

[SCM] GNU gnutls branch, master, updated. gnutls_2_9_9-46-g830f671


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_2_9_9-46-g830f671
Date: Wed, 13 Jan 2010 19:52:02 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=830f6715779e74501bbbffe395ce7b9264f35ecc

The branch, master has been updated
       via  830f6715779e74501bbbffe395ce7b9264f35ecc (commit)
       via  4160e1087f3ca75a306bd6afab68f45a0ef97124 (commit)
       via  ae2540986ed3827540a14e88d717789c808ce243 (commit)
       via  3eaebbaf52747064f2bb0fe0648b97f11b91695b (commit)
       via  de47db3597252793a649158edcbfd5324e011339 (commit)
       via  34dae46be6c0c69d60281a4eec17194a835cef38 (commit)
      from  ef78ef389dd5d7e80848fec91925c61eccea3b40 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 830f6715779e74501bbbffe395ce7b9264f35ecc
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Wed Jan 13 20:48:07 2010 +0100

    Tests compile with --enable-gcc-warnings.

commit 4160e1087f3ca75a306bd6afab68f45a0ef97124
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Wed Jan 13 20:38:26 2010 +0100

    Specify in detail what to be copied when resuming. It seems there
    are extensions (like safe renegotiation) that do not need to read
    the stored values. Moreover this might overcome any bugs by the
    extensions that used to store pointers in the extension structure.

commit ae2540986ed3827540a14e88d717789c808ce243
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Wed Jan 13 20:33:16 2010 +0100

    Initialize the default value to 0. It seemed to have a default value of 0 
when not resuming :)

commit 3eaebbaf52747064f2bb0fe0648b97f11b91695b
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Wed Jan 13 18:52:47 2010 +0100

    Removed warnings.

commit de47db3597252793a649158edcbfd5324e011339
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Wed Jan 13 18:34:15 2010 +0100

    Added -Wno-int-to-pointer-cast to enable compilation when 
enable-gcc-warnings is given.

commit 34dae46be6c0c69d60281a4eec17194a835cef38
Author: Steve Dispensa <address@hidden>
Date:   Wed Jan 13 18:14:24 2010 +0100

    Here are two more patches. The first adds support for renegotiation of
    resumption.
    
    Also, I found a bug in my initial implementation - I was incorrectly sending
    the SCSV on all connections, not only those using SSLv3, as should have been
    the case.
    
    Signed-off-by: Nikos Mavrogiannopoulos <address@hidden>

-----------------------------------------------------------------------

Summary of changes:
 configure.ac                   |    1 +
 doc/examples/ex-client-tlsia.c |    4 +-
 lib/ext_safe_renegotiation.c   |   17 +++++---
 lib/ext_safe_renegotiation.h   |    5 ++
 lib/gnutls_constate.c          |   23 +++++++----
 lib/gnutls_extensions.c        |    4 +-
 lib/gnutls_handshake.c         |   80 ++++++++++++++++++++++++++++++---------
 lib/gnutls_int.h               |   17 ++++++--
 lib/gnutls_state.c             |    2 +
 tests/chainverify.c            |    2 +-
 tests/crq_apis.c               |    4 +-
 tests/crq_key_id.c             |    2 +-
 tests/cve-2008-4989.c          |    8 ++--
 tests/dn2.c                    |    2 +-
 tests/finished.c               |   16 ++++----
 tests/mini.c                   |   12 +++---
 tests/pkcs12_s2k_pem.c         |    2 +-
 tests/resume.c                 |    6 +-
 tests/simple.c                 |    4 +-
 tests/tlsia.c                  |    8 ++--
 tests/utils.c                  |    2 +-
 tests/x509sign-verify.c        |    2 +-
 22 files changed, 147 insertions(+), 76 deletions(-)

diff --git a/configure.ac b/configure.ac
index c0a4453..a00d58b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -240,6 +240,7 @@ if test "$gl_gcc_warnings" = yes; then
   gl_WARN_ADD([-Wno-unused-parameter]) # Too many warnings for now
   gl_WARN_ADD([-Wno-unused-parameter]) # Too many warnings for now
   gl_WARN_ADD([-Wno-stack-protector])  # Some functions cannot be protected
+  gl_WARN_ADD([-Wno-int-to-pointer-cast])  # Some files cannot be compiled 
with that (gl_fd_to_handle)
   gl_WARN_ADD([-fdiagnostics-show-option])
 fi
 
diff --git a/doc/examples/ex-client-tlsia.c b/doc/examples/ex-client-tlsia.c
index 53a4613..0e63b39 100644
--- a/doc/examples/ex-client-tlsia.c
+++ b/doc/examples/ex-client-tlsia.c
@@ -30,7 +30,7 @@ client_avp (gnutls_session_t session, void *ptr,
 
   if (last)
     printf ("- received %d bytes AVP: `%.*s'\n",
-           lastlen, (int) lastlen, last);
+           (int)lastlen, (int) lastlen, last);
   else
     printf ("- new application phase\n");
 
@@ -39,7 +39,7 @@ client_avp (gnutls_session_t session, void *ptr,
     return -1;
   *newlen = strlen (*new);
 
-  printf ("- sending %d bytes AVP: `%s'\n", *newlen, *new);
+  printf ("- sending %d bytes AVP: `%s'\n", (int)*newlen, *new);
 
   gnutls_ia_permute_inner_secret (session, 3, "foo");
 
diff --git a/lib/ext_safe_renegotiation.c b/lib/ext_safe_renegotiation.c
index 7cd362d..ca725a7 100644
--- a/lib/ext_safe_renegotiation.c
+++ b/lib/ext_safe_renegotiation.c
@@ -31,24 +31,25 @@ _gnutls_safe_renegotiation_recv_params (gnutls_session_t 
session,
                const opaque * data, size_t _data_size)
 {
   tls_ext_st *ext = &session->security_parameters.extensions;
-
   int len = data[0];
   ssize_t data_size = _data_size;
 
   DECR_LEN (data_size, len+1 /* count the first byte and payload */);
 
-  int conservative_len = len;
   if (len > sizeof (ext->ri_extension_data))
-    conservative_len = sizeof (ext->ri_extension_data);
+    {
+      gnutls_assert();
+      return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;
+    }
 
-  memcpy (ext->ri_extension_data, &data[1], conservative_len);
-  ext->ri_extension_data_len = conservative_len;
+  memcpy (ext->ri_extension_data, &data[1], len);
+  ext->ri_extension_data_len = len;
 
   /* "safe renegotiation received" means on *this* handshake; "connection using
    * safe renegotiation" means that the initial hello received on the 
connection
-   * indicatd safe renegotiation. 
+   * indicated safe renegotiation. 
    */
-  ext->safe_renegotiation_received = 1;
+  session->internals.safe_renegotiation_received = 1;
   ext->connection_using_safe_renegotiation = 1;
 
   return 0;
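Review bot: `int len = data[0];` still reads the first byte before any length check: `DECR_LEN (data_size, len+1 ...)` only runs two lines later, so an empty renegotiation_info body (`_data_size == 0`) is parsed by reading one byte past the extension data before it is rejected. Reserving the length byte first fixes the order — declare `int len;` with the other locals, then `DECR_LEN (data_size, 1); len = data[0]; DECR_LEN (data_size, len);`. The new rejection of `len > sizeof (ext->ri_extension_data)` is right, and `len` is at most 255 here so the signed/unsigned comparison is safe. _gnutls_safe_renegotiation_send_params in the next hunk has the mirror image, `data[0] = 0;` stored before `data_size` is known to be at least 1; the only visible caller passes a 256-byte buffer, so it is latent, but `if (data_size < 1) return GNUTLS_E_SHORT_MEMORY_BUFFER;` ahead of it makes the function safe on its own. The signature and closing brace of _gnutls_safe_renegotiation_recv_params lie outside the hunk.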
@@ -67,6 +68,8 @@ _gnutls_safe_renegotiation_send_params (gnutls_session_t 
session,
   ssize_t data_size = _data_size;
   tls_ext_st *ext = &session->security_parameters.extensions;
 
+  data[0] = 0;
+
   /* Always offer the extension if we're a client */
   if (ext->connection_using_safe_renegotiation ||
      session->security_parameters.entity == GNUTLS_CLIENT)
diff --git a/lib/ext_safe_renegotiation.h b/lib/ext_safe_renegotiation.h
index 4551e80..4b63995 100644
--- a/lib/ext_safe_renegotiation.h
+++ b/lib/ext_safe_renegotiation.h
@@ -22,7 +22,12 @@
  *
  */
 
+#ifndef EXT_SAFE_RENEGOTIATION_H
+# define EXT_SAFE_RENEGOTIATION_H
+
 int _gnutls_safe_renegotiation_recv_params (gnutls_session_t state, 
                const opaque * data, size_t data_size);
 int _gnutls_safe_renegotiation_send_params (gnutls_session_t state, 
                opaque * data, size_t);
+
+#endif /* EXT_SAFE_RENEGOTIATION_H */
diff --git a/lib/gnutls_constate.c b/lib/gnutls_constate.c
index d3fd256..78a38cc 100644
--- a/lib/gnutls_constate.c
+++ b/lib/gnutls_constate.c
@@ -380,6 +380,19 @@ _gnutls_set_write_keys (gnutls_session_t session)
                           export_flag);
 }
 
+#define CPY_EXTENSIONS \
+       memcpy(dst->extensions.server_names, src->extensions.server_names, 
sizeof(src->extensions.server_names)); \
+       dst->extensions.server_names_size = src->extensions.server_names_size; \
+       memcpy(dst->extensions.srp_username, src->extensions.srp_username, 
sizeof(src->extensions.srp_username)); \
+       memcpy(dst->extensions.sign_algorithms, 
src->extensions.sign_algorithms, sizeof(src->extensions.sign_algorithms)); \
+       dst->extensions.sign_algorithms_size = 
src->extensions.sign_algorithms_size; \
+       dst->extensions.gnutls_ia_enable = src->extensions.gnutls_ia_enable; \
+       dst->extensions.gnutls_ia_peer_enable = 
src->extensions.gnutls_ia_peer_enable; \
+       dst->extensions.gnutls_ia_allowskip = 
src->extensions.gnutls_ia_allowskip; \
+       dst->extensions.gnutls_ia_peer_allowskip = 
src->extensions.gnutls_ia_peer_allowskip; \
+       dst->extensions.do_recv_supplemental = 
src->extensions.do_recv_supplemental; \
+       dst->extensions.do_send_supplemental = 
src->extensions.do_send_supplemental
+
 #define CPY_COMMON dst->entity = src->entity; \
        dst->kx_algorithm = src->kx_algorithm; \
        memcpy( &dst->current_cipher_suite, &src->current_cipher_suite, 
sizeof(cipher_suite_st)); \
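Review bot: CPY_EXTENSIONS is a ten-statement object-like macro that expands inside CPY_COMMON and relies on `dst`/`src` being in scope at the expansion site, so it is neither type-checked nor safe as the body of an unbraced `if`; written as `static void _gnutls_cpy_extensions (tls_ext_st *dst, const tls_ext_st *src)` it gets prototype checking and gives the "modify CPY_EXTENSIONS" comment in gnutls_int.h a real function to point at. The explicit field list is the substantive improvement — the `memcpy (&dst->extensions, ...)` it replaces also copied `session_ticket`, `oprfi_cb`/`oprfi_userdata` and the verify-data buffers wholesale — so a comment on the macro naming what is deliberately left out (pointers into the live session, and the safe-renegotiation state that resume_copy_required_values() restores by hand) would stop the next field from being silently dropped or, worse, copied. The macro is at file scope, so replacing it touches only the one CPY_COMMON line that invokes it.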
@@ -393,8 +406,8 @@ _gnutls_set_write_keys (gnutls_session_t session)
        dst->max_record_recv_size = src->max_record_recv_size; \
        dst->max_record_send_size = src->max_record_send_size; \
        dst->version = src->version; \
-       memcpy( &dst->extensions, &src->extensions, sizeof(tls_ext_st)); \
-       memcpy( &dst->inner_secret, &src->inner_secret, GNUTLS_MASTER_SIZE);
+       CPY_EXTENSIONS; \
+       memcpy( &dst->inner_secret, &src->inner_secret, GNUTLS_MASTER_SIZE)
 
 static void
 _gnutls_cpy_read_security_parameters (security_parameters_st *
@@ -486,12 +499,9 @@ _gnutls_read_connection_state_init (gnutls_session_t 
session)
     }
   else
     {                          /* RESUME_TRUE */
-      opaque *session_ticket =
-       session->security_parameters.extensions.session_ticket;
       _gnutls_cpy_read_security_parameters (&session->security_parameters,
                                            &session->internals.
                                            resumed_security_parameters);
-      session->security_parameters.extensions.session_ticket = session_ticket;
     }
 
 
@@ -671,12 +681,9 @@ _gnutls_write_connection_state_init (gnutls_session_t 
session)
     }
   else
     {                          /* RESUME_TRUE */
-      opaque *session_ticket =
-       session->security_parameters.extensions.session_ticket;
       _gnutls_cpy_write_security_parameters (&session->security_parameters,
                                             &session->internals.
                                             resumed_security_parameters);
-      session->security_parameters.extensions.session_ticket = session_ticket;
     }
 
   rc = _gnutls_set_write_keys (session);
diff --git a/lib/gnutls_extensions.c b/lib/gnutls_extensions.c
index 2e8ad07..24b3f4d 100644
--- a/lib/gnutls_extensions.c
+++ b/lib/gnutls_extensions.c
@@ -148,7 +148,7 @@ _gnutls_parse_extensions (gnutls_session_t session,
       type = _gnutls_read_uint16 (&data[pos]);
       pos += 2;
 
-      _gnutls_debug_log ("EXT[%p]: Received extension '%s/%d'\n", session,
+      _gnutls_debug_log ("EXT[%p]: Found extension '%s/%d'\n", session,
                         _gnutls_extension_get_name (type), type);
 
       if ((ret = _gnutls_extension_list_check (session, type)) < 0)
@@ -168,6 +168,8 @@ _gnutls_parse_extensions (gnutls_session_t session,
       ext_recv = _gnutls_ext_func_recv (type, parse_type);
       if (ext_recv == NULL)
        continue;
+
+
       if ((ret = ext_recv (session, sdata, size)) < 0)
        {
          gnutls_assert ();
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index 41a9f0e..9ea7bd2 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -49,6 +49,7 @@
 #include <gnutls_state.h>
 #include <ext_srp.h>
 #include <ext_session_ticket.h>
+#include <ext_safe_renegotiation.h>
 #include <gnutls_rsa_export.h> /* for gnutls_get_rsa_params() */
 #include <auth_anon.h>         /* for gnutls_anon_server_credentials_t */
 #include <auth_psk.h>          /* for gnutls_psk_server_credentials_t */
@@ -106,6 +107,9 @@ _gnutls_handshake_hash_buffers_clear (gnutls_session_t 
session)
 static void
 resume_copy_required_values (gnutls_session_t session)
 {
+  tls_ext_st *newext;
+  tls_ext_st *resext;
+
   /* get the new random values */
   memcpy (session->internals.resumed_security_parameters.server_random,
          session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
@@ -141,6 +145,23 @@ resume_copy_required_values (gnutls_session_t session)
          sizeof (session->security_parameters.session_id));
   session->security_parameters.session_id_size =
     session->internals.resumed_security_parameters.session_id_size;
+
+  /* safe renegotiation */
+  newext = &session->security_parameters.extensions;
+  resext = &session->internals.resumed_security_parameters.extensions;
+
+  newext->connection_using_safe_renegotiation = 
+         resext->connection_using_safe_renegotiation;
+
+  session->internals.initial_negotiation_completed = TRUE;
+
+  newext->client_verify_data_len = resext->client_verify_data_len;
+  memcpy (newext->client_verify_data, resext->client_verify_data, 
+         resext->client_verify_data_len);
+
+  newext->server_verify_data_len = resext->server_verify_data_len;
+  memcpy (newext->server_verify_data, resext->server_verify_data, 
+         resext->server_verify_data_len);
 }
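Review bot: Copying the stored session's client_verify_data/server_verify_data into the current handshake and setting `initial_negotiation_completed = TRUE` makes a resumed session look like a renegotiation, but RFC 5746 ties verify_data to the previous handshake on the same connection: a peer resuming on a fresh connection sends an empty renegotiation_info (or the SCSV), so the `ri_extension_data_len < client_verify_data_len` check in _gnutls_recv_hello rejects it, and a gnutls client resuming against such a server fails its own `client_verify_data_len + server_verify_data_len` length check. As far as I can tell from the hunks, only a renegotiation on the connection where the session was originally negotiated should keep verify data, and that is already held in `session->security_parameters.extensions`, so the resumption path should leave those four fields and the flag alone and let _gnutls_recv_finished set them. Secondary: `resext->client_verify_data_len` and `server_verify_data_len` come from the resumed parameters, which are restored from a stored session blob (presumably via gnutls_session_set_data or the server's session DB), so bound each by `sizeof newext->client_verify_data` before the `memcpy` or treat an oversized value as a failed resumption. The same sixteen lines are duplicated for the client in _gnutls_client_check_if_resuming (new lines 1701–1723 of this file); one static helper would serve both. resume_copy_required_values's signature is in the preceding hunk.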
 
 void
@@ -726,6 +747,7 @@ _gnutls_recv_finished (gnutls_session_t session)
   int data_size;
   int ret;
   int vrfysize;
+  tls_ext_st *ext;
 
   ret =
     _gnutls_recv_handshake (session, &vrfy, &vrfysize,
@@ -790,7 +812,7 @@ _gnutls_recv_finished (gnutls_session_t session)
       return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
     }
 
-  tls_ext_st *ext = &session->security_parameters.extensions;
+  ext = &session->security_parameters.extensions;
 
   if (session->security_parameters.entity == GNUTLS_CLIENT)
     {
@@ -803,7 +825,7 @@ _gnutls_recv_finished (gnutls_session_t session)
       ext->client_verify_data_len = data_size;
     }
 
-  ext->initial_negotiation_completed = 1;
+  session->internals.initial_negotiation_completed = 1;
 
   return ret;
 }
@@ -870,7 +892,7 @@ _gnutls_server_select_suite (gnutls_session_t session, 
opaque * data,
             data[offset+1] == GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR)
           {
            _gnutls_handshake_log ("HSK[%p]: Received safe renegotiation CS\n", 
session);
-            
session->security_parameters.extensions.safe_renegotiation_received = 1;
+            session->internals.safe_renegotiation_received = 1;
             
session->security_parameters.extensions.connection_using_safe_renegotiation = 1;
            break;
           }
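Review bot: The SCSV branch records `safe_renegotiation_received` and `connection_using_safe_renegotiation` but does not check whether this ClientHello is itself a renegotiation; RFC 5746 §3.7 requires a server that finds the SCSV in a ClientHello while `initial_negotiation_completed` is already set to abort the handshake, because the SCSV can only ever stand for an empty RI. Unless that is handled after the loop (_gnutls_server_select_suite starts and ends outside the hunk), `if (session->internals.initial_negotiation_completed) { gnutls_assert (); return GNUTLS_E_SAFE_RENEGOTIATION_FAILED; }` placed before the two assignments would cover it. Whether the flag is already set at this point on a resumed handshake depends on the order in which resume_copy_required_values() runs relative to suite selection, which I cannot see from here.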
@@ -1656,6 +1678,8 @@ _gnutls_client_check_if_resuming (gnutls_session_t 
session,
                                  opaque * session_id, int session_id_len)
 {
   opaque buf[2 * TLS_MAX_SESSION_ID_SIZE + 1];
+  tls_ext_st *newext;
+  tls_ext_st *resext;
 
   _gnutls_handshake_log ("HSK[%p]: SessionID length: %d\n", session,
                         session_id_len);
@@ -1677,6 +1701,23 @@ _gnutls_client_check_if_resuming (gnutls_session_t 
session,
              session->security_parameters.client_random, GNUTLS_RANDOM_SIZE);
       session->internals.resumed = RESUME_TRUE;        /* we are resuming */
 
+      /* safe renegotiation after resumption */
+      newext = &session->security_parameters.extensions;
+      resext = &session->internals.resumed_security_parameters.extensions;
+
+      newext->connection_using_safe_renegotiation = 
+       resext->connection_using_safe_renegotiation;
+
+      session->internals.initial_negotiation_completed = TRUE;
+
+      newext->client_verify_data_len = resext->client_verify_data_len;
+      memcpy (newext->client_verify_data, resext->client_verify_data, 
+             resext->client_verify_data_len);
+
+      newext->server_verify_data_len = resext->server_verify_data_len;
+      memcpy (newext->server_verify_data, resext->server_verify_data, 
+             resext->server_verify_data_len);
+
       return 0;
     }
   else
@@ -1746,7 +1787,6 @@ _gnutls_read_server_hello (gnutls_session_t session,
     }
   DECR_LEN (len, session_id_len);
 
-
   /* check if we are resuming and set the appropriate
    * values;
    */
@@ -1781,8 +1821,6 @@ _gnutls_read_server_hello (gnutls_session_t session,
     }
   pos += 2;
 
-
-
   /* move to compression 
    */
   DECR_LEN (len, 1);
@@ -1821,6 +1859,7 @@ _gnutls_copy_ciphersuites (gnutls_session_t session,
   cipher_suite_st *cipher_suites;
   uint16_t cipher_num;
   int datalen, pos;
+  uint16_t loop_max;
 
   ret = _gnutls_supported_ciphersuites_sorted (session, &cipher_suites);
   if (ret < 0)
@@ -1871,7 +1910,7 @@ _gnutls_copy_ciphersuites (gnutls_session_t session,
   _gnutls_write_uint16 (cipher_num, ret_data);
   pos += 2;
 
-  uint16_t loop_max = add_scsv ? cipher_num - 2 : cipher_num;
+  loop_max = add_scsv ? cipher_num - 2 : cipher_num;
 
   for (i = 0; i < (loop_max / 2); i++)
     {
@@ -2065,8 +2104,9 @@ _gnutls_send_client_hello (gnutls_session_t session, int 
again)
        * prevention on initial negotiation (but not renegotiation; that's
        * handled with the RI extension below).
        */
-      
if(!session->security_parameters.extensions.initial_negotiation_completed &&
-        session->security_parameters.entity == GNUTLS_CLIENT)
+      if(!session->internals.initial_negotiation_completed &&
+        session->security_parameters.entity == GNUTLS_CLIENT &&
+        gnutls_protocol_get_version (session) == GNUTLS_SSL3)
         {
          ret = _gnutls_copy_ciphersuites (session, extdata, extdatalen, TRUE);
          _gnutls_extension_list_add (session, 
GNUTLS_EXTENSION_SAFE_RENEGOTIATION);
@@ -2155,8 +2195,10 @@ _gnutls_send_client_hello (gnutls_session_t session, int 
again)
              return ret;
            }
        }
-      else 
if(session->security_parameters.extensions.initial_negotiation_completed)
+      else if(session->internals.initial_negotiation_completed != 0)
         {
+         opaque buf[256]; /* opaque renegotiated_connection<0..255> */
+
          /* For SSLv3 only, we will (only) to send the RI extension; we must
           * send it every time we renegotiate. We don't want to send anything
           * else, out of concern for interoperability.
@@ -2164,7 +2206,6 @@ _gnutls_send_client_hello (gnutls_session_t session, int 
again)
           * If this is an initial negotiation, we already sent SCSV above.
           */
           
-         opaque buf[256]; /* opaque renegotiated_connection<0..255> */
          ret = _gnutls_safe_renegotiation_send_params (session, buf, 
sizeof(buf));
 
          if (ret < 0)
@@ -2327,7 +2368,7 @@ _gnutls_send_hello (gnutls_session_t session, int again)
 {
   int ret;
 
-  session->security_parameters.extensions.safe_renegotiation_received = 0;
+  session->internals.safe_renegotiation_received = 0;
 
   if (session->security_parameters.entity == GNUTLS_CLIENT)
     {
@@ -2350,6 +2391,7 @@ int
 _gnutls_recv_hello (gnutls_session_t session, opaque * data, int datalen)
 {
   int ret;
+  tls_ext_st *ext;
 
   if (session->security_parameters.entity == GNUTLS_CLIENT)
     {
@@ -2372,9 +2414,9 @@ _gnutls_recv_hello (gnutls_session_t session, opaque * 
data, int datalen)
     }
            
   /* Safe renegotiation */
-  tls_ext_st *ext = &session->security_parameters.extensions;
+  ext = &session->security_parameters.extensions;
 
-  if (ext->safe_renegotiation_received)
+  if (session->internals.safe_renegotiation_received)
     {
       if ((ext->ri_extension_data_len < ext->client_verify_data_len) ||
          (memcmp (ext->ri_extension_data,
@@ -2382,7 +2424,7 @@ _gnutls_recv_hello (gnutls_session_t session, opaque * 
data, int datalen)
                   ext->client_verify_data_len)))
        {
          gnutls_assert();
-         _gnutls_handshake_log ("Safe renegotiation failed (1)\n");
+         _gnutls_handshake_log ("Safe renegotiation failed [1]\n");
          return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;
        }
       if (session->security_parameters.entity == GNUTLS_CLIENT)
@@ -2390,10 +2432,10 @@ _gnutls_recv_hello (gnutls_session_t session, opaque * 
data, int datalen)
          if ((ext->ri_extension_data_len !=
               ext->client_verify_data_len + ext->server_verify_data_len) ||
               memcmp (ext->ri_extension_data + ext->client_verify_data_len,
-                      ext->server_verify_data, ext->server_verify_data_len))
+                      ext->server_verify_data, ext->server_verify_data_len) != 
0)
            {
              gnutls_assert();
-             _gnutls_handshake_log ("Safe renegotiation failed (2)\n");
+             _gnutls_handshake_log ("Safe renegotiation failed [2]\n");
              return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;
            }
        }
@@ -2402,7 +2444,7 @@ _gnutls_recv_hello (gnutls_session_t session, opaque * 
data, int datalen)
          if (ext->ri_extension_data_len != ext->client_verify_data_len)
            {
              gnutls_assert();
-             _gnutls_handshake_log ("Safe renegotiation failed (3)\n");
+             _gnutls_handshake_log ("Safe renegotiation failed [3]\n");
              return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;
            }
        }
@@ -2419,7 +2461,7 @@ _gnutls_recv_hello (gnutls_session_t session, opaque * 
data, int datalen)
        }
 
       /* Clients can't tell if it's an initial negotiation */
-      if (ext->initial_negotiation_completed ||
+      if (session->internals.initial_negotiation_completed ||
          session->security_parameters.entity == GNUTLS_CLIENT)
        {
          if (session->internals.priorities.unsafe_renegotiation != 0)
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index ba8ed9b..fec71a7 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -309,6 +309,9 @@ struct gnutls_session_ticket_key_st {
 
 #define MAX_VERIFY_DATA_SIZE 36 /* in SSL 3.0, 12 in TLS 1.0 */
 
+/* If you want the extension data to be kept across resuming sessions
+ * then modify CPY_EXTENSIONS in gnutls_constate.c
+ */
 typedef struct
 {
   server_name_st server_names[MAX_SERVER_NAME_EXTENSIONS];
@@ -328,6 +331,9 @@ typedef struct
   /* Used by extensions that enable supplemental data. */
   int do_recv_supplemental, do_send_supplemental;
 
+  /*** Those below do not get copied when resuming session 
+   ***/
+
   /* Opaque PRF input. */
   gnutls_oprfi_callback_func oprfi_cb;
   void *oprfi_userdata;
@@ -343,9 +349,6 @@ typedef struct
   opaque session_ticket_IV[SESSION_TICKET_IV_SIZE];
 
   /* Safe renegotiation. */
-  int connection_using_safe_renegotiation:1;
-  int safe_renegotiation_received:1;
-  int initial_negotiation_completed:1;
   uint8_t client_verify_data[MAX_VERIFY_DATA_SIZE]; 
   size_t client_verify_data_len;
   uint8_t server_verify_data[MAX_VERIFY_DATA_SIZE];
@@ -353,6 +356,8 @@ typedef struct
   uint8_t ri_extension_data[MAX_VERIFY_DATA_SIZE*2]; /* max signal is 72 bytes 
in s->c sslv3 */
   size_t ri_extension_data_len;
 
+  int connection_using_safe_renegotiation:1;
+
 } tls_ext_st;
 
 /* auth_info_t structures now MAY contain malloced 
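Review bot: `int connection_using_safe_renegotiation:1;` is a plain-int bit-field, whose signedness is implementation-defined (C99 6.7.2); GCC treats it as signed, so it holds only 0 and -1 and `= 1` stores -1 — the truth tests in the handshake code still work, but any `== 1`/`== TRUE` comparison would silently fail. Declare it `unsigned int connection_using_safe_renegotiation:1;`, and likewise the two new fields of internals_st (`safe_renegotiation_received`, `initial_negotiation_completed`) in this file's last hunk. The "Those below do not get copied when resuming" comment added earlier in this file is also now inaccurate for this field and the verify-data buffers, which resume_copy_required_values() copies by hand; a note beside the field, `/* not in CPY_EXTENSIONS; restored explicitly on resumption, see resume_copy_required_values() */`, would keep the two in step.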
@@ -366,7 +371,7 @@ typedef struct
  */
 
 /* if you add anything in Security_Parameters struct, then
- * also modify CPY_COMMON in gnutls_constate.c
+ * also modify CPY_COMMON in gnutls_constate.c. 
  */
 
 /* Note that the security parameters structure is set up after the
@@ -411,6 +416,7 @@ typedef struct
   /* holds the negotiated certificate type */
   gnutls_certificate_type_t cert_type;
   gnutls_protocol_t version;   /* moved here */
+
   /* For TLS/IA.  XXX: Move to IA credential? */
   opaque inner_secret[GNUTLS_MASTER_SIZE];
 } security_parameters_st;
@@ -740,6 +746,9 @@ typedef struct
 
   int session_ticket_enable, session_ticket_renew;
 
+  int safe_renegotiation_received:1;
+  int initial_negotiation_completed:1;
+
   /* If you add anything here, check _gnutls_handshake_internal_state_clear().
    */
 } internals_st;
diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c
index 3ba533b..0545757 100644
--- a/lib/gnutls_state.c
+++ b/lib/gnutls_state.c
@@ -226,6 +226,8 @@ _gnutls_handshake_internal_state_init (gnutls_session_t 
session)
   session->internals.adv_version_minor = 0;
   session->internals.adv_version_minor = 0;
   session->internals.direction = 0;
+  session->internals.safe_renegotiation_received = 0;
+  session->internals.initial_negotiation_completed = 0;
 
   /* use out of band data for the last
    * handshake messages received.
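Review bot: Resetting `initial_negotiation_completed` in _gnutls_handshake_internal_state_init is only correct if this function runs once per connection; the comment next to the new fields in gnutls_int.h says additions to internals_st must be checked against _gnutls_handshake_internal_state_clear(), and if that routine calls this init at the end of every handshake (its name suggests so, but it is not visible here) the flag is zeroed as soon as the first handshake completes and every later renegotiation is treated as an initial negotiation — no RI verification on the server side, and the SCSV instead of the RI extension on the client side. `initial_negotiation_completed` describes the connection, not the current handshake, so it should be initialised only on session creation (the gnutls_init path) and set only by _gnutls_recv_finished; `safe_renegotiation_received` is per-handshake and is in any case reset again in _gnutls_send_hello, so it can stay. Unrelated but in the context just above: `adv_version_minor` is assigned twice, and the first assignment was presumably meant to be `adv_version_major`.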
diff --git a/tests/chainverify.c b/tests/chainverify.c
index 0407d14..7dccea1 100644
--- a/tests/chainverify.c
+++ b/tests/chainverify.c
@@ -833,7 +833,7 @@ main (int argc, char *argv[])
                                         &verify_status);
       if (ret < 0)
        error (EXIT_FAILURE, 0, "gnutls_x509_crt_list_verify[%d,%d]: %s",
-              i, j, gnutls_strerror (ret));
+              (int)i, (int)j, gnutls_strerror (ret));
 
       if (verify_status != chains[i].expected_verify_result)
        {
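Review bot: Casting `i` and `j` (presumably size_t, given the warning being silenced) to `int` for `%d` quiets -Wformat but truncates values above INT_MAX; printing them with `%zu` and no cast is the C99 way and keeps the compiler's type check meaningful. The same cast-to-int pattern is applied in doc/examples/ex-client-tlsia.c and in the crq_apis.c, crq_key_id.c, cve-2008-4989.c, dn2.c, finished.c, mini.c and pkcs12_s2k_pem.c hunks, so one convention could be chosen for all of them — if the gnulib printf module is in use it supports `%zu` on every platform the build targets. For test code the truncation is harmless, so this is a style point; main starts outside the hunk.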
diff --git a/tests/crq_apis.c b/tests/crq_apis.c
index 63742b2..26ab321 100644
--- a/tests/crq_apis.c
+++ b/tests/crq_apis.c
@@ -126,13 +126,13 @@ doit (void)
   s = 0;
   ret = gnutls_x509_crq_get_challenge_password (crq, NULL, &s);
   if (ret != 0 || s != 3)
-    fail ("gnutls_x509_crq_get_challenge_password2 %d/%d\n", ret, s);
+    fail ("gnutls_x509_crq_get_challenge_password2 %d/%d\n", ret, (int)s);
 
   s = 10;
   ret = gnutls_x509_crq_get_challenge_password (crq, smallbuf, &s);
   if (ret != 0 || s != 3 || strcmp (smallbuf, "foo") != 0)
     fail ("gnutls_x509_crq_get_challenge_password3 %d/%d/%s\n",
-         ret, s, smallbuf);
+         ret,(int) s, smallbuf);
 
   s = 0;
   ret = gnutls_x509_crq_get_extension_info (crq, 0, NULL, &s, NULL);
diff --git a/tests/crq_key_id.c b/tests/crq_key_id.c
index 0ba128b..7658874 100644
--- a/tests/crq_key_id.c
+++ b/tests/crq_key_id.c
@@ -159,7 +159,7 @@ doit (void)
       else
        {
          fail ("Key_id lengths differ incorrectly: %d - %d\n",
-               crq_key_id_len, pkey_key_id_len);
+               (int)crq_key_id_len, (int)pkey_key_id_len);
        }
 
 
diff --git a/tests/cve-2008-4989.c b/tests/cve-2008-4989.c
index fd4fb85..84413a4 100644
--- a/tests/cve-2008-4989.c
+++ b/tests/cve-2008-4989.c
@@ -165,7 +165,7 @@ main (int argc, char *argv[])
     {
       ret = gnutls_x509_crt_init (&certs[i]);
       if (ret < 0)
-       error (EXIT_FAILURE, 0, "gnutls_x509_crt_init[%d]: %s", i,
+       error (EXIT_FAILURE, 0, "gnutls_x509_crt_init[%d]: %s", (int)i,
               gnutls_strerror (ret));
 
       tmp.data = (char *) pem_certs[i];
@@ -173,7 +173,7 @@ main (int argc, char *argv[])
 
       ret = gnutls_x509_crt_import (certs[i], &tmp, GNUTLS_X509_FMT_PEM);
       if (ret < 0)
-       error (EXIT_FAILURE, 0, "gnutls_x509_crt_import[%d]: %s", i,
+       error (EXIT_FAILURE, 0, "gnutls_x509_crt_import[%d]: %s", (int)i,
               gnutls_strerror (ret));
     }
 
@@ -196,7 +196,7 @@ main (int argc, char *argv[])
                                     GNUTLS_VERIFY_DISABLE_TIME_CHECKS,
                                     &verify_status);
   if (ret < 0)
-    error (EXIT_FAILURE, 0, "gnutls_x509_crt_list_verify[%d]: %s", i,
+    error (EXIT_FAILURE, 0, "gnutls_x509_crt_list_verify[%d]: %s", (int)i,
           gnutls_strerror (ret));
 
   if (verify_status != (GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID))
@@ -228,7 +228,7 @@ main (int argc, char *argv[])
                                     GNUTLS_VERIFY_DISABLE_TIME_CHECKS,
                                     &verify_status);
   if (ret < 0)
-    error (EXIT_FAILURE, 0, "gnutls_x509_crt_list_verify[%d]: %s", i,
+    error (EXIT_FAILURE, 0, "gnutls_x509_crt_list_verify[%d]: %s", (int)i,
           gnutls_strerror (ret));
 
   if (verify_status != 0)
diff --git a/tests/dn2.c b/tests/dn2.c
index 5ea4fb9..ebe189e 100644
--- a/tests/dn2.c
+++ b/tests/dn2.c
@@ -94,7 +94,7 @@ doit (void)
     success ("comparison ok\n");
   else
     fail ("comparison fail (%d/%d)\nexpect: %s\n   got: %.*s\n",
-         out.size, strlen (info), info, out.size, out.data);
+         out.size, (int)strlen (info), info, out.size, out.data);
 
   gnutls_x509_crt_deinit (cert);
   gnutls_global_deinit ();
diff --git a/tests/finished.c b/tests/finished.c
index f482ef8..8567d47 100644
--- a/tests/finished.c
+++ b/tests/finished.c
@@ -49,7 +49,7 @@ size_t to_client_len;
 static ssize_t
 client_pull (gnutls_transport_ptr_t tr, void *data, size_t len)
 {
-  success ("client_pull len %d has %d\n", len, to_client_len);
+  success ("client_pull len %d has %d\n", (int)len, (int)to_client_len);
 
   if (to_client_len < len)
     {
@@ -71,7 +71,7 @@ client_push (gnutls_transport_ptr_t tr, const void *data, 
size_t len)
   size_t newlen = to_server_len + len;
   char *tmp;
 
-  success ("client_push len %d has %d\n", len, to_server_len);
+  success ("client_push len %d has %d\n", (int)len, (int)to_server_len);
   hexprint (data, len);
 
   tmp = realloc (to_server, newlen);
@@ -91,7 +91,7 @@ client_push (gnutls_transport_ptr_t tr, const void *data, 
size_t len)
 static ssize_t
 server_pull (gnutls_transport_ptr_t tr, void *data, size_t len)
 {
-  success ("server_pull len %d has %d\n", len, to_server_len);
+  success ("server_pull len %d has %d\n", (int)len, (int)to_server_len);
 
   if (to_server_len < len)
     {
@@ -113,7 +113,7 @@ server_push (gnutls_transport_ptr_t tr, const void *data, 
size_t len)
   size_t newlen = to_client_len + len;
   char *tmp;
 
-  success ("server_push len %d has %d\n", len, to_client_len);
+  success ("server_push len %d has %d\n", (int)len, (int)to_client_len);
 
   hexprint (data, len);
 
@@ -135,7 +135,7 @@ static void
 client_finished_callback (gnutls_session_t session,
                          const void *finished, size_t len)
 {
-  success ("client finished (length %d)\n", len);
+  success ("client finished (length %d)\n", (int)len);
   hexprint (finished, len);
 }
 
@@ -143,7 +143,7 @@ static void
 server_finished_callback (gnutls_session_t session,
                          const void *finished, size_t len)
 {
-  success ("server finished (length %d)\n", len);
+  success ("server finished (length %d)\n", (int)len);
   hexprint (finished, len);
 }
 
@@ -220,7 +220,7 @@ doit (void)
   success ("Handshake established\n");
 
   ns = gnutls_record_send (client, MSG, strlen (MSG));
-  success ("client: sent %d\n", ns);
+  success ("client: sent %d\n", (int)ns);
 
   ret = gnutls_record_recv (server, buffer, MAX_BUF);
   if (ret == 0)
@@ -236,7 +236,7 @@ doit (void)
     }
 
   ns = gnutls_record_send (server, MSG, strlen (MSG));
-  success ("server: sent %d\n", ns);
+  success ("server: sent %d\n", (int)ns);
 
   ret = gnutls_record_recv (client, buffer, MAX_BUF);
   if (ret == 0)
diff --git a/tests/mini.c b/tests/mini.c
index 21a426e..e1da277 100644
--- a/tests/mini.c
+++ b/tests/mini.c
@@ -47,7 +47,7 @@ size_t to_client_len;
 static ssize_t
 client_pull (gnutls_transport_ptr_t tr, void *data, size_t len)
 {
-  success ("client_pull len %d has %d\n", len, to_client_len);
+  success ("client_pull len %d has %d\n", (int)len, (int)to_client_len);
 
   if (to_client_len < len)
     {
@@ -69,7 +69,7 @@ client_push (gnutls_transport_ptr_t tr, const void *data, 
size_t len)
   size_t newlen = to_server_len + len;
   char *tmp;
 
-  success ("client_push len %d has %d\n", len, to_server_len);
+  success ("client_push len %d has %d\n", (int)len, (int)to_server_len);
   hexprint (data, len);
 
   tmp = realloc (to_server, newlen);
@@ -89,7 +89,7 @@ client_push (gnutls_transport_ptr_t tr, const void *data, 
size_t len)
 static ssize_t
 server_pull (gnutls_transport_ptr_t tr, void *data, size_t len)
 {
-  success ("server_pull len %d has %d\n", len, to_server_len);
+  success ("server_pull len %d has %d\n", (int)len, (int)to_server_len);
 
   if (to_server_len < len)
     {
@@ -111,7 +111,7 @@ server_push (gnutls_transport_ptr_t tr, const void *data, 
size_t len)
   size_t newlen = to_client_len + len;
   char *tmp;
 
-  success ("server_push len %d has %d\n", len, to_client_len);
+  success ("server_push len %d has %d\n", (int)len, (int)to_client_len);
 
   hexprint (data, len);
 
@@ -200,7 +200,7 @@ doit (void)
   success ("Handshake established\n");
 
   ns = gnutls_record_send (client, MSG, strlen (MSG));
-  success ("client: sent %d\n", ns);
+  success ("client: sent %d\n", (int)ns);
 
   ret = gnutls_record_recv (server, buffer, MAX_BUF);
   if (ret == 0)
@@ -216,7 +216,7 @@ doit (void)
     }
 
   ns = gnutls_record_send (server, MSG, strlen (MSG));
-  success ("server: sent %d\n", ns);
+  success ("server: sent %d\n", (int)ns);
 
   ret = gnutls_record_recv (client, buffer, MAX_BUF);
   if (ret == 0)
diff --git a/tests/pkcs12_s2k_pem.c b/tests/pkcs12_s2k_pem.c
index 7298e19..9db3842 100644
--- a/tests/pkcs12_s2k_pem.c
+++ b/tests/pkcs12_s2k_pem.c
@@ -284,7 +284,7 @@ main (void)
                                              keys[i].password, 0);
       if (ret != keys[i].expected_result)
        {
-         printf ("fail[%d]: %d: %s\n", i, ret, gnutls_strerror (ret));
+         printf ("fail[%d]: %d: %s\n", (int)i, ret, gnutls_strerror (ret));
          return 1;
        }
 
diff --git a/tests/resume.c b/tests/resume.c
index 80a4c7d..cf26669 100644
--- a/tests/resume.c
+++ b/tests/resume.c
@@ -100,7 +100,7 @@ client (struct params_res *params)
   if (debug)
     {
       gnutls_global_set_log_function (tls_log_func);
-      gnutls_global_set_log_level (4);
+      gnutls_global_set_log_level (2);
     }
   gnutls_global_init ();
 
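Review bot: The debug log level is now a bare literal `2` written in two places, here in client() and again in server() in the -352 hunk of this file; a single file-scope constant, e.g. `static const int debug_log_level = 2;` used in both `gnutls_global_set_log_level` calls, would keep the two from drifting apart again. The hunk gives no reason for lowering the level from 4, so a one-line comment on the call stating why 2 is sufficient for this test would help. client() begins and ends outside this hunk.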
@@ -178,7 +178,7 @@ client (struct params_res *params)
              if (params->expect_resume)
                fail ("*** Previous session was NOT resumed\n");
              else
-               success ("*** Previous session was NOT resumed\n");
+               success ("*** Previous session was NOT resumed (expected)\n");
            }
        }
 
@@ -352,7 +352,7 @@ server (struct params_res *params)
   if (debug)
     {
       gnutls_global_set_log_function (tls_log_func);
-      gnutls_global_set_log_level (4);
+      gnutls_global_set_log_level (2);
     }
 
   gnutls_global_init ();
diff --git a/tests/simple.c b/tests/simple.c
index 5f16454..a3774e5 100644
--- a/tests/simple.c
+++ b/tests/simple.c
@@ -50,7 +50,7 @@ doit (void)
 
     for (i = 0; algs[i]; i++)
       {
-       printf ("pk_list[%d] = %d = %s = %d\n", i, algs[i],
+       printf ("pk_list[%d] = %d = %s = %d\n", (int)i, algs[i],
                gnutls_pk_algorithm_get_name (algs[i]),
                gnutls_pk_get_id (gnutls_pk_algorithm_get_name (algs[i])));
        if (gnutls_pk_get_id (gnutls_pk_algorithm_get_name (algs[i]))
@@ -76,7 +76,7 @@ doit (void)
 
     for (i = 0; algs[i]; i++)
       {
-       printf ("sign_list[%d] = %d = %s = %d\n", i, algs[i],
+       printf ("sign_list[%d] = %d = %s = %d\n", (int)i, algs[i],
                gnutls_sign_algorithm_get_name (algs[i]),
                gnutls_sign_get_id (gnutls_sign_algorithm_get_name
                                    (algs[i])));
diff --git a/tests/tlsia.c b/tests/tlsia.c
index cc1dbce..b2f6841 100644
--- a/tests/tlsia.c
+++ b/tests/tlsia.c
@@ -59,7 +59,7 @@ client_avp (gnutls_session_t session, void *ptr,
 
   if (last)
     printf ("client: received %d bytes AVP: `%.*s'\n",
-           lastlen, (int) lastlen, last);
+           (int)lastlen, (int) lastlen, last);
   else
     printf ("client: new application phase\n");
 
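Review bot: The new line spells the same cast two ways, `(int)lastlen, (int) lastlen`; the cast that was already on this line uses a space after the parenthesis, so the added one should match it: `(int) lastlen, (int) lastlen, last);`. The identical pairing is introduced in the server_avp hunk at -291 of this file. client_avp begins and ends outside this hunk.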
@@ -93,7 +93,7 @@ client_avp (gnutls_session_t session, void *ptr,
     return -1;
   *newlen = strlen (*new);
 
-  printf ("client: sending %d bytes AVP: `%s'\n", *newlen, *new);
+  printf ("client: sending %d bytes AVP: `%s'\n", (int)*newlen, *new);
 
   gnutls_ia_permute_inner_secret (session, 3, "foo");
 
@@ -291,7 +291,7 @@ server_avp (gnutls_session_t session, void *ptr,
 
   if (last)
     printf ("server: received %d bytes AVP: `%.*s'\n",
-           lastlen, (int) lastlen, last);
+           (int)lastlen, (int) lastlen, last);
 
   gnutls_ia_permute_inner_secret (session, 3, "foo");
 
@@ -355,7 +355,7 @@ server_avp (gnutls_session_t session, void *ptr,
     return -1;
   *newlen = strlen (*new);
 
-  printf ("server: sending %d bytes AVP: `%s'\n", *newlen, *new);
+  printf ("server: sending %d bytes AVP: `%s'\n", (int)*newlen, *new);
 
   return 0;
 }
diff --git a/tests/utils.c b/tests/utils.c
index 441a9d0..b0c2845 100644
--- a/tests/utils.c
+++ b/tests/utils.c
@@ -68,7 +68,7 @@ escapeprint (const char *str, size_t len)
 {
   size_t i;
 
-  printf (" (length %d bytes):\n\t", len);
+  printf (" (length %d bytes):\n\t", (int)len);
   for (i = 0; i < len; i++)
     {
       if (((str[i] & 0xFF) >= 'A' && (str[i] & 0xFF) <= 'Z') ||
diff --git a/tests/x509sign-verify.c b/tests/x509sign-verify.c
index 532114f..c844c35 100644
--- a/tests/x509sign-verify.c
+++ b/tests/x509sign-verify.c
@@ -147,7 +147,7 @@ doit (void)
 
   for (i = 0; i < sizeof (key_dat) / sizeof (key_dat[0]); i++)
     {
-      success ("loop %d\n", i);
+      success ("loop %d\n", (int)i);
 
       ret = gnutls_x509_privkey_init (&key);
       if (ret < 0)


hooks/post-receive
-- 
GNU gnutls




