summaryrefslogtreecommitdiff
path: root/patches/source/gnutls
diff options
context:
space:
mode:
authorPatrick J Volkerding <volkerdi@slackware.com>2018-05-25 23:29:36 +0000
committerEric Hameleers <alien@slackware.com>2018-05-31 15:10:50 -0700
commit329684b59b8d55dd403c2c59f76d37210ba2f517 (patch)
tree10421c6ee3bf179d50915cc00d4c15c1b83cb77a /patches/source/gnutls
parentb76270bf9e6dd375e495fec92140a79a79415d27 (diff)
downloadcurrent-329684b59b8d55dd403c2c59f76d37210ba2f517.tar.gz
Fri May 25 23:29:36 UTC 201813.1
patches/packages/glibc-zoneinfo-2018e-noarch-2_slack13.1.txz: Rebuilt. Handle removal of US/Pacific-New timezone. If we see that the machine is using this, it will be automatically switched to US/Pacific.
Diffstat (limited to 'patches/source/gnutls')
-rw-r--r--patches/source/gnutls/gnutls-2.8.6_CVE-2009-3555.diff7376
-rw-r--r--patches/source/gnutls/gnutls-2.8.6_CVE-2011-4128.diff36
-rw-r--r--patches/source/gnutls/gnutls-2.8.6_CVE-2012-1569.diff62
-rw-r--r--patches/source/gnutls/gnutls-2.8.6_CVE-2012-1573.diff39
-rw-r--r--patches/source/gnutls/gnutls-2.8.6_CVE-2013-1619_CVE-2013-2116.diff381
-rw-r--r--patches/source/gnutls/gnutls-2.8.6_CVE-2014-0092.diff108
-rw-r--r--patches/source/gnutls/gnutls-2.8.6_CVE-2014-3466.diff312
-rw-r--r--patches/source/gnutls/gnutls-2.8.6_CVE-2014-3467.diff45
-rw-r--r--patches/source/gnutls/gnutls-2.8.6_CVE-2014-3468.diff45
-rw-r--r--patches/source/gnutls/gnutls-2.8.6_CVE-2014-3469.diff122
-rw-r--r--patches/source/gnutls/gnutls-2.8.6_ipv6.diff51
-rw-r--r--patches/source/gnutls/gnutls-2.8.6_libgcrypt150-fix.diff162
-rwxr-xr-xpatches/source/gnutls/gnutls.SlackBuild145
-rw-r--r--patches/source/gnutls/slack-desc19
14 files changed, 8903 insertions, 0 deletions
diff --git a/patches/source/gnutls/gnutls-2.8.6_CVE-2009-3555.diff b/patches/source/gnutls/gnutls-2.8.6_CVE-2009-3555.diff
new file mode 100644
index 00000000..6fe44f26
--- /dev/null
+++ b/patches/source/gnutls/gnutls-2.8.6_CVE-2009-3555.diff
@@ -0,0 +1,7376 @@
+From b5063f2621d7d1c032259f921f9944e63b1e24eb Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@hush.com>
+Date: Sun, 29 Sep 2013
+Subject: CVE-2009-3555 [GNUTLS-SA-2009-5]
+
+Adds safe renegotiation patch from Steve Dispensa, modified by GnuTLS
+to conform with project style guidelines, error checking, and RFC 5746.
+
+This is a backport adaptation for use with GnuTLS 2.8.6.
+
+For background, read Marsh Ray & Steve Dispensa's 2009 paper:
+http://ww1.prweb.com/prfiles/2009/11/05/104435/RenegotiatingTLS.pdf
+
+Relevant upstream commits:
+--------------------------
+https://gitorious.org/gnutls/gnutls/commit/03249cd537c0b5
+https://gitorious.org/gnutls/gnutls/commit/1344b312402d3b
+https://gitorious.org/gnutls/gnutls/commit/15090a5f52a5f5
+https://gitorious.org/gnutls/gnutls/commit/17e65babe44763
+https://gitorious.org/gnutls/gnutls/commit/1875dca5e0f6d7
+https://gitorious.org/gnutls/gnutls/commit/1a338cbaaeec11
+https://gitorious.org/gnutls/gnutls/commit/1ac2d2d55d8411
+https://gitorious.org/gnutls/gnutls/commit/1ced4c4d68cf33
+https://gitorious.org/gnutls/gnutls/commit/1d6766cda39a57
+https://gitorious.org/gnutls/gnutls/commit/1e42526790e54d
+https://gitorious.org/gnutls/gnutls/commit/22553a5d48bcf0
+https://gitorious.org/gnutls/gnutls/commit/250e4ddf478910
+https://gitorious.org/gnutls/gnutls/commit/2d303d2076f53a
+https://gitorious.org/gnutls/gnutls/commit/30748a9bcbfb76
+https://gitorious.org/gnutls/gnutls/commit/36693266659a6d
+https://gitorious.org/gnutls/gnutls/commit/3deda2c2f0c2ac
+https://gitorious.org/gnutls/gnutls/commit/3ee73d04c2a503
+https://gitorious.org/gnutls/gnutls/commit/4ceabba9547dc3
+https://gitorious.org/gnutls/gnutls/commit/4e5d5518c6cb58
+https://gitorious.org/gnutls/gnutls/commit/4f31d28f160a59
+https://gitorious.org/gnutls/gnutls/commit/530fa2957535be
+https://gitorious.org/gnutls/gnutls/commit/555ddcdcf363ca
+https://gitorious.org/gnutls/gnutls/commit/58604f748d324c
+https://gitorious.org/gnutls/gnutls/commit/5cf6a95171b1a8
+https://gitorious.org/gnutls/gnutls/commit/5dfa0b28334e36
+https://gitorious.org/gnutls/gnutls/commit/5fc3704e32462f
+https://gitorious.org/gnutls/gnutls/commit/62e03fb4b0f307
+https://gitorious.org/gnutls/gnutls/commit/705aa8cd3da09a
+https://gitorious.org/gnutls/gnutls/commit/78149b946d3cff
+https://gitorious.org/gnutls/gnutls/commit/783bfc6415ca0a
+https://gitorious.org/gnutls/gnutls/commit/7b6ae740e8e8a4
+https://gitorious.org/gnutls/gnutls/commit/87ff666e310cfa
+https://gitorious.org/gnutls/gnutls/commit/8cb3fee16deb3f
+https://gitorious.org/gnutls/gnutls/commit/987076c0b8fce9
+https://gitorious.org/gnutls/gnutls/commit/a23f37448755d8
+https://gitorious.org/gnutls/gnutls/commit/a4d4458cf2ec08
+https://gitorious.org/gnutls/gnutls/commit/ae2540986ed382
+https://gitorious.org/gnutls/gnutls/commit/bbc7b93c9e1720
+https://gitorious.org/gnutls/gnutls/commit/bef37bc1f17c83
+https://gitorious.org/gnutls/gnutls/commit/bfe6ede9843c0c
+https://gitorious.org/gnutls/gnutls/commit/c1953c310b347b
+https://gitorious.org/gnutls/gnutls/commit/caab2fd62fdd32
+https://gitorious.org/gnutls/gnutls/commit/ce53777e3ad877
+https://gitorious.org/gnutls/gnutls/commit/d20cd80b62148c
+https://gitorious.org/gnutls/gnutls/commit/dc468cee92c5ae
+https://gitorious.org/gnutls/gnutls/commit/de9bc9b3dc1ec0
+https://gitorious.org/gnutls/gnutls/commit/dea2ff7150f00f
+https://gitorious.org/gnutls/gnutls/commit/df861cb8ae9728
+https://gitorious.org/gnutls/gnutls/commit/e543db08dc98d4
+https://gitorious.org/gnutls/gnutls/commit/ed8a5c018ea46d
+https://gitorious.org/gnutls/gnutls/commit/f623b9904535b8
+https://gitorious.org/gnutls/gnutls/commit/d4ea78c390dff6
+https://gitorious.org/gnutls/gnutls/commit/b2fca85c8fe5db
+https://gitorious.org/gnutls/gnutls/commit/100563a343b9e3
+https://gitorious.org/gnutls/gnutls/commit/67ff3f2cedabcf
+https://gitorious.org/gnutls/gnutls/commit/8a39da8c8eba54
+https://gitorious.org/gnutls/gnutls/commit/dc5a475674af59
+
+---
+ AUTHORS | 3
+ NEWS | 17
+ configure | 3
+ configure.ac | 1
+ doc/gnutls-api.texi | 14
+ doc/gnutls.texi | 94 +
+ doc/manpages/Makefile.in | 4
+ doc/manpages/gnutls-cli.1 | 9
+ doc/manpages/gnutls-serv.1 | 9
+ doc/manpages/gnutls_priority_init.3 | 15
+ doc/manpages/gnutls_safe_renegotiation_status.3 | 41
+ lib/Makefile.am | 4
+ lib/Makefile.in | 7
+ lib/ext_safe_renegotiation.c | 139 ++
+ lib/ext_safe_renegotiation.h | 33
+ lib/gnutls_alert.c | 6
+ lib/gnutls_algorithms.c | 7
+ lib/gnutls_algorithms.h | 3
+ lib/gnutls_constate.c | 15
+ lib/gnutls_errors.c | 6
+ lib/gnutls_extensions.c | 20
+ lib/gnutls_extensions.h | 4
+ lib/gnutls_handshake.c | 391 +++++--
+ lib/gnutls_int.h | 39
+ lib/gnutls_priority.c | 105 +
+ lib/gnutls_record.c | 12
+ lib/gnutls_state.c | 6
+ lib/includes/gnutls/gnutls.h.in | 10
+ lib/libgnutls.map | 6
+ src/cli-gaa.c | 19
+ src/cli-gaa.h | 1
+ src/cli.c | 25
+ src/cli.gaa | 5
+ src/serv.c | 59 -
+ src/tests.c | 513 ++-------
+ src/tests.h | 5
+ src/tls_test.c | 11
+ tests/Makefile.am | 2
+ tests/Makefile.in | 4
+ tests/resume.c | 22
+ tests/safe-renegotiation/Makefile.am | 37
+ tests/safe-renegotiation/Makefile.in | 1299 ++++++++++++++++++++++++
+ tests/safe-renegotiation/README | 93 +
+ tests/safe-renegotiation/params.dh | 35
+ tests/safe-renegotiation/srn0.c | 338 ++++++
+ tests/safe-renegotiation/srn1.c | 341 ++++++
+ tests/safe-renegotiation/srn2.c | 341 ++++++
+ tests/safe-renegotiation/srn3.c | 264 ++++
+ tests/safe-renegotiation/srn4.c | 263 ++++
+ tests/safe-renegotiation/srn5.c | 337 ++++++
+ tests/safe-renegotiation/srn6.c | 337 ++++++
+ tests/safe-renegotiation/srn7.c | 336 ++++++
+ tests/safe-renegotiation/testsrn | 103 +
+ tests/simple.c | 4
+ 54 files changed, 5330 insertions(+), 487 deletions(-)
+
+--- a/AUTHORS 2009-06-02
++++ b/AUTHORS 2013-09-26
+@@ -51,6 +51,9 @@ OpenPGP discussion and improvements.
+ David Marín Carreño <davefx@gmail.com>
+ Added gnutls_x509_crq_get_key_id.
+
++Steve Dispensa <dispensa@phonefactor.com>
++TLS safe renegotiation fix.
++
+ -----BEGIN PGP PUBLIC KEY BLOCK-----
+ URL: http://josefsson.org/key.txt (always latest version)
+ Comment: This 0xB565716F key is used to sign releases of GnuTLS.
+--- a/configure.ac 2009-11-06
++++ b/configure.ac 2013-09-26
+@@ -284,6 +284,7 @@ AC_CONFIG_FILES([
+ tests/pkcs8-decode/Makefile
+ tests/rsa-md5-collision/Makefile
+ tests/sha2/Makefile
++ tests/safe-renegotiation/Makefile
+ tests/userid/Makefile
+ ])
+ AC_OUTPUT
+--- a/configure 2010-03-15
++++ b/configure 2013-09-26
+@@ -28559,7 +28559,7 @@ subdirs="$subdirs libextra"
+
+ ac_config_files="$ac_config_files guile/pre-inst-guile"
+
+-ac_config_files="$ac_config_files Makefile doc/Makefile doc/credentials/Makefile doc/credentials/openpgp/Makefile doc/credentials/srp/Makefile doc/credentials/x509/Makefile doc/cyclo/Makefile doc/doxygen/Doxyfile doc/examples/Makefile doc/manpages/Makefile doc/reference/Makefile doc/scripts/Makefile gl/Makefile gl/tests/Makefile guile/Makefile guile/modules/Makefile guile/src/Makefile guile/tests/Makefile src/Makefile src/cfg/Makefile src/cfg/platon/Makefile src/cfg/platon/str/Makefile tests/Makefile tests/key-id/Makefile tests/openpgp-certs/Makefile tests/pathlen/Makefile tests/pkcs1-padding/Makefile tests/pkcs12-decode/Makefile tests/pkcs8-decode/Makefile tests/rsa-md5-collision/Makefile tests/sha2/Makefile tests/userid/Makefile"
++ac_config_files="$ac_config_files Makefile doc/Makefile doc/credentials/Makefile doc/credentials/openpgp/Makefile doc/credentials/srp/Makefile doc/credentials/x509/Makefile doc/cyclo/Makefile doc/doxygen/Doxyfile doc/examples/Makefile doc/manpages/Makefile doc/reference/Makefile doc/scripts/Makefile gl/Makefile gl/tests/Makefile guile/Makefile guile/modules/Makefile guile/src/Makefile guile/tests/Makefile src/Makefile src/cfg/Makefile src/cfg/platon/Makefile src/cfg/platon/str/Makefile tests/Makefile tests/key-id/Makefile tests/openpgp-certs/Makefile tests/safe-renegotiation/Makefile tests/pathlen/Makefile tests/pkcs1-padding/Makefile tests/pkcs12-decode/Makefile tests/pkcs8-decode/Makefile tests/rsa-md5-collision/Makefile tests/sha2/Makefile tests/userid/Makefile"
+
+ cat >confcache <<\_ACEOF
+ # This file is a shell script that caches the results of configure
+@@ -29782,6 +29782,7 @@ do
+ "tests/Makefile") CONFIG_FILES="$CONFIG_FILES tests/Makefile" ;;
+ "tests/key-id/Makefile") CONFIG_FILES="$CONFIG_FILES tests/key-id/Makefile" ;;
+ "tests/openpgp-certs/Makefile") CONFIG_FILES="$CONFIG_FILES tests/openpgp-certs/Makefile" ;;
++ "tests/safe-renegotiation/Makefile") CONFIG_FILES="$CONFIG_FILES tests/safe-renegotiation/Makefile" ;;
+ "tests/pathlen/Makefile") CONFIG_FILES="$CONFIG_FILES tests/pathlen/Makefile" ;;
+ "tests/pkcs1-padding/Makefile") CONFIG_FILES="$CONFIG_FILES tests/pkcs1-padding/Makefile" ;;
+ "tests/pkcs12-decode/Makefile") CONFIG_FILES="$CONFIG_FILES tests/pkcs12-decode/Makefile" ;;
+--- a/doc/gnutls-api.texi 2010-03-15
++++ b/doc/gnutls-api.texi 2013-09-26
+@@ -3307,6 +3307,20 @@ This function will initialize the tempor
+ @strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, or an negative error code.
+ @end deftypefun
+
++@subheading gnutls_safe_renegotiation_status
++@anchor{gnutls_safe_renegotiation_status}
++@deftypefun {int} {gnutls_safe_renegotiation_status} (gnutls_session_t @var{session})
++@var{session}: is a @code{gnutls_session_t} structure.
++
++Can be used to check whether safe renegotiation is being used
++in the current session.
++
++@strong{Returns:} 0 when safe renegotiation is not used and non zero when
++safe renegotiation is used.
++
++@strong{Since:} 2.10.0
++@end deftypefun
++
+ @subheading gnutls_server_name_get
+ @anchor{gnutls_server_name_get}
+ @deftypefun {int} {gnutls_server_name_get} (gnutls_session_t @var{session}, void * @var{data}, size_t * @var{data_length}, unsigned int * @var{type}, unsigned int @var{indx})
+--- a/doc/gnutls.texi 2009-06-02
++++ b/doc/gnutls.texi 2013-09-26
+@@ -565,6 +565,7 @@ also supports @acronym{X.509} and @acron
+ * Selecting cryptographic key sizes::
+ * On SSL 2 and older protocols::
+ * On Record Padding::
++* Safe Renegotiation::
+ @end menu
+
+ @node TLS layers
+@@ -1202,6 +1203,94 @@ here are some links:
+
+ @url{http://thread.gmane.org/gmane.ietf.tls/3079}
+
++@node Safe Renegotiation
++@section Safe Renegotiation
++@cindex renegotiation
++
++Some application protocols and implementations uses the TLS
++renegotiation feature in a manner that enables attackers to insert
++content of his choice in the beginning of a TLS session.
++
++One easy to understand vulnerability is HTTPS when servers request
++client certificates optionally for certain parts of a web site. The
++attack works by having the attacker simulate a client and connect to a
++server, with server-only authentication, and send some data intended
++to cause harm. When the proper client attempts to contact the server,
++the attacker hijacks that connection and uses the TLS renegotiation
++feature with the server and splices in the client connection to the
++already established connection between the attacker and server. The
++attacker will not be able to read the data exchanged between the
++client and the server. However, the server will (incorrectly) assume
++that the data sent by the attacker was sent by the now authenticated
++client. The result is a prefix plain-text injection attack.
++
++The above is just one example. Other vulnerabilities exists that do
++not rely on the TLS renegotiation to change the client's authenticated
++status (either TLS or application layer).
++
++While fixing these application protocols and implementations would be
++one natural reaction, an extension to TLS has been designed that
++cryptographically binds together any renegotiated handshakes with the
++initial negotiation. When the extension is used, the attack is
++detected and the session can be terminated. The extension is
++specified in @xcite{RFC5746}.
++
++GnuTLS supports the safe renegotiation extension. The default
++behavior is as follows. Clients will attempt to negotiate the safe
++renegotiation extension when talking to servers. Servers will accept
++the extension when presented by clients. Clients and servers will
++permit an initial handshake to complete even when the other side does
++not support the safe renegotiation extension. Clients and servers
++will refuse renegotiation attempts when the extension has not been
++negotiated.
++
++Note that permitting clients to connect to servers even when the safe
++renegotiation extension is not negotiated open up for some attacks.
++Changing this default behaviour would prevent interoperability against
++the majority of deployed servers out there. We will reconsider this
++default behaviour in the future when more servers have been upgraded.
++Note that it is easy to configure clients to always require the safe
++renegotiation extension from servers (see below on the
++%SAFE_RENEGOTIATION priority string).
++
++To modify the default behaviour, we have introduced some new priority
++strings. The priority strings can be used by applications
++(@pxref{gnutls_priority_set}) and end users (e.g., @code{--priority}
++parameter to @code{gnutls-cli} and @code{gnutls-serv}).
++
++The @code{%UNSAFE_RENEGOTIATION} priority string permits
++(re-)handshakes even when the safe renegotiation extension was not
++negotiated. The default behavior is @code{%PARTIAL_RENEGOTIATION} that will
++prevent renegotiation with clients and servers not supporting the
++extension. This is secure for servers but leaves clients vulnerable
++to some attacks, but this is a tradeoff between security and compatibility
++with old servers. The @code{%SAFE_RENEGOTIATION} priority string makes
++clients and servers require the extension for every handshake. The latter
++is the most secure option for clients, at the cost of not being able
++to connect to legacy servers. Servers will also deny clients that
++do not support the extension from connecting.
++
++It is possible to disable use of the extension completely, in both
++clients and servers, by using the @code{%DISABLE_SAFE_RENEGOTIATION}
++priority string however we strongly recommend you to only do this for
++debugging and test purposes.
++
++The default values if the flags above are not specified are:
++@table @code
++
++@item Server:
++%PARTIAL_RENEGOTIATION
++
++@item Client:
++%PARTIAL_RENEGOTIATION
++
++@end table
++
++For applications we have introduced a new API related to safe
++renegotiation. The @ref{gnutls_safe_renegotiation_status} function is
++used to check if the extension has been negotiated on a session, and
++can be used both by clients and servers.
++
+ @node Authentication methods
+ @chapter Authentication Methods
+
+@@ -4179,6 +4268,11 @@ Pasi Eronen and Hannes Tschofenig, "Pre-
+ TLS", December 2005, Available from
+ @url{http://www.ietf.org/rfc/rfc4279.txt}.
+
++@item @anchor{RFC5746}[RFC5746]
++E. Rescorla, M. Ray, S. Dispensa, and N. Oskov, "Transport Layer
++Security (TLS) Renegotiation Indication Extension", February 2010,
++available from @url{http://www.ietf.org/rfc/rfc5746}.
++
+ @item @anchor{TOMSRP}[TOMSRP]
+ Tom Wu, "The Stanford SRP Authentication Project", Available at
+ @url{http://srp.stanford.edu/}.
+--- a/doc/manpages/gnutls-cli.1 2009-06-02
++++ b/doc/manpages/gnutls-cli.1 2013-09-26
+@@ -75,6 +75,15 @@ Special keywords:
+ "%SSL3_RECORD_VERSION" force SSL3.0 record version in the first client
+ hello. This is to avoid buggy servers from terminating connection.
+ .IP
++"%UNSAFE_RENEGOTIATION" Permits (re-)handshakes even unsafe ones.
++.IP
++"%PARTIAL_RENEGOTIATION" Prevents renegotiation with clients and servers not
++supporting the safe renegotiation extension. (default)
++.IP
++"%SAFE_RENEGOTIATION" will enable safe renegotiation. This is the most
++secure and recommended option for clients. However this will prevent from
++connecting to legacy servers.
++.IP
+ To avoid collisions in order to specify a compression algorithm in
+ this string you have to prefix it with "COMP-", protocol versions
+ with "VERS-" and certificate types with "CTYPE-". All other
+--- a/doc/manpages/gnutls-serv.1 2009-06-02
++++ b/doc/manpages/gnutls-serv.1 2013-09-26
+@@ -75,6 +75,15 @@ Special keywords:
+ .IP
+ '%COMPAT' will enable compatibility features for a server.
+ .IP
++"%UNSAFE_RENEGOTIATION" Permits (re-)handshakes even unsafe ones.
++.IP
++"%PARTIAL_RENEGOTIATION" Prevents renegotiation with clients and servers not
++supporting the safe renegotiation extension. (default)
++.IP
++"%SAFE_RENEGOTIATION" will enable safe renegotiation. This is the most
++secure and recommended option for clients. However this will prevent from
++connecting to legacy servers.
++.IP
+ To avoid collisions in order to specify a compression algorithm in
+ this string you have to prefix it with "COMP-", protocol versions
+ with "VERS-" and certificate types with "CTYPE-". All other
+--- a/doc/manpages/gnutls_priority_init.3 2010-03-15
++++ b/doc/manpages/gnutls_priority_init.3 2013-09-26
+@@ -67,6 +67,21 @@ compression methods.
+
+ "%COMPAT" will enable compatibility features for a server.
+
++"%UNSAFE_RENEGOTIATION" will allow unsafe renegotiation (this is now
++the default for clients, but will change once more servers support the safe renegotiation
++TLS fix).
++
++"%SAFE_RENEGOTIATION" will allow safe renegotiation only (this is the
++default for servers \- that will reject clients trying to perform an
++unsafe renegotiation).
++
++"%INITIAL_SAFE_RENEGOTIATION" will force initial safe negotiation even if
++renegotiation wasn't requested. Only valid for server side and implies
++"%SAFE_RENEGOTIATION".
++
++"%DISABLE_SAFE_RENEGOTIATION" will disable safe renegotiation completely. Do not use
++unless you know what you are doing. Testing purposes only.
++
+ "%SSL3_RECORD_VERSION" will use SSL3.0 record version in client hello.
+
+ "%VERIFY_ALLOW_SIGN_RSA_MD5" will allow RSA\-MD5 signatures in
+--- /dev/null 2013-09-26
++++ b/doc/manpages/gnutls_safe_renegotiation_status.3 2013-09-26
+@@ -0,0 +1,41 @@
++.\" DO NOT MODIFY THIS FILE! It was generated by gdoc.
++.TH "gnutls_safe_renegotiation_status" 3 "2.9.11" "gnutls" "gnutls"
++.SH NAME
++gnutls_safe_renegotiation_status \- API function
++.SH SYNOPSIS
++.B #include <gnutls/gnutls.h>
++.sp
++.BI "int gnutls_safe_renegotiation_status(gnutls_session_t " session ");"
++.SH ARGUMENTS
++.IP "gnutls_session_t session" 12
++is a \fBgnutls_session_t\fP structure.
++.SH "DESCRIPTION"
++Can be used to check whether safe renegotiation is being used
++in the current session.
++.SH "RETURNS"
++0 when safe renegotiation is not used and non zero when
++safe renegotiation is used.
++.SH "SINCE"
++2.10.0
++.SH "REPORTING BUGS"
++Report bugs to <bug-gnutls@gnu.org>.
++GnuTLS home page: http://www.gnu.org/software/gnutls/
++General help using GNU software: http://www.gnu.org/gethelp/
++.SH COPYRIGHT
++Copyright \(co 2008 Free Software Foundation.
++.br
++Copying and distribution of this file, with or without modification,
++are permitted in any medium without royalty provided the copyright
++notice and this notice are preserved.
++.SH "SEE ALSO"
++The full documentation for
++.B gnutls
++is maintained as a Texinfo manual. If the
++.B info
++and
++.B gnutls
++programs are properly installed at your site, the command
++.IP
++.B info gnutls
++.PP
++should give you access to the complete manual.
+--- a/doc/manpages/Makefile.in 2010-03-15
++++ b/doc/manpages/Makefile.in 2013-09-26
+@@ -525,7 +525,6 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+ PACKAGE_NAME = @PACKAGE_NAME@
+ PACKAGE_STRING = @PACKAGE_STRING@
+ PACKAGE_TARNAME = @PACKAGE_TARNAME@
+-PACKAGE_URL = @PACKAGE_URL@
+ PACKAGE_VERSION = @PACKAGE_VERSION@
+ PATH_SEPARATOR = @PATH_SEPARATOR@
+ PKG_CONFIG = @PKG_CONFIG@
+@@ -684,7 +683,8 @@ APIMANS = gnutls_crypto_single_cipher_re
+ gnutls_crypto_bigint_register2.3 gnutls_crypto_pk_register2.3 \
+ gnutls_crypto_cipher_register2.3 gnutls_crypto_mac_register2.3 \
+ gnutls_crypto_digest_register2.3 gnutls_oprfi_enable_client.3 \
+- gnutls_oprfi_enable_server.3 gnutls_server_name_get.3 \
++ gnutls_oprfi_enable_server.3 \
++ gnutls_safe_renegotiation_status.3 gnutls_server_name_get.3 \
+ gnutls_server_name_set.3 gnutls_alert_get_name.3 \
+ gnutls_alert_send.3 gnutls_error_to_alert.3 \
+ gnutls_alert_send_appropriate.3 gnutls_alert_get.3 \
+--- /dev/null 2013-09-26
++++ b/lib/ext_safe_renegotiation.c 2013-09-26
+@@ -0,0 +1,139 @@
++/*
++ * Copyright (C) 2009 Free Software Foundation
++ *
++ * Author: Steve Dispensa (<dispensa@phonefactor.com>)
++ *
++ * This file is part of GNUTLS.
++ *
++ * The GNUTLS library is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU Lesser General Public License
++ * as published by the Free Software Foundation; either version 2.1 of
++ * the License, or (at your option) any later version.
++ *
++ * This library is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this library; if not, write to the Free Software
++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
++ * USA
++ *
++ */
++
++#include <gnutls_int.h>
++#include <ext_safe_renegotiation.h>
++#include <gnutls_errors.h>
++
++int
++_gnutls_safe_renegotiation_recv_params (gnutls_session_t session,
++ const opaque * data, size_t _data_size)
++{
++ tls_ext_st *ext = &session->security_parameters.extensions;
++ int len = data[0];
++ ssize_t data_size = _data_size;
++
++ DECR_LEN (data_size, len+1 /* count the first byte and payload */);
++
++ if (session->internals.priorities.safe_renegotiation == SR_DISABLED)
++ {
++ gnutls_assert ();
++ return 0;
++ }
++
++ /* It is not legal to receive this extension on a renegotiation and
++ * not receive it on the initial negotiation.
++ */
++ if (session->internals.initial_negotiation_completed != 0 &&
++ session->internals.connection_using_safe_renegotiation == 0)
++ {
++ gnutls_assert();
++ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;
++ }
++
++ if (len > sizeof (ext->ri_extension_data))
++ {
++ gnutls_assert();
++ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;
++ }
++
++ if (len > 0)
++ memcpy (ext->ri_extension_data, &data[1], len);
++ ext->ri_extension_data_len = len;
++
++ /* "safe renegotiation received" means on *this* handshake; "connection using
++ * safe renegotiation" means that the initial hello received on the connection
++ * indicated safe renegotiation.
++ */
++ session->internals.safe_renegotiation_received = 1;
++ session->internals.connection_using_safe_renegotiation = 1;
++
++ return 0;
++}
++
++int
++_gnutls_safe_renegotiation_send_params (gnutls_session_t session,
++ opaque * data, size_t _data_size)
++{
++ /* The format of this extension is a one-byte length of verify data followed
++ * by the verify data itself. Note that the length byte does not include
++ * itself; IOW, empty verify data is represented as a length of 0. That means
++ * the minimum extension is one byte: 0x00.
++ */
++ ssize_t data_size = _data_size;
++ tls_ext_st *ext = &session->security_parameters.extensions;
++
++
++ if (session->internals.priorities.safe_renegotiation == SR_DISABLED)
++ {
++ gnutls_assert();
++ return 0;
++ }
++
++ data[0] = 0;
++
++ /* Always offer the extension if we're a client */
++ if (session->internals.connection_using_safe_renegotiation ||
++ session->security_parameters.entity == GNUTLS_CLIENT)
++ {
++ DECR_LEN (data_size, 1);
++ data[0] = ext->client_verify_data_len;
++
++ DECR_LEN (data_size, ext->client_verify_data_len);
++
++ if (ext->client_verify_data_len > 0)
++ memcpy(&data[1],
++ ext->client_verify_data,
++ ext->client_verify_data_len);
++
++ if (session->security_parameters.entity == GNUTLS_SERVER)
++ {
++ data[0] += ext->server_verify_data_len;
++
++ DECR_LEN (data_size, ext->server_verify_data_len);
++
++ if (ext->server_verify_data_len > 0)
++ memcpy(&data[1 + ext->client_verify_data_len],
++ ext->server_verify_data,
++ ext->server_verify_data_len);
++ }
++ }
++ else
++ return 0;
++
++ return 1 + data[0]; /* don't forget the length byte */
++}
++
++/**
++ * gnutls_safe_renegotiation_status:
++ * @session: is a #gnutls_session_t structure.
++ *
++ * Can be used to check whether safe renegotiation is being used
++ * in the current session. Returns 0 when not and non zero when
++ * used.
++ **/
++int gnutls_safe_renegotiation_status (gnutls_session_t session)
++{
++ return session->internals.connection_using_safe_renegotiation;
++}
+--- /dev/null 2013-09-26
++++ b/lib/ext_safe_renegotiation.h 2013-09-26
+@@ -0,0 +1,33 @@
++/*
++ * Copyright (C) 2009 Free Software Foundation
++ *
++ * Author: Steve Dispensa (<dispensa@phonefactor.com>)
++ *
++ * This file is part of GNUTLS.
++ *
++ * The GNUTLS library is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU Lesser General Public License
++ * as published by the Free Software Foundation; either version 2.1 of
++ * the License, or (at your option) any later version.
