priority_set_direct (session, prio_str); + + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + gnutls_certificate_client_set_retrieve_function (xcred, cert_callback); +diff -up gnutls-2.8.6/src/tests.h.reneg gnutls-2.8.6/src/tests.h +--- gnutls-2.8.6/src/tests.h.reneg 2009-06-02 20:59:32.000000000 +0200 ++++ gnutls-2.8.6/src/tests.h 2010-05-31 22:52:31.000000000 +0200 +@@ -3,7 +3,6 @@ typedef enum + TEST_SUCCEED, TEST_FAILED, TEST_UNSURE, TEST_IGNORE + } test_code_t; + +-test_code_t test_srp (gnutls_session_t state); + test_code_t test_server (gnutls_session_t state); + test_code_t test_export (gnutls_session_t state); + test_code_t test_export_info (gnutls_session_t state); +@@ -21,7 +20,10 @@ test_code_t test_3des (gnutls_session_t + test_code_t test_arcfour (gnutls_session_t state); + test_code_t test_arcfour_40 (gnutls_session_t state); + test_code_t test_tls1 (gnutls_session_t state); ++test_code_t test_safe_renegotiation (gnutls_session_t state); ++test_code_t test_safe_renegotiation_scsv (gnutls_session_t state); + test_code_t test_tls1_1 (gnutls_session_t state); ++test_code_t test_tls1_2 (gnutls_session_t state); + test_code_t test_tls1_1_fallback (gnutls_session_t state); + test_code_t test_tls_disable (gnutls_session_t state); + test_code_t test_rsa_pms (gnutls_session_t state); +@@ -37,6 +39,5 @@ test_code_t test_session_resume2 (gnutls + test_code_t test_rsa_pms_version_check (gnutls_session_t session); + test_code_t test_version_oob (gnutls_session_t session); + test_code_t test_zlib (gnutls_session_t session); +-test_code_t test_lzo (gnutls_session_t session); + int _test_srp_username_callback (gnutls_session_t session, + char **username, char **password); +diff -up gnutls-2.8.6/src/tls_test.c.reneg gnutls-2.8.6/src/tls_test.c +--- gnutls-2.8.6/src/tls_test.c.reneg 2009-06-02 20:59:32.000000000 +0200 ++++ gnutls-2.8.6/src/tls_test.c 2010-05-31 22:52:31.000000000 +0200 +@@ -79,6 +79,9 @@ typedef struct + } TLS_TEST; + + static const TLS_TEST tls_tests[] = { ++ {"for Safe renegotiation support", test_safe_renegotiation, "yes", "no", "dunno"}, ++ {"for Safe renegotiation support (SCSV)", test_safe_renegotiation_scsv, "yes", "no", "dunno"}, ++ {"for TLS 1.2 support", test_tls1_2, "yes", "no", "dunno"}, + {"for TLS 1.1 support", test_tls1_1, "yes", "no", "dunno"}, + {"fallback from TLS 1.1 to", test_tls1_1_fallback, "TLS 1.0", "failed", + "SSL 3.0"}, +@@ -139,14 +142,8 @@ static const TLS_TEST tls_tests[] = { + {"for ZLIB compression support (TLS extension)", test_zlib, "yes", + "no", "dunno"}, + #endif +- {"for LZO compression support (GnuTLS extension)", test_lzo, "yes", +- "no", "dunno"}, + {"for max record size (TLS extension)", test_max_record_size, "yes", + "no", "dunno"}, +-#ifdef ENABLE_SRP +- {"for SRP authentication support (TLS extension)", test_srp, "yes", +- "no", "dunno"}, +-#endif + {"for OpenPGP authentication support (TLS extension)", test_openpgp1, + "yes", "no", "dunno"}, + {NULL, NULL, NULL, NULL, NULL} +@@ -233,7 +230,7 @@ main (int argc, char **argv) + + /* if neither of SSL3 and TLSv1 are supported, exit + */ +- if (i > 3 && tls1_1_ok == 0 && tls1_ok == 0 && ssl3_ok == 0) ++ if (i > 6 && tls1_1_ok == 0 && tls1_ok == 0 && ssl3_ok == 0) + { + fprintf (stderr, + "\nServer does not support any of SSL 3.0, TLS 1.0 and TLS 1.1\n"); +diff -up gnutls-2.8.6/tests/Makefile.in.reneg gnutls-2.8.6/tests/Makefile.in +--- gnutls-2.8.6/tests/Makefile.in.reneg 2010-03-15 11:29:22.000000000 +0100 ++++ gnutls-2.8.6/tests/Makefile.in 2010-05-31 22:52:31.000000000 +0200 +@@ -422,7 +422,7 @@ CTAGS = ctags + am__tty_colors = \ + red=; grn=; lgn=; blu=; std= + DIST_SUBDIRS = . rsa-md5-collision pkcs1-padding pkcs8-decode \ +- pkcs12-decode userid pathlen key-id sha2 openpgp-certs ++ pkcs12-decode userid pathlen key-id sha2 openpgp-certs safe-renegotiation + DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) + am__relativize = \ + dir0=`pwd`; \ +@@ -972,7 +972,7 @@ top_build_prefix = @top_build_prefix@ + top_builddir = @top_builddir@ + top_srcdir = @top_srcdir@ + SUBDIRS = . rsa-md5-collision pkcs1-padding pkcs8-decode pkcs12-decode \ +- userid pathlen key-id sha2 $(am__append_1) ++ userid pathlen key-id sha2 safe-renegotiation $(am__append_1) + EXTRA_DIST = libgcrypt.supp hostname-check.README + AM_CFLAGS = $(WARN_CFLAGS) $(WERROR_CFLAGS) + AM_CPPFLAGS = -I$(top_srcdir)/gl -I$(top_builddir)/gl \ +diff -up gnutls-2.8.6/tests/resume.c.reneg gnutls-2.8.6/tests/resume.c +--- gnutls-2.8.6/tests/resume.c.reneg 2009-06-02 20:59:32.000000000 +0200 ++++ gnutls-2.8.6/tests/resume.c 2010-05-31 22:52:31.000000000 +0200 +@@ -47,6 +47,8 @@ static int wrap_db_store (void *dbf, gnu + static gnutls_datum_t wrap_db_fetch (void *dbf, gnutls_datum_t key); + static int wrap_db_delete (void *dbf, gnutls_datum_t key); + ++pid_t child; ++ + #define TLS_SESSION_CACHE 50 + + /* A very basic TLS client, with anonymous authentication. +@@ -56,6 +58,12 @@ static int wrap_db_delete (void *dbf, gn + #define MSG "Hello TLS" + + static void ++tls_log_func (int level, const char *str) ++{ ++ fprintf (stderr, "%s |<%d>| %s", child ? "server" : "client", level, str); ++} ++ ++static void + client (void) + { + int ret, sd, ii; +@@ -70,6 +78,11 @@ client (void) + int t; + gnutls_datum session_data; + ++ if (debug) ++ { ++ gnutls_global_set_log_function (tls_log_func); ++ gnutls_global_set_log_level (2); ++ } + gnutls_global_init (); + + gnutls_anon_allocate_client_credentials (&anoncred); +@@ -298,8 +311,13 @@ server (void) + + /* this must be called once in the program, it is mostly for the server. + */ +- gnutls_global_init (); ++ if (debug) ++ { ++ gnutls_global_set_log_function (tls_log_func); ++ gnutls_global_set_log_level (2); ++ } + ++ gnutls_global_init (); + gnutls_anon_allocate_server_credentials (&anoncred); + + success ("Launched, generating DH parameters...