++ *
++ * This library is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this library; if not, write to the Free Software
++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
++ * USA
++ *
++ */
++
++#ifndef EXT_SAFE_RENEGOTIATION_H
++# define EXT_SAFE_RENEGOTIATION_H
++
++int _gnutls_safe_renegotiation_recv_params (gnutls_session_t state,
++ const opaque * data, size_t data_size);
++int _gnutls_safe_renegotiation_send_params (gnutls_session_t state,
++ opaque * data, size_t);
++
++#endif /* EXT_SAFE_RENEGOTIATION_H */
+--- a/lib/gnutls_alert.c 2009-06-02
++++ b/lib/gnutls_alert.c 2013-09-26
+@@ -180,6 +180,10 @@ gnutls_error_to_alert (int err, int *lev
+ ret = GNUTLS_A_ILLEGAL_PARAMETER;
+ _level = GNUTLS_AL_FATAL;
+ break;
++ case GNUTLS_E_UNKNOWN_SRP_USERNAME:
++ ret = GNUTLS_A_UNKNOWN_PSK_IDENTITY;
++ _level = GNUTLS_AL_FATAL;
++ break;
+ case GNUTLS_E_ASN1_ELEMENT_NOT_FOUND:
+ case GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND:
+ case GNUTLS_E_ASN1_DER_ERROR:
+@@ -199,6 +203,7 @@ gnutls_error_to_alert (int err, int *lev
+ case GNUTLS_E_INSUFFICIENT_CREDENTIALS:
+ case GNUTLS_E_NO_CIPHER_SUITES:
+ case GNUTLS_E_NO_COMPRESSION_ALGORITHMS:
++ case GNUTLS_E_SAFE_RENEGOTIATION_FAILED:
+ ret = GNUTLS_A_HANDSHAKE_FAILURE;
+ _level = GNUTLS_AL_FATAL;
+ break;
+@@ -212,6 +217,7 @@ gnutls_error_to_alert (int err, int *lev
+ _level = GNUTLS_AL_FATAL;
+ break;
+ case GNUTLS_E_REHANDSHAKE:
++ case GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED:
+ ret = GNUTLS_A_NO_RENEGOTIATION;
+ _level = GNUTLS_AL_WARNING;
+ break;
+--- a/lib/gnutls_algorithms.c 2009-08-12
++++ b/lib/gnutls_algorithms.c 2013-09-26
+@@ -457,6 +457,10 @@ typedef struct
+ #define GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 { 0x00,0x88 }
+ #endif
+
++/* Safe renegotiation */
++
++#define GNUTLS_RENEGO_PROTECTION_REQUEST { GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR, GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR }
++
+ #define CIPHER_SUITES_COUNT sizeof(cs_algorithms)/sizeof(gnutls_cipher_suite_entry)-1
+
+ static const gnutls_cipher_suite_entry cs_algorithms[] = {
+@@ -624,6 +628,9 @@ static const gnutls_cipher_suite_entry c
+ GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_RSA,
+ GNUTLS_MAC_SHA1, GNUTLS_TLS1),
+ #endif
++ GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_RENEGO_PROTECTION_REQUEST,
++ GNUTLS_CIPHER_UNKNOWN, GNUTLS_KX_UNKNOWN,
++ GNUTLS_MAC_UNKNOWN, GNUTLS_SSL3),
+ {0, {{0, 0}}, 0, 0, 0, 0}
+ };
+
+--- a/lib/gnutls_algorithms.h 2009-06-02
++++ b/lib/gnutls_algorithms.h 2013-09-26
+@@ -27,6 +27,9 @@
+
+ #include "gnutls_auth.h"
+
++#define GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR 0x00
++#define GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR 0xFF
++
+ /* Functions for version handling. */
+ gnutls_protocol_t _gnutls_version_lowest (gnutls_session_t session);
+ gnutls_protocol_t _gnutls_version_max (gnutls_session_t session);
+--- a/lib/gnutls_constate.c 2009-11-06
++++ b/lib/gnutls_constate.c 2013-09-26
+@@ -380,6 +380,17 @@ _gnutls_set_write_keys (gnutls_session_t
+ export_flag);
+ }
+
++#define CPY_EXTENSIONS \
++ memcpy(dst->extensions.server_names, src->extensions.server_names, sizeof(src->extensions.server_names)); \
++ dst->extensions.server_names_size = src->extensions.server_names_size; \
++ memcpy(dst->extensions.srp_username, src->extensions.srp_username, sizeof(src->extensions.srp_username)); \
++ dst->extensions.gnutls_ia_enable = src->extensions.gnutls_ia_enable; \
++ dst->extensions.gnutls_ia_peer_enable = src->extensions.gnutls_ia_peer_enable; \
++ dst->extensions.gnutls_ia_allowskip = src->extensions.gnutls_ia_allowskip; \
++ dst->extensions.gnutls_ia_peer_allowskip = src->extensions.gnutls_ia_peer_allowskip; \
++ dst->extensions.do_recv_supplemental = src->extensions.do_recv_supplemental; \
++ dst->extensions.do_send_supplemental = src->extensions.do_send_supplemental
++
+ #define CPY_COMMON dst->entity = src->entity; \
+ dst->kx_algorithm = src->kx_algorithm; \
+ memcpy( &dst->current_cipher_suite, &src->current_cipher_suite, sizeof(cipher_suite_st)); \
+@@ -393,8 +404,8 @@ _gnutls_set_write_keys (gnutls_session_t
+ dst->max_record_recv_size = src->max_record_recv_size; \
+ dst->max_record_send_size = src->max_record_send_size; \
+ dst->version = src->version; \
+- memcpy( &dst->extensions, &src->extensions, sizeof(tls_ext_st)); \
+- memcpy( &dst->inner_secret, &src->inner_secret, GNUTLS_MASTER_SIZE);
++ CPY_EXTENSIONS; \
++ memcpy( &dst->inner_secret, &src->inner_secret, GNUTLS_MASTER_SIZE)
+
+ static void
+ _gnutls_cpy_read_security_parameters (security_parameters_st *
+--- a/lib/gnutls_errors.c 2009-06-02
++++ b/lib/gnutls_errors.c 2013-09-26
+@@ -220,9 +220,15 @@ static const gnutls_error_entry error_al
+ GNUTLS_E_OPENPGP_GETKEY_FAILED, 1),
+ ERROR_ENTRY (N_("Could not find OpenPGP subkey."),
+ GNUTLS_E_OPENPGP_SUBKEY_ERROR, 1),
++ ERROR_ENTRY (N_("Safe renegotiation failed."),
++ GNUTLS_E_SAFE_RENEGOTIATION_FAILED, 1),
++ ERROR_ENTRY (N_("Unsafe renegotiation denied."),
++ GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED, 1),
+
+ ERROR_ENTRY (N_("The SRP username supplied is illegal."),
+ GNUTLS_E_ILLEGAL_SRP_USERNAME, 1),
++ ERROR_ENTRY (N_("The SRP username supplied is unknown."),
++ GNUTLS_E_UNKNOWN_SRP_USERNAME, 1),
+
+ ERROR_ENTRY (N_("The OpenPGP fingerprint is not supported."),
+ GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED, 1),
+--- a/lib/gnutls_extensions.c 2009-06-08
++++ b/lib/gnutls_extensions.c 2013-09-26
+@@ -35,6 +35,7 @@
+ #include <ext_server_name.h>
+ #include <ext_oprfi.h>
+ #include <ext_srp.h>
++#include <ext_safe_renegotiation.h>
+ #include <gnutls_num.h>
+
+ typedef struct
+@@ -133,7 +134,7 @@ _gnutls_parse_extensions (gnutls_session
+ type = _gnutls_read_uint16 (&data[pos]);
+ pos += 2;
+
+- _gnutls_debug_log ("EXT[%p]: Received extension '%s/%d'\n", session,
++ _gnutls_debug_log ("EXT[%p]: Found extension '%s/%d'\n", session,
+ _gnutls_extension_get_name (type), type);
+
+ if ((ret = _gnutls_extension_list_check (session, type)) < 0)
+@@ -153,6 +154,8 @@ _gnutls_parse_extensions (gnutls_session
+ ext_recv = _gnutls_ext_func_recv (type, parse_type);
+ if (ext_recv == NULL)
+ continue;
++
++
+ if ((ret = ext_recv (session, sdata, size)) < 0)
+ {
+ gnutls_assert ();
+@@ -170,7 +173,7 @@ _gnutls_parse_extensions (gnutls_session
+ * This list is used to check whether the (later) received
+ * extensions are the ones we requested.
+ */
+-static void
++void
+ _gnutls_extension_list_add (gnutls_session_t session, uint16_t type)
+ {
+
+@@ -192,7 +195,7 @@ _gnutls_extension_list_add (gnutls_sessi
+
+ int
+ _gnutls_gen_extensions (gnutls_session_t session, opaque * data,
+- size_t data_size)
++ size_t data_size, gnutls_ext_parse_type_t parse_type)
+ {
+ int size;
+ uint16_t pos = 0;
+@@ -223,6 +226,9 @@ _gnutls_gen_extensions (gnutls_session_t
+
+ if (p->send_func == NULL)
+ continue;
++
++ if (parse_type != GNUTLS_EXT_ANY && p->parse_type != parse_type)
++ continue;
+
+ size = p->send_func (session, sdata, sdata_size);
+ if (size > 0)
+@@ -304,6 +310,14 @@ _gnutls_ext_init (void)
+ if (ret != GNUTLS_E_SUCCESS)
+ return ret;
+
++ ret = gnutls_ext_register (GNUTLS_EXTENSION_SAFE_RENEGOTIATION,
++ "SAFE_RENEGOTIATION",
++ GNUTLS_EXT_MANDATORY,
++ _gnutls_safe_renegotiation_recv_params,
++ _gnutls_safe_renegotiation_send_params);
++ if (ret != GNUTLS_E_SUCCESS)
++ return ret;
++
+ #ifdef ENABLE_OPRFI
+ ret = gnutls_ext_register (GNUTLS_EXTENSION_OPAQUE_PRF_INPUT,
+ "OPAQUE_PRF_INPUT",
+--- a/lib/gnutls_extensions.h 2009-06-02
++++ b/lib/gnutls_extensions.h 2013-09-26
+@@ -26,6 +26,8 @@ int _gnutls_parse_extensions (gnutls_ses
+ gnutls_ext_parse_type_t parse_type,
+ const opaque *data, int data_size);
+ int _gnutls_gen_extensions (gnutls_session_t session, opaque * data,
+- size_t data_size);
++ size_t data_size, gnutls_ext_parse_type_t);
+ int _gnutls_ext_init (void);
+ void _gnutls_ext_deinit (void);
++
++void _gnutls_extension_list_add (gnutls_session_t session, uint16_t type);
+--- a/lib/gnutls_handshake.c 2009-11-02
++++ b/lib/gnutls_handshake.c 2013-09-26
+@@ -48,6 +48,7 @@
+ #include <gnutls_record.h>
+ #include <gnutls_state.h>
+ #include <ext_srp.h>
++#include <ext_safe_renegotiation.h>
+ #include <gnutls_rsa_export.h> /* for gnutls_get_rsa_params() */
+ #include <auth_anon.h> /* for gnutls_anon_server_credentials_t */
+ #include <auth_psk.h> /* for gnutls_psk_server_credentials_t */
+@@ -119,6 +120,7 @@ resume_copy_required_values (gnutls_sess
+ sizeof (session->security_parameters.session_id));
+ session->security_parameters.session_id_size =
+ session->internals.resumed_security_parameters.session_id_size;
++
+ }
+
+ void
+@@ -404,8 +406,36 @@ _gnutls_read_client_hello (gnutls_sessio
+
+ if (ret == 0)
+ { /* resumed! */
++ /* Parse only the safe renegotiation extension
++ * We don't want to parse any other extensions since
++ * we don't want new extension values to overwrite the
++ * resumed ones.
++ */
++
++ /* move forward to extensions */
++ DECR_LEN (len, 2);
++ suite_size = _gnutls_read_uint16 (&data[pos]);
++ pos += 2;
++
++ DECR_LEN (len, suite_size);
++ pos += suite_size;
++
++ DECR_LEN (len, 1);
++ comp_size = data[pos++]; /* z is the number of compression methods */
++ DECR_LEN (len, comp_size);
++ pos += comp_size;
++
++ ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY,
++ &data[pos], len);
++ if (ret < 0)
++ {
++ gnutls_assert ();
++ return ret;
++ }
++
+ resume_copy_required_values (session);
+ session->internals.resumed = RESUME_TRUE;
++
+ return _gnutls_user_hello_func (session, adv_version);
+ }
+ else
+@@ -437,17 +467,17 @@ _gnutls_read_client_hello (gnutls_sessio
+ pos += comp_size;
+
+ /* Parse the extensions (if any)
+- */
+- if (neg_version >= GNUTLS_TLS1)
++ *
++ * Unconditionally try to parse extensions; safe renegotiation uses them in
++ * sslv3 and higher, even though sslv3 doesn't officially support them.
++ */
++ ret = _gnutls_parse_extensions (session, GNUTLS_EXT_APPLICATION,
++ &data[pos], len);
++ /* len is the rest of the parsed length */
++ if (ret < 0)
+ {
+- ret = _gnutls_parse_extensions (session, GNUTLS_EXT_APPLICATION,
+- &data[pos], len);
+- /* len is the rest of the parsed length */
+- if (ret < 0)
+- {
+- gnutls_assert ();
+- return ret;
+- }
++ gnutls_assert ();
++ return ret;
+ }
+
+ ret = _gnutls_user_hello_func (session, adv_version);
+@@ -457,16 +487,20 @@ _gnutls_read_client_hello (gnutls_sessio
+ return ret;
+ }
+
+- if (neg_version >= GNUTLS_TLS1)
++ ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY,
++ &data[pos], len);
++ if (ret < 0)
+ {
+- ret = _gnutls_parse_extensions (session, GNUTLS_EXT_TLS,
+- &data[pos], len);
+- /* len is the rest of the parsed length */
+- if (ret < 0)
+- {
+- gnutls_assert ();
+- return ret;
+- }
++ gnutls_assert ();
++ return ret;
++ }
++
++ ret = _gnutls_parse_extensions (session, GNUTLS_EXT_TLS,
++ &data[pos], len);
++ if (ret < 0)
++ {
++ gnutls_assert ();
++ return ret;
+ }
+
+ /* select an appropriate cipher suite
+@@ -531,7 +565,7 @@ _gnutls_handshake_hash_pending (gnutls_s
+ static int
+ _gnutls_send_finished (gnutls_session_t session, int again)
+ {
+- uint8_t data[36];
++ uint8_t data[MAX_VERIFY_DATA_SIZE];
+ int ret;
+ int data_size = 0;
+
+@@ -556,7 +590,7 @@ _gnutls_send_finished (gnutls_session_t
+ data_size = 36;
+ }
+ else
+- { /* TLS 1.0 */
++ { /* TLS 1.0+ */
+ ret = _gnutls_finished (session,
+ session->security_parameters.entity, data);
+ data_size = 12;
+@@ -572,6 +606,31 @@ _gnutls_send_finished (gnutls_session_t
+ session->internals.finished_func (session, data, data_size);
+ }
+
++ /* Save data for safe renegotiation.
++ */
++ if (data_size > MAX_VERIFY_DATA_SIZE)
++ {
++ gnutls_assert ();
++ return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
++ }
++
++ if (session->security_parameters.entity == GNUTLS_CLIENT)
++ {
++ session->security_parameters.extensions.client_verify_data_len =
++ data_size;
++
++ memcpy (session->security_parameters.extensions.client_verify_data,
++ data, data_size);
++ }
++ else
++ {
++ session->security_parameters.extensions.server_verify_data_len =
++ data_size;
++
++ memcpy (session->security_parameters.extensions.server_verify_data,
++ data, data_size);
++ }
++
+ ret =
+ _gnutls_send_handshake (session, data_size ? data : NULL, data_size,
+ GNUTLS_HANDSHAKE_FINISHED);
+@@ -585,10 +644,11 @@ _gnutls_send_finished (gnutls_session_t
+ static int
+ _gnutls_recv_finished (gnutls_session_t session)
+ {
+- uint8_t data[36], *vrfy;
++ uint8_t data[MAX_VERIFY_DATA_SIZE], *vrfy;
+ int data_size;
+ int ret;
+ int vrfysize;
++ tls_ext_st *ext;
+
+ ret =
+ _gnutls_recv_handshake (session, &vrfy, &vrfysize,
+@@ -640,13 +700,38 @@ _gnutls_recv_finished (gnutls_session_t
+ }
+
+ if (memcmp (vrfy, data, data_size) != 0)
++ ret = memcmp (vrfy, data, data_size);
++ gnutls_free (vrfy);
++
++ if (ret != 0)
+ {
+ gnutls_assert ();
+- ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET;
++ return GNUTLS_E_ERROR_IN_FINISHED_PACKET;
+ }
+- gnutls_free (vrfy);
+
+- return ret;
++ /* Save peer's verify data for safe renegotiation */
++ if (data_size > MAX_VERIFY_DATA_SIZE)
++ {
++ gnutls_assert ();
++ return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
++ }
++
++ ext = &session->security_parameters.extensions;
++
++ if (session->security_parameters.entity == GNUTLS_CLIENT)
++ {
++ memcpy (ext->server_verify_data, data, data_size);
++ ext->server_verify_data_len = data_size;
++ }
++ else
++ {
++ memcpy (ext->client_verify_data, data, data_size);
++ ext->client_verify_data_len = data_size;
++ }
++
++ session->internals.initial_negotiation_completed = 1;
++
++ return 0;
+ }
+
+ /* returns PK_RSA if the given cipher suite list only supports,
+@@ -685,7 +770,6 @@ _gnutls_server_find_pk_algos_in_ciphersu
+ return algo;
+ }
+
+-
+ /* This selects the best supported ciphersuite from the given ones. Then
+ * it adds the suite to the session and performs some checks.
+ */
+@@ -700,11 +784,31 @@ _gnutls_server_select_suite (gnutls_sess
+ * supported by the peer.
+ */
+
++ /* First, check for safe renegotiation SCSV.
++ */
++ if (session->internals.priorities.safe_renegotiation != SR_DISABLED)
++ {
++ int offset;
++
++ for(offset = 0; offset < datalen; offset += 2)
++ {
++ /* TLS_RENEGO_PROTECTION_REQUEST = { 0x00, 0xff } */
++ if (data[offset] == GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR &&
++ data[offset+1] == GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR)
++ {
++ _gnutls_handshake_log ("HSK[%p]: Received safe renegotiation CS\n", session);
++ session->internals.safe_renegotiation_received = 1;
++ session->internals.connection_using_safe_renegotiation = 1;
++ break;
++ }
++ }
++ }
++
+ pk_algo = _gnutls_server_find_pk_algos_in_ciphersuites (data, datalen);
+
+ x = _gnutls_supported_ciphersuites (session, &ciphers);
+ if (x < 0)
+- { /* the case x==0 is handled within the function. */
++ { /* the case x==0 is handled within the function. */
+ gnutls_assert ();
+ return x;
+ }
+@@ -752,21 +856,21 @@ _gnutls_server_select_suite (gnutls_sess
+
+ for (j = 0; j < datalen; j += 2)
+ {
+- for (i = 0; i < x; i++)
+- {
+- if (memcmp (ciphers[i].suite, &data[j], 2) == 0)
+- {
+- memcpy (&cs.suite, &data[j], 2);
+-
+- _gnutls_handshake_log
+- ("HSK[%p]: Selected cipher suite: %s\n", session,
+- _gnutls_cipher_suite_get_name (&cs));
+- memcpy (session->security_parameters.current_cipher_suite.suite,
+- ciphers[i].suite, 2);
+- retval = 0;
+- goto finish;
+- }
+- }
++ for (i = 0; i < x; i++)
++ {
++ if (memcmp (ciphers[i].suite, &data[j], 2) == 0)
++ {
++ memcpy (&cs.suite, &data[j], 2);
++
++ _gnutls_handshake_log
++ ("HSK[%p]: Selected cipher suite: %s\n", session,
++ _gnutls_cipher_suite_get_name (&cs));
++ memcpy (session->security_parameters.current_cipher_suite.suite,
++ ciphers[i].suite, 2);
++ retval = 0;
++ goto finish;
++ }
++ }
+ }
+
+ finish:
+@@ -960,7 +1064,7 @@ _gnutls_send_handshake (gnutls_session_t
+ if (i_datasize > 0)
+ memcpy (&data[pos], i_data, i_datasize);
+
+- _gnutls_handshake_log ("HSK[%p]: %s was send [%ld bytes]\n",
++ _gnutls_handshake_log ("HSK[%p]: %s was sent [%ld bytes]\n",
+ session, _gnutls_handshake2str (type),
+ (long) datasize);
+
+@@ -1042,7 +1146,6 @@ _gnutls_recv_handshake_header (gnutls_se
+
+ if (ret < 0)
+ {
+- gnutls_assert ();
+ return ret;
+ }
+
+@@ -1525,15 +1628,26 @@ _gnutls_read_server_hello (gnutls_sessio
+ }
+ DECR_LEN (len, session_id_len);
+
+-
+ /* check if we are resuming and set the appropriate
+ * values;
+ */
+ if (_gnutls_client_check_if_resuming
+ (session, &data[pos], session_id_len) == 0)
+- return 0;
+- pos += session_id_len;
++ {
++ pos += session_id_len + 2 + 1;
++ DECR_LEN (len, 2+1);
++
++ ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY,
++ &data[pos], len);
++ if (ret < 0)
++ {
++ gnutls_assert ();
++ return ret;
++ }
++ return 0;
++ }
+
++ pos += session_id_len;
+
+ /* Check if the given cipher suite is supported and copy
+ * it to the session.
+@@ -1548,8 +1662,6 @@ _gnutls_read_server_hello (gnutls_sessio
+ }
+ pos += 2;
+
+-
+-
+ /* move to compression
+ */
+ DECR_LEN (len, 1);
+@@ -1563,32 +1675,32 @@ _gnutls_read_server_hello (gnutls_sessio
+
+ /* Parse extensions.
+ */
+- if (version >= GNUTLS_TLS1)
++ ret = _gnutls_parse_extensions (session, GNUTLS_EXT_ANY,
++ &data[pos], len);
++ if (ret < 0)
+ {
+- ret = _gnutls_parse_extensions (session, GNUTLS_EXT_ANY,
+- &data[pos], len);
+- /* len is the rest of the parsed length */
+- if (ret < 0)
+- {
+- gnutls_assert ();
+- return ret;
+- }
++ gnutls_assert ();
++ return ret;
+ }
++
+ return ret;
+ }
+
+
+ /* This function copies the appropriate ciphersuites to a locally allocated buffer
+- * Needed in client hello messages. Returns the new data length.
++ * Needed in client hello messages. Returns the new data length. If add_scsv is
++ * true, add the special safe renegotiation CS.
+ */
+ static int
+ _gnutls_copy_ciphersuites (gnutls_session_t session,
+- opaque * ret_data, size_t ret_data_size)
++ opaque * ret_data, size_t ret_data_size,
++ int add_scsv)
+ {
+ int ret, i;
+ cipher_suite_st *cipher_suites;
+ uint16_t cipher_num;
+ int datalen, pos;
++ uint16_t loop_max;
+
+ ret = _gnutls_supported_ciphersuites_sorted (session, &cipher_suites);
+ if (ret < 0)
+@@ -1619,6 +1731,9 @@ _gnutls_copy_ciphersuites (gnutls_sessio
+ return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
+ }
+
++ if (add_scsv)
++ ++ret;
++
+ cipher_num = ret;
+
+ cipher_num *= sizeof (uint16_t); /* in order to get bytes */
+@@ -1636,11 +1751,21 @@ _gnutls_copy_ciphersuites (gnutls_sessio
+ _gnutls_write_uint16 (cipher_num, ret_data);
+ pos += 2;
+
+- for (i = 0; i < (cipher_num / 2); i++)
++ loop_max = add_scsv ? cipher_num - 2 : cipher_num;
++
++ for (i = 0; i < (loop_max / 2); i++)
+ {
+ memcpy (&ret_data[pos], cipher_suites[i].suite, 2);
+ pos += 2;
+ }
++
++ if (add_scsv)
++ {
++ /* Safe renegotiation signalling CS value is { 0x00, 0xff } */
++ ret_data[pos++] = 0x00;
++ ret_data[pos++] = 0xff;
++ }
++
+ gnutls_free (cipher_suites);
+
+ return datalen;
+@@ -1700,7 +1825,7 @@ _gnutls_send_client_hello (gnutls_sessio
+ {
+ opaque *data = NULL;
+ int extdatalen;
+- int pos = 0;
++ int pos = 0, type;
+ int datalen = 0, ret = 0;
+ opaque rnd[GNUTLS_RANDOM_SIZE];
+ gnutls_protocol_t hver;
+@@ -1807,9 +1932,21 @@ _gnutls_send_client_hello (gnutls_sessio
+
+
+ /* Copy the ciphersuites.
++ *
++ * If using SSLv3 Send TLS_RENEGO_PROTECTION_REQUEST SCSV for MITM
++ * prevention on initial negotiation (but not renegotiation; that's
++ * handled with the RI extension below).
+ */
+- extdatalen =
+- _gnutls_copy_ciphersuites (session, extdata, sizeof (extdata));
++ if(!session->internals.initial_negotiation_completed &&
++ session->security_parameters.entity == GNUTLS_CLIENT &&
++ gnutls_protocol_get_version (session) == GNUTLS_SSL3)
++ {
++ extdatalen = _gnutls_copy_ciphersuites (session, extdata, sizeof (extdata), TRUE);
++ _gnutls_extension_list_add (session, GNUTLS_EXTENSION_SAFE_RENEGOTIATION);
++ }
++ else
++ extdatalen = _gnutls_copy_ciphersuites (session, extdata, sizeof (extdata), FALSE);
++
+ if (extdatalen > 0)
+ {
+ datalen += extdatalen;
+@@ -1864,11 +2001,19 @@ _gnutls_send_client_hello (gnutls_sessio
+ /* Generate and copy TLS extensions.
+ */
+ if (hver >= GNUTLS_TLS1)
++ type = GNUTLS_EXT_ANY;
++ else
+ {
+- extdatalen =
+- _gnutls_gen_extensions (session, extdata, sizeof (extdata));
++ if (session->internals.initial_negotiation_completed != 0)
++ type = GNUTLS_EXT_MANDATORY;
++ else
++ type = GNUTLS_EXT_NONE;
++ }
++
++ extdatalen =
++ _gnutls_gen_extensions (session, extdata, sizeof (extdata), type);
+
+- if (extdatalen > 0)
++ if (extdatalen > 0)
+ {
+ datalen += extdatalen;
+ data = gnutls_realloc_fast (data, datalen);
+@@ -1880,13 +2025,12 @@ _gnutls_send_client_hello (gnutls_sessio
+
+ memcpy (&data[pos], extdata, extdatalen);
+ }
+- else if (extdatalen < 0)
++ else if (extdatalen < 0)
+ {
+ gnutls_assert ();
+ gnutls_free (data);
+ return extdatalen;
+ }
+- }
+ }
+
+ ret =
+@@ -1932,15 +2075,7 @@ _gnutls_send_server_hello (gnutls_sessio
+ * alert and abort.
+ */
+ gnutls_assert ();
+- ret = gnutls_alert_send (session, GNUTLS_AL_FATAL,
+- GNUTLS_A_UNKNOWN_PSK_IDENTITY);
+- if (ret < 0)
+- {
+- gnutls_assert ();
+- return ret;
+- }
+-
+- return GNUTLS_E_ILLEGAL_SRP_USERNAME;
++ return GNUTLS_E_UNKNOWN_SRP_USERNAME;
+ }
+ }
+ #endif
+@@ -1949,7 +2085,7 @@ _gnutls_send_server_hello (gnutls_sessio
+ {
+ datalen = 2 + session_id_len + 1 + GNUTLS_RANDOM_SIZE + 3;
+ extdatalen =
+- _gnutls_gen_extensions (session, extdata, sizeof (extdata));
++ _gnutls_gen_extensions (session, extdata, sizeof (extdata), GNUTLS_EXT_ANY);
+
+ if (extdatalen < 0)
+ {
+@@ -2015,6 +2151,8 @@ _gnutls_send_hello (gnutls_session_t ses
+ {
+ int ret;
+
++ session->internals.safe_renegotiation_received = 0;
++
+ if (session->security_parameters.entity == GNUTLS_CLIENT)
+ {
+ ret = _gnutls_send_client_hello (session, again);
+@@ -2036,6 +2174,7 @@ int
+ _gnutls_recv_hello (gnutls_session_t session, opaque * data, int datalen)
+ {
+ int ret;
++ tls_ext_st *ext;
+
+ if (session->security_parameters.entity == GNUTLS_CLIENT)
+ {
+@@ -2047,7 +2186,7 @@ _gnutls_recv_hello (gnutls_session_t ses
+ }
+ }
+ else
+- { /* Server side reading a client hello */
++ { /* Server side reading a client hello */
+
+ ret = _gnutls_read_client_hello (session, data, datalen);
+ if (ret < 0)
+@@ -2057,7 +2196,90 @@ _gnutls_recv_hello (gnutls_session_t ses
+ }
+ }
+
+- return ret;
++ if (session->internals.priorities.safe_renegotiation == SR_DISABLED)
++ {
++ gnutls_assert();
++ return 0;
++ }
++
++ /* Safe renegotiation */
++ ext = &session->security_parameters.extensions;
++
++ if (session->internals.safe_renegotiation_received)
++ {
++ if ((ext->ri_extension_data_len < ext->client_verify_data_len) ||
++ (memcmp (ext->ri_extension_data,
++ ext->client_verify_data,
++ ext->client_verify_data_len)))
++ {
++ gnutls_assert();
++ _gnutls_handshake_log ("Safe renegotiation failed [1]\n");
++ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;
++ }
++ if (session->security_parameters.entity == GNUTLS_CLIENT)
++ {
++ if ((ext->ri_extension_data_len !=
++ ext->client_verify_data_len + ext->server_verify_data_len) ||
++ memcmp (ext->ri_extension_data + ext->client_verify_data_len,
++ ext->server_verify_data, ext->server_verify_data_len) != 0)
++ {
++ gnutls_assert();
++ _gnutls_handshake_log ("Safe renegotiation failed [2]\n");
++ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;
++ }
++ }
++ else /* Make sure there are 0 extra bytes */
++ {
++ if (ext->ri_extension_data_len != ext->client_verify_data_len)
++ {
++ gnutls_assert();
++ _gnutls_handshake_log ("Safe renegotiation failed [3]\n");
++ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;
++ }
++ }
++
++ _gnutls_handshake_log ("Safe renegotiation succeeded.\n");
++ }
++ else /* safe renegotiation not received... */
++ {
++ if (session->internals.connection_using_safe_renegotiation)
++ {
++ gnutls_assert();
++ _gnutls_handshake_log ("Peer previously asked for safe renegotiation!\n");
++ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;
++ }
++
++ /* Clients can't tell if it's an initial negotiation */
++ if (session->internals.initial_negotiation_completed)
++ {
++
++ if (session->internals.priorities.safe_renegotiation < SR_PARTIAL)
++ {
++ _gnutls_handshake_log ("Allowing unsafe (re)negotiation!\n");
++ }
++ else
++ {
++ gnutls_assert();
++ _gnutls_handshake_log ("Denying unsafe (re)negotiation.\n");
++ return GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED;
++ }
++ }
++ else
++ {
++ if (session->internals.priorities.safe_renegotiation < SR_SAFE)
++ {
++ _gnutls_handshake_log ("Allowing unsafe initial negotiation!\n");
++ }
++ else
++ {
++ gnutls_assert();
++ _gnutls_handshake_log ("Denying unsafe initial negotiation.\n");
++ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;
++ }
++ }
++ }
++
++ return 0;
+ }
+
+ /* The packets in gnutls_handshake (it's more broad than original TLS handshake)
+@@ -2097,6 +2319,13 @@ _gnutls_recv_hello (gnutls_session_t ses
+ * gnutls_handshake() function in order to negotiate the new
+ * parameters.
+ *
++ * Since TLS is full duplex some application data might have been
++ * sent during peer's processing of this message. In that case
++ * one should call gnutls_record_recv() until GNUTLS_E_REHANDSHAKE
++ * is returned to clear any pending data. Care must be taken if
++ * rehandshake is mandatory to terminate if it does not start after
++ * some threshold.
++ *
+ * If the client does not wish to renegotiate parameters he will
+ * should with an alert message, thus the return code will be
+ * %GNUTLS_E_WARNING_ALERT_RECEIVED and the alert will be
+--- a/lib/gnutls_int.h 2009-11-02
++++ b/lib/gnutls_int.h 2013-09-26
+@@ -171,7 +171,8 @@ typedef enum extensions_t
+ GNUTLS_EXTENSION_OPAQUE_PRF_INPUT = ENABLE_OPRFI,
+ #endif
+ GNUTLS_EXTENSION_SRP = 12,
+- GNUTLS_EXTENSION_INNER_APPLICATION = 37703
++ GNUTLS_EXTENSION_INNER_APPLICATION = 37703,
++ GNUTLS_EXTENSION_SAFE_RENEGOTIATION = 65281, /* aka: 0xff01 */
+ } extensions_t;
+
+ typedef enum
+@@ -282,6 +283,11 @@ typedef struct
+
+ #define MAX_SERVER_NAME_EXTENSIONS 3
+
++#define MAX_VERIFY_DATA_SIZE 36 /* in SSL 3.0, 12 in TLS 1.0 */
++
++/* If you want the extension data to be kept across resuming sessions
++ * then modify CPY_EXTENSIONS in gnutls_constate.c
++ */
+ typedef struct
+ {
+ server_name_st server_names[MAX_SERVER_NAME_EXTENSIONS];
+@@ -297,6 +303,9 @@ typedef struct
+ /* Used by extensions that enable supplemental data. */
+ int do_recv_supplemental, do_send_supplemental;
+
++ /*** Those below do not get copied when resuming session
++ ***/
++
+ /* Opaque PRF input. */
+ gnutls_oprfi_callback_func oprfi_cb;
+ void *oprfi_userdata;
+@@ -304,6 +313,15 @@ typedef struct
+ uint16_t oprfi_client_len;
+ opaque *oprfi_server;
+ uint16_t oprfi_server_len;
++
++ /* Safe renegotiation. */
++ uint8_t client_verify_data[MAX_VERIFY_DATA_SIZE];
++ size_t client_verify_data_len;
++ uint8_t server_verify_data[MAX_VERIFY_DATA_SIZE];
++ size_t server_verify_data_len;
++ uint8_t ri_extension_data[MAX_VERIFY_DATA_SIZE*2]; /* max signal is 72 bytes in s->c sslv3 */
++ size_t ri_extension_data_len;
++
+ } tls_ext_st;
+
+ /* auth_info_t structures now MAY contain malloced
+@@ -317,7 +335,7 @@ typedef struct
+ */
+
+ /* if you add anything in Security_Parameters struct, then
+- * also modify CPY_COMMON in gnutls_constate.c
++ * also modify CPY_COMMON in gnutls_constate.c.
+ */
+
+ /* Note that the security parameters structure is set up after the
+@@ -361,6 +379,7 @@ typedef struct
+ /* holds the negotiated certificate type */
+ gnutls_certificate_type_t cert_type;
+ gnutls_protocol_t version; /* moved here */
++
+ /* For TLS/IA. XXX: Move to IA credential? */
+ opaque inner_secret[GNUTLS_MASTER_SIZE];
+ } security_parameters_st;
+@@ -400,6 +419,13 @@ typedef struct
+ unsigned int algorithms;
+ } priority_st;
+
++typedef enum {
++ SR_DISABLED,
++ SR_UNSAFE,
++ SR_PARTIAL,
++ SR_SAFE,
++} safe_renegotiation_t;
++
+ /* For the external api */
+ struct gnutls_priority_st
+ {
+@@ -409,9 +435,12 @@ struct gnutls_priority_st
+ priority_st compression;
+ priority_st protocol;
+ priority_st cert_type;
++ priority_st sign_algo;
+
+ /* to disable record padding */
+- int no_padding;
++ int no_padding:1;
++ safe_renegotiation_t safe_renegotiation;
++ int allow_large_records:1;
+ int ssl3_record_version;
+ int additional_verify_flags;
+ };
+@@ -673,6 +702,10 @@ typedef struct
+ */
+ uint16_t srp_prime_bits;
+
++ int safe_renegotiation_received:1;
++ int initial_negotiation_completed:1;
++ int connection_using_safe_renegotiation:1;
++
+ /* If you add anything here, check _gnutls_handshake_internal_state_clear().
+ */
+ } internals_st;
+--- a/lib/gnutls_priority.c 2009-06-02
++++ b/lib/gnutls_priority.c 2013-09-26
+@@ -338,6 +338,27 @@ static const int comp_priority[] = {
+ 0
+ };
+
++static const int sign_priority_default[] = {
++ GNUTLS_SIGN_RSA_SHA1,
++ GNUTLS_SIGN_DSA_SHA1,
++ GNUTLS_SIGN_RSA_SHA256,
++ GNUTLS_SIGN_RSA_SHA384,
++ GNUTLS_SIGN_RSA_SHA512,
++ 0
++};
++
++static const int sign_priority_secure128[] = {
++ GNUTLS_SIGN_RSA_SHA256,
++ GNUTLS_SIGN_RSA_SHA384,
++ GNUTLS_SIGN_RSA_SHA512,
++ GNUTLS_SIGN_DSA_SHA1,
++ 0
++};
++
++static const int sign_priority_secure256[] = {
++ GNUTLS_SIGN_RSA_SHA512,
++ 0
++};
+
+ static const int mac_priority_performance[] = {
+ GNUTLS_MAC_MD5,
+@@ -425,6 +446,14 @@ gnutls_priority_set (gnutls_session_t se
+ memcpy (&session->internals.priorities, priority,
+ sizeof (struct gnutls_priority_st));
+
++ /* set the current version to the first in the chain.
++ * * This will be overridden later.
++ * */
++ if (session->internals.priorities.protocol.algorithms > 0)
++ _gnutls_set_current_version (session,
++ session->internals.priorities.protocol.
++ priority[0]);
++
+ return 0;
+ }
+
+@@ -491,6 +520,21 @@ gnutls_priority_set (gnutls_session_t se
+ *
+ * "%COMPAT" will enable compatibility features for a server.
+ *
++ * "%DISABLE_SAFE_RENEGOTIATION" will disable safe renegotiation completely. Do not use
++ * unless you know what you are doing. Testing purposes only.
++ *
++ * "%UNSAFE_RENEGOTIATION" will allow unsafe renegotiation (this is now
++ * the default for clients, but will change once more servers support the safe renegotiation
++ * TLS fix).
++ *
++ * "%PARTIAL_SAFE_RENEGOTIATION" In server side it will enable safe renegotiation
++ * and will protect all clients from known attacks, but will not prevent insecure clients
++ * from connecting. In client side it will disallow from renegotiating with an insecure server
++ * but will not prevent connecting to one (this leaves the client vulnerable to attacks).
++ *
++ * "%SAFE_RENEGOTIATION" will enforce safe renegotiation. Clients and Servers will refuse
++ * to talk to an insecure peer.
++ *
+ * "%SSL3_RECORD_VERSION" will use SSL3.0 record version in client hello.
+ *
+ * "%VERIFY_ALLOW_SIGN_RSA_MD5" will allow RSA-MD5 signatures in
+@@ -523,7 +567,7 @@ gnutls_priority_init (gnutls_priority_t
+ {
+ char *broken_list[MAX_ELEMENTS];
+ int broken_list_size, i, j;
+- char *darg;
++ char *darg = NULL;
+ int algo;
+ rmadd_func *fn;
+
+@@ -533,6 +577,11 @@ gnutls_priority_init (gnutls_priority_t
+ gnutls_assert ();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
++
++ /* for now unsafe renegotiation is default on everyone. To be removed
++ * when we make it the default.
++ */
++ (*priority_cache)->safe_renegotiation = SR_PARTIAL;
+
+ if (priorities == NULL)
+ priorities = "NORMAL";
+@@ -541,9 +590,10 @@ gnutls_priority_init (gnutls_priority_t
+ if (darg == NULL)
+ {
+ gnutls_assert ();
+- return GNUTLS_E_MEMORY_ERROR;
++ goto error;
+ }
+
++
+ break_comma_list (darg, broken_list, &broken_list_size, MAX_ELEMENTS, ':');
+ /* This is our default set of protocol version, certificate types and
+ * compression methods.
+@@ -553,6 +603,7 @@ gnutls_priority_init (gnutls_priority_t
+ _set_priority (&(*priority_cache)->protocol, protocol_priority);
+ _set_priority (&(*priority_cache)->compression, comp_priority);
+ _set_priority (&(*priority_cache)->cert_type, cert_type_priority);
++ _set_priority (&(*priority_cache)->sign_algo, sign_priority_default);
+ i = 0;
+ }
+ else
+@@ -568,12 +619,16 @@ gnutls_priority_init (gnutls_priority_t
+ cipher_priority_performance);
+ _set_priority (&(*priority_cache)->kx, kx_priority_performance);
+ _set_priority (&(*priority_cache)->mac, mac_priority_performance);
++ _set_priority (&(*priority_cache)->sign_algo,
++ sign_priority_default);
+ }
+ else if (strcasecmp (broken_list[i], "NORMAL") == 0)
+ {
+ _set_priority (&(*priority_cache)->cipher, cipher_priority_normal);
+ _set_priority (&(*priority_cache)->kx, kx_priority_secure);
+ _set_priority (&(*priority_cache)->mac, mac_priority_secure);
++ _set_priority (&(*priority_cache)->sign_algo,
++ sign_priority_default);
+ }
+ else if (strcasecmp (broken_list[i], "SECURE256") == 0
+ || strcasecmp (broken_list[i], "SECURE") == 0)
+@@ -582,6 +637,8 @@ gnutls_priority_init (gnutls_priority_t
+ cipher_priority_secure256);
+ _set_priority (&(*priority_cache)->kx, kx_priority_secure);
+ _set_priority (&(*priority_cache)->mac, mac_priority_secure);
++ _set_priority (&(*priority_cache)->sign_algo,
++ sign_priority_secure256);
+ }
+ else if (strcasecmp (broken_list[i], "SECURE128") == 0)
+ {
+@@ -589,12 +646,16 @@ gnutls_priority_init (gnutls_priority_t
+ cipher_priority_secure128);
+ _set_priority (&(*priority_cache)->kx, kx_priority_secure);
+ _set_priority (&(*priority_cache)->mac, mac_priority_secure);
++ _set_priority (&(*priority_cache)->sign_algo,
++ sign_priority_secure128);
+ }
+ else if (strcasecmp (broken_list[i], "EXPORT") == 0)
+ {
+ _set_priority (&(*priority_cache)->cipher, cipher_priority_export);
+ _set_priority (&(*priority_cache)->kx, kx_priority_export);
+ _set_priority (&(*priority_cache)->mac, mac_priority_secure);
++ _set_priority (&(*priority_cache)->sign_algo,
++ sign_priority_default);
+ } /* now check if the element is something like -ALGO */
+ else if (broken_list[i][0] == '!' || broken_list[i][0] == '+'
+ || broken_list[i][0] == '-')
+@@ -619,6 +680,8 @@ gnutls_priority_init (gnutls_priority_t
+ gnutls_protocol_get_id (&broken_list[i][6])) !=
+ GNUTLS_VERSION_UNKNOWN)
+ fn (&(*priority_cache)->protocol, algo);
++ else
++ goto error;
+ } /* now check if the element is something like -ALGO */
+ else if (strncasecmp (&broken_list[i][1], "COMP-", 5) == 0)
+ {
+@@ -626,6 +689,8 @@ gnutls_priority_init (gnutls_priority_t
+ gnutls_compression_get_id (&broken_list[i][6])) !=
+ GNUTLS_COMP_UNKNOWN)
+ fn (&(*priority_cache)->compression, algo);
++ else
++ goto error;
+ } /* now check if the element is something like -ALGO */
+ else if (strncasecmp (&broken_list[i][1], "CTYPE-", 6) == 0)
+ {
+@@ -633,18 +698,34 @@ gnutls_priority_init (gnutls_priority_t
+ gnutls_certificate_type_get_id (&broken_list[i][7])) !=
+ GNUTLS_CRT_UNKNOWN)
+ fn (&(*priority_cache)->cert_type, algo);
++ else
++ goto error;
+ } /* now check if the element is something like -ALGO */
++ else if (strncasecmp (&broken_list[i][1], "SIGN-", 5) == 0)
++ {
++ if ((algo = gnutls_sign_get_id (&broken_list[i][6])) !=
++ GNUTLS_SIGN_UNKNOWN)
++ fn (&(*priority_cache)->sign_algo, algo);
++ else
++ goto error;
++ } /* now check if the element is something like -ALGO */
+ else
+ goto error;
+ }
+ else if (broken_list[i][0] == '%')
+ {
+ if (strcasecmp (&broken_list[i][1], "COMPAT") == 0)
++ {
+ (*priority_cache)->no_padding = 1;
++ (*priority_cache)->allow_large_records = 1;
++ }
+ else if (strcasecmp (&broken_list[i][1],
+ "VERIFY_ALLOW_SIGN_RSA_MD5") == 0)
++ {
++ prio_add (&(*priority_cache)->sign_algo, GNUTLS_SIGN_RSA_MD5);
+ (*priority_cache)->additional_verify_flags |=
+ GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5;
++ }
+ else if (strcasecmp (&broken_list[i][1],
+ "SSL3_RECORD_VERSION") == 0)
+ (*priority_cache)->ssl3_record_version = 1;
+@@ -652,6 +733,25 @@ gnutls_priority_init (gnutls_priority_t
+ "VERIFY_ALLOW_X509_V1_CA_CRT") == 0)
+ (*priority_cache)->additional_verify_flags |=
+ GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;
++ else if (strcasecmp (&broken_list[i][1],
++ "UNSAFE_RENEGOTIATION") == 0)
++ {
++ (*priority_cache)->safe_renegotiation = SR_UNSAFE;
++ }
++ else if (strcasecmp (&broken_list[i][1], "SAFE_RENEGOTIATION") == 0)
++ {
++ (*priority_cache)->safe_renegotiation = SR_SAFE;
++ }
++ else if (strcasecmp (&broken_list[i][1],
++ "PARTIAL_RENEGOTIATION") == 0)
++ {
++ (*priority_cache)->safe_renegotiation = SR_PARTIAL;
++ }
++ else if (strcasecmp (&broken_list[i][1],
++ "DISABLE_SAFE_RENEGOTIATION") == 0)
++ {
++ (*priority_cache)->safe_renegotiation = SR_DISABLED;
++ }
+ else
+ goto error;
+ }
+@@ -672,6 +772,7 @@ error:
+ }
+ }
+ gnutls_free (darg);
++ gnutls_free(*priority_cache);
+
+ return GNUTLS_E_INVALID_REQUEST;
+
+--- a/lib/gnutls_record.c 2009-06-02
++++ b/lib/gnutls_record.c 2013-09-26
+@@ -744,6 +744,14 @@ record_check_type (gnutls_session_t sess
+ if (session->security_parameters.entity == GNUTLS_SERVER)
+ {
+ gnutls_assert ();
++ ret =
++ _gnutls_record_buffer_put (recv_type, session, (void *) data,
++ data_size);
++ if (ret < 0)
++ {
++ gnutls_assert ();
++ return ret;
++ }
+ return GNUTLS_E_REHANDSHAKE;
+ }
+
+@@ -896,9 +904,13 @@ begin:
+ _gnutls_io_read_buffered (session, &headers, header_size,
+ -1)) != header_size)
+ {
++ _gnutls_handshake_log ("XXX[]: ret: %d %s\n", ret, gnutls_strerror(ret));
++
+ if (ret < 0 && gnutls_error_is_fatal (ret) == 0)
+ return ret;
+
++ _gnutls_handshake_log ("XXX2[]: ret: %d %s\n", ret, gnutls_strerror(ret));
++
+ session_invalidate (session);
+ if (type == GNUTLS_ALERT)
+ {
+--- a/lib/gnutls_state.c 2009-11-02
++++ b/lib/gnutls_state.c 2013-09-26
+@@ -223,6 +223,7 @@ _gnutls_handshake_internal_state_clear (
+ session->internals.adv_version_minor = 0;
+ session->internals.adv_version_minor = 0;
+ session->internals.direction = 0;
++ session->internals.safe_renegotiation_received = 0;
+
+ /* use out of band data for the last
+ * handshake messages received.
+@@ -338,6 +339,11 @@ gnutls_init (gnutls_session_t * session,
+
+ _gnutls_handshake_internal_state_clear (*session);
+
++ /* emulate old gnutls behavior for old applications that do not use the priority_*
++ * functions.
++ */
++ (*session)->internals.priorities.safe_renegotiation = SR_PARTIAL;
++
+ return 0;
+ }
+
+--- a/lib/includes/gnutls/gnutls.h.in 2009-06-02
++++ b/lib/includes/gnutls/gnutls.h.in 2013-09-26
+@@ -503,7 +503,9 @@ extern "C" {
+ {
+ GNUTLS_EXT_ANY,
+ GNUTLS_EXT_APPLICATION,
+- GNUTLS_EXT_TLS
++ GNUTLS_EXT_TLS,
++ GNUTLS_EXT_MANDATORY, /* parse even if resuming or extensions disabled */
++ GNUTLS_EXT_NONE,
+ } gnutls_ext_parse_type_t;
+
+ int gnutls_ext_register (int type,
+@@ -525,6 +527,9 @@ extern "C" {
+ void *data, size_t * data_length,
+ unsigned int *type, unsigned int indx);
+
++ /* Safe renegotiation */
++ int gnutls_safe_renegotiation_status (gnutls_session_t session);
++
+ /* Opaque PRF Input
+ * http://tools.ietf.org/id/draft-rescorla-tls-opaque-prf-input-00.txt
+ */
+@@ -1368,6 +1373,9 @@ extern "C" {
+ #define GNUTLS_E_IA_VERIFY_FAILED -104
+
+ #define GNUTLS_E_UNKNOWN_ALGORITHM -105
++#define GNUTLS_E_SAFE_RENEGOTIATION_FAILED -107
++#define GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED -108
++#define GNUTLS_E_UNKNOWN_SRP_USERNAME -109
+
+ #define GNUTLS_E_BASE64_ENCODING_ERROR -201
+ #define GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY -202 /* obsolete */
+--- a/lib/libgnutls.map 2009-06-02
++++ b/lib/libgnutls.map 2013-09-26
+@@ -567,6 +567,12 @@ GNUTLS_2_8
+ gnutls_x509_crt_verify_hash;
+ } GNUTLS_1_4;
+
++GNUTLS_2_10
++{
++ global:
++ gnutls_safe_renegotiation_status;
++} GNUTLS_2_8;
++
+ GNUTLS_PRIVATE {
+ global:
+ # Internal symbols needed by libgnutls-extra:
+--- a/lib/Makefile.am 2009-06-02
++++ b/lib/Makefile.am 2013-09-26
+@@ -79,7 +79,7 @@ COBJECTS = gnutls_record.c gnutls_compre
+ gnutls_rsa_export.c auth_rsa_export.c ext_server_name.c \
+ auth_dh_common.c gnutls_helper.c gnutls_supplemental.c \
+ crypto.c random.c pk-libgcrypt.c mpi-libgcrypt.c \
+- rnd-libgcrypt.c cipher-libgcrypt.c mac-libgcrypt.c
++ rnd-libgcrypt.c cipher-libgcrypt.c mac-libgcrypt.c ext_safe_renegotiation.c
+
+ if ENABLE_OPRFI
+ COBJECTS += $(OPRFI_COBJECTS)
+@@ -98,7 +98,7 @@ HFILES = debug.h gnutls_compress.h gnutl
+ gnutls_rsa_export.h ext_server_name.h auth_dh_common.h \
+ ext_srp.h gnutls_srp.h auth_srp.h auth_srp_passwd.h \
+ gnutls_helper.h auth_psk.h auth_psk_passwd.h \
+- gnutls_supplemental.h ext_oprfi.h crypto.h random.h
++ gnutls_supplemental.h ext_oprfi.h crypto.h random.h ext_safe_renegotiation.h
+
+ # Separate so we can create the documentation
+
+--- a/lib/Makefile.in 2010-03-15
++++ b/lib/Makefile.in 2013-09-26
+@@ -214,7 +214,7 @@ am__objects_4 = gnutls_record.lo gnutls_
+ ext_server_name.lo auth_dh_common.lo gnutls_helper.lo \
+ gnutls_supplemental.lo crypto.lo random.lo pk-libgcrypt.lo \
+ mpi-libgcrypt.lo rnd-libgcrypt.lo cipher-libgcrypt.lo \
+- mac-libgcrypt.lo $(am__objects_3)
++ mac-libgcrypt.lo ext_safe_renegotiation.lo $(am__objects_3)
+ am__objects_5 = ext_srp.lo gnutls_srp.lo auth_srp.lo \
+ auth_srp_passwd.lo auth_srp_sb64.lo auth_srp_rsa.lo
+ am__objects_6 = auth_psk.lo auth_psk_passwd.lo gnutls_psk.lo \
+@@ -854,6 +854,7 @@ COBJECTS = gnutls_record.c gnutls_compre
+ auth_dh_common.c gnutls_helper.c gnutls_supplemental.c \
+ crypto.c random.c pk-libgcrypt.c mpi-libgcrypt.c \
+ rnd-libgcrypt.c cipher-libgcrypt.c mac-libgcrypt.c \
++ ext_safe_renegotiation.c \
+ $(am__append_5)
+ HFILES = debug.h gnutls_compress.h gnutls_cipher.h gnutls_buffers.h \
+ gnutls_errors.h gnutls_int.h gnutls_handshake.h gnutls_num.h \
+@@ -868,7 +869,8 @@ HFILES = debug.h gnutls_compress.h gnutl
+ gnutls_rsa_export.h ext_server_name.h auth_dh_common.h \
+ ext_srp.h gnutls_srp.h auth_srp.h auth_srp_passwd.h \
+ gnutls_helper.h auth_psk.h auth_psk_passwd.h \
+- gnutls_supplemental.h ext_oprfi.h crypto.h random.h
++ gnutls_supplemental.h ext_oprfi.h crypto.h random.h \
++ ext_safe_renegotiation.h
+
+
+ # Separate so we can create the documentation
+@@ -1058,6 +1060,7 @@ distclean-compile:
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gnutls_x509.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libgnutlsxx_la-gnutlsxx.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mac-libgcrypt.Plo@am__quote@
++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ext_safe_renegotiation.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mpi-libgcrypt.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pk-libgcrypt.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkix_asn1_tab.Plo@am__quote@
+--- a/NEWS 2010-03-15
++++ b/NEWS 2013-09-26
+@@ -3,6 +3,23 @@ Copyright (C) 2000, 2001, 2002, 2003, 20
+ 2006, 2007, 2008, 2009, 2010 Free Software Foundation
+ See the end for copying conditions.
+
++** libgnutls: Added Steve Dispensa's patch for safe renegotiation (RFC 5746)
++Solves the issue discussed in:
++<http://www.ietf.org/mail-archive/web/tls/current/msg03928.html> and
++<http://www.ietf.org/mail-archive/web/tls/current/msg03948.html>.
++Note that to allow connecting to unpatched servers the full protection
++is only enabled if the priority string %SAFE_RENEGOTIATION is
++specified. You can check whether protection is in place by querying
++gnutls_safe_renegotiation_status(). New error codes
++GNUTLS_E_SAFE_RENEGOTIATION_FAILED and
++GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED added.
++
++gnutls_safe_renegotiation_status: Added
++
++%UNSAFE_RENEGOTIATION: Added to priority strings
++%INITIAL_SAFE_RENEGOTIATION: Added to priority strings
++%DISABLE_SAFE_RENEGOTIATION: Added to priority strings (do not use)
++
+ * Version 2.8.6 (released 2010-03-15)
+
+ ** libgnutls: For CSRs, don't null pad integers for RSA/DSA value.
+--- a/src/cli-gaa.c 2009-06-02
++++ b/src/cli-gaa.c 2013-09-26
+@@ -129,6 +129,7 @@ void gaa_help(void)
+ printf("GNU TLS test client\nUsage: gnutls-cli [options] hostname\n\n\n");
+ __gaa_helpsingle('d', "debug", "integer ", "Enable debugging");
+ __gaa_helpsingle('r', "resume", "", "Connect, establish a session. Connect again and resume this session.");
++ __gaa_helpsingle('e', "rehandshake", "", "Connect, establish a session and rehandshake immediately.");
+ __gaa_helpsingle('s', "starttls", "", "Connect, establish a plain session and start TLS when EOF or a SIGALRM is received.");
+ __gaa_helpsingle(0, "crlf", "", "Send CR LF instead of LF.");
+ __gaa_helpsingle(0, "x509fmtder", "", "Use DER format for certificates to read from.");
+@@ -250,6 +251,8 @@ struct _gaainfo
+ int crlf;
+ #line 20 "cli.gaa"
+ int starttls;
++#line 20 "cli.gaa"
++ int rehandshake;
+ #line 17 "cli.gaa"
+ int resume;
+ #line 14 "cli.gaa"
+@@ -342,8 +345,9 @@ static int gaa_error = 0;
+ #define GAAOPTID_x509fmtder 31
+ #define GAAOPTID_crlf 32
+ #define GAAOPTID_starttls 33
+-#define GAAOPTID_resume 34
+-#define GAAOPTID_debug 35
++#define GAAOPTID_rehandshake 34
++#define GAAOPTID_resume 35
++#define GAAOPTID_debug 36
+
+ #line 168 "gaa.skel"
+
+@@ -721,6 +725,7 @@ static int gaa_get_option_num(char *str,
+ GAA_CHECK1STR("", GAAOPTID_x509fmtder);
+ GAA_CHECK1STR("", GAAOPTID_crlf);
+ GAA_CHECK1STR("s", GAAOPTID_starttls);
++ GAA_CHECK1STR("e", GAAOPTID_rehandshake);
+ GAA_CHECK1STR("r", GAAOPTID_resume);
+
+ #line 277 "gaa.skel"
+@@ -759,6 +764,7 @@ static int gaa_get_option_num(char *str,
+ GAA_CHECKSTR("x509fmtder", GAAOPTID_x509fmtder);
+ GAA_CHECKSTR("crlf", GAAOPTID_crlf);
+ GAA_CHECKSTR("starttls", GAAOPTID_starttls);
++ GAA_CHECKSTR("rehandshake", GAAOPTID_rehandshake);
+ GAA_CHECKSTR("resume", GAAOPTID_resume);
+ GAA_CHECKSTR("debug", GAAOPTID_debug);
+
+@@ -1101,6 +1107,13 @@ static int gaa_try(int gaa_num, int gaa_
+
+ return GAA_OK;
+ break;
++ case GAAOPTID_rehandshake:
++ OK = 0;
++#line 21 "cli.gaa"
++{ gaaval->rehandshake = 1 ;};
++
++ return GAA_OK;
++ break;
+ case GAAOPTID_resume:
+ OK = 0;
+ #line 18 "cli.gaa"
+@@ -1164,7 +1177,7 @@ int gaa(int argc, char **argv, gaainfo *
+ gaaval->srp_username=NULL; gaaval->srp_passwd=NULL; gaaval->fmtder = 0; gaaval->starttls =0;
+ gaaval->debug = 0; gaaval->print_cert = 0; gaaval->verbose = 0; gaaval->psk_key = NULL;
+ gaaval->psk_username = NULL; gaaval->priorities = NULL;
+- gaaval->opaque_prf_input = NULL; gaaval->pgp_subkey = NULL; ;};
++ gaaval->opaque_prf_input = NULL; gaaval->pgp_subkey = NULL; gaaval->rehandshake = 0; ;};
+
+ }
+ inited = 1;
+--- a/src/cli-gaa.h 2009-06-02
++++ b/src/cli-gaa.h 2013-09-26
+@@ -82,6 +82,7 @@ struct _gaainfo
+ int crlf;
+ #line 20 "cli.gaa"
+ int starttls;
++ int rehandshake;
+ #line 17 "cli.gaa"
+ int resume;
+ #line 14 "cli.gaa"
+--- a/src/cli.c 2009-06-02
++++ b/src/cli.c 2013-09-26
+@@ -53,7 +53,7 @@
+ #define MAX_BUF 4096
+
+ /* global stuff here */
+-int resume, starttls, insecure;
++int resume, starttls, insecure, rehandshake;
+ const char *hostname = NULL;
+ char *service;
+ int record_max_size;
+@@ -674,6 +674,23 @@ after_handshake:
+ programs to search for when gnutls-cli has reached this point. */
+ printf ("\n- Simple Client Mode:\n\n");
+
++ if (rehandshake)
++ {
++ ret = do_handshake (&hd);
++
++ if (ret < 0)
++ {
++ fprintf (stderr, "*** ReHandshake has failed\n");
++ gnutls_perror (ret);
++ gnutls_deinit (hd.session);
++ return 1;
++ }
++ else
++ {
++ printf ("- ReHandshake was completed\n");
++ }
++ }
++
+ #ifndef _WIN32
+ signal (SIGALRM, &starttls_alarm);
+ #endif
+@@ -838,6 +855,7 @@ gaa_parser (int argc, char **argv)
+ print_cert = info.print_cert;
+ starttls = info.starttls;
+ resume = info.resume;
++ rehandshake = info.rehandshake;
+ insecure = info.insecure;
+ service = info.port;
+ record_max_size = info.record_size;
+@@ -962,6 +980,11 @@ do_handshake (socket_st * socket)
+ socket->secure = 1;
+
+ }
++ else
++ {
++ gnutls_alert_send_appropriate(socket->session, ret);
++ shutdown (socket->fd, SHUT_RDWR);
++ }
+ return ret;
+ }
+
+--- a/src/cli.gaa 2009-06-02
++++ b/src/cli.gaa 2013-09-26
+@@ -17,6 +17,9 @@ option (d, debug) INT "integer" { $debug
+ #int resume;
+ option (r, resume) { $resume = 1 } "Connect, establish a session. Connect again and resume this session."
+
++#int rehandshake;
++option (e, rehandshake) { $rehandshake = 1 } "Connect, establish a session and rehandshake immediately."
++
+ #int starttls;
+ option (s, starttls) { $starttls = 1 } "Connect, establish a plain session and start TLS when EOF or a SIGALRM is received."