\n"); +@@ -385,8 +403,6 @@ server (void) + void + doit (void) + { +- pid_t child; +- + global_start (); + if (error_count) + return; +diff -up gnutls-2.8.6/tests/safe-renegotiation/Makefile.am.reneg gnutls-2.8.6/tests/safe-renegotiation/Makefile.am +--- gnutls-2.8.6/tests/safe-renegotiation/Makefile.am.reneg 2010-05-31 22:52:31.000000000 +0200 ++++ gnutls-2.8.6/tests/safe-renegotiation/Makefile.am 2010-05-31 22:52:31.000000000 +0200 +@@ -0,0 +1,24 @@ ++## Process this file with automake to produce Makefile.in ++# Copyright (C) 2010 Free Software Foundation ++# ++# This file is part of GNUTLS. ++# ++# This file is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by ++# the Free Software Foundation; either version 3 of the License, or ++# (at your option) any later version. ++# ++# This file is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this file; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ++ ++EXTRA_DIST = params.dh ++ ++dist_check_SCRIPTS = testsrn ++TESTS = testsrn ++ +diff -up gnutls-2.8.6/tests/safe-renegotiation/Makefile.in.reneg gnutls-2.8.6/tests/safe-renegotiation/Makefile.in +--- gnutls-2.8.6/tests/safe-renegotiation/Makefile.in.reneg 2010-05-31 22:52:31.000000000 +0200 ++++ gnutls-2.8.6/tests/safe-renegotiation/Makefile.in 2010-05-31 22:52:31.000000000 +0200 +@@ -0,0 +1,937 @@ ++# Makefile.in generated by automake 1.11.1 from Makefile.am. ++# @configure_input@ ++ ++# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, ++# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, ++# Inc. ++# This Makefile.in is free software; the Free Software Foundation ++# gives unlimited permission to copy and/or distribute it, ++# with or without modifications, as long as this notice is preserved. ++ ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY, to the extent permitted by law; without ++# even the implied warranty of MERCHANTABILITY or FITNESS FOR A ++# PARTICULAR PURPOSE. ++ ++@SET_MAKE@ ++ ++# Copyright (C) 2006, 2008 Free Software Foundation ++# ++# Author: Simon Josefsson ++# ++# This file is part of GNUTLS. ++# ++# This file is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by ++# the Free Software Foundation; either version 3 of the License, or ++# (at your option) any later version. ++# ++# This file is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this file; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ++VPATH = @srcdir@ ++pkgdatadir = $(datadir)/@PACKAGE@ ++pkgincludedir = $(includedir)/@PACKAGE@ ++pkglibdir = $(libdir)/@PACKAGE@ ++pkglibexecdir = $(libexecdir)/@PACKAGE@ ++am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd ++install_sh_DATA = $(install_sh) -c -m 644 ++install_sh_PROGRAM = $(install_sh) -c ++install_sh_SCRIPT = $(install_sh) -c ++INSTALL_HEADER = $(INSTALL_DATA) ++transform = $(program_transform_name) ++NORMAL_INSTALL = : ++PRE_INSTALL = : ++POST_INSTALL = : ++NORMAL_UNINSTALL = : ++PRE_UNINSTALL = : ++POST_UNINSTALL = : ++build_triplet = @build@ ++host_triplet = @host@ ++subdir = tests/safe-renegotiation ++DIST_COMMON = $(dist_check_SCRIPTS) $(srcdir)/Makefile.am \ ++ $(srcdir)/Makefile.in ++ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 ++am__aclocal_m4_deps = $(top_srcdir)/libextra/m4/hooks.m4 \ ++ $(top_srcdir)/lib/m4/hooks.m4 $(top_srcdir)/lib/gl/m4/po.m4 \ ++ $(top_srcdir)/gl/m4/00gnulib.m4 $(top_srcdir)/gl/m4/alloca.m4 \ ++ $(top_srcdir)/gl/m4/arpa_inet_h.m4 \ ++ $(top_srcdir)/gl/m4/autobuild.m4 $(top_srcdir)/gl/m4/close.m4 \ ++ $(top_srcdir)/gl/m4/errno_h.m4 $(top_srcdir)/gl/m4/error.m4 \ ++ $(top_srcdir)/gl/m4/extensions.m4 \ ++ $(top_srcdir)/gl/m4/fclose.m4 $(top_srcdir)/gl/m4/float_h.m4 \ ++ $(top_srcdir)/gl/m4/fseeko.m4 \ ++ $(top_srcdir)/gl/m4/getaddrinfo.m4 \ ++ $(top_srcdir)/gl/m4/getdelim.m4 $(top_srcdir)/gl/m4/getline.m4 \ ++ $(top_srcdir)/gl/m4/getpass.m4 \ ++ $(top_srcdir)/gl/m4/gettimeofday.m4 \ ++ $(top_srcdir)/gl/m4/gnulib-common.m4 \ ++ $(top_srcdir)/gl/m4/gnulib-comp.m4 \ ++ $(top_srcdir)/gl/m4/hostent.m4 \ ++ $(top_srcdir)/gl/m4/include_next.m4 \ ++ $(top_srcdir)/gl/m4/inet_ntop.m4 \ ++ $(top_srcdir)/gl/m4/inet_pton.m4 \ ++ $(top_srcdir)/gl/m4/intmax_t.m4 \ ++ $(top_srcdir)/gl/m4/inttypes_h.m4 \ ++ $(top_srcdir)/gl/m4/lib-ld.m4 $(top_srcdir)/gl/m4/lib-link.m4 \ ++ $(top_srcdir)/gl/m4/lib-prefix.m4 \ ++ $(top_srcdir)/gl/m4/longlong.m4 $(top_srcdir)/gl/m4/lseek.m4 \ ++ $(top_srcdir)/gl/m4/malloc.m4 \ ++ $(top_srcdir)/gl/m4/manywarnings.m4 \ ++ $(top_srcdir)/gl/m4/minmax.m4 $(top_srcdir)/gl/m4/multiarch.m4 \ ++ $(top_srcdir)/gl/m4/netdb_h.m4 \ ++ $(top_srcdir)/gl/m4/netinet_in_h.m4 \ ++ $(top_srcdir)/gl/m4/onceonly_2_57.m4 \ ++ $(top_srcdir)/gl/m4/perror.m4 \ ++ $(top_srcdir)/gl/m4/pmccabe2html.m4 \ ++ $(top_srcdir)/gl/m4/printf.m4 $(top_srcdir)/gl/m4/read-file.m4 \ ++ $(top_srcdir)/gl/m4/readline.m4 $(top_srcdir)/gl/m4/realloc.m4 \ ++ $(top_srcdir)/gl/m4/select.m4 $(top_srcdir)/gl/m4/servent.m4 \ ++ $(top_srcdir)/gl/m4/size_max.m4 \ ++ $(top_srcdir)/gl/m4/snprintf.m4 $(top_srcdir)/gl/m4/sockets.m4 \ ++ $(top_srcdir)/gl/m4/socklen.m4 $(top_srcdir)/gl/m4/sockpfaf.m4 \ ++ $(top_srcdir)/gl/m4/stdarg.m4 $(top_srcdir)/gl/m4/stdbool.m4 \ ++ $(top_srcdir)/gl/m4/stdint.m4 $(top_srcdir)/gl/m4/stdint_h.m4 \ ++ $(top_srcdir)/gl/m4/stdio_h.m4 $(top_srcdir)/gl/m4/stdlib_h.m4 \ ++ $(top_srcdir)/gl/m4/strerror.m4 \ ++ $(top_srcdir)/gl/m4/string_h.m4 \ ++ $(top_srcdir)/gl/m4/sys_ioctl_h.m4 \ ++ $(top_srcdir)/gl/m4/sys_select_h.m4 \ ++ $(top_srcdir)/gl/m4/sys_socket_h.m4 \ ++ $(top_srcdir)/gl/m4/sys_stat_h.m4 \ ++ $(top_srcdir)/gl/m4/sys_time_h.m4 \ ++ $(top_srcdir)/gl/m4/ungetc.m4 $(top_srcdir)/gl/m4/unistd_h.m4 \ ++ $(top_srcdir)/gl/m4/vasnprintf.m4 \ ++ $(top_srcdir)/gl/m4/warnings.m4 $(top_srcdir)/gl/m4/wchar.m4 \ ++ $(top_srcdir)/gl/m4/wchar_t.m4 $(top_srcdir)/gl/m4/wint_t.m4 \ ++ $(top_srcdir)/gl/m4/xsize.m4 $(top_srcdir)/m4/gtk-doc.m4 \ ++ $(top_srcdir)/m4/guile.m4 $(top_srcdir)/m4/libtool.m4 \ ++ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ ++ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ ++ $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/m4/valgrind.m4 \ ++ $(top_srcdir)/configure.ac ++am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ ++ $(ACLOCAL_M4) ++mkinstalldirs = $(install_sh) -d ++CONFIG_HEADER = $(top_builddir)/config.h ++CONFIG_CLEAN_FILES = ++CONFIG_CLEAN_VPATH_FILES = ++SOURCES = ++DIST_SOURCES = ++am__tty_colors = \ ++red=; grn=; lgn=; blu=; std= ++DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ++ACLOCAL = @ACLOCAL@ ++ALLOCA = @ALLOCA@ ++ALLOCA_H = @ALLOCA_H@ ++AMTAR = @AMTAR@ ++APPLE_UNIVERSAL_BUILD = @APPLE_UNIVERSAL_BUILD@ ++AR = @AR@ ++ARPA_INET_H = @ARPA_INET_H@ ++AS = @AS@ ++AUTOCONF = @AUTOCONF@ ++AUTOHEADER = @AUTOHEADER@ ++AUTOMAKE = @AUTOMAKE@ ++AWK = @AWK@ ++BITSIZEOF_PTRDIFF_T = @BITSIZEOF_PTRDIFF_T@ ++BITSIZEOF_SIG_ATOMIC_T = @BITSIZEOF_SIG_ATOMIC_T@ ++BITSIZEOF_SIZE_T = @BITSIZEOF_SIZE_T@ ++BITSIZEOF_WCHAR_T = @BITSIZEOF_WCHAR_T@ ++BITSIZEOF_WINT_T = @BITSIZEOF_WINT_T@ ++CC = @CC@ ++CCDEPMODE = @CCDEPMODE@ ++CFLAGS = @CFLAGS@ ++CPP = @CPP@ ++CPPFLAGS = @CPPFLAGS@ ++CXX = @CXX@ ++CXXCPP = @CXXCPP@ ++CXXDEPMODE = @CXXDEPMODE@ ++CXXFLAGS = @CXXFLAGS@ ++CYGPATH_W = @CYGPATH_W@ ++DEFS = @DEFS@ ++DEPDIR = @DEPDIR@ ++DLLTOOL = @DLLTOOL@ ++DLL_VERSION = @DLL_VERSION@ ++DSYMUTIL = @DSYMUTIL@ ++DUMPBIN = @DUMPBIN@ ++ECHO_C = @ECHO_C@ ++ECHO_N = @ECHO_N@ ++ECHO_T = @ECHO_T@ ++EGREP = @EGREP@ ++EMULTIHOP_HIDDEN = @EMULTIHOP_HIDDEN@ ++EMULTIHOP_VALUE = @EMULTIHOP_VALUE@ ++ENOLINK_HIDDEN = @ENOLINK_HIDDEN@ ++ENOLINK_VALUE = @ENOLINK_VALUE@ ++EOVERFLOW_HIDDEN = @EOVERFLOW_HIDDEN@ ++EOVERFLOW_VALUE = @EOVERFLOW_VALUE@ ++ERRNO_H = @ERRNO_H@ ++EXEEXT = @EXEEXT@ ++FGREP = @FGREP@ ++FLOAT_H = @FLOAT_H@ ++GAA = @GAA@ ++GETADDRINFO_LIB = @GETADDRINFO_LIB@ ++GNULIB_ACCEPT = @GNULIB_ACCEPT@ ++GNULIB_ATOLL = @GNULIB_ATOLL@ ++GNULIB_BIND = @GNULIB_BIND@ ++GNULIB_BTOWC = @GNULIB_BTOWC@ ++GNULIB_CALLOC_POSIX = @GNULIB_CALLOC_POSIX@ ++GNULIB_CHOWN = @GNULIB_CHOWN@ ++GNULIB_CLOSE = @GNULIB_CLOSE@ ++GNULIB_CONNECT = @GNULIB_CONNECT@ ++GNULIB_DPRINTF = @GNULIB_DPRINTF@ ++GNULIB_DUP2 = @GNULIB_DUP2@ ++GNULIB_ENVIRON = @GNULIB_ENVIRON@ ++GNULIB_EUIDACCESS = @GNULIB_EUIDACCESS@ ++GNULIB_FCHDIR = @GNULIB_FCHDIR@ ++GNULIB_FCLOSE = @GNULIB_FCLOSE@ ++GNULIB_FFLUSH = @GNULIB_FFLUSH@ ++GNULIB_FOPEN = @GNULIB_FOPEN@ ++GNULIB_FPRINTF = @GNULIB_FPRINTF@ ++GNULIB_FPRINTF_POSIX = @GNULIB_FPRINTF_POSIX@ ++GNULIB_FPUTC = @GNULIB_FPUTC@ ++GNULIB_FPUTS = @GNULIB_FPUTS@ ++GNULIB_FREOPEN = @GNULIB_FREOPEN@ ++GNULIB_FSEEK = @GNULIB_FSEEK@ ++GNULIB_FSEEKO = @GNULIB_FSEEKO@ ++GNULIB_FSYNC = @GNULIB_FSYNC@ ++GNULIB_FTELL = @GNULIB_FTELL@ ++GNULIB_FTELLO = @GNULIB_FTELLO@ ++GNULIB_FTRUNCATE = @GNULIB_FTRUNCATE@ ++GNULIB_FWRITE = @GNULIB_FWRITE@ ++GNULIB_GETADDRINFO = @GNULIB_GETADDRINFO@ ++GNULIB_GETCWD = @GNULIB_GETCWD@ ++GNULIB_GETDELIM = @GNULIB_GETDELIM@ ++GNULIB_GETDOMAINNAME = @GNULIB_GETDOMAINNAME@ ++GNULIB_GETDTABLESIZE = @GNULIB_GETDTABLESIZE@ ++GNULIB_GETHOSTNAME = @GNULIB_GETHOSTNAME@ ++GNULIB_GETLINE = @GNULIB_GETLINE@ ++GNULIB_GETLOADAVG = @GNULIB_GETLOADAVG@ ++GNULIB_GETLOGIN_R = @GNULIB_GETLOGIN_R@ ++GNULIB_GETPAGESIZE = @GNULIB_GETPAGESIZE@ ++GNULIB_GETPEERNAME = @GNULIB_GETPEERNAME@ ++GNULIB_GETSOCKNAME = @GNULIB_GETSOCKNAME@ ++GNULIB_GETSOCKOPT = @GNULIB_GETSOCKOPT@ ++GNULIB_GETSUBOPT = @GNULIB_GETSUBOPT@ ++GNULIB_GETUSERSHELL = @GNULIB_GETUSERSHELL@ ++GNULIB_INET_NTOP = @GNULIB_INET_NTOP@ ++GNULIB_INET_PTON = @GNULIB_INET_PTON@ ++GNULIB_IOCTL = @GNULIB_IOCTL@ ++GNULIB_LCHMOD = @GNULIB_LCHMOD@ ++GNULIB_LCHOWN = @GNULIB_LCHOWN@ ++GNULIB_LINK = @GNULIB_LINK@ ++GNULIB_LISTEN = @GNULIB_LISTEN@ ++GNULIB_LSEEK = @GNULIB_LSEEK@ ++GNULIB_LSTAT = @GNULIB_LSTAT@ ++GNULIB_MALLOC_POSIX = @GNULIB_MALLOC_POSIX@ ++GNULIB_MBRLEN = @GNULIB_MBRLEN@ ++GNULIB_MBRTOWC = @GNULIB_MBRTOWC@ ++GNULIB_MBSCASECMP = @GNULIB_MBSCASECMP@ ++GNULIB_MBSCASESTR = @GNULIB_MBSCASESTR@ ++GNULIB_MBSCHR = @GNULIB_MBSCHR@ ++GNULIB_MBSCSPN = @GNULIB_MBSCSPN@ ++GNULIB_MBSINIT = @GNULIB_MBSINIT@ ++GNULIB_MBSLEN = @GNULIB_MBSLEN@ ++GNULIB_MBSNCASECMP = @GNULIB_MBSNCASECMP@ ++GNULIB_MBSNLEN = @GNULIB_MBSNLEN@ ++GNULIB_MBSNRTOWCS = @GNULIB_MBSNRTOWCS@ ++GNULIB_MBSPBRK = @GNULIB_MBSPBRK@ ++GNULIB_MBSPCASECMP = @GNULIB_MBSPCASECMP@ ++GNULIB_MBSRCHR = @GNULIB_MBSRCHR@ ++GNULIB_MBSRTOWCS = @GNULIB_MBSRTOWCS@ ++GNULIB_MBSSEP = @GNULIB_MBSSEP@ ++GNULIB_MBSSPN = @GNULIB_MBSSPN@ ++GNULIB_MBSSTR = @GNULIB_MBSSTR@ ++GNULIB_MBSTOK_R = @GNULIB_MBSTOK_R@ ++GNULIB_MEMMEM = @GNULIB_MEMMEM@ ++GNULIB_MEMPCPY = @GNULIB_MEMPCPY@ ++GNULIB_MEMRCHR = @GNULIB_MEMRCHR@ ++GNULIB_MKDTEMP = @GNULIB_MKDTEMP@ ++GNULIB_MKSTEMP = @GNULIB_MKSTEMP@ ++GNULIB_OBSTACK_PRINTF = @GNULIB_OBSTACK_PRINTF@ ++GNULIB_OBSTACK_PRINTF_POSIX = @GNULIB_OBSTACK_PRINTF_POSIX@ ++GNULIB_PERROR = @GNULIB_PERROR@ ++GNULIB_PRINTF = @GNULIB_PRINTF@ ++GNULIB_PRINTF_POSIX = @GNULIB_PRINTF_POSIX@ ++GNULIB_PUTC = @GNULIB_PUTC@ ++GNULIB_PUTCHAR = @GNULIB_PUTCHAR@ ++GNULIB_PUTENV = @GNULIB_PUTENV@ ++GNULIB_PUTS = @GNULIB_PUTS@ ++GNULIB_RANDOM_R = @GNULIB_RANDOM_R@ ++GNULIB_RAWMEMCHR = @GNULIB_RAWMEMCHR@ ++GNULIB_READLINK = @GNULIB_READLINK@ ++GNULIB_REALLOC_POSIX = @GNULIB_REALLOC_POSIX@ ++GNULIB_RECV = @GNULIB_RECV@ ++GNULIB_RECVFROM = @GNULIB_RECVFROM@ ++GNULIB_RPMATCH = @GNULIB_RPMATCH@ ++GNULIB_SELECT = @GNULIB_SELECT@ ++GNULIB_SEND = @GNULIB_SEND@ ++GNULIB_SENDTO = @GNULIB_SENDTO@ ++GNULIB_SETENV = @GNULIB_SETENV@ ++GNULIB_SETSOCKOPT = @GNULIB_SETSOCKOPT@ ++GNULIB_SHUTDOWN = @GNULIB_SHUTDOWN@ ++GNULIB_SLEEP = @GNULIB_SLEEP@ ++GNULIB_SNPRINTF = @GNULIB_SNPRINTF@ ++GNULIB_SOCKET = @GNULIB_SOCKET@ ++GNULIB_SPRINTF_POSIX = @GNULIB_SPRINTF_POSIX@ ++GNULIB_STDIO_H_SIGPIPE = @GNULIB_STDIO_H_SIGPIPE@ ++GNULIB_STPCPY = @GNULIB_STPCPY@ ++GNULIB_STPNCPY = @GNULIB_STPNCPY@ ++GNULIB_STRCASESTR = @GNULIB_STRCASESTR@ ++GNULIB_STRCHRNUL = @GNULIB_STRCHRNUL@ ++GNULIB_STRDUP = @GNULIB_STRDUP@ ++GNULIB_STRERROR = @GNULIB_STRERROR@ ++GNULIB_STRNDUP = @GNULIB_STRNDUP@ ++GNULIB_STRNLEN = @GNULIB_STRNLEN@ ++GNULIB_STRPBRK = @GNULIB_STRPBRK@ ++GNULIB_STRSEP = @GNULIB_STRSEP@ ++GNULIB_STRSIGNAL = @GNULIB_STRSIGNAL@ ++GNULIB_STRSTR = @GNULIB_STRSTR@ ++GNULIB_STRTOD = @GNULIB_STRTOD@ ++GNULIB_STRTOK_R = @GNULIB_STRTOK_R@ ++GNULIB_STRTOLL = @GNULIB_STRTOLL@ ++GNULIB_STRTOULL = @GNULIB_STRTOULL@ ++GNULIB_STRVERSCMP = @GNULIB_STRVERSCMP@ ++GNULIB_UNISTD_H_SIGPIPE = @GNULIB_UNISTD_H_SIGPIPE@ ++GNULIB_UNSETENV = @GNULIB_UNSETENV@ ++GNULIB_VASPRINTF = @GNULIB_VASPRINTF@ ++GNULIB_VDPRINTF = @GNULIB_VDPRINTF@ ++GNULIB_VFPRINTF = @GNULIB_VFPRINTF@ ++GNULIB_VFPRINTF_POSIX = @GNULIB_VFPRINTF_POSIX@ ++GNULIB_VPRINTF = @GNULIB_VPRINTF@ ++GNULIB_VPRINTF_POSIX = @GNULIB_VPRINTF_POSIX@ ++GNULIB_VSNPRINTF = @GNULIB_VSNPRINTF@ ++GNULIB_VSPRINTF_POSIX = @GNULIB_VSPRINTF_POSIX@ ++GNULIB_WCRTOMB = @GNULIB_WCRTOMB@ ++GNULIB_WCSNRTOMBS = @GNULIB_WCSNRTOMBS@ ++GNULIB_WCSRTOMBS = @GNULIB_WCSRTOMBS@ ++GNULIB_WCTOB = @GNULIB_WCTOB@ ++GNULIB_WCWIDTH = @GNULIB_WCWIDTH@ ++GNULIB_WRITE = @GNULIB_WRITE@ ++GREP = @GREP@ ++GTKDOC_CHECK = @GTKDOC_CHECK@ ++GTKDOC_MKPDF = @GTKDOC_MKPDF@ ++GTKDOC_REBASE = @GTKDOC_REBASE@ ++GUILE = @GUILE@ ++GUILE_CFLAGS = @GUILE_CFLAGS@ ++GUILE_CONFIG = @GUILE_CONFIG@ ++GUILE_LDFLAGS = @GUILE_LDFLAGS@ ++GUILE_SITE = @GUILE_SITE@ ++GUILE_TOOLS = @GUILE_TOOLS@ ++HAVE_ARPA_INET_H = @HAVE_ARPA_INET_H@ ++HAVE_ATOLL = @HAVE_ATOLL@ ++HAVE_BTOWC = @HAVE_BTOWC@ ++HAVE_CALLOC_POSIX = @HAVE_CALLOC_POSIX@ ++HAVE_DECL_ENVIRON = @HAVE_DECL_ENVIRON@ ++HAVE_DECL_FREEADDRINFO = @HAVE_DECL_FREEADDRINFO@ ++HAVE_DECL_GAI_STRERROR = @HAVE_DECL_GAI_STRERROR@ ++HAVE_DECL_GETADDRINFO = @HAVE_DECL_GETADDRINFO@ ++HAVE_DECL_GETDELIM = @HAVE_DECL_GETDELIM@ ++HAVE_DECL_GETLINE = @HAVE_DECL_GETLINE@ ++HAVE_DECL_GETLOADAVG = @HAVE_DECL_GETLOADAVG@ ++HAVE_DECL_GETLOGIN_R = @HAVE_DECL_GETLOGIN_R@ ++HAVE_DECL_GETNAMEINFO = @HAVE_DECL_GETNAMEINFO@ ++HAVE_DECL_INET_NTOP = @HAVE_DECL_INET_NTOP@ ++HAVE_DECL_INET_PTON = @HAVE_DECL_INET_PTON@ ++HAVE_DECL_MEMMEM = @HAVE_DECL_MEMMEM@ ++HAVE_DECL_MEMRCHR = @HAVE_DECL_MEMRCHR@ ++HAVE_DECL_OBSTACK_PRINTF = @HAVE_DECL_OBSTACK_PRINTF@ ++HAVE_DECL_SNPRINTF = @HAVE_DECL_SNPRINTF@ ++HAVE_DECL_STRDUP = @HAVE_DECL_STRDUP@ ++HAVE_DECL_STRERROR = @HAVE_DECL_STRERROR@ ++HAVE_DECL_STRNDUP = @HAVE_DECL_STRNDUP@ ++HAVE_DECL_STRNLEN = @HAVE_DECL_STRNLEN@ ++HAVE_DECL_STRSIGNAL = @HAVE_DECL_STRSIGNAL@ ++HAVE_DECL_STRTOK_R = @HAVE_DECL_STRTOK_R@ ++HAVE_DECL_VSNPRINTF = @HAVE_DECL_VSNPRINTF@ ++HAVE_DECL_WCTOB = @HAVE_DECL_WCTOB@ ++HAVE_DECL_WCWIDTH = @HAVE_DECL_WCWIDTH@ ++HAVE_DPRINTF = @HAVE_DPRINTF@ ++HAVE_DUP2 = @HAVE_DUP2@ ++HAVE_EUIDACCESS = @HAVE_EUIDACCESS@ ++HAVE_FSEEKO = @HAVE_FSEEKO@ ++HAVE_FSYNC = @HAVE_FSYNC@ ++HAVE_FTELLO = @HAVE_FTELLO@ ++HAVE_FTRUNCATE = @HAVE_FTRUNCATE@ ++HAVE_GETDOMAINNAME = @HAVE_GETDOMAINNAME@ ++HAVE_GETDTABLESIZE = @HAVE_GETDTABLESIZE@ ++HAVE_GETHOSTNAME = @HAVE_GETHOSTNAME@ ++HAVE_GETPAGESIZE = @HAVE_GETPAGESIZE@ ++HAVE_GETSUBOPT = @HAVE_GETSUBOPT@ ++HAVE_GETUSERSHELL = @HAVE_GETUSERSHELL@ ++HAVE_INTTYPES_H = @HAVE_INTTYPES_H@ ++HAVE_LCHMOD = @HAVE_LCHMOD@ ++HAVE_LIBGCRYPT = @HAVE_LIBGCRYPT@ ++HAVE_LIBTASN1 = @HAVE_LIBTASN1@ ++HAVE_LINK = @HAVE_LINK@ ++HAVE_LONG_LONG_INT = @HAVE_LONG_LONG_INT@ ++HAVE_LSTAT = @HAVE_LSTAT@ ++HAVE_MALLOC_POSIX = @HAVE_MALLOC_POSIX@ ++HAVE_MBRLEN = @HAVE_MBRLEN@ ++HAVE_MBRTOWC = @HAVE_MBRTOWC@ ++HAVE_MBSINIT = @HAVE_MBSINIT@ ++HAVE_MBSNRTOWCS = @HAVE_MBSNRTOWCS@ ++HAVE_MBSRTOWCS = @HAVE_MBSRTOWCS@ ++HAVE_MEMPCPY = @HAVE_MEMPCPY@ ++HAVE_MKDTEMP = @HAVE_MKDTEMP@ ++HAVE_NETDB_H = @HAVE_NETDB_H@ ++HAVE_NETINET_IN_H = @HAVE_NETINET_IN_H@ ++HAVE_OS_H = @HAVE_OS_H@ ++HAVE_RANDOM_H = @HAVE_RANDOM_H@ ++HAVE_RANDOM_R = @HAVE_RANDOM_R@ ++HAVE_RAWMEMCHR = @HAVE_RAWMEMCHR@ ++HAVE_READLINK = @HAVE_READLINK@ ++HAVE_REALLOC_POSIX = @HAVE_REALLOC_POSIX@ ++HAVE_RPMATCH = @HAVE_RPMATCH@ ++HAVE_SA_FAMILY_T = @HAVE_SA_FAMILY_T@ ++HAVE_SETENV = @HAVE_SETENV@ ++HAVE_SIGNED_SIG_ATOMIC_T = @HAVE_SIGNED_SIG_ATOMIC_T@ ++HAVE_SIGNED_WCHAR_T = @HAVE_SIGNED_WCHAR_T@ ++HAVE_SIGNED_WINT_T = @HAVE_SIGNED_WINT_T@ ++HAVE_SLEEP = @HAVE_SLEEP@ ++HAVE_STDINT_H = @HAVE_STDINT_H@ ++HAVE_STPCPY = @HAVE_STPCPY@ ++HAVE_STPNCPY = @HAVE_STPNCPY@ ++HAVE_STRCASESTR = @HAVE_STRCASESTR@ ++HAVE_STRCHRNUL = @HAVE_STRCHRNUL@ ++HAVE_STRNDUP = @HAVE_STRNDUP@ ++HAVE_STRPBRK = @HAVE_STRPBRK@ ++HAVE_STRSEP = @HAVE_STRSEP@ ++HAVE_STRTOD = @HAVE_STRTOD@ ++HAVE_STRTOLL = @HAVE_STRTOLL@ ++HAVE_STRTOULL = @HAVE_STRTOULL@ ++HAVE_STRUCT_ADDRINFO = @HAVE_STRUCT_ADDRINFO@ ++HAVE_STRUCT_RANDOM_DATA = @HAVE_STRUCT_RANDOM_DATA@ ++HAVE_STRUCT_SOCKADDR_STORAGE = @HAVE_STRUCT_SOCKADDR_STORAGE@ ++HAVE_STRUCT_TIMEVAL = @HAVE_STRUCT_TIMEVAL@ ++HAVE_STRVERSCMP = @HAVE_STRVERSCMP@ ++HAVE_SYS_BITYPES_H = @HAVE_SYS_BITYPES_H@ ++HAVE_SYS_INTTYPES_H = @HAVE_SYS_INTTYPES_H@ ++HAVE_SYS_IOCTL_H = @HAVE_SYS_IOCTL_H@ ++HAVE_SYS_LOADAVG_H = @HAVE_SYS_LOADAVG_H@ ++HAVE_SYS_PARAM_H = @HAVE_SYS_PARAM_H@ ++HAVE_SYS_SELECT_H = @HAVE_SYS_SELECT_H@ ++HAVE_SYS_SOCKET_H = @HAVE_SYS_SOCKET_H@ ++HAVE_SYS_TIME_H = @HAVE_SYS_TIME_H@ ++HAVE_SYS_TYPES_H = @HAVE_SYS_TYPES_H@ ++HAVE_UNISTD_H = @HAVE_UNISTD_H@ ++HAVE_UNSETENV = @HAVE_UNSETENV@ ++HAVE_UNSIGNED_LONG_LONG_INT = @HAVE_UNSIGNED_LONG_LONG_INT@ ++HAVE_VASPRINTF = @HAVE_VASPRINTF@ ++HAVE_VDPRINTF = @HAVE_VDPRINTF@ ++HAVE_WCHAR_H = @HAVE_WCHAR_H@ ++HAVE_WCRTOMB = @HAVE_WCRTOMB@ ++HAVE_WCSNRTOMBS = @HAVE_WCSNRTOMBS@ ++HAVE_WCSRTOMBS = @HAVE_WCSRTOMBS@ ++HAVE_WINSOCK2_H = @HAVE_WINSOCK2_H@ ++HAVE_WINT_T = @HAVE_WINT_T@ ++HAVE_WS2TCPIP_H = @HAVE_WS2TCPIP_H@ ++HAVE__BOOL = @HAVE__BOOL@ ++HOSTENT_LIB = @HOSTENT_LIB@ ++HTML_DIR = @HTML_DIR@ ++INCLUDE_NEXT = @INCLUDE_NEXT@ ++INCLUDE_NEXT_AS_FIRST_DIRECTIVE = @INCLUDE_NEXT_AS_FIRST_DIRECTIVE@ ++INET_NTOP_LIB = @INET_NTOP_LIB@ ++INET_PTON_LIB = @INET_PTON_LIB@ ++INSTALL = @INSTALL@ ++INSTALL_DATA = @INSTALL_DATA@ ++INSTALL_PROGRAM = @INSTALL_PROGRAM@ ++INSTALL_SCRIPT = @INSTALL_SCRIPT@ ++INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ ++LD = @LD@ ++LDFLAGS = @LDFLAGS@ ++LIBGCRYPT = @LIBGCRYPT@ ++LIBGCRYPT_PREFIX = @LIBGCRYPT_PREFIX@ ++LIBINTL = @LIBINTL@ ++LIBOBJS = @LIBOBJS@ ++LIBREADLINE = @LIBREADLINE@ ++LIBS = @LIBS@ ++LIBSOCKET = @LIBSOCKET@ ++LIBTASN1 = @LIBTASN1@ ++LIBTASN1_PREFIX = @LIBTASN1_PREFIX@ ++LIBTESTS_LIBDEPS = @LIBTESTS_LIBDEPS@ ++LIBTOOL = @LIBTOOL@ ++LIPO = @LIPO@ ++LN_S = @LN_S@ ++LTALLOCA = @LTALLOCA@ ++LTLIBGCRYPT = @LTLIBGCRYPT@ ++LTLIBINTL = @LTLIBINTL@ ++LTLIBOBJS = @LTLIBOBJS@ ++LTLIBREADLINE = @LTLIBREADLINE@ ++LTLIBTASN1 = @LTLIBTASN1@ ++LT_AGE = @LT_AGE@ ++LT_CURRENT = @LT_CURRENT@ ++LT_REVISION = @LT_REVISION@ ++LZO_LIBS = @LZO_LIBS@ ++MAKEINFO = @MAKEINFO@ ++MKDIR_P = @MKDIR_P@ ++NETDB_H = @NETDB_H@ ++NETINET_IN_H = @NETINET_IN_H@ ++NEXT_ARPA_INET_H = @NEXT_ARPA_INET_H@ ++NEXT_ERRNO_H = @NEXT_ERRNO_H@ ++NEXT_FLOAT_H = @NEXT_FLOAT_H@ ++NEXT_NETDB_H = @NEXT_NETDB_H@ ++NEXT_NETINET_IN_H = @NEXT_NETINET_IN_H@ ++NEXT_STDARG_H = @NEXT_STDARG_H@ ++NEXT_STDINT_H = @NEXT_STDINT_H@ ++NEXT_STDIO_H = @NEXT_STDIO_H@ ++NEXT_STDLIB_H = @NEXT_STDLIB_H@ ++NEXT_STRING_H = @NEXT_STRING_H@ ++NEXT_SYS_IOCTL_H = @NEXT_SYS_IOCTL_H@ ++NEXT_SYS_SELECT_H = @NEXT_SYS_SELECT_H@ ++NEXT_SYS_SOCKET_H = @NEXT_SYS_SOCKET_H@ ++NEXT_SYS_STAT_H = @NEXT_SYS_STAT_H@ ++NEXT_SYS_TIME_H = @NEXT_SYS_TIME_H@ ++NEXT_UNISTD_H = @NEXT_UNISTD_H@ ++NEXT_WCHAR_H = @NEXT_WCHAR_H@ ++NM = @NM@ ++NMEDIT = @NMEDIT@ ++OBJDUMP = @OBJDUMP@ ++OBJEXT = @OBJEXT@ ++OTOOL = @OTOOL@ ++OTOOL64 = @OTOOL64@ ++PACKAGE = @PACKAGE@ ++PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ ++PACKAGE_NAME = @PACKAGE_NAME@ ++PACKAGE_STRING = @PACKAGE_STRING@ ++PACKAGE_TARNAME = @PACKAGE_TARNAME@ ++PACKAGE_URL = @PACKAGE_URL@ ++PACKAGE_VERSION = @PACKAGE_VERSION@ ++PATH_SEPARATOR = @PATH_SEPARATOR@ ++PKG_CONFIG = @PKG_CONFIG@ ++PMCCABE = @PMCCABE@ ++PRAGMA_SYSTEM_HEADER = @PRAGMA_SYSTEM_HEADER@ ++PTRDIFF_T_SUFFIX = @PTRDIFF_T_SUFFIX@ ++RANLIB = @RANLIB@ ++REPLACE_BTOWC = @REPLACE_BTOWC@ ++REPLACE_CHOWN = @REPLACE_CHOWN@ ++REPLACE_CLOSE = @REPLACE_CLOSE@ ++REPLACE_DPRINTF = @REPLACE_DPRINTF@ ++REPLACE_FCHDIR = @REPLACE_FCHDIR@ ++REPLACE_FCLOSE = @REPLACE_FCLOSE@ ++REPLACE_FFLUSH = @REPLACE_FFLUSH@ ++REPLACE_FOPEN = @REPLACE_FOPEN@ ++REPLACE_FPRINTF = @REPLACE_FPRINTF@ ++REPLACE_FREOPEN = @REPLACE_FREOPEN@ ++REPLACE_FSEEK = @REPLACE_FSEEK@ ++REPLACE_FSEEKO = @REPLACE_FSEEKO@ ++REPLACE_FTELL = @REPLACE_FTELL@ ++REPLACE_FTELLO = @REPLACE_FTELLO@ ++REPLACE_GETCWD = @REPLACE_GETCWD@ ++REPLACE_GETLINE = @REPLACE_GETLINE@ ++REPLACE_GETPAGESIZE = @REPLACE_GETPAGESIZE@ ++REPLACE_GETTIMEOFDAY = @REPLACE_GETTIMEOFDAY@ ++REPLACE_LCHOWN = @REPLACE_LCHOWN@ ++REPLACE_LSEEK = @REPLACE_LSEEK@ ++REPLACE_LSTAT = @REPLACE_LSTAT@ ++REPLACE_MBRLEN = @REPLACE_MBRLEN@ ++REPLACE_MBRTOWC = @REPLACE_MBRTOWC@ ++REPLACE_MBSINIT = @REPLACE_MBSINIT@ ++REPLACE_MBSNRTOWCS = @REPLACE_MBSNRTOWCS@ ++REPLACE_MBSRTOWCS = @REPLACE_MBSRTOWCS@ ++REPLACE_MBSTATE_T = @REPLACE_MBSTATE_T@ ++REPLACE_MEMMEM = @REPLACE_MEMMEM@ ++REPLACE_MKDIR = @REPLACE_MKDIR@ ++REPLACE_MKSTEMP = @REPLACE_MKSTEMP@ ++REPLACE_OBSTACK_PRINTF = @REPLACE_OBSTACK_PRINTF@ ++REPLACE_PERROR = @REPLACE_PERROR@ ++REPLACE_PRINTF = @REPLACE_PRINTF@ ++REPLACE_PUTENV = @REPLACE_PUTENV@ ++REPLACE_SELECT = @REPLACE_SELECT@ ++REPLACE_SNPRINTF = @REPLACE_SNPRINTF@ ++REPLACE_SPRINTF = @REPLACE_SPRINTF@ ++REPLACE_STDIO_WRITE_FUNCS = @REPLACE_STDIO_WRITE_FUNCS@ ++REPLACE_STRCASESTR = @REPLACE_STRCASESTR@ ++REPLACE_STRDUP = @REPLACE_STRDUP@ ++REPLACE_STRERROR = @REPLACE_STRERROR@ ++REPLACE_STRSIGNAL = @REPLACE_STRSIGNAL@ ++REPLACE_STRSTR = @REPLACE_STRSTR@ ++REPLACE_STRTOD = @REPLACE_STRTOD@ ++REPLACE_VASPRINTF = @REPLACE_VASPRINTF@ ++REPLACE_VDPRINTF = @REPLACE_VDPRINTF@ ++REPLACE_VFPRINTF = @REPLACE_VFPRINTF@ ++REPLACE_VPRINTF = @REPLACE_VPRINTF@ ++REPLACE_VSNPRINTF = @REPLACE_VSNPRINTF@ ++REPLACE_VSPRINTF = @REPLACE_VSPRINTF@ ++REPLACE_WCRTOMB = @REPLACE_WCRTOMB@ ++REPLACE_WCSNRTOMBS = @REPLACE_WCSNRTOMBS@ ++REPLACE_WCSRTOMBS = @REPLACE_WCSRTOMBS@ ++REPLACE_WCTOB = @REPLACE_WCTOB@ ++REPLACE_WCWIDTH = @REPLACE_WCWIDTH@ ++REPLACE_WRITE = @REPLACE_WRITE@ ++SED = @SED@ ++SERVENT_LIB = @SERVENT_LIB@ ++SET_MAKE = @SET_MAKE@ ++SHELL = @SHELL@ ++SIG_ATOMIC_T_SUFFIX = @SIG_ATOMIC_T_SUFFIX@ ++SIZE_T_SUFFIX = @SIZE_T_SUFFIX@ ++STDARG_H = @STDARG_H@ ++STDBOOL_H = @STDBOOL_H@ ++STDINT_H = @STDINT_H@ ++STRIP = @STRIP@ ++SYS_IOCTL_H = @SYS_IOCTL_H@ ++SYS_IOCTL_H_HAVE_WINSOCK2_H = @SYS_IOCTL_H_HAVE_WINSOCK2_H@ ++SYS_SELECT_H = @SYS_SELECT_H@ ++SYS_SOCKET_H = @SYS_SOCKET_H@ ++SYS_STAT_H = @SYS_STAT_H@ ++SYS_TIME_H = @SYS_TIME_H@ ++UNISTD_H_HAVE_WINSOCK2_H = @UNISTD_H_HAVE_WINSOCK2_H@ ++VALGRIND = @VALGRIND@ ++VERSION = @VERSION@ ++VOID_UNSETENV = @VOID_UNSETENV@ ++WARN_CFLAGS = @WARN_CFLAGS@ ++WCHAR_H = @WCHAR_H@ ++WCHAR_T_SUFFIX = @WCHAR_T_SUFFIX@ ++WERROR_CFLAGS = @WERROR_CFLAGS@ ++WINT_T_SUFFIX = @WINT_T_SUFFIX@ ++abs_aux_dir = @abs_aux_dir@ ++abs_builddir = @abs_builddir@ ++abs_srcdir = @abs_srcdir@ ++abs_top_builddir = @abs_top_builddir@ ++abs_top_srcdir = @abs_top_srcdir@ ++ac_ct_CC = @ac_ct_CC@ ++ac_ct_CXX = @ac_ct_CXX@ ++ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ ++am__include = @am__include@ ++am__leading_dot = @am__leading_dot@ ++am__quote = @am__quote@ ++am__tar = @am__tar@ ++am__untar = @am__untar@ ++bindir = @bindir@ ++build = @build@ ++build_alias = @build_alias@ ++build_cpu = @build_cpu@ ++build_os = @build_os@ ++build_vendor = @build_vendor@ ++builddir = @builddir@ ++datadir = @datadir@ ++datarootdir = @datarootdir@ ++docdir = @docdir@ ++dvidir = @dvidir@ ++exec_prefix = @exec_prefix@ ++gl_LIBOBJS = @gl_LIBOBJS@ ++gl_LTLIBOBJS = @gl_LTLIBOBJS@ ++gltests_LIBOBJS = @gltests_LIBOBJS@ ++gltests_LTLIBOBJS = @gltests_LTLIBOBJS@ ++guile_snarf = @guile_snarf@ ++host = @host@ ++host_alias = @host_alias@ ++host_cpu = @host_cpu@ ++host_os = @host_os@ ++host_vendor = @host_vendor@ ++htmldir = @htmldir@ ++includedir = @includedir@ ++infodir = @infodir@ ++install_sh = @install_sh@ ++libdir = @libdir@ ++libexecdir = @libexecdir@ ++localedir = @localedir@ ++localstatedir = @localstatedir@ ++lt_ECHO = @lt_ECHO@ ++mandir = @mandir@ ++mkdir_p = @mkdir_p@ ++oldincludedir = @oldincludedir@ ++pdfdir = @pdfdir@ ++prefix = @prefix@ ++program_transform_name = @program_transform_name@ ++psdir = @psdir@ ++sbindir = @sbindir@ ++sharedstatedir = @sharedstatedir@ ++srcdir = @srcdir@ ++subdirs = @subdirs@ ++sysconfdir = @sysconfdir@ ++target_alias = @target_alias@ ++top_build_prefix = @top_build_prefix@ ++top_builddir = @top_builddir@ ++top_srcdir = @top_srcdir@ ++EXTRA_DIST = params.dh ++dist_check_SCRIPTS = testsrn ++TESTS = testsrn ++TESTS_ENVIRONMENT = EXEEXT=$(EXEEXT) ++all: all-am ++ ++.SUFFIXES: ++$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) ++ @for dep in $?; do \ ++ case '$(am__configure_deps)' in \ ++ *$$dep*) \ ++ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ ++ && { if test -f $@; then exit 0; else break; fi; }; \ ++ exit 1;; \ ++ esac; \ ++ done; \ ++ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu tests/safe-renegotiation/Makefile'; \ ++ $(am__cd) $(top_srcdir) && \ ++ $(AUTOMAKE) --gnu tests/safe-renegotiation/Makefile ++.PRECIOUS: Makefile ++Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status ++ @case '$?' in \ ++ *config.status*) \ ++ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ ++ *) \ ++ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ ++ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ ++ esac; ++ ++$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) ++ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ++ ++$(top_srcdir)/configure: $(am__configure_deps) ++ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ++$(ACLOCAL_M4): $(am__aclocal_m4_deps) ++ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ++$(am__aclocal_m4_deps): ++ ++mostlyclean-libtool: ++ -rm -f *.lo ++ ++clean-libtool: ++ -rm -rf .libs _libs ++tags: TAGS ++TAGS: ++ ++ctags: CTAGS ++CTAGS: ++ ++ ++check-TESTS: $(TESTS) ++ @failed=0; all=0; xfail=0; xpass=0; skip=0; \ ++ srcdir=$(srcdir); export srcdir; \ ++ list=' $(TESTS) '; \ ++ $(am__tty_colors); \ ++ if test -n "$$list"; then \ ++ for tst in $$list; do \ ++ if test -f ./$$tst; then dir=./; \ ++ elif test -f $$tst; then dir=; \ ++ else dir="$(srcdir)/"; fi; \ ++ if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ ++ all=`expr $$all + 1`; \ ++ case " $(XFAIL_TESTS) " in \ ++ *[\ \ ]$$tst[\ \ ]*) \ ++ xpass=`expr $$xpass + 1`; \ ++ failed=`expr $$failed + 1`; \ ++ col=$$red; res=XPASS; \ ++ ;; \ ++ *) \ ++ col=$$grn; res=PASS; \ ++ ;; \ ++ esac; \ ++ elif test $$? -ne 77; then \ ++ all=`expr $$all + 1`; \ ++ case " $(XFAIL_TESTS) " in \ ++ *[\ \ ]$$tst[\ \ ]*) \ ++ xfail=`expr $$xfail + 1`; \ ++ col=$$lgn; res=XFAIL; \ ++ ;; \ ++ *) \ ++ failed=`expr $$failed + 1`; \ ++ col=$$red; res=FAIL; \ ++ ;; \ ++ esac; \ ++ else \ ++ skip=`expr $$skip + 1`; \ ++ col=$$blu; res=SKIP; \ ++ fi; \ ++ echo "$${col}$$res$${std}: $$tst"; \ ++ done; \ ++ if test "$$all" -eq 1; then \ ++ tests="test"; \ ++ All=""; \ ++ else \ ++ tests="tests"; \ ++ All="All "; \ ++ fi; \ ++ if test "$$failed" -eq 0; then \ ++ if test "$$xfail" -eq 0; then \ ++ banner="$$All$$all $$tests passed"; \ ++ else \ ++ if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \ ++ banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \ ++ fi; \ ++ else \ ++ if test "$$xpass" -eq 0; then \ ++ banner="$$failed of $$all $$tests failed"; \ ++ else \ ++ if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \ ++ banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \ ++ fi; \ ++ fi; \ ++ dashes="$$banner"; \ ++ skipped=""; \ ++ if test "$$skip" -ne 0; then \ ++ if test "$$skip" -eq 1; then \ ++ skipped="($$skip test was not run)"; \ ++ else \ ++ skipped="($$skip tests were not run)"; \ ++ fi; \ ++ test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ ++ dashes="$$skipped"; \ ++ fi; \ ++ report=""; \ ++ if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ ++ report="Please report to $(PACKAGE_BUGREPORT)"; \ ++ test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ ++ dashes="$$report"; \ ++ fi; \ ++ dashes=`echo "$$dashes" | sed s/./=/g`; \ ++ if test "$$failed" -eq 0; then \ ++ echo "$$grn$$dashes"; \ ++ else \ ++ echo "$$red$$dashes"; \ ++ fi; \ ++ echo "$$banner"; \ ++ test -z "$$skipped" || echo "$$skipped"; \ ++ test -z "$$report" || echo "$$report"; \ ++ echo "$$dashes$$std"; \ ++ test "$$failed" -eq 0; \ ++ else :; fi ++ ++distdir: $(DISTFILES) ++ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ ++ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ ++ list='$(DISTFILES)'; \ ++ dist_files=`for file in $$list; do echo $$file; done | \ ++ sed -e "s|^$$srcdirstrip/||;t" \ ++ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ ++ case $$dist_files in \ ++ */*) $(MKDIR_P) `echo "$$dist_files" | \ ++ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ ++ sort -u` ;; \ ++ esac; \ ++ for file in $$dist_files; do \ ++ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ ++ if test -d $$d/$$file; then \ ++ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ ++ if test -d "$(distdir)/$$file"; then \ ++ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ ++ fi; \ ++ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ ++ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ ++ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ ++ fi; \ ++ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ ++ else \ ++ test -f "$(distdir)/$$file" \ ++ || cp -p $$d/$$file "$(distdir)/$$file" \ ++ || exit 1; \ ++ fi; \ ++ done ++check-am: all-am ++ $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) ++ $(MAKE) $(AM_MAKEFLAGS) check-TESTS ++check: check-am ++all-am: Makefile ++installdirs: ++install: install-am ++install-exec: install-exec-am ++install-data: install-data-am ++uninstall: uninstall-am ++ ++install-am: all-am ++ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am ++ ++installcheck: installcheck-am ++install-strip: ++ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ ++ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ ++ `test -z '$(STRIP)' || \ ++ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install ++mostlyclean-generic: ++ ++clean-generic: ++ ++distclean-generic: ++ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) ++ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) ++ ++maintainer-clean-generic: ++ @echo "This command is intended for maintainers to use" ++ @echo "it deletes files that may require special tools to rebuild." ++clean: clean-am ++ ++clean-am: clean-generic clean-libtool mostlyclean-am ++ ++distclean: distclean-am ++ -rm -f Makefile ++distclean-am: clean-am distclean-generic ++ ++dvi: dvi-am ++ ++dvi-am: ++ ++html: html-am ++ ++html-am: ++ ++info: info-am ++ ++info-am: ++ ++install-data-am: ++ ++install-dvi: install-dvi-am ++ ++install-dvi-am: ++ ++install-exec-am: ++ ++install-html: install-html-am ++ ++install-html-am: ++ ++install-info: install-info-am ++ ++install-info-am: ++ ++install-man: ++ ++install-pdf: install-pdf-am ++ ++install-pdf-am: ++ ++install-ps: install-ps-am ++ ++install-ps-am: ++ ++installcheck-am: ++ ++maintainer-clean: maintainer-clean-am ++ -rm -f Makefile ++maintainer-clean-am: distclean-am maintainer-clean-generic ++ ++mostlyclean: mostlyclean-am ++ ++mostlyclean-am: mostlyclean-generic mostlyclean-libtool ++ ++pdf: pdf-am ++ ++pdf-am: ++ ++ps: ps-am ++ ++ps-am: ++ ++uninstall-am: ++ ++.MAKE: check-am install-am install-strip ++ ++.PHONY: all all-am check check-TESTS check-am clean clean-generic \ ++ clean-libtool distclean distclean-generic distclean-libtool \ ++ distdir dvi dvi-am html html-am info info-am install \ ++ install-am install-data install-data-am install-dvi \ ++ install-dvi-am install-exec install-exec-am install-html \ ++ install-html-am install-info install-info-am install-man \ ++ install-pdf install-pdf-am install-ps install-ps-am \ ++ install-strip installcheck installcheck-am installdirs \ ++ maintainer-clean maintainer-clean-generic mostlyclean \ ++ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ ++ uninstall uninstall-am ++ ++ ++# Tell versions [3.59,3.63) of GNU make to not export all variables. ++# Otherwise a system limit (for SysV at least) may be exceeded. ++.NOEXPORT: +diff -up gnutls-2.8.6/tests/safe-renegotiation/params.dh.reneg gnutls-2.8.6/tests/safe-renegotiation/params.dh +--- gnutls-2.8.6/tests/safe-renegotiation/params.dh.reneg 2010-05-31 22:52:31.000000000 +0200 ++++ gnutls-2.8.6/tests/safe-renegotiation/params.dh 2010-05-31 22:52:31.000000000 +0200 +@@ -0,0 +1,35 @@ ++ ++Generator: 05 ++ ++Prime: c9:e9:2d:fc:94:15:1a:10:4f:3c:b5:16 ++ 7e:34:10:7d:eb:3d:d5:7d:61:ff:b0:ce ++ da:7f:6e:0c:ea:db:b4:87:f6:c6:34:a8 ++ 3c:f8:84:52:14:59:ab:17:5c:d0:f0:86 ++ c4:02:93:dc:09:83:57:16:98:21:d0:42 ++ 8e:33:fc:48:69:e6:04:0d:4e:50:09:33 ++ 2e:28:60:4f:05:08:7c:ce:2f:a6:1a:4c ++ 41:d1:a3:dd:f6:37:56:44:1d:b0:54:af ++ f7:4a:a0:c2:19:5d:ce:62:b0:7a:1b:e1 ++ 5c:7f:bb:4d:7e:9e:28:48:00:a4:9a:86 ++ 3e:6e:6e:9c:57:41:c7:ec:bf:7f:09:fc ++ da:25:c2:1e:e0:52:dc:65:8c:40:a3:6e ++ bd:99:4e:0b:1a:04:e0:23:20:46:5a:d0 ++ 3f:b3:a4:d6:76:73:b7:cc:61:33:11:54 ++ a6:32:ff:94:08:d5:66:36:fd:99:69:21 ++ cc:28:5d:11:52:32:48:b6:a5:b5:c3:b0 ++ 21:3f:f9:69:25:83:b1:3d:79:a6:ed:ae ++ db:95:62:fc:72:ca:ad:46:fc:b6:b1:ea ++ 98:68:97:ba:f2:54:aa:86:ed:62:b1:78 ++ 5f:d5:19:80:ce:41:ee:98:a1:71:9f:fa ++ 5b:6b:d8:5e:7e:b3:18:0a:f0:4c:96:76 ++ 6c:0c:b0:a3 ++ ++ ++-----BEGIN DH PARAMETERS----- ++MIIBCAKCAQEAyekt/JQVGhBPPLUWfjQQfes91X1h/7DO2n9uDOrbtIf2xjSoPPiE ++UhRZqxdc0PCGxAKT3AmDVxaYIdBCjjP8SGnmBA1OUAkzLihgTwUIfM4vphpMQdGj ++3fY3VkQdsFSv90qgwhldzmKwehvhXH+7TX6eKEgApJqGPm5unFdBx+y/fwn82iXC ++HuBS3GWMQKNuvZlOCxoE4CMgRlrQP7Ok1nZzt8xhMxFUpjL/lAjVZjb9mWkhzChd ++EVIySLaltcOwIT/5aSWDsT15pu2u25Vi/HLKrUb8trHqmGiXuvJUqobtYrF4X9UZ ++gM5B7pihcZ/6W2vYXn6zGArwTJZ2bAywowIBBQ== ++-----END DH PARAMETERS----- +diff -up gnutls-2.8.6/tests/safe-renegotiation/testsrn.reneg gnutls-2.8.6/tests/safe-renegotiation/testsrn +--- gnutls-2.8.6/tests/safe-renegotiation/testsrn.reneg 2010-05-31 22:52:31.000000000 +0200 ++++ gnutls-2.8.6/tests/safe-renegotiation/testsrn 2010-06-02 10:23:35.000000000 +0200 +@@ -0,0 +1,103 @@ ++#!