+
+@@ -130,4 +133,4 @@ init { $resume=0; $port="443"; $rest_arg
+ $srp_username=NULL; $srp_passwd=NULL; $fmtder = 0; $starttls =0;
+ $debug = 0; $print_cert = 0; $verbose = 0; $psk_key = NULL;
+ $psk_username = NULL; $priorities = NULL;
+- $opaque_prf_input = NULL; $pgp_subkey = NULL; }
++ $opaque_prf_input = NULL; $pgp_subkey = NULL; $rehandshake = 0; }
+--- a/src/serv.c 2009-11-06
++++ b/src/serv.c 2013-09-26
+@@ -764,6 +764,18 @@ get_response (gnutls_session_t session,
+ }
+ else
+ {
++ fprintf(stderr, "received: %s\n", request);
++ if (request[0] == request[1] && request[0] == '*')
++ {
++ if (strncmp(request, "**REHANDSHAKE**", sizeof("**REHANDSHAKE**")-1)==0)
++ {
++ fprintf(stderr, "*** Sending rehandshake request\n");
++ gnutls_rehandshake(session);
++ }
++ *response = NULL;
++ *response_length = 0;
++ return;
++ }
+ *response = strdup (request);
+ *response_length = ((*response) ? strlen (*response) : 0);
+ }
+@@ -1177,7 +1189,7 @@ main (int argc, char **argv)
+ ret =
+ gnutls_alert_send_appropriate (j->tls_session, r);
+ }
+- while (ret == GNUTLS_E_AGAIN);
++ while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+ j->http_state = HTTP_STATE_CLOSING;
+ }
+ else if (r == 0)
+@@ -1210,14 +1222,37 @@ main (int argc, char **argv)
+ }
+ else if (r <= 0)
+ {
+- j->http_state = HTTP_STATE_CLOSING;
+- if (r < 0 && r != GNUTLS_E_UNEXPECTED_PACKET_LENGTH)
++ if (r == GNUTLS_E_REHANDSHAKE)
+ {
+- check_alert (j->tls_session, r);
+- fprintf (stderr, "Error while receiving data\n");
+- GERR (r);
+- }
+-
++ fprintf(stderr, "*** Received hello message\n");
++ do
++ {
++ r = gnutls_handshake (j->tls_session);
++ }
++ while (r == GNUTLS_E_INTERRUPTED || r == GNUTLS_E_AGAIN);
++ if (r < 0)
++ {
++
++ do
++ {
++ ret = gnutls_alert_send_appropriate (j->tls_session, r);
++ }
++ while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
++
++ GERR (r);
++ j->http_state = HTTP_STATE_CLOSING;
++ }
++ }
++ else
++ {
++ j->http_state = HTTP_STATE_CLOSING;
++ if (r < 0 && r != GNUTLS_E_UNEXPECTED_PACKET_LENGTH)
++ {
++ check_alert (j->tls_session, r);
++ fprintf (stderr, "Error while receiving data\n");
++ GERR (r);
++ }
++ }
+ }
+ else
+ {
+@@ -1299,7 +1334,7 @@ main (int argc, char **argv)
+ }
+ }
+
+- if (j->handshake_ok == 1)
++ if (j->handshake_ok == 1 && j->http_response != NULL)
+ {
+ /* FIXME if j->http_response == NULL? */
+ r = gnutls_record_send (j->tls_session,
+@@ -1351,6 +1386,12 @@ main (int argc, char **argv)
+ }
+ }
+ }
++ else
++ {
++ j->request_length = 0;
++ j->http_request[0] = 0;
++ j->http_state = HTTP_STATE_REQUEST;
++ }
+ }
+ }
+ lloopend (listener_list, j);
+--- a/src/tests.c 2009-06-02
++++ b/src/tests.c 2013-09-26
+@@ -45,6 +45,7 @@ extern int verbose;
+ int tls1_ok = 0;
+ int ssl3_ok = 0;
+ int tls1_1_ok = 0;
++int tls1_2_ok = 0;
+
+ /* keep session info */
+ static char *session_data = NULL;
+@@ -103,158 +104,28 @@ do_handshake (gnutls_session_t session)
+ return TEST_SUCCEED;
+ }
+
+-static int protocol_priority[16] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
++char protocol_str[] = "+VERS-TLS1.0:+VERS-SSL3.0";
++char prio_str[256] = "";
+
+-static const int kx_priority[16] =
+- { GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA,
+- GNUTLS_KX_ANON_DH,
+- GNUTLS_KX_RSA_EXPORT, 0
+-};
+-
+-static const int cipher_priority[16] =
+- { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128,
+- GNUTLS_CIPHER_ARCFOUR_40, 0
+-};
+-static const int comp_priority[16] = { GNUTLS_COMP_NULL, 0 };
+-static const int mac_priority[16] = { GNUTLS_MAC_SHA1, GNUTLS_MAC_MD5, 0 };
+-static const int cert_type_priority[16] = { GNUTLS_CRT_X509, 0 };
+-
+-#define ADD_ALL_CIPHERS(session) gnutls_cipher_set_priority(session, cipher_priority)
+-#define ADD_ALL_COMP(session) gnutls_compression_set_priority(session, comp_priority)
+-#define ADD_ALL_MACS(session) gnutls_mac_set_priority(session, mac_priority)
+-#define ADD_ALL_KX(session) gnutls_kx_set_priority(session, kx_priority)
+-#define ADD_ALL_PROTOCOLS(session) gnutls_protocol_set_priority(session, protocol_priority)
+-#define ADD_ALL_CERTTYPES(session) gnutls_certificate_type_set_priority(session, cert_type_priority)
+-
+-static void
+-ADD_KX (gnutls_session_t session, int kx)
+-{
+- static int _kx_priority[] = { 0, 0 };
+- _kx_priority[0] = kx;
+-
+- gnutls_kx_set_priority (session, _kx_priority);
+-}
+-
+-static void
+-ADD_KX2 (gnutls_session_t session, int kx1, int kx2)
+-{
+- static int _kx_priority[] = { 0, 0, 0 };
+- _kx_priority[0] = kx1;
+- _kx_priority[1] = kx2;
+-
+- gnutls_kx_set_priority (session, _kx_priority);
+-}
+-
+-static void
+-ADD_CIPHER (gnutls_session_t session, int cipher)
+-{
+- static int _cipher_priority[] = { 0, 0 };
+- _cipher_priority[0] = cipher;
+-
+- gnutls_cipher_set_priority (session, _cipher_priority);
+-}
+-
+-static void
+-ADD_CIPHER4 (gnutls_session_t session, int cipher1, int cipher2, int cipher3,
+- int cipher4)
+-{
+- static int _cipher_priority[] = { 0, 0, 0, 0, 0 };
+- _cipher_priority[0] = cipher1;
+- _cipher_priority[1] = cipher2;
+- _cipher_priority[2] = cipher3;
+- _cipher_priority[3] = cipher4;
+-
+- gnutls_cipher_set_priority (session, _cipher_priority);
+-}
+-
+-static void
+-ADD_MAC (gnutls_session_t session, int mac)
+-{
+- static int _mac_priority[] = { 0, 0 };
+- _mac_priority[0] = mac;
+-
+- gnutls_mac_set_priority (session, _mac_priority);
+-}
+-
+-static void
+-ADD_COMP (gnutls_session_t session, int c)
+-{
+- static int _comp_priority[] = { 0, 0 };
+- _comp_priority[0] = c;
+-
+- gnutls_compression_set_priority (session, _comp_priority);
+-}
+-
+-static void
+-ADD_CERTTYPE (gnutls_session_t session, int ctype)
+-{
+- static int _ct_priority[] = { 0, 0 };
+- _ct_priority[0] = ctype;
+-
+- gnutls_certificate_type_set_priority (session, _ct_priority);
+-}
+-
+-static void
+-ADD_PROTOCOL (gnutls_session_t session, int protocol)
+-{
+- static int _proto_priority[] = { 0, 0 };
+- _proto_priority[0] = protocol;
+-
+- gnutls_protocol_set_priority (session, _proto_priority);
+-}
+-
+-static void
+-ADD_PROTOCOL3 (gnutls_session_t session, int p1, int p2, int p3)
+-{
+- static int _proto_priority[] = { 0, 0, 0, 0 };
+- _proto_priority[0] = p1;
+- _proto_priority[1] = p2;
+- _proto_priority[2] = p3;
+-
+- gnutls_protocol_set_priority (session, _proto_priority);
+-}
+-
+-#ifdef ENABLE_SRP
+-static int srp_detected;
+-
+-int
+-_test_srp_username_callback (gnutls_session_t session,
+- char **username, char **password)
+-{
+- srp_detected = 1;
+-
+- return -1;
+-}
+-
+-test_code_t
+-test_srp (gnutls_session_t session)
+-{
+- int ret;
+-
+- ADD_ALL_CIPHERS (session);
+- ADD_ALL_COMP (session);
+- ADD_ALL_CERTTYPES (session);
+- ADD_ALL_PROTOCOLS (session);
+- ADD_ALL_MACS (session);
+-
+- ADD_KX (session, GNUTLS_KX_SRP);
+- srp_detected = 0;
+-
+- gnutls_srp_set_client_credentials_function (srp_cred,
+- _test_srp_username_callback);
+-
+- gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred);
+-
+- ret = do_handshake (session);
+-
+- gnutls_srp_set_client_credentials_function (srp_cred, NULL);
+-
+- if (srp_detected != 0)
+- return TEST_SUCCEED;
+- else
+- return TEST_FAILED;
++#define ALL_CIPHERS "+3DES-CBC:+ARCFOUR-128:+ARCFOUR-40"
++#define ALL_COMP "+COMP-NULL"
++#define ALL_MACS "+SHA1:+MD5"
++#define ALL_CERTTYPES "+CTYPE-X509"
++#define REST "%%UNSAFE_RENEGOTIATION"
++#define ALL_KX "+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+RSA-EXPORT"
++#define INIT_STR "NONE:"
++
++static inline void _gnutls_priority_set_direct(gnutls_session_t session, const char* str)
++{
++ const char* err;
++ int ret = gnutls_priority_set_direct(session, str, &err);
++
++ if (ret < 0)
++ {
++ fprintf(stderr, "Error in %s\n", err);
++ exit(1);
++ }
+ }
+-#endif
+
+ test_code_t
+ test_server (gnutls_session_t session)
+@@ -269,12 +140,8 @@ test_server (gnutls_session_t session)
+
+ buf[sizeof (buf) - 1] = 0;
+
+- ADD_ALL_CIPHERS (session);
+- ADD_ALL_COMP (session);
+- ADD_ALL_CERTTYPES (session);
+- ADD_ALL_PROTOCOLS (session);
+- ADD_ALL_MACS (session);
+- ADD_ALL_KX (session);
++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str);
++ _gnutls_priority_set_direct (session, prio_str);
+
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+@@ -318,13 +185,9 @@ test_export (gnutls_session_t session)
+ {
+ int ret;
+
+- ADD_ALL_COMP (session);
+- ADD_ALL_CERTTYPES (session);
+- ADD_ALL_PROTOCOLS (session);
+- ADD_ALL_MACS (session);
++ sprintf(prio_str, INIT_STR "+ARCFOUR-40:+RSA-EXPORT:" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str);
++ _gnutls_priority_set_direct (session, prio_str);
+
+- ADD_KX (session, GNUTLS_KX_RSA_EXPORT);
+- ADD_CIPHER (session, GNUTLS_CIPHER_ARCFOUR_40);
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = do_handshake (session);
+@@ -348,13 +211,9 @@ test_export_info (gnutls_session_t sessi
+ if (verbose == 0 || export_true == 0)
+ return TEST_IGNORE;
+
+- ADD_ALL_COMP (session);
+- ADD_ALL_CERTTYPES (session);
+- ADD_ALL_PROTOCOLS (session);
+- ADD_ALL_MACS (session);
++ sprintf(prio_str, INIT_STR "+ARCFOUR-40:+RSA-EXPORT:" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str);
++ _gnutls_priority_set_direct (session, prio_str);
+
+- ADD_KX (session, GNUTLS_KX_RSA_EXPORT);
+- ADD_CIPHER (session, GNUTLS_CIPHER_ARCFOUR_40);
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = do_handshake (session);
+@@ -395,13 +254,9 @@ test_dhe (gnutls_session_t session)
+ {
+ int ret;
+
+- ADD_ALL_CIPHERS (session);
+- ADD_ALL_COMP (session);
+- ADD_ALL_CERTTYPES (session);
+- ADD_ALL_PROTOCOLS (session);
+- ADD_ALL_MACS (session);
++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":+DHE-RSA:+DHE-DSS:" REST, protocol_str);
++ _gnutls_priority_set_direct (session, prio_str);
+
+- ADD_KX2 (session, GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS);
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = do_handshake (session);
+@@ -411,6 +266,37 @@ test_dhe (gnutls_session_t session)
+ return ret;
+ }
+
++
++test_code_t
++test_safe_renegotiation (gnutls_session_t session)
++{
++ int ret;
++
++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":%%SAFE_RENEGOTIATION", protocol_str);
++ _gnutls_priority_set_direct (session, prio_str);
++
++ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
++
++ ret = do_handshake (session);
++
++ return ret;
++}
++
++test_code_t
++test_safe_renegotiation_scsv (gnutls_session_t session)
++{
++ int ret;
++
++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":+VERS-SSL3.0:" ALL_MACS ":" ALL_KX ":%%SAFE_RENEGOTIATION");
++ _gnutls_priority_set_direct (session, prio_str);
++
++ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
++
++ ret = do_handshake (session);
++
++ return ret;
++}
++
+ test_code_t
+ test_dhe_group (gnutls_session_t session)
+ {
+@@ -421,13 +307,8 @@ test_dhe_group (gnutls_session_t session
+ if (verbose == 0 || pubkey.data == NULL)
+ return TEST_IGNORE;
+
+- ADD_ALL_CIPHERS (session);
+- ADD_ALL_COMP (session);
+- ADD_ALL_CERTTYPES (session);
+- ADD_ALL_PROTOCOLS (session);
+- ADD_ALL_MACS (session);
++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":+DHE-RSA:+DHE-DSS:" REST, protocol_str);
+
+- ADD_KX2 (session, GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS);
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = do_handshake (session);
+@@ -463,12 +344,9 @@ test_code_t
+ test_ssl3 (gnutls_session_t session)
+ {
+ int ret;
+- ADD_ALL_CIPHERS (session);
+- ADD_ALL_COMP (session);
+- ADD_ALL_CERTTYPES (session);
+- ADD_PROTOCOL (session, GNUTLS_SSL3);
+- ADD_ALL_MACS (session);
+- ADD_ALL_KX (session);
++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":+VERS-SSL3.0:" ALL_MACS ":" ALL_KX ":" REST);
++ _gnutls_priority_set_direct (session, prio_str);
++
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = do_handshake (session);
+@@ -496,12 +374,9 @@ test_bye (gnutls_session_t session)
+ signal (SIGALRM, got_alarm);
+ #endif
+
+- ADD_ALL_CIPHERS (session);
+- ADD_ALL_COMP (session);
+- ADD_ALL_CERTTYPES (session);
+- ADD_ALL_PROTOCOLS (session);
+- ADD_ALL_MACS (session);
+- ADD_ALL_KX (session);
++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str);
++ _gnutls_priority_set_direct (session, prio_str);
++
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = do_handshake (session);
+@@ -548,12 +423,10 @@ test_code_t
+ test_aes (gnutls_session_t session)
+ {
+ int ret;
+- ADD_CIPHER (session, GNUTLS_CIPHER_AES_128_CBC);
+- ADD_ALL_COMP (session);
+- ADD_ALL_CERTTYPES (session);
+- ADD_ALL_PROTOCOLS (session);
+- ADD_ALL_MACS (session);
+- ADD_ALL_KX (session);
++
++ sprintf(prio_str, INIT_STR "+AES-128-CBC:" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST , protocol_str);
++ _gnutls_priority_set_direct (session, prio_str);
++
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = do_handshake (session);
+@@ -565,12 +438,10 @@ test_code_t
+ test_camellia (gnutls_session_t session)
+ {
+ int ret;
+- ADD_CIPHER (session, GNUTLS_CIPHER_CAMELLIA_128_CBC);
+- ADD_ALL_COMP (session);
+- ADD_ALL_CERTTYPES (session);
+- ADD_ALL_PROTOCOLS (session);
+- ADD_ALL_MACS (session);
+- ADD_ALL_KX (session);
++
++ sprintf(prio_str, INIT_STR "+CAMELLIA-128-CBC:" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str);
++ _gnutls_priority_set_direct (session, prio_str);
++
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = do_handshake (session);
+@@ -582,12 +453,10 @@ test_code_t
+ test_openpgp1 (gnutls_session_t session)
+ {
+ int ret;
+- ADD_ALL_CIPHERS (session);
+- ADD_ALL_COMP (session);
+- ADD_CERTTYPE (session, GNUTLS_CRT_OPENPGP);
+- ADD_ALL_PROTOCOLS (session);
+- ADD_ALL_MACS (session);
+- ADD_ALL_KX (session);
++
++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":+CTYPE-OPENPGP:%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str);
++ _gnutls_priority_set_direct (session, prio_str);
++
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = do_handshake (session);
+@@ -604,18 +473,16 @@ test_code_t
+ test_unknown_ciphersuites (gnutls_session_t session)
+ {
+ int ret;
++
++
+ #ifdef ENABLE_CAMELLIA
+- ADD_CIPHER4 (session, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_3DES_CBC,
+- GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_CIPHER_ARCFOUR_128);
++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str);
++ _gnutls_priority_set_direct (session, prio_str);
+ #else
+- ADD_CIPHER4 (session, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_3DES_CBC,
+- GNUTLS_CIPHER_ARCFOUR_128, 0);
++ sprintf(prio_str, INIT_STR "+AES-128-CBC:" ALL_CIPHERS ":"ALL_COMP":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str);
++ _gnutls_priority_set_direct (session, prio_str);
+ #endif
+- ADD_ALL_COMP (session);
+- ADD_ALL_CERTTYPES (session);
+- ADD_ALL_PROTOCOLS (session);
+- ADD_ALL_MACS (session);
+- ADD_ALL_KX (session);
++
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = do_handshake (session);
+@@ -626,12 +493,10 @@ test_code_t
+ test_md5 (gnutls_session_t session)
+ {
+ int ret;
+- ADD_ALL_CIPHERS (session);
+- ADD_ALL_COMP (session);
+- ADD_ALL_CERTTYPES (session);
+- ADD_ALL_PROTOCOLS (session);
+- ADD_MAC (session, GNUTLS_MAC_MD5);
+- ADD_ALL_KX (session);
++
++ sprintf(prio_str, INIT_STR "+AES-128-CBC:" ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:+MD5:" ALL_KX ":" REST, protocol_str);
++ _gnutls_priority_set_direct (session, prio_str);
++
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = do_handshake (session);
+@@ -643,12 +508,10 @@ test_code_t
+ test_zlib (gnutls_session_t session)
+ {
+ int ret;
+- ADD_ALL_CIPHERS (session);
+- ADD_COMP (session, GNUTLS_COMP_ZLIB);
+- ADD_ALL_CERTTYPES (session);
+- ADD_ALL_PROTOCOLS (session);
+- ADD_ALL_MACS (session);
+- ADD_ALL_KX (session);
++
++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":+COMP-ZLIB:" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str);
++ _gnutls_priority_set_direct (session, prio_str);
++
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = do_handshake (session);
+@@ -657,34 +520,25 @@ test_zlib (gnutls_session_t session)
+ #endif
+
+ test_code_t
+-test_lzo (gnutls_session_t session)
++test_sha (gnutls_session_t session)
+ {
+ int ret;
+- gnutls_handshake_set_private_extensions (session, 1);
+
+- ADD_ALL_CIPHERS (session);
+- ADD_COMP (session, GNUTLS_COMP_LZO);
+- ADD_ALL_CERTTYPES (session);
+- ADD_ALL_PROTOCOLS (session);
+- ADD_ALL_MACS (session);
+- ADD_ALL_KX (session);
++ sprintf(prio_str, INIT_STR "+AES-128-CBC:" ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:+SHA1:" ALL_KX ":" REST, protocol_str);
++ _gnutls_priority_set_direct (session, prio_str);
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = do_handshake (session);
+-
+ return ret;
+ }
+
+ test_code_t
+-test_sha (gnutls_session_t session)
++test_3des (gnutls_session_t session)
+ {
+ int ret;
+- ADD_ALL_CIPHERS (session);
+- ADD_ALL_COMP (session);
+- ADD_ALL_CERTTYPES (session);
+- ADD_ALL_PROTOCOLS (session);
+- ADD_MAC (session, GNUTLS_MAC_SHA1);
+- ADD_ALL_KX (session);
++
++ sprintf(prio_str, INIT_STR "+3DES-CBC:" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str);
++ _gnutls_priority_set_direct (session, prio_str);
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = do_handshake (session);
+@@ -692,15 +546,12 @@ test_sha (gnutls_session_t session)
+ }
+
+ test_code_t
+-test_3des (gnutls_session_t session)
++test_arcfour (gnutls_session_t session)
+ {
+ int ret;
+- ADD_CIPHER (session, GNUTLS_CIPHER_3DES_CBC);
+- ADD_ALL_COMP (session);
+- ADD_ALL_CERTTYPES (session);
+- ADD_ALL_PROTOCOLS (session);
+- ADD_ALL_MACS (session);
+- ADD_ALL_KX (session);
++
++ sprintf(prio_str, INIT_STR "+ARCFOUR-128:" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str);
++ _gnutls_priority_set_direct (session, prio_str);
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = do_handshake (session);
+@@ -708,15 +559,13 @@ test_3des (gnutls_session_t session)
+ }
+
+ test_code_t
+-test_arcfour (gnutls_session_t session)
++test_arcfour_40 (gnutls_session_t session)
+ {
+ int ret;
+- ADD_CIPHER (session, GNUTLS_CIPHER_ARCFOUR_128);
+- ADD_ALL_COMP (session);
+- ADD_ALL_CERTTYPES (session);
+- ADD_ALL_PROTOCOLS (session);
+- ADD_ALL_MACS (session);
+- ADD_ALL_KX (session);
++
++ sprintf(prio_str, INIT_STR "+ARCFOUR-40:" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" "+RSA-EXPORT" ":" REST, protocol_str);
++ _gnutls_priority_set_direct (session, prio_str);
++
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = do_handshake (session);
+@@ -724,36 +573,36 @@ test_arcfour (gnutls_session_t session)
+ }
+
+ test_code_t
+-test_arcfour_40 (gnutls_session_t session)
++test_tls1 (gnutls_session_t session)
+ {
+ int ret;
+- ADD_CIPHER (session, GNUTLS_CIPHER_ARCFOUR_40);
+- ADD_ALL_COMP (session);
+- ADD_ALL_CERTTYPES (session);
+- ADD_ALL_PROTOCOLS (session);
+- ADD_ALL_MACS (session);
+- ADD_ALL_KX (session);
++
++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":+VERS-TLS1.0:" ALL_MACS ":" ALL_KX ":" REST);
++ _gnutls_priority_set_direct (session, prio_str);
++
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = do_handshake (session);
++ if (ret == TEST_SUCCEED)
++ tls1_ok = 1;
++
+ return ret;
++
+ }
+
+ test_code_t
+-test_tls1 (gnutls_session_t session)
++test_tls1_2 (gnutls_session_t session)
+ {
+ int ret;
+- ADD_ALL_CIPHERS (session);
+- ADD_ALL_COMP (session);
+- ADD_ALL_CERTTYPES (session);
+- ADD_PROTOCOL (session, GNUTLS_TLS1);
+- ADD_ALL_MACS (session);
+- ADD_ALL_KX (session);
++
++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":+VERS-TLS1.2:" ALL_MACS ":" ALL_KX ":" REST);
++ _gnutls_priority_set_direct (session, prio_str);
++
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = do_handshake (session);
+ if (ret == TEST_SUCCEED)
+- tls1_ok = 1;
++ tls1_2_ok = 1;
+
+ return ret;
+
+@@ -763,12 +612,10 @@ test_code_t
+ test_tls1_1 (gnutls_session_t session)
+ {
+ int ret;
+- ADD_ALL_CIPHERS (session);
+- ADD_ALL_COMP (session);
+- ADD_ALL_CERTTYPES (session);
+- ADD_PROTOCOL (session, GNUTLS_TLS1_1);
+- ADD_ALL_MACS (session);
+- ADD_ALL_KX (session);
++
++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":+VERS-TLS1.1:" ALL_MACS ":" ALL_KX ":" REST);
++ _gnutls_priority_set_direct (session, prio_str);
++
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = do_handshake (session);
+@@ -786,12 +633,9 @@ test_tls1_1_fallback (gnutls_session_t s
+ if (tls1_1_ok)
+ return TEST_IGNORE;
+
+- ADD_ALL_CIPHERS (session);
+- ADD_ALL_COMP (session);
+- ADD_ALL_CERTTYPES (session);
+- ADD_PROTOCOL3 (session, GNUTLS_TLS1_1, GNUTLS_TLS1, GNUTLS_SSL3);
+- ADD_ALL_MACS (session);
+- ADD_ALL_KX (session);
++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0:" ALL_MACS ":" ALL_KX ":" REST);
++ _gnutls_priority_set_direct (session, prio_str);
++
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = do_handshake (session);
+@@ -817,12 +661,9 @@ test_tls_disable (gnutls_session_t sessi
+ if (tls1_ok != 0)
+ return TEST_IGNORE;
+
+- ADD_ALL_CIPHERS (session);
+- ADD_ALL_COMP (session);
+- ADD_ALL_CERTTYPES (session);
+- ADD_ALL_PROTOCOLS (session);
+- ADD_ALL_MACS (session);
+- ADD_ALL_KX (session);
++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str);
++ _gnutls_priority_set_direct (session, prio_str);
++
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = do_handshake (session);
+@@ -831,8 +672,7 @@ test_tls_disable (gnutls_session_t sessi
+ /* disable TLS 1.0 */
+ if (ssl3_ok != 0)
+ {
+- protocol_priority[0] = GNUTLS_SSL3;
+- protocol_priority[1] = 0;
++ strcpy(protocol_str, "+VERS-SSL3.0");
+ }
+ }
+ return ret;
+@@ -849,12 +689,8 @@ test_rsa_pms (gnutls_session_t session)
+ * If the server is old, buggy and only supports
+ * SSL 3.0 then the handshake will fail.
+ */
+- ADD_ALL_CIPHERS (session);
+- ADD_ALL_COMP (session);
+- ADD_ALL_CERTTYPES (session);
+- ADD_ALL_PROTOCOLS (session);
+- ADD_ALL_MACS (session);
+- ADD_KX (session, GNUTLS_KX_RSA);
++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":+RSA:" REST, protocol_str);
++ _gnutls_priority_set_direct (session, prio_str);
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = do_handshake (session);
+@@ -870,12 +706,8 @@ test_code_t
+ test_max_record_size (gnutls_session_t session)
+ {
+ int ret;
+- ADD_ALL_CIPHERS (session);
+- ADD_ALL_COMP (session);
+- ADD_ALL_CERTTYPES (session);
+- ADD_ALL_PROTOCOLS (session);
+- ADD_ALL_MACS (session);
+- ADD_ALL_KX (session);
++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str);
++ _gnutls_priority_set_direct (session, prio_str);
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+ gnutls_record_set_max_size (session, 512);
+
+@@ -894,12 +726,9 @@ test_code_t
+ test_hello_extension (gnutls_session_t session)
+ {
+ int ret;
+- ADD_ALL_CIPHERS (session);
+- ADD_ALL_COMP (session);
+- ADD_ALL_CERTTYPES (session);
+- ADD_ALL_PROTOCOLS (session);
+- ADD_ALL_MACS (session);
+- ADD_ALL_KX (session);
++
++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str);
++ _gnutls_priority_set_direct (session, prio_str);
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+ gnutls_record_set_max_size (session, 512);
+
+@@ -925,12 +754,8 @@ test_version_rollback (gnutls_session_t
+ * attacks which allow a version downgrade) and this
+ * connection will fail.
+ */
+- ADD_ALL_CIPHERS (session);
+- ADD_ALL_COMP (session);
+- ADD_ALL_CERTTYPES (session);
+- ADD_ALL_PROTOCOLS (session);
+- ADD_ALL_MACS (session);
+- ADD_ALL_KX (session);
++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str);
++ _gnutls_priority_set_direct (session, prio_str);
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+ _gnutls_record_set_default_version (session, 3, 0);
+
+@@ -955,12 +780,8 @@ test_version_oob (gnutls_session_t sessi
+ /* here we enable both SSL 3.0 and TLS 1.0
+ * and we connect using a 5.5 record version.
+ */
+- ADD_ALL_CIPHERS (session);
+- ADD_ALL_COMP (session);
+- ADD_ALL_CERTTYPES (session);
+- ADD_ALL_PROTOCOLS (session);
+- ADD_ALL_MACS (session);
+- ADD_ALL_KX (session);
++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str);
++ _gnutls_priority_set_direct (session, prio_str);
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+ _gnutls_record_set_default_version (session, 5, 5);
+
+@@ -980,12 +801,8 @@ test_rsa_pms_version_check (gnutls_sessi
+ *
+ * A normal server would abort this handshake.
+ */
+- ADD_ALL_CIPHERS (session);
+- ADD_ALL_COMP (session);
+- ADD_ALL_CERTTYPES (session);
+- ADD_ALL_PROTOCOLS (session);
+- ADD_ALL_MACS (session);
+- ADD_ALL_KX (session);
++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str);
++ _gnutls_priority_set_direct (session, prio_str);
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+ _gnutls_rsa_pms_set_version (session, 5, 5); /* use SSL 5.5 version */
+
+@@ -1000,12 +817,8 @@ test_anonymous (gnutls_session_t session
+ {
+ int ret;
+
+- ADD_ALL_CIPHERS (session);
+- ADD_ALL_COMP (session);
+- ADD_ALL_CERTTYPES (session);
+- ADD_ALL_PROTOCOLS (session);
+- ADD_ALL_MACS (session);
+- ADD_KX (session, GNUTLS_KX_ANON_DH);
++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":+ANON-DH:" REST, protocol_str);
++ _gnutls_priority_set_direct (session, prio_str);
+ gnutls_credentials_set (session, GNUTLS_CRD_ANON, anon_cred);
+
+ ret = do_handshake (session);
+@@ -1027,12 +840,8 @@ test_session_resume2 (gnutls_session_t s
+ if (session == NULL)
+ return TEST_IGNORE;
+
+- ADD_ALL_CIPHERS (session);
+- ADD_ALL_COMP (session);
+- ADD_ALL_CERTTYPES (session);
+- ADD_ALL_PROTOCOLS (session);
+- ADD_ALL_MACS (session);
+- ADD_ALL_KX (session);
++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str);
++ _gnutls_priority_set_direct (session, prio_str);
+
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+ gnutls_credentials_set (session, GNUTLS_CRD_ANON, anon_cred);
+@@ -1074,12 +883,8 @@ test_certificate (gnutls_session_t sessi
+ if (verbose == 0)
+ return TEST_IGNORE;
+
+- ADD_ALL_CIPHERS (session);
+- ADD_ALL_COMP (session);
+- ADD_ALL_CERTTYPES (session);
+- ADD_ALL_PROTOCOLS (session);
+- ADD_ALL_MACS (session);
+- ADD_ALL_KX (session);
++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str);
++ _gnutls_priority_set_direct (session, prio_str);
+
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+@@ -1143,12 +948,8 @@ test_server_cas (gnutls_session_t sessio
+ if (verbose == 0)
+ return TEST_IGNORE;
+
+- ADD_ALL_CIPHERS (session);
+- ADD_ALL_COMP (session);
+- ADD_ALL_CERTTYPES (session);
+- ADD_ALL_PROTOCOLS (session);
+- ADD_ALL_MACS (session);
+- ADD_ALL_KX (session);
++ sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS ":" ALL_KX ":" REST, protocol_str);
++ _gnutls_priority_set_direct (session, prio_str);
+
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+ gnutls_certificate_client_set_retrieve_function (xcred, cert_callback);
+--- a/src/tests.h 2009-06-02
++++ b/src/tests.h 2013-09-26
+@@ -3,7 +3,6 @@ typedef enum
+ TEST_SUCCEED, TEST_FAILED, TEST_UNSURE, TEST_IGNORE
+ } test_code_t;
+
+-test_code_t test_srp (gnutls_session_t state);
+ test_code_t test_server (gnutls_session_t state);
+ test_code_t test_export (gnutls_session_t state);
+ test_code_t test_export_info (gnutls_session_t state);
+@@ -21,7 +20,10 @@ test_code_t test_3des (gnutls_session_t
+ test_code_t test_arcfour (gnutls_session_t state);
+ test_code_t test_arcfour_40 (gnutls_session_t state);
+ test_code_t test_tls1 (gnutls_session_t state);
++test_code_t test_safe_renegotiation (gnutls_session_t state);
++test_code_t test_safe_renegotiation_scsv (gnutls_session_t state);
+ test_code_t test_tls1_1 (gnutls_session_t state);
++test_code_t test_tls1_2 (gnutls_session_t state);
+ test_code_t test_tls1_1_fallback (gnutls_session_t state);
+ test_code_t test_tls_disable (gnutls_session_t state);
+ test_code_t test_rsa_pms (gnutls_session_t state);
+@@ -37,6 +39,5 @@ test_code_t test_session_resume2 (gnutls
+ test_code_t test_rsa_pms_version_check (gnutls_session_t session);
+ test_code_t test_version_oob (gnutls_session_t session);
+ test_code_t test_zlib (gnutls_session_t session);
+-test_code_t test_lzo (gnutls_session_t session);
+ int _test_srp_username_callback (gnutls_session_t session,
+ char **username, char **password);
+--- a/src/tls_test.c 2009-06-02
++++ b/src/tls_test.c 2013-09-26
+@@ -79,6 +79,9 @@ typedef struct
+ } TLS_TEST;
+
+ static const TLS_TEST tls_tests[] = {
++ {"for Safe renegotiation support", test_safe_renegotiation, "yes", "no", "dunno"},
++ {"for Safe renegotiation support (SCSV)", test_safe_renegotiation_scsv, "yes", "no", "dunno"},
++ {"for TLS 1.2 support", test_tls1_2, "yes", "no", "dunno"},
+ {"for TLS 1.1 support", test_tls1_1, "yes", "no", "dunno"},
+ {"fallback from TLS 1.1 to", test_tls1_1_fallback, "TLS 1.0", "failed",
+ "SSL 3.0"},
+@@ -139,14 +142,8 @@ static const TLS_TEST tls_tests[] = {
+ {"for ZLIB compression support (TLS extension)", test_zlib, "yes",
+ "no", "dunno"},
+ #endif
+- {"for LZO compression support (GnuTLS extension)", test_lzo, "yes",
+- "no", "dunno"},
+ {"for max record size (TLS extension)", test_max_record_size, "yes",
+ "no", "dunno"},
+-#ifdef ENABLE_SRP
+- {"for SRP authentication support (TLS extension)", test_srp, "yes",
+- "no", "dunno"},
+-#endif
+ {"for OpenPGP authentication support (TLS extension)", test_openpgp1,
+ "yes", "no", "dunno"},
+ {NULL, NULL, NULL, NULL, NULL}
+@@ -233,7 +230,7 @@ main (int argc, char **argv)
+
+ /* if neither of SSL3 and TLSv1 are supported, exit
+ */
+- if (i > 3 && tls1_1_ok == 0 && tls1_ok == 0 && ssl3_ok == 0)
++ if (i > 6 && tls1_1_ok == 0 && tls1_ok == 0 && ssl3_ok == 0)
+ {
+ fprintf (stderr,
+ "\nServer does not support any of SSL 3.0, TLS 1.0 and TLS 1.1\n");
+--- a/tests/Makefile.am 2010-01-24
++++ b/tests/Makefile.am 2013-09-26
+@@ -20,7 +20,7 @@
+ # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+ SUBDIRS = . rsa-md5-collision pkcs1-padding pkcs8-decode pkcs12-decode \
+- userid pathlen key-id sha2
++ userid pathlen key-id sha2 safe-renegotiation
+
+ if ENABLE_OPENPGP
+ SUBDIRS += openpgp-certs
+--- a/tests/Makefile.in 2010-03-15
++++ b/tests/Makefile.in 2013-09-26
+@@ -422,7 +422,7 @@ CTAGS = ctags
+ am__tty_colors = \
+ red=; grn=; lgn=; blu=; std=
+ DIST_SUBDIRS = . rsa-md5-collision pkcs1-padding pkcs8-decode \
+- pkcs12-decode userid pathlen key-id sha2 openpgp-certs
++ pkcs12-decode userid pathlen key-id sha2 openpgp-certs safe-renegotiation
+ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ am__relativize = \
+ dir0=`pwd`; \
+@@ -972,7 +972,7 @@ top_build_prefix = @top_build_prefix@
+ top_builddir = @top_builddir@
+ top_srcdir = @top_srcdir@
+ SUBDIRS = . rsa-md5-collision pkcs1-padding pkcs8-decode pkcs12-decode \
+- userid pathlen key-id sha2 $(am__append_1)
++ userid pathlen key-id sha2 safe-renegotiation $(am__append_1)
+ EXTRA_DIST = libgcrypt.supp hostname-check.README
+ AM_CFLAGS = $(WARN_CFLAGS) $(WERROR_CFLAGS)
+ AM_CPPFLAGS = -I$(top_srcdir)/gl -I$(top_builddir)/gl \
+--- a/tests/resume.c 2009-06-02
++++ b/tests/resume.c 2013-09-26
+@@ -47,6 +47,8 @@ static int wrap_db_store (void *dbf, gnu
+ static gnutls_datum_t wrap_db_fetch (void *dbf, gnutls_datum_t key);
+ static int wrap_db_delete (void *dbf, gnutls_datum_t key);
+
++pid_t child;
++
+ #define TLS_SESSION_CACHE 50
+
+ /* A very basic TLS client, with anonymous authentication.
+@@ -56,6 +58,12 @@ static int wrap_db_delete (void *dbf, gn
+ #define MSG "Hello TLS"
+
+ static void
++tls_log_func (int level, const char *str)
++{
++ fprintf (stderr, "%s |<%d>| %s", child ? "server" : "client", level, str);
++}
++
++static void
+ client (void)
+ {
+ int ret, sd, ii;
+@@ -70,6 +78,11 @@ client (void)
+ int t;
+ gnutls_datum session_data;
+
++ if (debug)
++ {
++ gnutls_global_set_log_function (tls_log_func);
++ gnutls_global_set_log_level (2);
++ }
+ gnutls_global_init ();
+
+ gnutls_anon_allocate_client_credentials (&anoncred);
+@@ -298,8 +311,13 @@ server (void)
+
+ /* this must be called once in the program, it is mostly for the server.
+ */
+- gnutls_global_init ();
++ if (debug)
++ {
++ gnutls_global_set_log_function (tls_log_func);
++ gnutls_global_set_log_level (2);
++ }
+
++ gnutls_global_init ();
+ gnutls_anon_allocate_server_credentials (&anoncred);
+
+ success ("Launched, generating DH parameters...\n");
+@@ -385,8 +403,6 @@ server (void)
+ void
+ doit (void)
+ {
+- pid_t child;
+-
+ global_start ();
+ if (error_count)
+ return;
+--- /dev/null 2013-09-26
++++ b/tests/safe-renegotiation/Makefile.am 2013-09-26
+@@ -0,0 +1,37 @@
++## Process this file with automake to produce Makefile.in
++# Copyright (C) 2010 Free Software Foundation, Inc.
++#
++# This file is part of GnuTLS.
++#
++# This file is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 3 of the License, or
++# (at your option) any later version.
++#
++# This file is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++# General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this file; if not, write to the Free Software Foundation,
++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
++
++AM_CFLAGS = $(WARN_CFLAGS) $(WERROR_CFLAGS)
++AM_CPPFLAGS = \
++ -I$(top_srcdir)/lib/includes \
++ -I$(top_builddir)/lib/includes
++
++AM_LDFLAGS = -no-install
++LDADD = ../../lib/libgnutls.la $(LTLIBGCRYPT) $(LIBSOCKET)
++
++ctests = srn0 srn1 srn2 srn3 srn4 srn5 srn6 srn7
++
++check_PROGRAMS = $(ctests)
++TESTS = $(ctests)
++TESTS_ENVIRONMENT = $(VALGRIND)
++
++EXTRA_DIST = README params.dh
++
++dist_check_SCRIPTS = testsrn
++#TESTS = testsrn
+--- /dev/null 2013-09-26
++++ b/tests/safe-renegotiation/Makefile.in 2013-09-26
+@@ -0,0 +1,1299 @@
++# Makefile.in generated by automake 1.11.1 from Makefile.am.
++# @configure_input@
++
++# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
++# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
++# Inc.
++# This Makefile.in is free software; the Free Software Foundation
++# gives unlimited permission to copy and/or distribute it,
++# with or without modifications, as long as this notice is preserved.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
++# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
++# PARTICULAR PURPOSE.
++
++@SET_MAKE@
++
++# Copyright (C) 2010 Free Software Foundation, Inc.
++#
++# This file is part of GnuTLS.
++#
++# This file is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 3 of the License, or
++# (at your option) any later version.
++#
++# This file is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++# General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this file; if not, write to the Free Software Foundation,
++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
++VPATH = @srcdir@
++pkgdatadir = $(datadir)/@PACKAGE@
++pkgincludedir = $(includedir)/@PACKAGE@
++pkglibdir = $(libdir)/@PACKAGE@
++pkglibexecdir = $(libexecdir)/@PACKAGE@
++am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
++install_sh_DATA = $(install_sh) -c -m 644
++install_sh_PROGRAM = $(install_sh) -c
++install_sh_SCRIPT = $(install_sh) -c
++INSTALL_HEADER = $(INSTALL_DATA)
++transform = $(program_transform_name)
++NORMAL_INSTALL = :
++PRE_INSTALL = :
++POST_INSTALL = :
++NORMAL_UNINSTALL = :
++PRE_UNINSTALL = :
++POST_UNINSTALL = :
++build_triplet = @build@
++host_triplet = @host@
++check_PROGRAMS = $(am__EXEEXT_1)
++TESTS = $(am__EXEEXT_1)
++subdir = tests/safe-renegotiation
++DIST_COMMON = README $(dist_check_SCRIPTS) $(srcdir)/Makefile.am \
++ $(srcdir)/Makefile.in
++ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
++am__aclocal_m4_deps = $(top_srcdir)/libextra/m4/hooks.m4 \
++ $(top_srcdir)/lib/m4/hooks.m4 $(top_srcdir)/lib/gl/m4/po.m4 \
++ $(top_srcdir)/gl/m4/00gnulib.m4 $(top_srcdir)/gl/m4/alloca.m4 \
++ $(top_srcdir)/gl/m4/arpa_inet_h.m4 \
++ $(top_srcdir)/gl/m4/asm-underscore.m4 \
++ $(top_srcdir)/gl/m4/autobuild.m4 \
++ $(top_srcdir)/gl/m4/clock_time.m4 $(top_srcdir)/gl/m4/close.m4 \
++ $(top_srcdir)/gl/m4/errno_h.m4 $(top_srcdir)/gl/m4/error.m4 \
++ $(top_srcdir)/gl/m4/extensions.m4 \
++ $(top_srcdir)/gl/m4/fclose.m4 $(top_srcdir)/gl/m4/float_h.m4 \
++ $(top_srcdir)/gl/m4/fseeko.m4 \
++ $(top_srcdir)/gl/m4/getaddrinfo.m4 \
++ $(top_srcdir)/gl/m4/getdelim.m4 $(top_srcdir)/gl/m4/getline.m4 \
++ $(top_srcdir)/gl/m4/getpass.m4 $(top_srcdir)/gl/m4/gettime.m4 \
++ $(top_srcdir)/gl/m4/gettimeofday.m4 \
++ $(top_srcdir)/gl/m4/gnulib-common.m4 \
++ $(top_srcdir)/gl/m4/gnulib-comp.m4 \
++ $(top_srcdir)/gl/m4/hostent.m4 \
++ $(top_srcdir)/gl/m4/include_next.m4 \
++ $(top_srcdir)/gl/m4/inet_ntop.m4 \
++ $(top_srcdir)/gl/m4/inet_pton.m4 \
++ $(top_srcdir)/gl/m4/intmax_t.m4 \
++ $(top_srcdir)/gl/m4/inttypes_h.m4 $(top_srcdir)/gl/m4/ioctl.m4 \
++ $(top_srcdir)/gl/m4/lib-ld.m4 $(top_srcdir)/gl/m4/lib-link.m4 \
++ $(top_srcdir)/gl/m4/lib-prefix.m4 \
++ $(top_srcdir)/gl/m4/longlong.m4 $(top_srcdir)/gl/m4/lseek.m4 \
++ $(top_srcdir)/gl/m4/malloc.m4 \
++ $(top_srcdir)/gl/m4/manywarnings.m4 \
++ $(top_srcdir)/gl/m4/memchr.m4 $(top_srcdir)/gl/m4/minmax.m4 \
++ $(top_srcdir)/gl/m4/mmap-anon.m4 \
++ $(top_srcdir)/gl/m4/multiarch.m4 \
++ $(top_srcdir)/gl/m4/netdb_h.m4 \
++ $(top_srcdir)/gl/m4/netinet_in_h.m4 \
++ $(top_srcdir)/gl/m4/onceonly_2_57.m4 \
++ $(top_srcdir)/gl/m4/perror.m4 $(top_srcdir)/gl/m4/printf.m4 \
++ $(top_srcdir)/gl/m4/read-file.m4 \
++ $(top_srcdir)/gl/m4/readline.m4 $(top_srcdir)/gl/m4/realloc.m4 \
++ $(top_srcdir)/gl/m4/select.m4 $(top_srcdir)/gl/m4/servent.m4 \
++ $(top_srcdir)/gl/m4/size_max.m4 \
++ $(top_srcdir)/gl/m4/snprintf.m4 $(top_srcdir)/gl/m4/sockets.m4 \
++ $(top_srcdir)/gl/m4/socklen.m4 $(top_srcdir)/gl/m4/sockpfaf.m4 \
++ $(top_srcdir)/gl/m4/stdarg.m4 $(top_srcdir)/gl/m4/stdbool.m4 \
++ $(top_srcdir)/gl/m4/stddef_h.m4 $(top_srcdir)/gl/m4/stdint.m4 \
++ $(top_srcdir)/gl/m4/stdint_h.m4 $(top_srcdir)/gl/m4/stdio_h.m4 \
++ $(top_srcdir)/gl/m4/stdlib_h.m4 \
++ $(top_srcdir)/gl/m4/strerror.m4 \
++ $(top_srcdir)/gl/m4/string_h.m4 \
++ $(top_srcdir)/gl/m4/sys_ioctl_h.m4 \
++ $(top_srcdir)/gl/m4/sys_select_h.m4 \
++ $(top_srcdir)/gl/m4/sys_socket_h.m4 \
++ $(top_srcdir)/gl/m4/sys_stat_h.m4 \
++ $(top_srcdir)/gl/m4/sys_time_h.m4 \
++ $(top_srcdir)/gl/m4/time_h.m4 $(top_srcdir)/gl/m4/timespec.m4 \
++ $(top_srcdir)/gl/m4/ungetc.m4 $(top_srcdir)/gl/m4/unistd_h.m4 \
++ $(top_srcdir)/gl/m4/valgrind-tests.m4 \
++ $(top_srcdir)/gl/m4/vasnprintf.m4 \
++ $(top_srcdir)/gl/m4/version-etc.m4 \
++ $(top_srcdir)/gl/m4/warn-on-use.m4 \
++ $(top_srcdir)/gl/m4/warnings.m4 $(top_srcdir)/gl/m4/wchar_h.m4 \
++ $(top_srcdir)/gl/m4/wchar_t.m4 $(top_srcdir)/gl/m4/wint_t.m4 \
++ $(top_srcdir)/gl/m4/xsize.m4 $(top_srcdir)/m4/gtk-doc.m4 \
++ $(top_srcdir)/m4/guile.m4 $(top_srcdir)/m4/libtool.m4 \
++ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
++ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
++ $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/configure.ac
++am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
++ $(ACLOCAL_M4)
++mkinstalldirs = $(install_sh) -d
++CONFIG_HEADER = $(top_builddir)/config.h
++CONFIG_CLEAN_FILES =
++CONFIG_CLEAN_VPATH_FILES =
++am__EXEEXT_1 = srn0$(EXEEXT) srn1$(EXEEXT) srn2$(EXEEXT) srn3$(EXEEXT) \
++ srn4$(EXEEXT) srn5$(EXEEXT) srn6$(EXEEXT) srn7$(EXEEXT)
++srn0_SOURCES = srn0.c
++srn0_OBJECTS = srn0.$(OBJEXT)
++srn0_LDADD = $(LDADD)
++am__DEPENDENCIES_1 =
++srn0_DEPENDENCIES = ../../lib/libgnutls.la $(am__DEPENDENCIES_1) \
++ $(am__DEPENDENCIES_1)
++srn1_SOURCES = srn1.c
++srn1_OBJECTS = srn1.$(OBJEXT)
++srn1_LDADD = $(LDADD)
++srn1_DEPENDENCIES = ../../lib/libgnutls.la $(am__DEPENDENCIES_1) \
++ $(am__DEPENDENCIES_1)
++srn2_SOURCES = srn2.c
++srn2_OBJECTS = srn2.$(OBJEXT)
++srn2_LDADD = $(LDADD)
++srn2_DEPENDENCIES = ../../lib/libgnutls.la $(am__DEPENDENCIES_1) \
++ $(am__DEPENDENCIES_1)
++srn3_SOURCES = srn3.c
++srn3_OBJECTS = srn3.$(OBJEXT)
++srn3_LDADD = $(LDADD)
++srn3_DEPENDENCIES = ../../lib/libgnutls.la $(am__DEPENDENCIES_1) \
++ $(am__DEPENDENCIES_1)
++srn4_SOURCES = srn4.c
++srn4_OBJECTS = srn4.$(OBJEXT)
++srn4_LDADD = $(LDADD)
++srn4_DEPENDENCIES = ../../lib/libgnutls.la $(am__DEPENDENCIES_1) \
++ $(am__DEPENDENCIES_1)
++srn5_SOURCES = srn5.c
++srn5_OBJECTS = srn5.$(OBJEXT)
++srn5_LDADD = $(LDADD)
++srn5_DEPENDENCIES = ../../lib/libgnutls.la $(am__DEPENDENCIES_1) \
++ $(am__DEPENDENCIES_1)
++srn6_SOURCES = srn6.c
++srn6_OBJECTS = srn6.$(OBJEXT)
++srn6_LDADD = $(LDADD)
++srn6_DEPENDENCIES = ../../lib/libgnutls.la $(am__DEPENDENCIES_1) \
++ $(am__DEPENDENCIES_1)
++srn7_SOURCES = srn7.c
++srn7_OBJECTS = srn7.$(OBJEXT)
++srn7_LDADD = $(LDADD)
++srn7_DEPENDENCIES = ../../lib/libgnutls.la $(am__DEPENDENCIES_1) \
++ $(am__DEPENDENCIES_1)
++DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
++depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp
++am__depfiles_maybe = depfiles
++am__mv = mv -f
++COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
++ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
++LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
++ --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
++ $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
++CCLD = $(CC)
++LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
++ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
++ $(LDFLAGS) -o $@
++SOURCES = srn0.c srn1.c srn2.c srn3.c srn4.c srn5.c srn6.c srn7.c
++DIST_SOURCES = srn0.c srn1.c srn2.c srn3.c srn4.c srn5.c srn6.c srn7.c
++ETAGS = etags
++CTAGS = ctags
++am__tty_colors = \
++red=; grn=; lgn=; blu=; std=
++DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
++ACLOCAL = @ACLOCAL@
++ALLOCA = @ALLOCA@
++ALLOCA_H = @ALLOCA_H@
++AMTAR = @AMTAR@
++APPLE_UNIVERSAL_BUILD = @APPLE_UNIVERSAL_BUILD@
++AR = @AR@
++AS = @AS@
++ASM_SYMBOL_PREFIX = @ASM_SYMBOL_PREFIX@
++AUTOCONF = @AUTOCONF@
++AUTOHEADER = @AUTOHEADER@
++AUTOMAKE = @AUTOMAKE@
++AWK = @AWK@
++BITSIZEOF_PTRDIFF_T = @BITSIZEOF_PTRDIFF_T@
++BITSIZEOF_SIG_ATOMIC_T = @BITSIZEOF_SIG_ATOMIC_T@
++BITSIZEOF_SIZE_T = @BITSIZEOF_SIZE_T@
++BITSIZEOF_WCHAR_T = @BITSIZEOF_WCHAR_T@
++BITSIZEOF_WINT_T = @BITSIZEOF_WINT_T@
++CC = @CC@
++CCDEPMODE = @CCDEPMODE@
++CFLAGS = @CFLAGS@
++CONFIG_INCLUDE = @CONFIG_INCLUDE@
++CPP = @CPP@
++CPPFLAGS = @CPPFLAGS@
++CXX = @CXX@
++CXXCPP = @CXXCPP@
++CXXDEPMODE = @CXXDEPMODE@
++CXXFLAGS = @CXXFLAGS@
++CYGPATH_W = @CYGPATH_W@
++DEFS = @DEFS@
++DEPDIR = @DEPDIR@
++DLLTOOL = @DLLTOOL@
++DLL_VERSION = @DLL_VERSION@
++DSYMUTIL = @DSYMUTIL@
++DUMPBIN = @DUMPBIN@
++ECHO_C = @ECHO_C@
++ECHO_N = @ECHO_N@
++ECHO_T = @ECHO_T@
++EGREP = @EGREP@
++EMULTIHOP_HIDDEN = @EMULTIHOP_HIDDEN@
++EMULTIHOP_VALUE = @EMULTIHOP_VALUE@
++ENOLINK_HIDDEN = @ENOLINK_HIDDEN@
++ENOLINK_VALUE = @ENOLINK_VALUE@
++EOVERFLOW_HIDDEN = @EOVERFLOW_HIDDEN@
++EOVERFLOW_VALUE = @EOVERFLOW_VALUE@
++ERRNO_H = @ERRNO_H@
++EXEEXT = @EXEEXT@
++FGREP = @FGREP@
++FLOAT_H = @FLOAT_H@
++GAA = @GAA@
++GETADDRINFO_LIB = @GETADDRINFO_LIB@
++GNULIB_ACCEPT = @GNULIB_ACCEPT@
++GNULIB_ACCEPT4 = @GNULIB_ACCEPT4@
++GNULIB_ATOLL = @GNULIB_ATOLL@
++GNULIB_BIND = @GNULIB_BIND@
++GNULIB_BTOWC = @GNULIB_BTOWC@
++GNULIB_CALLOC_POSIX = @GNULIB_CALLOC_POSIX@
++GNULIB_CANONICALIZE_FILE_NAME = @GNULIB_CANONICALIZE_FILE_NAME@
++GNULIB_CHOWN = @GNULIB_CHOWN@
++GNULIB_CLOSE = @GNULIB_CLOSE@
++GNULIB_CONNECT = @GNULIB_CONNECT@
++GNULIB_DPRINTF = @GNULIB_DPRINTF@
++GNULIB_DUP2 = @GNULIB_DUP2@
++GNULIB_DUP3 = @GNULIB_DUP3@
++GNULIB_ENVIRON = @GNULIB_ENVIRON@
++GNULIB_EUIDACCESS = @GNULIB_EUIDACCESS@
++GNULIB_FACCESSAT = @GNULIB_FACCESSAT@
++GNULIB_FCHDIR = @GNULIB_FCHDIR@
++GNULIB_FCHMODAT = @GNULIB_FCHMODAT@
++GNULIB_FCHOWNAT = @GNULIB_FCHOWNAT@
++GNULIB_FCLOSE = @GNULIB_FCLOSE@
++GNULIB_FFLUSH = @GNULIB_FFLUSH@
++GNULIB_FOPEN = @GNULIB_FOPEN@
++GNULIB_FPRINTF = @GNULIB_FPRINTF@
++GNULIB_FPRINTF_POSIX = @GNULIB_FPRINTF_POSIX@
++GNULIB_FPURGE = @GNULIB_FPURGE@
++GNULIB_FPUTC = @GNULIB_FPUTC@
++GNULIB_FPUTS = @GNULIB_FPUTS@
++GNULIB_FREOPEN = @GNULIB_FREOPEN@
++GNULIB_FSEEK = @GNULIB_FSEEK@
++GNULIB_FSEEKO = @GNULIB_FSEEKO@
++GNULIB_FSTATAT = @GNULIB_FSTATAT@
++GNULIB_FSYNC = @GNULIB_FSYNC@
++GNULIB_FTELL = @GNULIB_FTELL@
++GNULIB_FTELLO = @GNULIB_FTELLO@
++GNULIB_FTRUNCATE = @GNULIB_FTRUNCATE@
++GNULIB_FUTIMENS = @GNULIB_FUTIMENS@
++GNULIB_FWRITE = @GNULIB_FWRITE@
++GNULIB_GETADDRINFO = @GNULIB_GETADDRINFO@
++GNULIB_GETCWD = @GNULIB_GETCWD@
++GNULIB_GETDELIM = @GNULIB_GETDELIM@
++GNULIB_GETDOMAINNAME = @GNULIB_GETDOMAINNAME@
++GNULIB_GETDTABLESIZE = @GNULIB_GETDTABLESIZE@
++GNULIB_GETGROUPS = @GNULIB_GETGROUPS@
++GNULIB_GETHOSTNAME = @GNULIB_GETHOSTNAME@
++GNULIB_GETLINE = @GNULIB_GETLINE@
++GNULIB_GETLOADAVG = @GNULIB_GETLOADAVG@
++GNULIB_GETLOGIN = @GNULIB_GETLOGIN@
++GNULIB_GETLOGIN_R = @GNULIB_GETLOGIN_R@
++GNULIB_GETPAGESIZE = @GNULIB_GETPAGESIZE@
++GNULIB_GETPEERNAME = @GNULIB_GETPEERNAME@
++GNULIB_GETSOCKNAME = @GNULIB_GETSOCKNAME@
++GNULIB_GETSOCKOPT = @GNULIB_GETSOCKOPT@
++GNULIB_GETSUBOPT = @GNULIB_GETSUBOPT@
++GNULIB_GETTIMEOFDAY = @GNULIB_GETTIMEOFDAY@
++GNULIB_GETUSERSHELL = @GNULIB_GETUSERSHELL@
++GNULIB_GRANTPT = @GNULIB_GRANTPT@
++GNULIB_INET_NTOP = @GNULIB_INET_NTOP@
++GNULIB_INET_PTON = @GNULIB_INET_PTON@
++GNULIB_IOCTL = @GNULIB_IOCTL@
++GNULIB_LCHMOD = @GNULIB_LCHMOD@
++GNULIB_LCHOWN = @GNULIB_LCHOWN@
++GNULIB_LINK = @GNULIB_LINK@
++GNULIB_LINKAT = @GNULIB_LINKAT@
++GNULIB_LISTEN = @GNULIB_LISTEN@
++GNULIB_LSEEK = @GNULIB_LSEEK@
++GNULIB_LSTAT = @GNULIB_LSTAT@
++GNULIB_MALLOC_POSIX = @GNULIB_MALLOC_POSIX@
++GNULIB_MBRLEN = @GNULIB_MBRLEN@
++GNULIB_MBRTOWC = @GNULIB_MBRTOWC@
++GNULIB_MBSCASECMP = @GNULIB_MBSCASECMP@
++GNULIB_MBSCASESTR = @GNULIB_MBSCASESTR@
++GNULIB_MBSCHR = @GNULIB_MBSCHR@
++GNULIB_MBSCSPN = @GNULIB_MBSCSPN@
++GNULIB_MBSINIT = @GNULIB_MBSINIT@
++GNULIB_MBSLEN = @GNULIB_MBSLEN@
++GNULIB_MBSNCASECMP = @GNULIB_MBSNCASECMP@
++GNULIB_MBSNLEN = @GNULIB_MBSNLEN@
++GNULIB_MBSNRTOWCS = @GNULIB_MBSNRTOWCS@
++GNULIB_MBSPBRK = @GNULIB_MBSPBRK@
++GNULIB_MBSPCASECMP = @GNULIB_MBSPCASECMP@
++GNULIB_MBSRCHR = @GNULIB_MBSRCHR@
++GNULIB_MBSRTOWCS = @GNULIB_MBSRTOWCS@
++GNULIB_MBSSEP = @GNULIB_MBSSEP@
++GNULIB_MBSSPN = @GNULIB_MBSSPN@
++GNULIB_MBSSTR = @GNULIB_MBSSTR@
++GNULIB_MBSTOK_R = @GNULIB_MBSTOK_R@
++GNULIB_MEMCHR = @GNULIB_MEMCHR@
++GNULIB_MEMMEM = @GNULIB_MEMMEM@
++GNULIB_MEMPCPY = @GNULIB_MEMPCPY@
++GNULIB_MEMRCHR = @GNULIB_MEMRCHR@
++GNULIB_MKDIRAT = @GNULIB_MKDIRAT@
++GNULIB_MKDTEMP = @GNULIB_MKDTEMP@
++GNULIB_MKFIFO = @GNULIB_MKFIFO@
++GNULIB_MKFIFOAT = @GNULIB_MKFIFOAT@
++GNULIB_MKNOD = @GNULIB_MKNOD@
++GNULIB_MKNODAT = @GNULIB_MKNODAT@
++GNULIB_MKOSTEMP = @GNULIB_MKOSTEMP@
++GNULIB_MKOSTEMPS = @GNULIB_MKOSTEMPS@
++GNULIB_MKSTEMP = @GNULIB_MKSTEMP@
++GNULIB_MKSTEMPS = @GNULIB_MKSTEMPS@
++GNULIB_MKTIME = @GNULIB_MKTIME@
++GNULIB_NANOSLEEP = @GNULIB_NANOSLEEP@
++GNULIB_OBSTACK_PRINTF = @GNULIB_OBSTACK_PRINTF@
++GNULIB_OBSTACK_PRINTF_POSIX = @GNULIB_OBSTACK_PRINTF_POSIX@
++GNULIB_PERROR = @GNULIB_PERROR@
++GNULIB_PIPE2 = @GNULIB_PIPE2@
++GNULIB_POPEN = @GNULIB_POPEN@
++GNULIB_PREAD = @GNULIB_PREAD@
++GNULIB_PRINTF = @GNULIB_PRINTF@
++GNULIB_PRINTF_POSIX = @GNULIB_PRINTF_POSIX@
++GNULIB_PTSNAME = @GNULIB_PTSNAME@
++GNULIB_PUTC = @GNULIB_PUTC@
++GNULIB_PUTCHAR = @GNULIB_PUTCHAR@
++GNULIB_PUTENV = @GNULIB_PUTENV@
++GNULIB_PUTS = @GNULIB_PUTS@
++GNULIB_PWRITE = @GNULIB_PWRITE@
++GNULIB_RANDOM_R = @GNULIB_RANDOM_R@
++GNULIB_RAWMEMCHR = @GNULIB_RAWMEMCHR@
++GNULIB_READLINK = @GNULIB_READLINK@
++GNULIB_READLINKAT = @GNULIB_READLINKAT@
++GNULIB_REALLOC_POSIX = @GNULIB_REALLOC_POSIX@
++GNULIB_REALPATH = @GNULIB_REALPATH@
++GNULIB_RECV = @GNULIB_RECV@
++GNULIB_RECVFROM = @GNULIB_RECVFROM@
++GNULIB_REMOVE = @GNULIB_REMOVE@
++GNULIB_RENAME = @GNULIB_RENAME@
++GNULIB_RENAMEAT = @GNULIB_RENAMEAT@
++GNULIB_RMDIR = @GNULIB_RMDIR@
++GNULIB_RPMATCH = @GNULIB_RPMATCH@
++GNULIB_SELECT = @GNULIB_SELECT@
++GNULIB_SEND = @GNULIB_SEND@
++GNULIB_SENDTO = @GNULIB_SENDTO@
++GNULIB_SETENV = @GNULIB_SETENV@
++GNULIB_SETSOCKOPT = @GNULIB_SETSOCKOPT@
++GNULIB_SHUTDOWN = @GNULIB_SHUTDOWN@
++GNULIB_SLEEP = @GNULIB_SLEEP@
++GNULIB_SNPRINTF = @GNULIB_SNPRINTF@
++GNULIB_SOCKET = @GNULIB_SOCKET@
++GNULIB_SPRINTF_POSIX = @GNULIB_SPRINTF_POSIX@
++GNULIB_STAT = @GNULIB_STAT@
++GNULIB_STDIO_H_SIGPIPE = @GNULIB_STDIO_H_SIGPIPE@
++GNULIB_STPCPY = @GNULIB_STPCPY@
++GNULIB_STPNCPY = @GNULIB_STPNCPY@
++GNULIB_STRCASESTR = @GNULIB_STRCASESTR@
++GNULIB_STRCHRNUL = @GNULIB_STRCHRNUL@
++GNULIB_STRDUP = @GNULIB_STRDUP@
++GNULIB_STRERROR = @GNULIB_STRERROR@
++GNULIB_STRNCAT = @GNULIB_STRNCAT@
++GNULIB_STRNDUP = @GNULIB_STRNDUP@
++GNULIB_STRNLEN = @GNULIB_STRNLEN@
++GNULIB_STRPBRK = @GNULIB_STRPBRK@
++GNULIB_STRPTIME = @GNULIB_STRPTIME@
++GNULIB_STRSEP = @GNULIB_STRSEP@
++GNULIB_STRSIGNAL = @GNULIB_STRSIGNAL@
++GNULIB_STRSTR = @GNULIB_STRSTR@
++GNULIB_STRTOD = @GNULIB_STRTOD@
++GNULIB_STRTOK_R = @GNULIB_STRTOK_R@
++GNULIB_STRTOLL = @GNULIB_STRTOLL@
++GNULIB_STRTOULL = @GNULIB_STRTOULL@
++GNULIB_STRVERSCMP = @GNULIB_STRVERSCMP@
++GNULIB_SYMLINK = @GNULIB_SYMLINK@
++GNULIB_SYMLINKAT = @GNULIB_SYMLINKAT@
++GNULIB_TIMEGM = @GNULIB_TIMEGM@
++GNULIB_TIME_R = @GNULIB_TIME_R@
++GNULIB_TMPFILE = @GNULIB_TMPFILE@
++GNULIB_TTYNAME_R = @GNULIB_TTYNAME_R@
++GNULIB_UNISTD_H_GETOPT = @GNULIB_UNISTD_H_GETOPT@
++GNULIB_UNISTD_H_SIGPIPE = @GNULIB_UNISTD_H_SIGPIPE@
++GNULIB_UNLINK = @GNULIB_UNLINK@
++GNULIB_UNLINKAT = @GNULIB_UNLINKAT@
++GNULIB_UNLOCKPT = @GNULIB_UNLOCKPT@
++GNULIB_UNSETENV = @GNULIB_UNSETENV@
++GNULIB_USLEEP = @GNULIB_USLEEP@
++GNULIB_UTIMENSAT = @GNULIB_UTIMENSAT@
++GNULIB_VASPRINTF = @GNULIB_VASPRINTF@
++GNULIB_VDPRINTF = @GNULIB_VDPRINTF@
++GNULIB_VFPRINTF = @GNULIB_VFPRINTF@
++GNULIB_VFPRINTF_POSIX = @GNULIB_VFPRINTF_POSIX@
++GNULIB_VPRINTF = @GNULIB_VPRINTF@
++GNULIB_VPRINTF_POSIX = @GNULIB_VPRINTF_POSIX@
++GNULIB_VSNPRINTF = @GNULIB_VSNPRINTF@
++GNULIB_VSPRINTF_POSIX = @GNULIB_VSPRINTF_POSIX@
++GNULIB_WCRTOMB = @GNULIB_WCRTOMB@
++GNULIB_WCSNRTOMBS = @GNULIB_WCSNRTOMBS@
++GNULIB_WCSRTOMBS = @GNULIB_WCSRTOMBS@
++GNULIB_WCTOB = @GNULIB_WCTOB@
++GNULIB_WCWIDTH = @GNULIB_WCWIDTH@
++GNULIB_WRITE = @GNULIB_WRITE@
++GREP = @GREP@
++GTKDOC_CHECK = @GTKDOC_CHECK@
++GTKDOC_MKPDF = @GTKDOC_MKPDF@
++GTKDOC_REBASE = @GTKDOC_REBASE@
++GUILE = @GUILE@
++GUILE_CFLAGS = @GUILE_CFLAGS@
++GUILE_CONFIG = @GUILE_CONFIG@
++GUILE_LDFLAGS = @GUILE_LDFLAGS@
++GUILE_SITE = @GUILE_SITE@
++GUILE_TOOLS = @GUILE_TOOLS@
++HAVE_ACCEPT4 = @HAVE_ACCEPT4@
++HAVE_ARPA_INET_H = @HAVE_ARPA_INET_H@
++HAVE_ATOLL = @HAVE_ATOLL@
++HAVE_BTOWC = @HAVE_BTOWC@
++HAVE_CALLOC_POSIX = @HAVE_CALLOC_POSIX@
++HAVE_CANONICALIZE_FILE_NAME = @HAVE_CANONICALIZE_FILE_NAME@
++HAVE_CHOWN = @HAVE_CHOWN@
++HAVE_DECL_ENVIRON = @HAVE_DECL_ENVIRON@
++HAVE_DECL_FPURGE = @HAVE_DECL_FPURGE@
++HAVE_DECL_FREEADDRINFO = @HAVE_DECL_FREEADDRINFO@
++HAVE_DECL_GAI_STRERROR = @HAVE_DECL_GAI_STRERROR@
++HAVE_DECL_GETADDRINFO = @HAVE_DECL_GETADDRINFO@
++HAVE_DECL_GETDELIM = @HAVE_DECL_GETDELIM@
++HAVE_DECL_GETLINE = @HAVE_DECL_GETLINE@
++HAVE_DECL_GETLOADAVG = @HAVE_DECL_GETLOADAVG@
++HAVE_DECL_GETLOGIN_R = @HAVE_DECL_GETLOGIN_R@
++HAVE_DECL_GETNAMEINFO = @HAVE_DECL_GETNAMEINFO@
++HAVE_DECL_GETPAGESIZE = @HAVE_DECL_GETPAGESIZE@
++HAVE_DECL_GETUSERSHELL = @HAVE_DECL_GETUSERSHELL@
++HAVE_DECL_INET_NTOP = @HAVE_DECL_INET_NTOP@
++HAVE_DECL_INET_PTON = @HAVE_DECL_INET_PTON@
++HAVE_DECL_MEMMEM = @HAVE_DECL_MEMMEM@
++HAVE_DECL_MEMRCHR = @HAVE_DECL_MEMRCHR@
++HAVE_DECL_OBSTACK_PRINTF = @HAVE_DECL_OBSTACK_PRINTF@
++HAVE_DECL_SNPRINTF = @HAVE_DECL_SNPRINTF@
++HAVE_DECL_STRDUP = @HAVE_DECL_STRDUP@
++HAVE_DECL_STRNDUP = @HAVE_DECL_STRNDUP@
++HAVE_DECL_STRNLEN = @HAVE_DECL_STRNLEN@
++HAVE_DECL_STRSIGNAL = @HAVE_DECL_STRSIGNAL@
++HAVE_DECL_STRTOK_R = @HAVE_DECL_STRTOK_R@
++HAVE_DECL_VSNPRINTF = @HAVE_DECL_VSNPRINTF@
++HAVE_DECL_WCTOB = @HAVE_DECL_WCTOB@
++HAVE_DECL_WCWIDTH = @HAVE_DECL_WCWIDTH@
++HAVE_DPRINTF = @HAVE_DPRINTF@
++HAVE_DUP2 = @HAVE_DUP2@
++HAVE_DUP3 = @HAVE_DUP3@
++HAVE_EUIDACCESS = @HAVE_EUIDACCESS@
++HAVE_FACCESSAT = @HAVE_FACCESSAT@
++HAVE_FCHDIR = @HAVE_FCHDIR@
++HAVE_FCHMODAT = @HAVE_FCHMODAT@
++HAVE_FCHOWNAT = @HAVE_FCHOWNAT@
++HAVE_FSEEKO = @HAVE_FSEEKO@
++HAVE_FSTATAT = @HAVE_FSTATAT@
++HAVE_FSYNC = @HAVE_FSYNC@
++HAVE_FTELLO = @HAVE_FTELLO@
++HAVE_FTRUNCATE = @HAVE_FTRUNCATE@
++HAVE_FUTIMENS = @HAVE_FUTIMENS@
++HAVE_GETDOMAINNAME = @HAVE_GETDOMAINNAME@
++HAVE_GETDTABLESIZE = @HAVE_GETDTABLESIZE@
++HAVE_GETGROUPS = @HAVE_GETGROUPS@
++HAVE_GETHOSTNAME = @HAVE_GETHOSTNAME@
++HAVE_GETLOGIN = @HAVE_GETLOGIN@
++HAVE_GETPAGESIZE = @HAVE_GETPAGESIZE@
++HAVE_GETSUBOPT = @HAVE_GETSUBOPT@
++HAVE_GETTIMEOFDAY = @HAVE_GETTIMEOFDAY@
++HAVE_GRANTPT = @HAVE_GRANTPT@
++HAVE_INTTYPES_H = @HAVE_INTTYPES_H@
++HAVE_LCHMOD = @HAVE_LCHMOD@
++HAVE_LCHOWN = @HAVE_LCHOWN@
++HAVE_LIBGCRYPT = @HAVE_LIBGCRYPT@
++HAVE_LIBTASN1 = @HAVE_LIBTASN1@
++HAVE_LINK = @HAVE_LINK@
++HAVE_LINKAT = @HAVE_LINKAT@
++HAVE_LOCALTIME_R = @HAVE_LOCALTIME_R@
++HAVE_LONG_LONG_INT = @HAVE_LONG_LONG_INT@
++HAVE_LSTAT = @HAVE_LSTAT@
++HAVE_MALLOC_POSIX = @HAVE_MALLOC_POSIX@
++HAVE_MBRLEN = @HAVE_MBRLEN@
++HAVE_MBRTOWC = @HAVE_MBRTOWC@
++HAVE_MBSINIT = @HAVE_MBSINIT@
++HAVE_MBSLEN = @HAVE_MBSLEN@
++HAVE_MBSNRTOWCS = @HAVE_MBSNRTOWCS@
++HAVE_MBSRTOWCS = @HAVE_MBSRTOWCS@
++HAVE_MEMCHR = @HAVE_MEMCHR@
++HAVE_MEMPCPY = @HAVE_MEMPCPY@
++HAVE_MKDIRAT = @HAVE_MKDIRAT@
++HAVE_MKDTEMP = @HAVE_MKDTEMP@
++HAVE_MKFIFO = @HAVE_MKFIFO@
++HAVE_MKFIFOAT = @HAVE_MKFIFOAT@
++HAVE_MKNOD = @HAVE_MKNOD@
++HAVE_MKNODAT = @HAVE_MKNODAT@
++HAVE_MKOSTEMP = @HAVE_MKOSTEMP@
++HAVE_MKOSTEMPS = @HAVE_MKOSTEMPS@
++HAVE_MKSTEMP = @HAVE_MKSTEMP@
++HAVE_MKSTEMPS = @HAVE_MKSTEMPS@
++HAVE_NANOSLEEP = @HAVE_NANOSLEEP@
++HAVE_NETDB_H = @HAVE_NETDB_H@
++HAVE_NETINET_IN_H = @HAVE_NETINET_IN_H@
++HAVE_OS_H = @HAVE_OS_H@
++HAVE_PIPE2 = @HAVE_PIPE2@
++HAVE_PREAD = @HAVE_PREAD@
++HAVE_PTSNAME = @HAVE_PTSNAME@
++HAVE_PWRITE = @HAVE_PWRITE@
++HAVE_RANDOM_H = @HAVE_RANDOM_H@
++HAVE_RANDOM_R = @HAVE_RANDOM_R@
++HAVE_RAWMEMCHR = @HAVE_RAWMEMCHR@
++HAVE_READLINK = @HAVE_READLINK@
++HAVE_READLINKAT = @HAVE_READLINKAT@
++HAVE_REALLOC_POSIX = @HAVE_REALLOC_POSIX@
++HAVE_REALPATH = @HAVE_REALPATH@
++HAVE_RENAMEAT = @HAVE_RENAMEAT@
++HAVE_RPMATCH = @HAVE_RPMATCH@
++HAVE_SA_FAMILY_T = @HAVE_SA_FAMILY_T@
++HAVE_SETENV = @HAVE_SETENV@
++HAVE_SIGNED_SIG_ATOMIC_T = @HAVE_SIGNED_SIG_ATOMIC_T@
++HAVE_SIGNED_WCHAR_T = @HAVE_SIGNED_WCHAR_T@
++HAVE_SIGNED_WINT_T = @HAVE_SIGNED_WINT_T@
++HAVE_SLEEP = @HAVE_SLEEP@
++HAVE_STDINT_H = @HAVE_STDINT_H@
++HAVE_STPCPY = @HAVE_STPCPY@
++HAVE_STPNCPY = @HAVE_STPNCPY@
++HAVE_STRCASESTR = @HAVE_STRCASESTR@
++HAVE_STRCHRNUL = @HAVE_STRCHRNUL@
++HAVE_STRPBRK = @HAVE_STRPBRK@
++HAVE_STRPTIME = @HAVE_STRPTIME@
++HAVE_STRSEP = @HAVE_STRSEP@
++HAVE_STRTOD = @HAVE_STRTOD@
++HAVE_STRTOLL = @HAVE_STRTOLL@
++HAVE_STRTOULL = @HAVE_STRTOULL@
++HAVE_STRUCT_ADDRINFO = @HAVE_STRUCT_ADDRINFO@
++HAVE_STRUCT_RANDOM_DATA = @HAVE_STRUCT_RANDOM_DATA@
++HAVE_STRUCT_SOCKADDR_STORAGE = @HAVE_STRUCT_SOCKADDR_STORAGE@
++HAVE_STRUCT_TIMEVAL = @HAVE_STRUCT_TIMEVAL@
++HAVE_STRVERSCMP = @HAVE_STRVERSCMP@
++HAVE_SYMLINK = @HAVE_SYMLINK@
++HAVE_SYMLINKAT = @HAVE_SYMLINKAT@
++HAVE_SYS_BITYPES_H = @HAVE_SYS_BITYPES_H@
++HAVE_SYS_INTTYPES_H = @HAVE_SYS_INTTYPES_H@
++HAVE_SYS_IOCTL_H = @HAVE_SYS_IOCTL_H@
++HAVE_SYS_LOADAVG_H = @HAVE_SYS_LOADAVG_H@
++HAVE_SYS_PARAM_H = @HAVE_SYS_PARAM_H@
++HAVE_SYS_SELECT_H = @HAVE_SYS_SELECT_H@
++HAVE_SYS_SOCKET_H = @HAVE_SYS_SOCKET_H@
++HAVE_SYS_TIME_H = @HAVE_SYS_TIME_H@
++HAVE_SYS_TYPES_H = @HAVE_SYS_TYPES_H@
++HAVE_TIMEGM = @HAVE_TIMEGM@
++HAVE_TTYNAME_R = @HAVE_TTYNAME_R@
++HAVE_UNISTD_H = @HAVE_UNISTD_H@
++HAVE_UNLINKAT = @HAVE_UNLINKAT@
++HAVE_UNLOCKPT = @HAVE_UNLOCKPT@
++HAVE_UNSETENV = @HAVE_UNSETENV@