/bin/sh ++ ++# Copyright (C) 2010 Free Software Foundation ++# ++# Author: Nikos Mavrogiannopoulos ++# ++# This file is part of GNUTLS. ++# ++# GNUTLS is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by the ++# Free Software Foundation; either version 3 of the License, or (at ++# your option) any later version. ++# ++# GNUTLS is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with GNUTLS; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ++ ++srcdir="${srcdir:-.}" ++SERV="${SERV:-../../src/gnutls-serv$EXEEXT} -q" ++CLI="${CLI:-../../src/gnutls-cli$EXEEXT}" ++PORT="${PORT:-5558}" ++unset RETCODE ++ ++fail() { ++ echo "Failure: $1" >&2 ++ RETCODE=${RETCODE:-${2:-1}} ++} ++ ++echo "Checking Safe renegotiation" ++ ++$SERV -p $PORT --echo --priority NORMAL:+ANON-DH:%PARTIAL_RENEGOTIATION --dhparams $srcdir/params.dh >/dev/null 2>&1 & ++pid=$! ++ ++# give the server a chance to initialize ++sleep 2 ++ ++$CLI -p $PORT 127.0.0.1 --rehandshake --priority NONE:+AES-128-CBC:+MD5:+SHA1:+VERS-SSL3.0:+ANON-DH:+COMP-NULL:%SAFE_RENEGOTIATION /dev/null 2>&1 || \ ++ fail "0. Renegotiation should have succeeded!" ++ ++$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION /dev/null 2>&1 || \ ++ fail "1. Safe rehandshake should have succeeded!" ++ ++$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION /dev/null 2>&1 || \ ++ fail "2. Unsafe rehandshake should have succeeded!" ++ ++$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 || \ ++ fail "3. Unsafe negotiation should have succeeded!" ++ ++$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 && \ ++ fail "4. Unsafe renegotiation should have failed!" ++ ++ ++kill $pid ++wait ++ ++$SERV -p $PORT --echo --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION --dhparams $srcdir/params.dh >/dev/null 2>&1 & ++pid=$! ++ ++# give the server a chance to initialize ++sleep 2 ++ ++$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION /dev/null 2>&1 || \ ++ fail "5. Safe rehandshake should have succeeded!" ++ ++$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION /dev/null 2>&1 || \ ++ fail "6. Unsafe rehandshake should have succeeded!" ++ ++$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 && \ ++ fail "7. Unsafe negotiation should have failed!" ++ ++$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 && \ ++ fail "8. Unsafe renegotiation should have failed!" ++ ++kill $pid ++wait ++ ++$SERV -p $PORT --echo --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION --dhparams $srcdir/params.dh >/dev/null 2>&1 & ++pid=$! ++ ++# give the server a chance to initialize ++sleep 2 ++ ++$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION /dev/null 2>&1 && \ ++ fail "9. Initial connection should have failed!" ++ ++$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION /dev/null 2>&1 || \ ++ fail "10. Unsafe connection should have succeeded!" ++ ++$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 || \ ++ fail "11. Unsafe negotiation should have succeeded!" ++ ++$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION /dev/null 2>&1 || \ ++ fail "12. Unsafe renegotiation should have succeeded!" ++ ++kill $pid ++wait ++ ++exit ${RETCODE:-0} +diff -up gnutls-2.8.6/tests/simple.c.reneg gnutls-2.8.6/tests/simple.c +--- gnutls-2.8.6/tests/simple.c.reneg 2009-06-02 20:59:32.000000000 +0200 ++++ gnutls-2.8.6/tests/simple.c 2010-05-31 22:52:31.000000000 +0200 +@@ -50,7 +50,7 @@ doit (void) + + for (i = 0; algs[i]; i++) + { +- printf ("pk_list[%d] = %d = %s = %d\n", i, algs[i], ++ printf ("pk_list[%d] = %d = %s = %d\n", (int)i, algs[i], + gnutls_pk_algorithm_get_name (algs[i]), + gnutls_pk_get_id (gnutls_pk_algorithm_get_name (algs[i]))); + if (gnutls_pk_get_id (gnutls_pk_algorithm_get_name (algs[i])) +@@ -76,7 +76,7 @@ doit (void) + + for (i = 0; algs[i]; i++) + { +- printf ("sign_list[%d] = %d = %s = %d\n", i, algs[i], ++ printf ("sign_list[%d] = %d = %s = %d\n", (int)i, algs[i], + gnutls_sign_algorithm_get_name (algs[i]), + gnutls_sign_get_id (gnutls_sign_algorithm_get_name + (algs[i]))); diff --git a/gnutls.spec b/gnutls.spec index 3c6f41a..cd13c86 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -1,7 +1,7 @@ Summary: A TLS protocol implementation Name: gnutls Version: 2.8.6 -Release: 1%{?dist} +Release: 2%{?dist} # The libgnutls library is LGPLv2+, utilities and remaining libraries are GPLv3+ License: GPLv3+ and LGPLv2+ Group: System Environment/Libraries @@ -17,6 +17,7 @@ Source0: %{name}-%{version}-nosrp.tar.bz2 Source1: libgnutls-config Patch1: gnutls-2.8.5-rpath.patch Patch2: gnutls-2.8.6-link-libgcrypt.patch +Patch3: gnutls-2.8.6-safe-renegotiation.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: libgcrypt >= 1.2.2 @@ -71,11 +72,14 @@ This package contains Guile bindings for the library. %setup -q %patch1 -p1 -b .rpath %patch2 -p1 -b .link +%patch3 -p1 -b .reneg for i in auth_srp_rsa.c auth_srp_sb64.c auth_srp_passwd.c auth_srp.c gnutls_srp.c ext_srp.c; do touch lib/$i done +chmod a+x tests/safe-renegotiation/testsrn + %build export LDFLAGS="-Wl,--no-add-needed" @@ -154,6 +158,9 @@ fi %{_datadir}/guile/site/gnutls.scm %changelog +* Wed Jun 2 2010 Tomas Mraz 2.8.6-2 +- add support for safe renegotiation CVE-2009-3555 (#533125) + * Wed May 12 2010 Tomas Mraz 2.8.6-1 - upgrade to a new upstream version