++HAVE_UNSIGNED_LONG_LONG_INT = @HAVE_UNSIGNED_LONG_LONG_INT@
++HAVE_USLEEP = @HAVE_USLEEP@
++HAVE_UTIMENSAT = @HAVE_UTIMENSAT@
++HAVE_VASPRINTF = @HAVE_VASPRINTF@
++HAVE_VDPRINTF = @HAVE_VDPRINTF@
++HAVE_WCHAR_H = @HAVE_WCHAR_H@
++HAVE_WCHAR_T = @HAVE_WCHAR_T@
++HAVE_WCRTOMB = @HAVE_WCRTOMB@
++HAVE_WCSNRTOMBS = @HAVE_WCSNRTOMBS@
++HAVE_WCSRTOMBS = @HAVE_WCSRTOMBS@
++HAVE_WINSOCK2_H = @HAVE_WINSOCK2_H@
++HAVE_WINT_T = @HAVE_WINT_T@
++HAVE_WS2TCPIP_H = @HAVE_WS2TCPIP_H@
++HAVE__BOOL = @HAVE__BOOL@
++HOSTENT_LIB = @HOSTENT_LIB@
++HTML_DIR = @HTML_DIR@
++INCLUDE_NEXT = @INCLUDE_NEXT@
++INCLUDE_NEXT_AS_FIRST_DIRECTIVE = @INCLUDE_NEXT_AS_FIRST_DIRECTIVE@
++INET_NTOP_LIB = @INET_NTOP_LIB@
++INET_PTON_LIB = @INET_PTON_LIB@
++INSTALL = @INSTALL@
++INSTALL_DATA = @INSTALL_DATA@
++INSTALL_PROGRAM = @INSTALL_PROGRAM@
++INSTALL_SCRIPT = @INSTALL_SCRIPT@
++INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
++LD = @LD@
++LDFLAGS = @LDFLAGS@
++LIBGCRYPT = @LIBGCRYPT@
++LIBGCRYPT_PREFIX = @LIBGCRYPT_PREFIX@
++LIBINTL = @LIBINTL@
++LIBOBJS = @LIBOBJS@
++LIBREADLINE = @LIBREADLINE@
++LIBS = @LIBS@
++LIBSOCKET = @LIBSOCKET@
++LIBTASN1 = @LIBTASN1@
++LIBTASN1_PREFIX = @LIBTASN1_PREFIX@
++LIBTESTS_LIBDEPS = @LIBTESTS_LIBDEPS@
++LIBTOOL = @LIBTOOL@
++LIB_CLOCK_GETTIME = @LIB_CLOCK_GETTIME@
++LIPO = @LIPO@
++LN_S = @LN_S@
++LTALLOCA = @LTALLOCA@
++LTLIBGCRYPT = @LTLIBGCRYPT@
++LTLIBINTL = @LTLIBINTL@
++LTLIBOBJS = @LTLIBOBJS@
++LTLIBREADLINE = @LTLIBREADLINE@
++LTLIBTASN1 = @LTLIBTASN1@
++LT_AGE = @LT_AGE@
++LT_CURRENT = @LT_CURRENT@
++LT_REVISION = @LT_REVISION@
++LZO_LIBS = @LZO_LIBS@
++MAKEINFO = @MAKEINFO@
++MKDIR_P = @MKDIR_P@
++NETINET_IN_H = @NETINET_IN_H@
++NEXT_ARPA_INET_H = @NEXT_ARPA_INET_H@
++NEXT_AS_FIRST_DIRECTIVE_ARPA_INET_H = @NEXT_AS_FIRST_DIRECTIVE_ARPA_INET_H@
++NEXT_AS_FIRST_DIRECTIVE_ERRNO_H = @NEXT_AS_FIRST_DIRECTIVE_ERRNO_H@
++NEXT_AS_FIRST_DIRECTIVE_FLOAT_H = @NEXT_AS_FIRST_DIRECTIVE_FLOAT_H@
++NEXT_AS_FIRST_DIRECTIVE_NETDB_H = @NEXT_AS_FIRST_DIRECTIVE_NETDB_H@
++NEXT_AS_FIRST_DIRECTIVE_NETINET_IN_H = @NEXT_AS_FIRST_DIRECTIVE_NETINET_IN_H@
++NEXT_AS_FIRST_DIRECTIVE_STDARG_H = @NEXT_AS_FIRST_DIRECTIVE_STDARG_H@
++NEXT_AS_FIRST_DIRECTIVE_STDDEF_H = @NEXT_AS_FIRST_DIRECTIVE_STDDEF_H@
++NEXT_AS_FIRST_DIRECTIVE_STDINT_H = @NEXT_AS_FIRST_DIRECTIVE_STDINT_H@
++NEXT_AS_FIRST_DIRECTIVE_STDIO_H = @NEXT_AS_FIRST_DIRECTIVE_STDIO_H@
++NEXT_AS_FIRST_DIRECTIVE_STDLIB_H = @NEXT_AS_FIRST_DIRECTIVE_STDLIB_H@
++NEXT_AS_FIRST_DIRECTIVE_STRING_H = @NEXT_AS_FIRST_DIRECTIVE_STRING_H@
++NEXT_AS_FIRST_DIRECTIVE_SYS_IOCTL_H = @NEXT_AS_FIRST_DIRECTIVE_SYS_IOCTL_H@
++NEXT_AS_FIRST_DIRECTIVE_SYS_SELECT_H = @NEXT_AS_FIRST_DIRECTIVE_SYS_SELECT_H@
++NEXT_AS_FIRST_DIRECTIVE_SYS_SOCKET_H = @NEXT_AS_FIRST_DIRECTIVE_SYS_SOCKET_H@
++NEXT_AS_FIRST_DIRECTIVE_SYS_STAT_H = @NEXT_AS_FIRST_DIRECTIVE_SYS_STAT_H@
++NEXT_AS_FIRST_DIRECTIVE_SYS_TIME_H = @NEXT_AS_FIRST_DIRECTIVE_SYS_TIME_H@
++NEXT_AS_FIRST_DIRECTIVE_TIME_H = @NEXT_AS_FIRST_DIRECTIVE_TIME_H@
++NEXT_AS_FIRST_DIRECTIVE_UNISTD_H = @NEXT_AS_FIRST_DIRECTIVE_UNISTD_H@
++NEXT_AS_FIRST_DIRECTIVE_WCHAR_H = @NEXT_AS_FIRST_DIRECTIVE_WCHAR_H@
++NEXT_ERRNO_H = @NEXT_ERRNO_H@
++NEXT_FLOAT_H = @NEXT_FLOAT_H@
++NEXT_NETDB_H = @NEXT_NETDB_H@
++NEXT_NETINET_IN_H = @NEXT_NETINET_IN_H@
++NEXT_STDARG_H = @NEXT_STDARG_H@
++NEXT_STDDEF_H = @NEXT_STDDEF_H@
++NEXT_STDINT_H = @NEXT_STDINT_H@
++NEXT_STDIO_H = @NEXT_STDIO_H@
++NEXT_STDLIB_H = @NEXT_STDLIB_H@
++NEXT_STRING_H = @NEXT_STRING_H@
++NEXT_SYS_IOCTL_H = @NEXT_SYS_IOCTL_H@
++NEXT_SYS_SELECT_H = @NEXT_SYS_SELECT_H@
++NEXT_SYS_SOCKET_H = @NEXT_SYS_SOCKET_H@
++NEXT_SYS_STAT_H = @NEXT_SYS_STAT_H@
++NEXT_SYS_TIME_H = @NEXT_SYS_TIME_H@
++NEXT_TIME_H = @NEXT_TIME_H@
++NEXT_UNISTD_H = @NEXT_UNISTD_H@
++NEXT_WCHAR_H = @NEXT_WCHAR_H@
++NM = @NM@
++NMEDIT = @NMEDIT@
++OBJDUMP = @OBJDUMP@
++OBJEXT = @OBJEXT@
++OTOOL = @OTOOL@
++OTOOL64 = @OTOOL64@
++PACKAGE = @PACKAGE@
++PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
++PACKAGE_NAME = @PACKAGE_NAME@
++PACKAGE_STRING = @PACKAGE_STRING@
++PACKAGE_TARNAME = @PACKAGE_TARNAME@
++PACKAGE_URL = @PACKAGE_URL@
++PACKAGE_VERSION = @PACKAGE_VERSION@
++PATH_SEPARATOR = @PATH_SEPARATOR@
++PKG_CONFIG = @PKG_CONFIG@
++PMCCABE = @PMCCABE@
++PRAGMA_SYSTEM_HEADER = @PRAGMA_SYSTEM_HEADER@
++PTHREAD_H_DEFINES_STRUCT_TIMESPEC = @PTHREAD_H_DEFINES_STRUCT_TIMESPEC@
++PTRDIFF_T_SUFFIX = @PTRDIFF_T_SUFFIX@
++RANLIB = @RANLIB@
++REPLACE_BTOWC = @REPLACE_BTOWC@
++REPLACE_CANONICALIZE_FILE_NAME = @REPLACE_CANONICALIZE_FILE_NAME@
++REPLACE_CHOWN = @REPLACE_CHOWN@
++REPLACE_CLOSE = @REPLACE_CLOSE@
++REPLACE_DPRINTF = @REPLACE_DPRINTF@
++REPLACE_DUP = @REPLACE_DUP@
++REPLACE_DUP2 = @REPLACE_DUP2@
++REPLACE_FCHOWNAT = @REPLACE_FCHOWNAT@
++REPLACE_FCLOSE = @REPLACE_FCLOSE@
++REPLACE_FFLUSH = @REPLACE_FFLUSH@
++REPLACE_FOPEN = @REPLACE_FOPEN@
++REPLACE_FPRINTF = @REPLACE_FPRINTF@
++REPLACE_FPURGE = @REPLACE_FPURGE@
++REPLACE_FREOPEN = @REPLACE_FREOPEN@
++REPLACE_FSEEK = @REPLACE_FSEEK@
++REPLACE_FSEEKO = @REPLACE_FSEEKO@
++REPLACE_FSTAT = @REPLACE_FSTAT@
++REPLACE_FSTATAT = @REPLACE_FSTATAT@
++REPLACE_FTELL = @REPLACE_FTELL@
++REPLACE_FTELLO = @REPLACE_FTELLO@
++REPLACE_FUTIMENS = @REPLACE_FUTIMENS@
++REPLACE_GETCWD = @REPLACE_GETCWD@
++REPLACE_GETDELIM = @REPLACE_GETDELIM@
++REPLACE_GETGROUPS = @REPLACE_GETGROUPS@
++REPLACE_GETLINE = @REPLACE_GETLINE@
++REPLACE_GETPAGESIZE = @REPLACE_GETPAGESIZE@
++REPLACE_GETTIMEOFDAY = @REPLACE_GETTIMEOFDAY@
++REPLACE_IOCTL = @REPLACE_IOCTL@
++REPLACE_LCHOWN = @REPLACE_LCHOWN@
++REPLACE_LINK = @REPLACE_LINK@
++REPLACE_LINKAT = @REPLACE_LINKAT@
++REPLACE_LOCALTIME_R = @REPLACE_LOCALTIME_R@
++REPLACE_LSEEK = @REPLACE_LSEEK@
++REPLACE_LSTAT = @REPLACE_LSTAT@
++REPLACE_MBRLEN = @REPLACE_MBRLEN@
++REPLACE_MBRTOWC = @REPLACE_MBRTOWC@
++REPLACE_MBSINIT = @REPLACE_MBSINIT@
++REPLACE_MBSNRTOWCS = @REPLACE_MBSNRTOWCS@
++REPLACE_MBSRTOWCS = @REPLACE_MBSRTOWCS@
++REPLACE_MBSTATE_T = @REPLACE_MBSTATE_T@
++REPLACE_MEMCHR = @REPLACE_MEMCHR@
++REPLACE_MEMMEM = @REPLACE_MEMMEM@
++REPLACE_MKDIR = @REPLACE_MKDIR@
++REPLACE_MKFIFO = @REPLACE_MKFIFO@
++REPLACE_MKNOD = @REPLACE_MKNOD@
++REPLACE_MKSTEMP = @REPLACE_MKSTEMP@
++REPLACE_MKTIME = @REPLACE_MKTIME@
++REPLACE_NANOSLEEP = @REPLACE_NANOSLEEP@
++REPLACE_NULL = @REPLACE_NULL@
++REPLACE_OBSTACK_PRINTF = @REPLACE_OBSTACK_PRINTF@
++REPLACE_PERROR = @REPLACE_PERROR@
++REPLACE_POPEN = @REPLACE_POPEN@
++REPLACE_PREAD = @REPLACE_PREAD@
++REPLACE_PRINTF = @REPLACE_PRINTF@
++REPLACE_PUTENV = @REPLACE_PUTENV@
++REPLACE_PWRITE = @REPLACE_PWRITE@
++REPLACE_READLINK = @REPLACE_READLINK@
++REPLACE_REALPATH = @REPLACE_REALPATH@
++REPLACE_REMOVE = @REPLACE_REMOVE@
++REPLACE_RENAME = @REPLACE_RENAME@
++REPLACE_RENAMEAT = @REPLACE_RENAMEAT@
++REPLACE_RMDIR = @REPLACE_RMDIR@
++REPLACE_SELECT = @REPLACE_SELECT@
++REPLACE_SETENV = @REPLACE_SETENV@
++REPLACE_SLEEP = @REPLACE_SLEEP@
++REPLACE_SNPRINTF = @REPLACE_SNPRINTF@
++REPLACE_SPRINTF = @REPLACE_SPRINTF@
++REPLACE_STAT = @REPLACE_STAT@
++REPLACE_STDIO_WRITE_FUNCS = @REPLACE_STDIO_WRITE_FUNCS@
++REPLACE_STPNCPY = @REPLACE_STPNCPY@
++REPLACE_STRCASESTR = @REPLACE_STRCASESTR@
++REPLACE_STRDUP = @REPLACE_STRDUP@
++REPLACE_STRERROR = @REPLACE_STRERROR@
++REPLACE_STRNCAT = @REPLACE_STRNCAT@
++REPLACE_STRNDUP = @REPLACE_STRNDUP@
++REPLACE_STRNLEN = @REPLACE_STRNLEN@
++REPLACE_STRSIGNAL = @REPLACE_STRSIGNAL@
++REPLACE_STRSTR = @REPLACE_STRSTR@
++REPLACE_STRTOD = @REPLACE_STRTOD@
++REPLACE_STRTOK_R = @REPLACE_STRTOK_R@
++REPLACE_SYMLINK = @REPLACE_SYMLINK@
++REPLACE_TIMEGM = @REPLACE_TIMEGM@
++REPLACE_TMPFILE = @REPLACE_TMPFILE@
++REPLACE_TTYNAME_R = @REPLACE_TTYNAME_R@
++REPLACE_UNLINK = @REPLACE_UNLINK@
++REPLACE_UNLINKAT = @REPLACE_UNLINKAT@
++REPLACE_UNSETENV = @REPLACE_UNSETENV@
++REPLACE_USLEEP = @REPLACE_USLEEP@
++REPLACE_UTIMENSAT = @REPLACE_UTIMENSAT@
++REPLACE_VASPRINTF = @REPLACE_VASPRINTF@
++REPLACE_VDPRINTF = @REPLACE_VDPRINTF@
++REPLACE_VFPRINTF = @REPLACE_VFPRINTF@
++REPLACE_VPRINTF = @REPLACE_VPRINTF@
++REPLACE_VSNPRINTF = @REPLACE_VSNPRINTF@
++REPLACE_VSPRINTF = @REPLACE_VSPRINTF@
++REPLACE_WCRTOMB = @REPLACE_WCRTOMB@
++REPLACE_WCSNRTOMBS = @REPLACE_WCSNRTOMBS@
++REPLACE_WCSRTOMBS = @REPLACE_WCSRTOMBS@
++REPLACE_WCTOB = @REPLACE_WCTOB@
++REPLACE_WCWIDTH = @REPLACE_WCWIDTH@
++REPLACE_WRITE = @REPLACE_WRITE@
++SED = @SED@
++SERVENT_LIB = @SERVENT_LIB@
++SET_MAKE = @SET_MAKE@
++SHELL = @SHELL@
++SIG_ATOMIC_T_SUFFIX = @SIG_ATOMIC_T_SUFFIX@
++SIZE_T_SUFFIX = @SIZE_T_SUFFIX@
++STDARG_H = @STDARG_H@
++STDBOOL_H = @STDBOOL_H@
++STDDEF_H = @STDDEF_H@
++STDINT_H = @STDINT_H@
++STRIP = @STRIP@
++SYS_IOCTL_H_HAVE_WINSOCK2_H = @SYS_IOCTL_H_HAVE_WINSOCK2_H@
++SYS_IOCTL_H_HAVE_WINSOCK2_H_AND_USE_SOCKETS = @SYS_IOCTL_H_HAVE_WINSOCK2_H_AND_USE_SOCKETS@
++SYS_TIME_H_DEFINES_STRUCT_TIMESPEC = @SYS_TIME_H_DEFINES_STRUCT_TIMESPEC@
++TIME_H_DEFINES_STRUCT_TIMESPEC = @TIME_H_DEFINES_STRUCT_TIMESPEC@
++UNDEFINE_STRTOK_R = @UNDEFINE_STRTOK_R@
++UNISTD_H_HAVE_WINSOCK2_H = @UNISTD_H_HAVE_WINSOCK2_H@
++UNISTD_H_HAVE_WINSOCK2_H_AND_USE_SOCKETS = @UNISTD_H_HAVE_WINSOCK2_H_AND_USE_SOCKETS@
++VALGRIND = @VALGRIND@
++VERSION = @VERSION@
++WARN_CFLAGS = @WARN_CFLAGS@
++WCHAR_T_SUFFIX = @WCHAR_T_SUFFIX@
++WERROR_CFLAGS = @WERROR_CFLAGS@
++WINT_T_SUFFIX = @WINT_T_SUFFIX@
++WSTACK_CFLAGS = @WSTACK_CFLAGS@
++abs_aux_dir = @abs_aux_dir@
++abs_builddir = @abs_builddir@
++abs_srcdir = @abs_srcdir@
++abs_top_builddir = @abs_top_builddir@
++abs_top_srcdir = @abs_top_srcdir@
++ac_ct_CC = @ac_ct_CC@
++ac_ct_CXX = @ac_ct_CXX@
++ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
++am__include = @am__include@
++am__leading_dot = @am__leading_dot@
++am__quote = @am__quote@
++am__tar = @am__tar@
++am__untar = @am__untar@
++bindir = @bindir@
++build = @build@
++build_alias = @build_alias@
++build_cpu = @build_cpu@
++build_os = @build_os@
++build_vendor = @build_vendor@
++builddir = @builddir@
++datadir = @datadir@
++datarootdir = @datarootdir@
++docdir = @docdir@
++dvidir = @dvidir@
++exec_prefix = @exec_prefix@
++gl_LIBOBJS = @gl_LIBOBJS@
++gl_LTLIBOBJS = @gl_LTLIBOBJS@
++gltests_LIBOBJS = @gltests_LIBOBJS@
++gltests_LTLIBOBJS = @gltests_LTLIBOBJS@
++gltests_WITNESS = @gltests_WITNESS@
++guile_snarf = @guile_snarf@
++host = @host@
++host_alias = @host_alias@
++host_cpu = @host_cpu@
++host_os = @host_os@
++host_vendor = @host_vendor@
++htmldir = @htmldir@
++includedir = @includedir@
++infodir = @infodir@
++install_sh = @install_sh@
++libdir = @libdir@
++libexecdir = @libexecdir@
++localedir = @localedir@
++localstatedir = @localstatedir@
++mandir = @mandir@
++mkdir_p = @mkdir_p@
++oldincludedir = @oldincludedir@
++pdfdir = @pdfdir@
++prefix = @prefix@
++program_transform_name = @program_transform_name@
++psdir = @psdir@
++sbindir = @sbindir@
++sharedstatedir = @sharedstatedir@
++srcdir = @srcdir@
++subdirs = @subdirs@
++sysconfdir = @sysconfdir@
++target_alias = @target_alias@
++top_build_prefix = @top_build_prefix@
++top_builddir = @top_builddir@
++top_srcdir = @top_srcdir@
++AM_CFLAGS = $(WARN_CFLAGS) $(WERROR_CFLAGS)
++AM_CPPFLAGS = \
++ -I$(top_srcdir)/lib/includes \
++ -I$(top_builddir)/lib/includes
++
++AM_LDFLAGS = -no-install
++LDADD = ../../lib/libgnutls.la $(LTLIBGCRYPT) $(LIBSOCKET)
++ctests = srn0 srn1 srn2 srn3 srn4 srn5 srn6 srn7
++TESTS_ENVIRONMENT = $(VALGRIND)
++EXTRA_DIST = README params.dh
++dist_check_SCRIPTS = testsrn
++all: all-am
++
++.SUFFIXES:
++.SUFFIXES: .c .lo .o .obj
++$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
++ @for dep in $?; do \
++ case '$(am__configure_deps)' in \
++ *$$dep*) \
++ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
++ && { if test -f $@; then exit 0; else break; fi; }; \
++ exit 1;; \
++ esac; \
++ done; \
++ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu tests/safe-renegotiation/Makefile'; \
++ $(am__cd) $(top_srcdir) && \
++ $(AUTOMAKE) --gnu tests/safe-renegotiation/Makefile
++.PRECIOUS: Makefile
++Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
++ @case '$?' in \
++ *config.status*) \
++ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
++ *) \
++ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
++ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
++ esac;
++
++$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
++ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
++
++$(top_srcdir)/configure: $(am__configure_deps)
++ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
++$(ACLOCAL_M4): $(am__aclocal_m4_deps)
++ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
++$(am__aclocal_m4_deps):
++
++clean-checkPROGRAMS:
++ @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
++ echo " rm -f" $$list; \
++ rm -f $$list || exit $$?; \
++ test -n "$(EXEEXT)" || exit 0; \
++ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
++ echo " rm -f" $$list; \
++ rm -f $$list
++srn0$(EXEEXT): $(srn0_OBJECTS) $(srn0_DEPENDENCIES)
++ @rm -f srn0$(EXEEXT)
++ $(LINK) $(srn0_OBJECTS) $(srn0_LDADD) $(LIBS)
++srn1$(EXEEXT): $(srn1_OBJECTS) $(srn1_DEPENDENCIES)
++ @rm -f srn1$(EXEEXT)
++ $(LINK) $(srn1_OBJECTS) $(srn1_LDADD) $(LIBS)
++srn2$(EXEEXT): $(srn2_OBJECTS) $(srn2_DEPENDENCIES)
++ @rm -f srn2$(EXEEXT)
++ $(LINK) $(srn2_OBJECTS) $(srn2_LDADD) $(LIBS)
++srn3$(EXEEXT): $(srn3_OBJECTS) $(srn3_DEPENDENCIES)
++ @rm -f srn3$(EXEEXT)
++ $(LINK) $(srn3_OBJECTS) $(srn3_LDADD) $(LIBS)
++srn4$(EXEEXT): $(srn4_OBJECTS) $(srn4_DEPENDENCIES)
++ @rm -f srn4$(EXEEXT)
++ $(LINK) $(srn4_OBJECTS) $(srn4_LDADD) $(LIBS)
++srn5$(EXEEXT): $(srn5_OBJECTS) $(srn5_DEPENDENCIES)
++ @rm -f srn5$(EXEEXT)
++ $(LINK) $(srn5_OBJECTS) $(srn5_LDADD) $(LIBS)
++srn6$(EXEEXT): $(srn6_OBJECTS) $(srn6_DEPENDENCIES)
++ @rm -f srn6$(EXEEXT)
++ $(LINK) $(srn6_OBJECTS) $(srn6_LDADD) $(LIBS)
++srn7$(EXEEXT): $(srn7_OBJECTS) $(srn7_DEPENDENCIES)
++ @rm -f srn7$(EXEEXT)
++ $(LINK) $(srn7_OBJECTS) $(srn7_LDADD) $(LIBS)
++
++mostlyclean-compile:
++ -rm -f *.$(OBJEXT)
++
++distclean-compile:
++ -rm -f *.tab.c
++
++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/srn0.Po@am__quote@
++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/srn1.Po@am__quote@
++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/srn2.Po@am__quote@
++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/srn3.Po@am__quote@
++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/srn4.Po@am__quote@
++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/srn5.Po@am__quote@
++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/srn6.Po@am__quote@
++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/srn7.Po@am__quote@
++
++.c.o:
++@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
++@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
++@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
++@am__fastdepCC_FALSE@ $(COMPILE) -c $<
++
++.c.obj:
++@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
++@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
++@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
++@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
++
++.c.lo:
++@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
++@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
++@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
++@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
++
++mostlyclean-libtool:
++ -rm -f *.lo
++
++clean-libtool:
++ -rm -rf .libs _libs
++
++ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
++ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
++ unique=`for i in $$list; do \
++ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
++ done | \
++ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
++ END { if (nonempty) { for (i in files) print i; }; }'`; \
++ mkid -fID $$unique
++tags: TAGS
++
++TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
++ $(TAGS_FILES) $(LISP)
++ set x; \
++ here=`pwd`; \
++ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
++ unique=`for i in $$list; do \
++ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
++ done | \
++ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
++ END { if (nonempty) { for (i in files) print i; }; }'`; \
++ shift; \
++ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
++ test -n "$$unique" || unique=$$empty_fix; \
++ if test $$# -gt 0; then \
++ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
++ "$$@" $$unique; \
++ else \
++ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
++ $$unique; \
++ fi; \
++ fi
++ctags: CTAGS
++CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
++ $(TAGS_FILES) $(LISP)
++ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
++ unique=`for i in $$list; do \
++ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
++ done | \
++ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
++ END { if (nonempty) { for (i in files) print i; }; }'`; \
++ test -z "$(CTAGS_ARGS)$$unique" \
++ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
++ $$unique
++
++GTAGS:
++ here=`$(am__cd) $(top_builddir) && pwd` \
++ && $(am__cd) $(top_srcdir) \
++ && gtags -i $(GTAGS_ARGS) "$$here"
++
++distclean-tags:
++ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
++
++check-TESTS: $(TESTS)
++ @failed=0; all=0; xfail=0; xpass=0; skip=0; \
++ srcdir=$(srcdir); export srcdir; \
++ list=' $(TESTS) '; \
++ $(am__tty_colors); \
++ if test -n "$$list"; then \
++ for tst in $$list; do \
++ if test -f ./$$tst; then dir=./; \
++ elif test -f $$tst; then dir=; \
++ else dir="$(srcdir)/"; fi; \
++ if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
++ all=`expr $$all + 1`; \
++ case " $(XFAIL_TESTS) " in \
++ *[\ \ ]$$tst[\ \ ]*) \
++ xpass=`expr $$xpass + 1`; \
++ failed=`expr $$failed + 1`; \
++ col=$$red; res=XPASS; \
++ ;; \
++ *) \
++ col=$$grn; res=PASS; \
++ ;; \
++ esac; \
++ elif test $$? -ne 77; then \
++ all=`expr $$all + 1`; \
++ case " $(XFAIL_TESTS) " in \
++ *[\ \ ]$$tst[\ \ ]*) \
++ xfail=`expr $$xfail + 1`; \
++ col=$$lgn; res=XFAIL; \
++ ;; \
++ *) \
++ failed=`expr $$failed + 1`; \
++ col=$$red; res=FAIL; \
++ ;; \
++ esac; \
++ else \
++ skip=`expr $$skip + 1`; \
++ col=$$blu; res=SKIP; \
++ fi; \
++ echo "$${col}$$res$${std}: $$tst"; \
++ done; \
++ if test "$$all" -eq 1; then \
++ tests="test"; \
++ All=""; \
++ else \
++ tests="tests"; \
++ All="All "; \
++ fi; \
++ if test "$$failed" -eq 0; then \
++ if test "$$xfail" -eq 0; then \
++ banner="$$All$$all $$tests passed"; \
++ else \
++ if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
++ banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
++ fi; \
++ else \
++ if test "$$xpass" -eq 0; then \
++ banner="$$failed of $$all $$tests failed"; \
++ else \
++ if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
++ banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
++ fi; \
++ fi; \
++ dashes="$$banner"; \
++ skipped=""; \
++ if test "$$skip" -ne 0; then \
++ if test "$$skip" -eq 1; then \
++ skipped="($$skip test was not run)"; \
++ else \
++ skipped="($$skip tests were not run)"; \
++ fi; \
++ test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
++ dashes="$$skipped"; \
++ fi; \
++ report=""; \
++ if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
++ report="Please report to $(PACKAGE_BUGREPORT)"; \
++ test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
++ dashes="$$report"; \
++ fi; \
++ dashes=`echo "$$dashes" | sed s/./=/g`; \
++ if test "$$failed" -eq 0; then \
++ echo "$$grn$$dashes"; \
++ else \
++ echo "$$red$$dashes"; \
++ fi; \
++ echo "$$banner"; \
++ test -z "$$skipped" || echo "$$skipped"; \
++ test -z "$$report" || echo "$$report"; \
++ echo "$$dashes$$std"; \
++ test "$$failed" -eq 0; \
++ else :; fi
++
++distdir: $(DISTFILES)
++ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
++ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
++ list='$(DISTFILES)'; \
++ dist_files=`for file in $$list; do echo $$file; done | \
++ sed -e "s|^$$srcdirstrip/||;t" \
++ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
++ case $$dist_files in \
++ */*) $(MKDIR_P) `echo "$$dist_files" | \
++ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
++ sort -u` ;; \
++ esac; \
++ for file in $$dist_files; do \
++ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
++ if test -d $$d/$$file; then \
++ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
++ if test -d "$(distdir)/$$file"; then \
++ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
++ fi; \
++ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
++ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
++ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
++ fi; \
++ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
++ else \
++ test -f "$(distdir)/$$file" \
++ || cp -p $$d/$$file "$(distdir)/$$file" \
++ || exit 1; \
++ fi; \
++ done
++check-am: all-am
++ $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) \
++ $(dist_check_SCRIPTS)
++ $(MAKE) $(AM_MAKEFLAGS) check-TESTS
++check: check-am
++all-am: Makefile
++installdirs:
++install: install-am
++install-exec: install-exec-am
++install-data: install-data-am
++uninstall: uninstall-am
++
++install-am: all-am
++ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
++
++installcheck: installcheck-am
++install-strip:
++ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
++ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
++ `test -z '$(STRIP)' || \
++ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
++mostlyclean-generic:
++
++clean-generic:
++
++distclean-generic:
++ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
++ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
++
++maintainer-clean-generic:
++ @echo "This command is intended for maintainers to use"
++ @echo "it deletes files that may require special tools to rebuild."
++clean: clean-am
++
++clean-am: clean-checkPROGRAMS clean-generic clean-libtool \
++ mostlyclean-am
++
++distclean: distclean-am
++ -rm -rf ./$(DEPDIR)
++ -rm -f Makefile
++distclean-am: clean-am distclean-compile distclean-generic \
++ distclean-tags
++
++dvi: dvi-am
++
++dvi-am:
++
++html: html-am
++
++html-am:
++
++info: info-am
++
++info-am:
++
++install-data-am:
++
++install-dvi: install-dvi-am
++
++install-dvi-am:
++
++install-exec-am:
++
++install-html: install-html-am
++
++install-html-am:
++
++install-info: install-info-am
++
++install-info-am:
++
++install-man:
++
++install-pdf: install-pdf-am
++
++install-pdf-am:
++
++install-ps: install-ps-am
++
++install-ps-am:
++
++installcheck-am:
++
++maintainer-clean: maintainer-clean-am
++ -rm -rf ./$(DEPDIR)
++ -rm -f Makefile
++maintainer-clean-am: distclean-am maintainer-clean-generic
++
++mostlyclean: mostlyclean-am
++
++mostlyclean-am: mostlyclean-compile mostlyclean-generic \
++ mostlyclean-libtool
++
++pdf: pdf-am
++
++pdf-am:
++
++ps: ps-am
++
++ps-am:
++
++uninstall-am:
++
++.MAKE: check-am install-am install-strip
++
++.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \
++ clean-checkPROGRAMS clean-generic clean-libtool ctags \
++ distclean distclean-compile distclean-generic \
++ distclean-libtool distclean-tags distdir dvi dvi-am html \
++ html-am info info-am install install-am install-data \
++ install-data-am install-dvi install-dvi-am install-exec \
++ install-exec-am install-html install-html-am install-info \
++ install-info-am install-man install-pdf install-pdf-am \
++ install-ps install-ps-am install-strip installcheck \
++ installcheck-am installdirs maintainer-clean \
++ maintainer-clean-generic mostlyclean mostlyclean-compile \
++ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
++ tags uninstall uninstall-am
++
++#TESTS = testsrn
++
++# Tell versions [3.59,3.63) of GNU make to not export all variables.
++# Otherwise a system limit (for SysV at least) may be exceeded.
++.NOEXPORT:
+--- /dev/null 2013-09-26
++++ b/tests/safe-renegotiation/params.dh 2013-09-26
+@@ -0,0 +1,35 @@
++
++Generator: 05
++
++Prime: c9:e9:2d:fc:94:15:1a:10:4f:3c:b5:16
++ 7e:34:10:7d:eb:3d:d5:7d:61:ff:b0:ce
++ da:7f:6e:0c:ea:db:b4:87:f6:c6:34:a8
++ 3c:f8:84:52:14:59:ab:17:5c:d0:f0:86
++ c4:02:93:dc:09:83:57:16:98:21:d0:42
++ 8e:33:fc:48:69:e6:04:0d:4e:50:09:33
++ 2e:28:60:4f:05:08:7c:ce:2f:a6:1a:4c
++ 41:d1:a3:dd:f6:37:56:44:1d:b0:54:af
++ f7:4a:a0:c2:19:5d:ce:62:b0:7a:1b:e1
++ 5c:7f:bb:4d:7e:9e:28:48:00:a4:9a:86
++ 3e:6e:6e:9c:57:41:c7:ec:bf:7f:09:fc
++ da:25:c2:1e:e0:52:dc:65:8c:40:a3:6e
++ bd:99:4e:0b:1a:04:e0:23:20:46:5a:d0
++ 3f:b3:a4:d6:76:73:b7:cc:61:33:11:54
++ a6:32:ff:94:08:d5:66:36:fd:99:69:21
++ cc:28:5d:11:52:32:48:b6:a5:b5:c3:b0
++ 21:3f:f9:69:25:83:b1:3d:79:a6:ed:ae
++ db:95:62:fc:72:ca:ad:46:fc:b6:b1:ea
++ 98:68:97:ba:f2:54:aa:86:ed:62:b1:78
++ 5f:d5:19:80:ce:41:ee:98:a1:71:9f:fa
++ 5b:6b:d8:5e:7e:b3:18:0a:f0:4c:96:76
++ 6c:0c:b0:a3
++
++
++-----BEGIN DH PARAMETERS-----
++MIIBCAKCAQEAyekt/JQVGhBPPLUWfjQQfes91X1h/7DO2n9uDOrbtIf2xjSoPPiE
++UhRZqxdc0PCGxAKT3AmDVxaYIdBCjjP8SGnmBA1OUAkzLihgTwUIfM4vphpMQdGj
++3fY3VkQdsFSv90qgwhldzmKwehvhXH+7TX6eKEgApJqGPm5unFdBx+y/fwn82iXC
++HuBS3GWMQKNuvZlOCxoE4CMgRlrQP7Ok1nZzt8xhMxFUpjL/lAjVZjb9mWkhzChd
++EVIySLaltcOwIT/5aSWDsT15pu2u25Vi/HLKrUb8trHqmGiXuvJUqobtYrF4X9UZ
++gM5B7pihcZ/6W2vYXn6zGArwTJZ2bAywowIBBQ==
++-----END DH PARAMETERS-----
+--- /dev/null 2013-09-26
++++ b/tests/safe-renegotiation/README 2013-09-26
+@@ -0,0 +1,93 @@
++Testing safe renegotiation is relatively complex, here is a summary of
++what we test and what how we believe it should work.
++
++ Client setting
++ Server setting
++ Initial handshake outcome
++ Rehandshake outcome
++srn0.c
++
++ This tests that the safe renegotiation extension is negotiated
++ properly by default on initial connections and on rehandshaked
++ connections. Consequently, it also verifies that rehandshaked
++ connections work with the extension enabled.
++
++ NORMAL
++ NORMAL
++ OK
++ OK
++
++srn1.c
++
++ This tests that clients without support for safe renegotiation is
++ able to handshake against servers with support, but not able to
++ rehandshake (server will refuse rehandshake).
++
++ NORMAL:%DISABLE_SAFE_RENEGOTIATION
++ NORMAL
++ OK
++ Server refuses
++
++srn2.c
++
++ This tests that clients with support for safe renegotiation is able
++ to handshake against servers without support, but not able to
++ rehandshake (client will refuse rehandshake).
++
++ NORMAL
++ NORMAL:%DISABLE_SAFE_RENEGOTIATION
++ OK
++ Client refuses
++
++srn3.c
++
++ This tests that a %SAFE_RENEGOTIATION client will reject handshakes
++ against servers that do not support the extension (server uses
++ %DISABLE_SAFE_RENEGOTIATION).
++
++ NORMAL:%SAFE_RENEGOTIATION
++ NORMAL:%DISABLE_SAFE_RENEGOTIATION
++ Client refuses
++ N/A
++
++srn4.c
++
++ This tests that a %SAFE_RENEGOTIATION server will reject handshakes
++ against clients that do not support the extension.
++
++ NORMAL:%DISABLE_SAFE_RENEGOTIATION
++ NORMAL:%SAFE_RENEGOTIATION
++ Server refuses
++ N/A
++
++srn5.c
++
++ This tests that a client with a permissive policy
++ (%UNSAFE_RENEGOTIATION) is able to handshake and rehandshake with a
++ server with no support for the extension.
++
++ NORMAL:%DISABLE_SAFE_RENEGOTIATION
++ NORMAL:%UNSAFE_RENEGOTIATION
++ OK
++ OK
++
++srn6.c
++
++ This tests that a server with a permissive policy
++ (%UNSAFE_RENEGOTIATION) is able to handshake and rehandshake with a
++ client with no support for the extension.
++
++ NORMAL:%UNSAFE_RENEGOTIATION
++ NORMAL:%DISABLE_SAFE_RENEGOTIATION
++ OK
++ OK
++
++srn7.c
++
++ This tests that clients and servers in %SAFE_RENEGOTIATION mode are
++ able to handshake and rehandshake.
++
++ NORMAL:%SAFE_RENEGOTIATION
++ NORMAL:%SAFE_RENEGOTIATION
++ OK
++ OK
+--- /dev/null 2013-09-26
++++ b/tests/safe-renegotiation/srn0.c 2013-09-26
+@@ -0,0 +1,338 @@
++/*
++ * Copyright (C) 2008, 2010 Free Software Foundation, Inc.
++ *
++ * Author: Simon Josefsson
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GnuTLS; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
++ */
++
++/* Code based on ../mini-x509-rehandshake.c.
++ *
++ * This tests that the safe renegotiation extension is negotiated
++ * properly by default on initial connections and on rehandshaked
++ * connections. Consequently, it also verifies that rehandshaked
++ * connections work with the extension enabled.
++ */
++
++#ifdef HAVE_CONFIG_H
++# include <config.h>
++#endif
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <errno.h>
++#include <gnutls/gnutls.h>
++
++static void
++tls_log_func (int level, const char *str)
++{
++ fprintf (stderr, "|<%d>| %s", level, str);
++}
++
++static char *to_server;
++static size_t to_server_len;
++
++static char *to_client;
++static size_t to_client_len;
++
++static ssize_t
++client_pull (gnutls_transport_ptr_t tr, void *data, size_t len)
++{
++ if (to_client_len < len)
++ {
++ gnutls_transport_set_global_errno (EAGAIN);
++ return -1;
++ }
++
++ memcpy (data, to_client, len);
++
++ memmove (to_client, to_client + len, to_client_len - len);
++ to_client_len -= len;
++
++ return len;
++}
++
++static ssize_t
++client_push (gnutls_transport_ptr_t tr, const void *data, size_t len)
++{
++ size_t newlen = to_server_len + len;
++ char *tmp;
++
++ tmp = realloc (to_server, newlen);
++ if (!tmp)
++ abort ();
++ to_server = tmp;
++
++ memcpy (to_server + to_server_len, data, len);
++ to_server_len = newlen;
++
++ return len;
++}
++
++static ssize_t
++server_pull (gnutls_transport_ptr_t tr, void *data, size_t len)
++{
++ if (to_server_len < len)
++ {
++ gnutls_transport_set_global_errno (EAGAIN);
++ return -1;
++ }
++
++ memcpy (data, to_server, len);
++
++ memmove (to_server, to_server + len, to_server_len - len);
++ to_server_len -= len;
++
++ return len;
++}
++
++static ssize_t
++server_push (gnutls_transport_ptr_t tr, const void *data, size_t len)
++{
++ size_t newlen = to_client_len + len;
++ char *tmp;
++
++ tmp = realloc (to_client, newlen);
++ if (!tmp)
++ abort ();
++ to_client = tmp;
++
++ memcpy (to_client + to_client_len, data, len);
++ to_client_len = newlen;
++
++ return len;
++}
++
++static unsigned char server_cert_pem[] =
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n"
++ "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n"
++ "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n"
++ "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n"
++ "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n"
++ "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n"
++ "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n"
++ "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n"
++ "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n"
++ "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n"
++ "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n"
++ "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n"
++ "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n";
++
++const gnutls_datum_t server_cert = { server_cert_pem,
++ sizeof (server_cert_pem)
++};
++
++static unsigned char server_key_pem[] =
++ "-----BEGIN RSA PRIVATE KEY-----\n"
++ "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n"
++ "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n"
++ "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n"
++ "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n"
++ "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n"
++ "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n"
++ "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n"
++ "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n"
++ "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n"
++ "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n"
++ "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n"
++ "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n"
++ "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n"
++ "-----END RSA PRIVATE KEY-----\n";
++
++const gnutls_datum_t server_key = { server_key_pem,
++ sizeof (server_key_pem)
++};
++
++int
++main (int argc, char *argv[])
++{
++ int debug_level = argc - 1;
++ int exit_code = EXIT_SUCCESS;
++ /* Server stuff. */
++ gnutls_certificate_credentials_t serverx509cred;
++ gnutls_session_t server;
++ int sret = GNUTLS_E_AGAIN;
++ /* Client stuff. */
++ gnutls_certificate_credentials_t clientx509cred;
++ gnutls_session_t client;
++ int cret = GNUTLS_E_AGAIN;
++
++ /* General init. */
++ gnutls_global_init ();
++ gnutls_global_set_log_function (tls_log_func);
++ gnutls_global_set_log_level (debug_level);
++
++ /* Init server */
++ gnutls_certificate_allocate_credentials (&serverx509cred);
++ gnutls_certificate_set_x509_key_mem (serverx509cred,
++ &server_cert, &server_key,
++ GNUTLS_X509_FMT_PEM);
++ gnutls_init (&server, GNUTLS_SERVER);
++ gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred);
++ gnutls_priority_set_direct (server, "NORMAL", NULL);
++ gnutls_transport_set_push_function (server, server_push);
++ gnutls_transport_set_pull_function (server, server_pull);
++
++ /* Init client */
++ gnutls_certificate_allocate_credentials (&clientx509cred);
++ gnutls_init (&client, GNUTLS_CLIENT);
++ gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, clientx509cred);
++ gnutls_priority_set_direct (client, "NORMAL", NULL);
++ gnutls_transport_set_push_function (client, client_push);
++ gnutls_transport_set_pull_function (client, client_pull);
++
++ /* Check that initially no session use the extension. */
++ if (gnutls_safe_renegotiation_status (server)
++ || gnutls_safe_renegotiation_status (client))
++ {
++ puts ("Client or server using extension before handshake?");
++ abort ();
++ }
++
++ do
++ {
++ static int max_iter = 0;
++ if (max_iter++ > 10)
++ abort ();
++
++ if (cret == GNUTLS_E_AGAIN)
++ {
++ cret = gnutls_handshake (client);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "gnutls_handshake (client)...\n");
++ tls_log_func (0, gnutls_strerror (cret));
++ tls_log_func (0, "\n");
++ }
++ }
++
++ if (sret == GNUTLS_E_AGAIN)
++ {
++ sret = gnutls_handshake (server);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "gnutls_handshake (server)...\n");
++ tls_log_func (0, gnutls_strerror (sret));
++ tls_log_func (0, "\n");
++ }
++ }
++ }
++ while (
++ /* Not done: */
++ !(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS)
++ /* No error: */
++ && (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN));
++
++ if (cret != GNUTLS_E_SUCCESS && sret != GNUTLS_E_SUCCESS)
++ exit_code = EXIT_FAILURE;
++
++ if (!gnutls_safe_renegotiation_status (client) ||
++ !gnutls_safe_renegotiation_status (server))
++ {
++ tls_log_func (0, "Session not using safe renegotiation!\n");
++ exit_code = EXIT_FAILURE;
++ }
++
++ sret = gnutls_rehandshake (server);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "gnutls_rehandshake (server)...\n");
++ tls_log_func (0, gnutls_strerror (sret));
++ tls_log_func (0, "\n");
++ }
++
++ {
++ ssize_t n;
++ char b[1];
++ n = gnutls_record_recv (client, b, 1);
++ if (n != GNUTLS_E_REHANDSHAKE)
++ abort ();
++ }
++
++ cret = GNUTLS_E_AGAIN;
++ sret = GNUTLS_E_AGAIN;
++
++ do
++ {
++ static int max_iter = 0;
++ if (max_iter++ > 10)
++ abort ();
++
++ if (cret == GNUTLS_E_AGAIN)
++ {
++ cret = gnutls_handshake (client);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "second gnutls_handshake (client)...\n");
++ tls_log_func (0, gnutls_strerror (cret));
++ tls_log_func (0, "\n");
++ }
++ }
++
++ if (sret == GNUTLS_E_AGAIN)
++ {
++ sret = gnutls_handshake (server);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "second gnutls_handshake (server)...\n");
++ tls_log_func (0, gnutls_strerror (sret));
++ tls_log_func (0, "\n");
++ }
++ }
++ }
++ while (
++ /* Not done: */
++ !(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS)
++ /* No error: */
++ && (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN));
++
++ if (cret != GNUTLS_E_SUCCESS && sret != GNUTLS_E_SUCCESS)
++ exit_code = 1;
++
++ if (!gnutls_safe_renegotiation_status (client) ||
++ !gnutls_safe_renegotiation_status (server))
++ {
++ tls_log_func (0,
++ "Rehandshaked session not using safe renegotiation!\n");
++ exit_code = EXIT_FAILURE;
++ }
++
++ gnutls_bye (client, GNUTLS_SHUT_RDWR);
++ gnutls_bye (server, GNUTLS_SHUT_RDWR);
++
++ gnutls_deinit (client);
++ gnutls_deinit (server);
++
++ free (to_server);
++ free (to_client);
++
++ gnutls_certificate_free_credentials (serverx509cred);
++
++ gnutls_global_deinit ();
++
++ if (debug_level > 0)
++ {
++ if (exit_code == 0)
++ puts ("Self-test successful");
++ else
++ puts ("Self-test failed");
++ }
++
++ return exit_code;
++}
+--- /dev/null 2013-09-26
++++ b/tests/safe-renegotiation/srn1.c 2013-09-26
+@@ -0,0 +1,341 @@
++/*
++ * Copyright (C) 2008, 2010 Free Software Foundation, Inc.
++ *
++ * Author: Simon Josefsson
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GnuTLS; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
++ */
++
++/* Code based on ./srn0.c.
++ *
++ * This tests that clients without support for safe renegotiation is
++ * able to handshake against servers with support, but not able to
++ * rehandshake (server will refuse rehandshake).
++ */
++
++#ifdef HAVE_CONFIG_H
++# include <config.h>
++#endif
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <errno.h>
++#include <gnutls/gnutls.h>
++
++static void
++tls_log_func (int level, const char *str)
++{
++ fprintf (stderr, "|<%d>| %s", level, str);
++}
++
++static char *to_server;
++static size_t to_server_len;
++
++static char *to_client;
++static size_t to_client_len;
++
++static ssize_t
++client_pull (gnutls_transport_ptr_t tr, void *data, size_t len)
++{
++ if (to_client_len < len)
++ {
++ gnutls_transport_set_global_errno (EAGAIN);
++ return -1;
++ }
++
++ memcpy (data, to_client, len);
++
++ memmove (to_client, to_client + len, to_client_len - len);
++ to_client_len -= len;
++
++ return len;
++}
++
++static ssize_t
++client_push (gnutls_transport_ptr_t tr, const void *data, size_t len)
++{
++ size_t newlen = to_server_len + len;
++ char *tmp;
++
++ tmp = realloc (to_server, newlen);
++ if (!tmp)
++ abort ();
++ to_server = tmp;
++
++ memcpy (to_server + to_server_len, data, len);
++ to_server_len = newlen;
++
++ return len;
++}
++
++static ssize_t
++server_pull (gnutls_transport_ptr_t tr, void *data, size_t len)
++{
++ if (to_server_len < len)
++ {
++ gnutls_transport_set_global_errno (EAGAIN);
++ return -1;
++ }
++
++ memcpy (data, to_server, len);
++
++ memmove (to_server, to_server + len, to_server_len - len);
++ to_server_len -= len;
++
++ return len;
++}
++
++static ssize_t
++server_push (gnutls_transport_ptr_t tr, const void *data, size_t len)
++{
++ size_t newlen = to_client_len + len;
++ char *tmp;
++
++ tmp = realloc (to_client, newlen);
++ if (!tmp)
++ abort ();
++ to_client = tmp;
++
++ memcpy (to_client + to_client_len, data, len);
++ to_client_len = newlen;
++
++ return len;
++}
++
++static unsigned char server_cert_pem[] =
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n"
++ "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n"
++ "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n"
++ "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n"
++ "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n"
++ "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n"
++ "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n"
++ "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n"
++ "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n"
++ "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n"
++ "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n"
++ "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n"
++ "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n";
++
++const gnutls_datum_t server_cert = { server_cert_pem,
++ sizeof (server_cert_pem)
++};
++
++static unsigned char server_key_pem[] =
++ "-----BEGIN RSA PRIVATE KEY-----\n"
++ "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n"
++ "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n"
++ "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n"
++ "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n"
++ "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n"
++ "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n"
++ "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n"
++ "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n"
++ "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n"
++ "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n"
++ "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n"
++ "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n"
++ "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n"
++ "-----END RSA PRIVATE KEY-----\n";
++
++const gnutls_datum_t server_key = { server_key_pem,
++ sizeof (server_key_pem)
++};
++
++int
++main (int argc, char *argv[])
++{
++ int debug_level = argc - 1;
++ int exit_code = EXIT_SUCCESS;
++ /* Server stuff. */
++ gnutls_certificate_credentials_t serverx509cred;
++ gnutls_session_t server;
++ int sret = GNUTLS_E_AGAIN;
++ /* Client stuff. */
++ gnutls_certificate_credentials_t clientx509cred;
++ gnutls_session_t client;
++ int cret = GNUTLS_E_AGAIN;
++
++ /* General init. */
++ gnutls_global_init ();
++ gnutls_global_set_log_function (tls_log_func);
++ gnutls_global_set_log_level (debug_level);
++
++ /* Init server */
++ gnutls_certificate_allocate_credentials (&serverx509cred);
++ gnutls_certificate_set_x509_key_mem (serverx509cred,
++ &server_cert, &server_key,
++ GNUTLS_X509_FMT_PEM);
++ gnutls_init (&server, GNUTLS_SERVER);
++ gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred);
++ gnutls_priority_set_direct (server, "NORMAL", NULL);
++ gnutls_transport_set_push_function (server, server_push);
++ gnutls_transport_set_pull_function (server, server_pull);
++
++ /* Init client */
++ gnutls_certificate_allocate_credentials (&clientx509cred);
++ gnutls_init (&client, GNUTLS_CLIENT);
++ gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, clientx509cred);
++ gnutls_priority_set_direct (client, "NORMAL:%DISABLE_SAFE_RENEGOTIATION",
++ NULL);
++ gnutls_transport_set_push_function (client, client_push);
++ gnutls_transport_set_pull_function (client, client_pull);
++
++ /* Check that initially no session use the extension. */
++ if (gnutls_safe_renegotiation_status (server)
++ || gnutls_safe_renegotiation_status (client))
++ {
++ puts ("Client or server using extension before handshake?");
++ abort ();
++ }
++
++ do
++ {
++ static int max_iter = 0;
++ if (max_iter++ > 10)
++ abort ();
++
++ if (cret == GNUTLS_E_AGAIN)
++ {
++ cret = gnutls_handshake (client);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "gnutls_handshake (client)...\n");
++ tls_log_func (0, gnutls_strerror (cret));
++ tls_log_func (0, "\n");
++ }
++ }
++
++ if (sret == GNUTLS_E_AGAIN)
++ {
++ sret = gnutls_handshake (server);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "gnutls_handshake (server)...\n");
++ tls_log_func (0, gnutls_strerror (sret));
++ tls_log_func (0, "\n");
++ }
++ }
++ }
++ while (
++ /* Not done: */
++ !(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS)
++ /* No error: */
++ && (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN));
++
++ if (cret != GNUTLS_E_SUCCESS && sret != GNUTLS_E_SUCCESS)
++ exit_code = EXIT_FAILURE;
++
++ if (gnutls_safe_renegotiation_status (client) ||
++ gnutls_safe_renegotiation_status (server))
++ {
++ tls_log_func (0, "Session using safe renegotiation but shouldn't?!\n");
++ exit_code = EXIT_FAILURE;
++ }
++
++ sret = gnutls_rehandshake (server);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "gnutls_rehandshake (server)...\n");
++ tls_log_func (0, gnutls_strerror (sret));
++ tls_log_func (0, "\n");
++ }
++
++ {
++ ssize_t n;
++ char b[1];
++ n = gnutls_record_recv (client, b, 1);
++ if (n != GNUTLS_E_REHANDSHAKE)
++ abort ();
++ }
++
++ cret = GNUTLS_E_AGAIN;
++ sret = GNUTLS_E_AGAIN;
++
++ do
++ {
++ static int max_iter = 0;
++ if (max_iter++ > 10)
++ abort ();
++
++ if (cret == GNUTLS_E_AGAIN)
++ {
++ cret = gnutls_handshake (client);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "second gnutls_handshake (client)...\n");
++ tls_log_func (0, gnutls_strerror (cret));
++ tls_log_func (0, "\n");
++ }
++ }
++
++ if (sret == GNUTLS_E_AGAIN)
++ {
++ sret = gnutls_handshake (server);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "second gnutls_handshake (server)...\n");
++ tls_log_func (0, gnutls_strerror (sret));
++ tls_log_func (0, "\n");
++ }
++ }
++
++ if (sret == GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED)
++ break;
++ }
++ while (
++ /* Not done: */
++ !(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS)
++ /* No error: */
++ && (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN));
++
++ if (cret != GNUTLS_E_SUCCESS
++ && sret != GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED)
++ exit_code = 1;
++
++ if (gnutls_safe_renegotiation_status (client) ||
++ gnutls_safe_renegotiation_status (server))
++ {
++ tls_log_func (0, "Rehandshaked worked and uses safe reneg?!\n");
++ exit_code = EXIT_FAILURE;
++ }
++
++ gnutls_bye (client, GNUTLS_SHUT_RDWR);
++ gnutls_bye (server, GNUTLS_SHUT_RDWR);
++
++ gnutls_deinit (client);
++ gnutls_deinit (server);
++
++ free (to_server);
++ free (to_client);
++
++ gnutls_certificate_free_credentials (serverx509cred);
++
++ gnutls_global_deinit ();
++
++ if (debug_level > 0)
++ {
++ if (exit_code == 0)
++ puts ("Self-test successful");
++ else
++ puts ("Self-test failed");
++ }
++
++ return exit_code;
++}
+--- /dev/null 2013-09-26
++++ b/tests/safe-renegotiation/srn2.c 2013-09-26
+@@ -0,0 +1,341 @@
++/*
++ * Copyright (C) 2008, 2010 Free Software Foundation, Inc.
++ *
++ * Author: Simon Josefsson
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GnuTLS; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
++ */
++
++/* Code based on ./srn1.c.
++ *
++ * This tests that clients with support for safe renegotiation is able
++ * to handshake against servers without support, but not able to
++ * rehandshake (client will refuse rehandshake).
++ */
++
++#ifdef HAVE_CONFIG_H
++# include <config.h>
++#endif
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <errno.h>
++#include <gnutls/gnutls.h>
++
++static void
++tls_log_func (int level, const char *str)
++{
++ fprintf (stderr, "|<%d>| %s", level, str);
++}
++
++static char *to_server;
++static size_t to_server_len;
++
++static char *to_client;
++static size_t to_client_len;
++
++static ssize_t
++client_pull (gnutls_transport_ptr_t tr, void *data, size_t len)
++{
++ if (to_client_len < len)
++ {
++ gnutls_transport_set_global_errno (EAGAIN);
++ return -1;
++ }
++
++ memcpy (data, to_client, len);
++
++ memmove (to_client, to_client + len, to_client_len - len);
++ to_client_len -= len;
++
++ return len;
++}
++
++static ssize_t
++client_push (gnutls_transport_ptr_t tr, const void *data, size_t len)
++{
++ size_t newlen = to_server_len + len;
++ char *tmp;
++
++ tmp = realloc (to_server, newlen);
++ if (!tmp)
++ abort ();
++ to_server = tmp;
++
++ memcpy (to_server + to_server_len, data, len);
++ to_server_len = newlen;
++
++ return len;
++}
++
++static ssize_t
++server_pull (gnutls_transport_ptr_t tr, void *data, size_t len)
++{
++ if (to_server_len < len)
++ {
++ gnutls_transport_set_global_errno (EAGAIN);
++ return -1;
++ }
++
++ memcpy (data, to_server, len);
++
++ memmove (to_server, to_server + len, to_server_len - len);
++ to_server_len -= len;
++
++ return len;
++}
++
++static ssize_t
++server_push (gnutls_transport_ptr_t tr, const void *data, size_t len)
++{
++ size_t newlen = to_client_len + len;
++ char *tmp;
++
++ tmp = realloc (to_client, newlen);
++ if (!tmp)
++ abort ();
++ to_client = tmp;
++
++ memcpy (to_client + to_client_len, data, len);
++ to_client_len = newlen;
++
++ return len;
++}
++
++static unsigned char server_cert_pem[] =
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n"
++ "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n"
++ "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n"
++ "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n"
++ "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n"
++ "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n"
++ "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n"
++ "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n"
++ "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n"
++ "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n"
++ "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n"
++ "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n"
++ "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n";
++
++const gnutls_datum_t server_cert = { server_cert_pem,
++ sizeof (server_cert_pem)
++};
++
++static unsigned char server_key_pem[] =
++ "-----BEGIN RSA PRIVATE KEY-----\n"
++ "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n"
++ "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n"
++ "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n"
++ "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n"
++ "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n"
++ "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n"
++ "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n"
++ "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n"
++ "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n"
++ "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n"
++ "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n"
++ "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n"
++ "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n"
++ "-----END RSA PRIVATE KEY-----\n";
++
++const gnutls_datum_t server_key = { server_key_pem,
++ sizeof (server_key_pem)
++};
++
++int
++main (int argc, char *argv[])
++{
++ int debug_level = argc - 1;
++ int exit_code = EXIT_SUCCESS;
++ /* Server stuff. */
++ gnutls_certificate_credentials_t serverx509cred;
++ gnutls_session_t server;
++ int sret = GNUTLS_E_AGAIN;
++ /* Client stuff. */
++ gnutls_certificate_credentials_t clientx509cred;
++ gnutls_session_t client;
++ int cret = GNUTLS_E_AGAIN;
++
++ /* General init. */
++ gnutls_global_init ();
++ gnutls_global_set_log_function (tls_log_func);
++ gnutls_global_set_log_level (debug_level);
++
++ /* Init server */
++ gnutls_certificate_allocate_credentials (&serverx509cred);
++ gnutls_certificate_set_x509_key_mem (serverx509cred,
++ &server_cert, &server_key,
++ GNUTLS_X509_FMT_PEM);
++ gnutls_init (&server, GNUTLS_SERVER);
++ gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred);
++ gnutls_priority_set_direct (server, "NORMAL:%DISABLE_SAFE_RENEGOTIATION",
++ NULL);
++ gnutls_transport_set_push_function (server, server_push);
++ gnutls_transport_set_pull_function (server, server_pull);
++
++ /* Init client */
++ gnutls_certificate_allocate_credentials (&clientx509cred);
++ gnutls_init (&client, GNUTLS_CLIENT);
++ gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, clientx509cred);
++ gnutls_priority_set_direct (client, "NORMAL", NULL);
++ gnutls_transport_set_push_function (client, client_push);
++ gnutls_transport_set_pull_function (client, client_pull);
++
++ /* Check that initially no session use the extension. */
++ if (gnutls_safe_renegotiation_status (server)
++ || gnutls_safe_renegotiation_status (client))
++ {
++ puts ("Client or server using extension before handshake?");
++ abort ();
++ }
++
++ do
++ {
++ static int max_iter = 0;
++ if (max_iter++ > 10)
++ abort ();
++
++ if (cret == GNUTLS_E_AGAIN)
++ {
++ cret = gnutls_handshake (client);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "gnutls_handshake (client)...\n");
++ tls_log_func (0, gnutls_strerror (cret));
++ tls_log_func (0, "\n");
++ }
++ }
++
++ if (sret == GNUTLS_E_AGAIN)
++ {
++ sret = gnutls_handshake (server);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "gnutls_handshake (server)...\n");
++ tls_log_func (0, gnutls_strerror (sret));
++ tls_log_func (0, "\n");
++ }
++ }
++ }
++ while (
++ /* Not done: */
++ !(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS)
++ /* No error: */
++ && (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN));
++
++ if (cret != GNUTLS_E_SUCCESS && sret != GNUTLS_E_SUCCESS)
++ exit_code = EXIT_FAILURE;
++
++ if (gnutls_safe_renegotiation_status (client) ||
++ gnutls_safe_renegotiation_status (server))
++ {
++ tls_log_func (0, "Session using safe renegotiation but shouldn't?!\n");
++ exit_code = EXIT_FAILURE;
++ }
++
++ sret = gnutls_rehandshake (server);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "gnutls_rehandshake (server)...\n");
++ tls_log_func (0, gnutls_strerror (sret));
++ tls_log_func (0, "\n");
++ }
++
++ {
++ ssize_t n;
++ char b[1];
++ n = gnutls_record_recv (client, b, 1);
++ if (n != GNUTLS_E_REHANDSHAKE)
++ abort ();
++ }
++
++ cret = GNUTLS_E_AGAIN;
++ sret = GNUTLS_E_AGAIN;
++
++ do
++ {
++ static int max_iter = 0;
++ if (max_iter++ > 10)
++ abort ();
++
++ if (cret == GNUTLS_E_AGAIN)
++ {
++ cret = gnutls_handshake (client);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "second gnutls_handshake (client)...\n");
++ tls_log_func (0, gnutls_strerror (cret));
++ tls_log_func (0, "\n");
++ }
++ }
++
++ if (sret == GNUTLS_E_AGAIN)
++ {
++ sret = gnutls_handshake (server);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "second gnutls_handshake (server)...\n");
++ tls_log_func (0, gnutls_strerror (sret));
++ tls_log_func (0, "\n");
++ }
++ }
++
++ if (cret == GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED)
++ break;
++ }
++ while (
++ /* Not done: */
++ !(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS)
++ /* No error: */
++ && (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN));
++
++ if (cret != GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED
++ && sret != GNUTLS_E_SUCCESS)
++ exit_code = 1;
++
++ if (gnutls_safe_renegotiation_status (client) ||
++ gnutls_safe_renegotiation_status (server))
++ {
++ tls_log_func (0, "Rehandshaked worked and uses safe reneg?!\n");
++ exit_code = EXIT_FAILURE;
++ }
++
++ gnutls_bye (client, GNUTLS_SHUT_RDWR);
++ gnutls_bye (server, GNUTLS_SHUT_RDWR);
++
++ gnutls_deinit (client);
++ gnutls_deinit (server);
++
++ free (to_server);
++ free (to_client);
++
++ gnutls_certificate_free_credentials (serverx509cred);
++
++ gnutls_global_deinit ();
++
++ if (debug_level > 0)
++ {
++ if (exit_code == 0)
++ puts ("Self-test successful");
++ else
++ puts ("Self-test failed");
++ }
++
++ return exit_code;
++}
+--- /dev/null 2013-09-26
++++ b/tests/safe-renegotiation/srn3.c 2013-09-26
+@@ -0,0 +1,264 @@
++/*
++ * Copyright (C) 2008, 2010 Free Software Foundation, Inc.
++ *
++ * Author: Simon Josefsson
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GnuTLS; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
++ */
++
++/* Code based on ../mini-x509.c.
++ *
++ * This tests that a %SAFE_RENEGOTIATION client will reject handshakes
++ * against servers that do not support the extension (server uses
++ * %DISABLE_SAFE_RENEGOTIATION).
++ */
++
++#ifdef HAVE_CONFIG_H
++# include <config.h>
++#endif
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <errno.h>
++#include <gnutls/gnutls.h>
++
++static void
++tls_log_func (int level, const char *str)
++{
++ fprintf (stderr, "|<%d>| %s", level, str);
++}
++
++static char *to_server;
++static size_t to_server_len;
++
++static char *to_client;
++static size_t to_client_len;
++
++static ssize_t
++client_pull (gnutls_transport_ptr_t tr, void *data, size_t len)
++{
++ if (to_client_len < len)
++ {
++ gnutls_transport_set_global_errno (EAGAIN);
++ return -1;
++ }
++
++ memcpy (data, to_client, len);
++
++ memmove (to_client, to_client + len, to_client_len - len);
++ to_client_len -= len;
++
++ return len;
++}
++
++static ssize_t
++client_push (gnutls_transport_ptr_t tr, const void *data, size_t len)
++{
++ size_t newlen = to_server_len + len;
++ char *tmp;
++
++ tmp = realloc (to_server, newlen);
++ if (!tmp)
++ abort ();
++ to_server = tmp;
++
++ memcpy (to_server + to_server_len, data, len);
++ to_server_len = newlen;
++
++ return len;
++}
++
++static ssize_t
++server_pull (gnutls_transport_ptr_t tr, void *data, size_t len)
++{
++ if (to_server_len < len)
++ {
++ gnutls_transport_set_global_errno (EAGAIN);
++ return -1;
++ }
++
++ memcpy (data, to_server, len);
++
++ memmove (to_server, to_server + len, to_server_len - len);
++ to_server_len -= len;
++
++ return len;
++}
++
++static ssize_t
++server_push (gnutls_transport_ptr_t tr, const void *data, size_t len)
++{
++ size_t newlen = to_client_len + len;
++ char *tmp;
++
++ tmp = realloc (to_client, newlen);
++ if (!tmp)
++ abort ();
++ to_client = tmp;
++
++ memcpy (to_client + to_client_len, data, len);
++ to_client_len = newlen;
++
++ return len;
++}
++
++static unsigned char server_cert_pem[] =
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n"
++ "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n"
++ "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n"
++ "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n"
++ "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n"
++ "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n"
++ "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n"
++ "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n"
++ "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n"
++ "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n"
++ "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n"
++ "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n"
++ "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n";
++
++const gnutls_datum_t server_cert = { server_cert_pem,
++ sizeof (server_cert_pem)
++};
++
++static unsigned char server_key_pem[] =
++ "-----BEGIN RSA PRIVATE KEY-----\n"
++ "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n"
++ "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n"
++ "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n"
++ "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n"
++ "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n"
++ "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n"
++ "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n"
++ "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n"
++ "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n"
++ "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n"
++ "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n"
++ "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n"
++ "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n"
++ "-----END RSA PRIVATE KEY-----\n";
++
++const gnutls_datum_t server_key = { server_key_pem,
++ sizeof (server_key_pem)
++};
++
++int
++main (int argc, char *argv[])
++{
++ int debug_level = argc - 1;
++ int exit_code = EXIT_SUCCESS;
++ /* Server stuff. */
++ gnutls_certificate_credentials_t serverx509cred;
++ gnutls_session_t server;
++ int sret = GNUTLS_E_AGAIN;
++ /* Client stuff. */
++ gnutls_certificate_credentials_t clientx509cred;
++ gnutls_session_t client;
++ int cret = GNUTLS_E_AGAIN;
++
++ /* General init. */
++ gnutls_global_init ();
++ gnutls_global_set_log_function (tls_log_func);
++ gnutls_global_set_log_level (debug_level);
++
++ /* Init server */
++ gnutls_certificate_allocate_credentials (&serverx509cred);
++ gnutls_certificate_set_x509_key_mem (serverx509cred,
++ &server_cert, &server_key,
++ GNUTLS_X509_FMT_PEM);
++ gnutls_init (&server, GNUTLS_SERVER);
++ gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred);
++ gnutls_priority_set_direct (server, "NORMAL:%DISABLE_SAFE_RENEGOTIATION",
++ NULL);
++ gnutls_transport_set_push_function (server, server_push);
++ gnutls_transport_set_pull_function (server, server_pull);
++
++ /* Init client */
++ gnutls_certificate_allocate_credentials (&clientx509cred);
++ gnutls_init (&client, GNUTLS_CLIENT);
++ gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, clientx509cred);
++ gnutls_priority_set_direct (client, "NORMAL:%SAFE_RENEGOTIATION", NULL);
++ gnutls_transport_set_push_function (client, client_push);
++ gnutls_transport_set_pull_function (client, client_pull);
++
++ /* Check that initially no session use the extension. */
++ if (gnutls_safe_renegotiation_status (server)
++ || gnutls_safe_renegotiation_status (client))
++ {
++ puts ("Client or server using extension before handshake?");
++ abort ();
++ }
++
++ do
++ {
++ static int max_iter = 0;
++ if (max_iter++ > 10)
++ abort ();
++
++ if (cret == GNUTLS_E_AGAIN)
++ {
++ cret = gnutls_handshake (client);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "gnutls_handshake (client)...\n");
++ tls_log_func (0, gnutls_strerror (cret));
++ tls_log_func (0, "\n");
++ }
++ }
++
++ if (sret == GNUTLS_E_AGAIN)
++ {
++ sret = gnutls_handshake (server);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "gnutls_handshake (server)...\n");
++ tls_log_func (0, gnutls_strerror (sret));
++ tls_log_func (0, "\n");
++ }
++ }
++ }
++ while ((cret == GNUTLS_E_AGAIN || cret == GNUTLS_E_SUCCESS)
++ && (sret == GNUTLS_E_AGAIN || sret == GNUTLS_E_SUCCESS));
++
++ if (cret != GNUTLS_E_SAFE_RENEGOTIATION_FAILED && sret != GNUTLS_E_SUCCESS)
++ exit_code = EXIT_FAILURE;
++
++ gnutls_bye (client, GNUTLS_SHUT_RDWR);
++ gnutls_bye (server, GNUTLS_SHUT_RDWR);
++
++ gnutls_deinit (client);
++ gnutls_deinit (server);
++
++ free (to_server);
++ free (to_client);
++
++ gnutls_certificate_free_credentials (serverx509cred);
++
++ gnutls_global_deinit ();
++
++ if (debug_level > 0)
++ {
++ if (exit_code == 0)
++ puts ("Self-test successful");
++ else
++ puts ("Self-test failed");
++ }
++
++ return exit_code;
++}
+--- /dev/null 2013-09-26
++++ b/tests/safe-renegotiation/srn4.c 2013-09-26
+@@ -0,0 +1,263 @@
++/*
++ * Copyright (C) 2008, 2010 Free Software Foundation, Inc.
++ *
++ * Author: Simon Josefsson
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GnuTLS; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
++ */
++
++/* Code based on ../mini-x509.c.
++ *
++ * This tests that a %SAFE_RENEGOTIATION server will reject handshakes
++ * against clients that do not support the extension.
++ */
++
++#ifdef HAVE_CONFIG_H
++# include <config.h>
++#endif
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <errno.h>
++#include <gnutls/gnutls.h>
++
++static void
++tls_log_func (int level, const char *str)
++{
++ fprintf (stderr, "|<%d>| %s", level, str);
++}
++
++static char *to_server;
++static size_t to_server_len;
++
++static char *to_client;
++static size_t to_client_len;
++
++static ssize_t
++client_pull (gnutls_transport_ptr_t tr, void *data, size_t len)
++{
++ if (to_client_len < len)
++ {
++ gnutls_transport_set_global_errno (EAGAIN);
++ return -1;
++ }
++
++ memcpy (data, to_client, len);
++
++ memmove (to_client, to_client + len, to_client_len - len);
++ to_client_len -= len;
++
++ return len;
++}
++
++static ssize_t
++client_push (gnutls_transport_ptr_t tr, const void *data, size_t len)
++{
++ size_t newlen = to_server_len + len;
++ char *tmp;
++
++ tmp = realloc (to_server, newlen);
++ if (!tmp)
++ abort ();
++ to_server = tmp;
++
++ memcpy (to_server + to_server_len, data, len);
++ to_server_len = newlen;
++
++ return len;
++}
++
++static ssize_t
++server_pull (gnutls_transport_ptr_t tr, void *data, size_t len)
++{
++ if (to_server_len < len)
++ {
++ gnutls_transport_set_global_errno (EAGAIN);
++ return -1;
++ }
++
++ memcpy (data, to_server, len);
++
++ memmove (to_server, to_server + len, to_server_len - len);
++ to_server_len -= len;
++
++ return len;
++}
++
++static ssize_t
++server_push (gnutls_transport_ptr_t tr, const void *data, size_t len)
++{
++ size_t newlen = to_client_len + len;
++ char *tmp;
++
++ tmp = realloc (to_client, newlen);
++ if (!tmp)
++ abort ();
++ to_client = tmp;
++
++ memcpy (to_client + to_client_len, data, len);
++ to_client_len = newlen;
++
++ return len;
++}
++
++static unsigned char server_cert_pem[] =
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n"
++ "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n"
++ "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n"
++ "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n"
++ "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n"
++ "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n"
++ "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n"
++ "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n"
++ "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n"
++ "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n"
++ "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n"
++ "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n"
++ "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n";
++
++const gnutls_datum_t server_cert = { server_cert_pem,
++ sizeof (server_cert_pem)
++};
++
++static unsigned char server_key_pem[] =
++ "-----BEGIN RSA PRIVATE KEY-----\n"
++ "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n"
++ "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n"
++ "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n"
++ "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n"
++ "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n"
++ "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n"
++ "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n"
++ "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n"
++ "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n"
++ "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n"
++ "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n"
++ "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n"
++ "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n"
++ "-----END RSA PRIVATE KEY-----\n";
++
++const gnutls_datum_t server_key = { server_key_pem,
++ sizeof (server_key_pem)
++};
++
++int
++main (int argc, char *argv[])
++{
++ int debug_level = argc - 1;
++ int exit_code = EXIT_SUCCESS;
++ /* Server stuff. */
++ gnutls_certificate_credentials_t serverx509cred;
++ gnutls_session_t server;
++ int sret = GNUTLS_E_AGAIN;
++ /* Client stuff. */
++ gnutls_certificate_credentials_t clientx509cred;
++ gnutls_session_t client;
++ int cret = GNUTLS_E_AGAIN;
++
++ /* General init. */
++ gnutls_global_init ();
++ gnutls_global_set_log_function (tls_log_func);
++ gnutls_global_set_log_level (debug_level);
++
++ /* Init server */
++ gnutls_certificate_allocate_credentials (&serverx509cred);
++ gnutls_certificate_set_x509_key_mem (serverx509cred,
++ &server_cert, &server_key,
++ GNUTLS_X509_FMT_PEM);
++ gnutls_init (&server, GNUTLS_SERVER);
++ gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred);
++ gnutls_priority_set_direct (server, "NORMAL:%SAFE_RENEGOTIATION", NULL);
++ gnutls_transport_set_push_function (server, server_push);
++ gnutls_transport_set_pull_function (server, server_pull);
++
++ /* Init client */
++ gnutls_certificate_allocate_credentials (&clientx509cred);
++ gnutls_init (&client, GNUTLS_CLIENT);
++ gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, clientx509cred);
++ gnutls_priority_set_direct (client, "NORMAL:%DISABLE_SAFE_RENEGOTIATION",
++ NULL);
++ gnutls_transport_set_push_function (client, client_push);
++ gnutls_transport_set_pull_function (client, client_pull);
++
++ /* Check that initially no session use the extension. */
++ if (gnutls_safe_renegotiation_status (server)
++ || gnutls_safe_renegotiation_status (client))
++ {
++ puts ("Client or server using extension before handshake?");
++ abort ();
++ }
++
++ do
++ {
++ static int max_iter = 0;
++ if (max_iter++ > 10)
++ abort ();
++
++ if (cret == GNUTLS_E_AGAIN)
++ {
++ cret = gnutls_handshake (client);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "gnutls_handshake (client)...\n");
++ tls_log_func (0, gnutls_strerror (cret));
++ tls_log_func (0, "\n");
++ }
++ }
++
++ if (sret == GNUTLS_E_AGAIN)
++ {
++ sret = gnutls_handshake (server);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "gnutls_handshake (server)...\n");
++ tls_log_func (0, gnutls_strerror (sret));
++ tls_log_func (0, "\n");
++ }
++ }
++ }
++ while ((cret == GNUTLS_E_AGAIN || cret == GNUTLS_E_SUCCESS)
++ && (sret == GNUTLS_E_AGAIN || sret == GNUTLS_E_SUCCESS));
++
++ if (cret != GNUTLS_E_SUCCESS && sret != GNUTLS_E_SAFE_RENEGOTIATION_FAILED)
++ exit_code = EXIT_FAILURE;
++
++ gnutls_bye (client, GNUTLS_SHUT_RDWR);
++ gnutls_bye (server, GNUTLS_SHUT_RDWR);
++
++ gnutls_deinit (client);
++ gnutls_deinit (server);
++
++ free (to_server);
++ free (to_client);
++
++ gnutls_certificate_free_credentials (serverx509cred);
++
++ gnutls_global_deinit ();
++
++ if (debug_level > 0)
++ {
++ if (exit_code == 0)
++ puts ("Self-test successful");
++ else
++ puts ("Self-test failed");
++ }
++
++ return exit_code;
++}
+--- /dev/null 2013-09-26
++++ b/tests/safe-renegotiation/srn5.c 2013-09-26
+@@ -0,0 +1,337 @@
++/*
++ * Copyright (C) 2008, 2010 Free Software Foundation, Inc.
++ *
++ * Author: Simon Josefsson
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GnuTLS; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
++ */
++
++/* Code based on ./srn0.c.
++ *
++ * This tests that a client with a permissive policy
++ * (%UNSAFE_RENEGOTIATION) is able to handshake and rehandshake with a
++ * server with no support for the extension.
++ */
++
++#ifdef HAVE_CONFIG_H
++# include <config.h>
++#endif
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <errno.h>
++#include <gnutls/gnutls.h>
++
++static void
++tls_log_func (int level, const char *str)
++{
++ fprintf (stderr, "|<%d>| %s", level, str);
++}
++
++static char *to_server;
++static size_t to_server_len;
++
++static char *to_client;
++static size_t to_client_len;
++
++static ssize_t
++client_pull (gnutls_transport_ptr_t tr, void *data, size_t len)
++{
++ if (to_client_len < len)
++ {
++ gnutls_transport_set_global_errno (EAGAIN);
++ return -1;
++ }
++
++ memcpy (data, to_client, len);
++
++ memmove (to_client, to_client + len, to_client_len - len);
++ to_client_len -= len;
++
++ return len;
++}
++
++static ssize_t
++client_push (gnutls_transport_ptr_t tr, const void *data, size_t len)
++{
++ size_t newlen = to_server_len + len;
++ char *tmp;
++
++ tmp = realloc (to_server, newlen);
++ if (!tmp)
++ abort ();
++ to_server = tmp;
++
++ memcpy (to_server + to_server_len, data, len);
++ to_server_len = newlen;
++
++ return len;
++}
++
++static ssize_t
++server_pull (gnutls_transport_ptr_t tr, void *data, size_t len)
++{
++ if (to_server_len < len)
++ {
++ gnutls_transport_set_global_errno (EAGAIN);
++ return -1;
++ }
++
++ memcpy (data, to_server, len);
++
++ memmove (to_server, to_server + len, to_server_len - len);
++ to_server_len -= len;
++
++ return len;
++}
++
++static ssize_t
++server_push (gnutls_transport_ptr_t tr, const void *data, size_t len)
++{
++ size_t newlen = to_client_len + len;
++ char *tmp;
++
++ tmp = realloc (to_client, newlen);
++ if (!tmp)
++ abort ();
++ to_client = tmp;
++
++ memcpy (to_client + to_client_len, data, len);
++ to_client_len = newlen;
++
++ return len;
++}
++
++static unsigned char server_cert_pem[] =
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n"
++ "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n"
++ "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n"
++ "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n"
++ "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n"
++ "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n"
++ "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n"
++ "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n"
++ "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n"
++ "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n"
++ "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n"
++ "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n"
++ "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n";
++
++const gnutls_datum_t server_cert = { server_cert_pem,
++ sizeof (server_cert_pem)
++};
++
++static unsigned char server_key_pem[] =
++ "-----BEGIN RSA PRIVATE KEY-----\n"
++ "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n"
++ "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n"
++ "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n"
++ "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n"
++ "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n"
++ "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n"
++ "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n"
++ "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n"
++ "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n"
++ "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n"
++ "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n"
++ "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n"
++ "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n"
++ "-----END RSA PRIVATE KEY-----\n";
++
++const gnutls_datum_t server_key = { server_key_pem,
++ sizeof (server_key_pem)
++};
++
++int
++main (int argc, char *argv[])
++{
++ int debug_level = argc - 1;
++ int exit_code = EXIT_SUCCESS;
++ /* Server stuff. */
++ gnutls_certificate_credentials_t serverx509cred;
++ gnutls_session_t server;
++ int sret = GNUTLS_E_AGAIN;
++ /* Client stuff. */
++ gnutls_certificate_credentials_t clientx509cred;
++ gnutls_session_t client;
++ int cret = GNUTLS_E_AGAIN;
++
++ /* General init. */
++ gnutls_global_init ();
++ gnutls_global_set_log_function (tls_log_func);
++ gnutls_global_set_log_level (debug_level);
++
++ /* Init server */
++ gnutls_certificate_allocate_credentials (&serverx509cred);
++ gnutls_certificate_set_x509_key_mem (serverx509cred,
++ &server_cert, &server_key,
++ GNUTLS_X509_FMT_PEM);
++ gnutls_init (&server, GNUTLS_SERVER);
++ gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred);
++ gnutls_priority_set_direct (server, "NORMAL:%DISABLE_SAFE_RENEGOTIATION",
++ NULL);
++ gnutls_transport_set_push_function (server, server_push);
++ gnutls_transport_set_pull_function (server, server_pull);
++
++ /* Init client */
++ gnutls_certificate_allocate_credentials (&clientx509cred);
++ gnutls_init (&client, GNUTLS_CLIENT);
++ gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, clientx509cred);
++ gnutls_priority_set_direct (client, "NORMAL:%UNSAFE_RENEGOTIATION", NULL);
++ gnutls_transport_set_push_function (client, client_push);
++ gnutls_transport_set_pull_function (client, client_pull);
++
++ /* Check that initially no session use the extension. */
++ if (gnutls_safe_renegotiation_status (server)
++ || gnutls_safe_renegotiation_status (client))
++ {
++ puts ("Client or server using extension before handshake?");
++ abort ();
++ }
++
++ do
++ {
++ static int max_iter = 0;
++ if (max_iter++ > 10)
++ abort ();
++
++ if (cret == GNUTLS_E_AGAIN)
++ {
++ cret = gnutls_handshake (client);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "gnutls_handshake (client)...\n");
++ tls_log_func (0, gnutls_strerror (cret));
++ tls_log_func (0, "\n");
++ }
++ }
++
++ if (sret == GNUTLS_E_AGAIN)
++ {
++ sret = gnutls_handshake (server);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "gnutls_handshake (server)...\n");
++ tls_log_func (0, gnutls_strerror (sret));
++ tls_log_func (0, "\n");
++ }
++ }
++ }
++ while (
++ /* Not done: */
++ !(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS)
++ /* No error: */
++ && (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN));
++
++ if (cret != GNUTLS_E_SUCCESS && sret != GNUTLS_E_SUCCESS)
++ exit_code = EXIT_FAILURE;
++
++ if (gnutls_safe_renegotiation_status (client) ||
++ gnutls_safe_renegotiation_status (server))
++ {
++ tls_log_func (0, "Session using safe renegotiation?!\n");
++ exit_code = EXIT_FAILURE;
++ }
++
++ sret = gnutls_rehandshake (server);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "gnutls_rehandshake (server)...\n");
++ tls_log_func (0, gnutls_strerror (sret));
++ tls_log_func (0, "\n");
++ }
++
++ {
++ ssize_t n;
++ char b[1];
++ n = gnutls_record_recv (client, b, 1);
++ if (n != GNUTLS_E_REHANDSHAKE)
++ abort ();
++ }
++
++ cret = GNUTLS_E_AGAIN;
++ sret = GNUTLS_E_AGAIN;
++
++ do
++ {
++ static int max_iter = 0;
++ if (max_iter++ > 10)
++ abort ();
++
++ if (cret == GNUTLS_E_AGAIN)
++ {
++ cret = gnutls_handshake (client);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "second gnutls_handshake (client)...\n");
++ tls_log_func (0, gnutls_strerror (cret));
++ tls_log_func (0, "\n");
++ }
++ }
++
++ if (sret == GNUTLS_E_AGAIN)
++ {
++ sret = gnutls_handshake (server);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "second gnutls_handshake (server)...\n");
++ tls_log_func (0, gnutls_strerror (sret));
++ tls_log_func (0, "\n");
++ }
++ }
++ }
++ while (
++ /* Not done: */
++ !(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS)
++ /* No error: */
++ && (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN));
++
++ if (cret != GNUTLS_E_SUCCESS && sret != GNUTLS_E_SUCCESS)
++ exit_code = 1;
++
++ if (gnutls_safe_renegotiation_status (client) ||
++ gnutls_safe_renegotiation_status (server))
++ {
++ tls_log_func (0, "Rehandshaked using safe renegotiation?!\n");
++ exit_code = EXIT_FAILURE;
++ }
++
++ gnutls_bye (client, GNUTLS_SHUT_RDWR);
++ gnutls_bye (server, GNUTLS_SHUT_RDWR);
++
++ gnutls_deinit (client);
++ gnutls_deinit (server);
++
++ free (to_server);
++ free (to_client);
++
++ gnutls_certificate_free_credentials (serverx509cred);
++
++ gnutls_global_deinit ();
++
++ if (debug_level > 0)
++ {
++ if (exit_code == 0)
++ puts ("Self-test successful");
++ else
++ puts ("Self-test failed");
++ }
++
++ return exit_code;
++}
+--- /dev/null 2013-09-26
++++ b/tests/safe-renegotiation/srn6.c 2013-09-26
+@@ -0,0 +1,337 @@
++/*
++ * Copyright (C) 2008, 2010 Free Software Foundation, Inc.
++ *
++ * Author: Simon Josefsson
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GnuTLS; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
++ */
++
++/* Code based on ./srn5.c.
++ *
++ * This tests that a server with a permissive policy
++ * (%UNSAFE_RENEGOTIATION) is able to handshake and rehandshake with a
++ * client with no support for the extension.
++ */
++
++#ifdef HAVE_CONFIG_H
++# include <config.h>
++#endif
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <errno.h>
++#include <gnutls/gnutls.h>
++
++static void
++tls_log_func (int level, const char *str)
++{
++ fprintf (stderr, "|<%d>| %s", level, str);
++}
++
++static char *to_server;
++static size_t to_server_len;
++
++static char *to_client;
++static size_t to_client_len;
++
++static ssize_t
++client_pull (gnutls_transport_ptr_t tr, void *data, size_t len)
++{
++ if (to_client_len < len)
++ {
++ gnutls_transport_set_global_errno (EAGAIN);
++ return -1;
++ }
++
++ memcpy (data, to_client, len);
++
++ memmove (to_client, to_client + len, to_client_len - len);
++ to_client_len -= len;
++
++ return len;
++}
++
++static ssize_t
++client_push (gnutls_transport_ptr_t tr, const void *data, size_t len)
++{
++ size_t newlen = to_server_len + len;
++ char *tmp;
++
++ tmp = realloc (to_server, newlen);
++ if (!tmp)
++ abort ();
++ to_server = tmp;
++
++ memcpy (to_server + to_server_len, data, len);
++ to_server_len = newlen;
++
++ return len;
++}
++
++static ssize_t
++server_pull (gnutls_transport_ptr_t tr, void *data, size_t len)
++{
++ if (to_server_len < len)
++ {
++ gnutls_transport_set_global_errno (EAGAIN);
++ return -1;
++ }
++
++ memcpy (data, to_server, len);
++
++ memmove (to_server, to_server + len, to_server_len - len);
++ to_server_len -= len;
++
++ return len;
++}
++
++static ssize_t
++server_push (gnutls_transport_ptr_t tr, const void *data, size_t len)
++{
++ size_t newlen = to_client_len + len;
++ char *tmp;
++
++ tmp = realloc (to_client, newlen);
++ if (!tmp)
++ abort ();
++ to_client = tmp;
++
++ memcpy (to_client + to_client_len, data, len);
++ to_client_len = newlen;
++
++ return len;
++}
++
++static unsigned char server_cert_pem[] =
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n"
++ "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n"
++ "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n"
++ "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n"
++ "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n"
++ "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n"
++ "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n"
++ "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n"
++ "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n"
++ "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n"
++ "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n"
++ "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n"
++ "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n";
++
++const gnutls_datum_t server_cert = { server_cert_pem,
++ sizeof (server_cert_pem)
++};
++
++static unsigned char server_key_pem[] =
++ "-----BEGIN RSA PRIVATE KEY-----\n"
++ "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n"
++ "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n"
++ "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n"
++ "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n"
++ "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n"
++ "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n"
++ "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n"
++ "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n"
++ "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n"
++ "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n"
++ "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n"
++ "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n"
++ "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n"
++ "-----END RSA PRIVATE KEY-----\n";
++
++const gnutls_datum_t server_key = { server_key_pem,
++ sizeof (server_key_pem)
++};
++
++int
++main (int argc, char *argv[])
++{
++ int debug_level = argc - 1;
++ int exit_code = EXIT_SUCCESS;
++ /* Server stuff. */
++ gnutls_certificate_credentials_t serverx509cred;
++ gnutls_session_t server;
++ int sret = GNUTLS_E_AGAIN;
++ /* Client stuff. */
++ gnutls_certificate_credentials_t clientx509cred;
++ gnutls_session_t client;
++ int cret = GNUTLS_E_AGAIN;
++
++ /* General init. */
++ gnutls_global_init ();
++ gnutls_global_set_log_function (tls_log_func);
++ gnutls_global_set_log_level (debug_level);
++
++ /* Init server */
++ gnutls_certificate_allocate_credentials (&serverx509cred);
++ gnutls_certificate_set_x509_key_mem (serverx509cred,
++ &server_cert, &server_key,
++ GNUTLS_X509_FMT_PEM);
++ gnutls_init (&server, GNUTLS_SERVER);
++ gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred);
++ gnutls_priority_set_direct (server, "NORMAL:%UNSAFE_RENEGOTIATION", NULL);
++ gnutls_transport_set_push_function (server, server_push);
++ gnutls_transport_set_pull_function (server, server_pull);
++
++ /* Init client */
++ gnutls_certificate_allocate_credentials (&clientx509cred);
++ gnutls_init (&client, GNUTLS_CLIENT);
++ gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, clientx509cred);
++ gnutls_priority_set_direct (client, "NORMAL:%DISABLE_SAFE_RENEGOTIATION",
++ NULL);
++ gnutls_transport_set_push_function (client, client_push);
++ gnutls_transport_set_pull_function (client, client_pull);
++
++ /* Check that initially no session use the extension. */
++ if (gnutls_safe_renegotiation_status (server)
++ || gnutls_safe_renegotiation_status (client))
++ {
++ puts ("Client or server using extension before handshake?");
++ abort ();
++ }
++
++ do
++ {
++ static int max_iter = 0;
++ if (max_iter++ > 10)
++ abort ();
++
++ if (cret == GNUTLS_E_AGAIN)
++ {
++ cret = gnutls_handshake (client);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "gnutls_handshake (client)...\n");
++ tls_log_func (0, gnutls_strerror (cret));
++ tls_log_func (0, "\n");
++ }
++ }
++
++ if (sret == GNUTLS_E_AGAIN)
++ {
++ sret = gnutls_handshake (server);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "gnutls_handshake (server)...\n");
++ tls_log_func (0, gnutls_strerror (sret));
++ tls_log_func (0, "\n");
++ }
++ }
++ }
++ while (
++ /* Not done: */
++ !(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS)
++ /* No error: */
++ && (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN));
++
++ if (cret != GNUTLS_E_SUCCESS && sret != GNUTLS_E_SUCCESS)
++ exit_code = EXIT_FAILURE;
++
++ if (gnutls_safe_renegotiation_status (client) ||
++ gnutls_safe_renegotiation_status (server))
++ {
++ tls_log_func (0, "Session using safe renegotiation?!\n");
++ exit_code = EXIT_FAILURE;
++ }
++
++ sret = gnutls_rehandshake (server);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "gnutls_rehandshake (server)...\n");
++ tls_log_func (0, gnutls_strerror (sret));
++ tls_log_func (0, "\n");
++ }
++
++ {
++ ssize_t n;
++ char b[1];
++ n = gnutls_record_recv (client, b, 1);
++ if (n != GNUTLS_E_REHANDSHAKE)
++ abort ();
++ }
++
++ cret = GNUTLS_E_AGAIN;
++ sret = GNUTLS_E_AGAIN;
++
++ do
++ {
++ static int max_iter = 0;
++ if (max_iter++ > 10)
++ abort ();
++
++ if (cret == GNUTLS_E_AGAIN)
++ {
++ cret = gnutls_handshake (client);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "second gnutls_handshake (client)...\n");
++ tls_log_func (0, gnutls_strerror (cret));
++ tls_log_func (0, "\n");
++ }
++ }
++
++ if (sret == GNUTLS_E_AGAIN)
++ {
++ sret = gnutls_handshake (server);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "second gnutls_handshake (server)...\n");
++ tls_log_func (0, gnutls_strerror (sret));
++ tls_log_func (0, "\n");
++ }
++ }
++ }
++ while (
++ /* Not done: */
++ !(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS)
++ /* No error: */
++ && (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN));
++
++ if (cret != GNUTLS_E_SUCCESS && sret != GNUTLS_E_SUCCESS)
++ exit_code = 1;
++
++ if (gnutls_safe_renegotiation_status (client) ||
++ gnutls_safe_renegotiation_status (server))
++ {
++ tls_log_func (0, "Rehandshaked using safe renegotiation?!\n");
++ exit_code = EXIT_FAILURE;
++ }
++
++ gnutls_bye (client, GNUTLS_SHUT_RDWR);
++ gnutls_bye (server, GNUTLS_SHUT_RDWR);
++
++ gnutls_deinit (client);
++ gnutls_deinit (server);
++
++ free (to_server);
++ free (to_client);
++
++ gnutls_certificate_free_credentials (serverx509cred);
++
++ gnutls_global_deinit ();
++
++ if (debug_level > 0)
++ {
++ if (exit_code == 0)
++ puts ("Self-test successful");
++ else
++ puts ("Self-test failed");
++ }
++
++ return exit_code;
++}
+--- /dev/null 2013-09-26
++++ b/tests/safe-renegotiation/srn7.c 2013-09-26
+@@ -0,0 +1,336 @@
++/*
++ * Copyright (C) 2008, 2010 Free Software Foundation, Inc.
++ *
++ * Author: Simon Josefsson
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GnuTLS; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
++ */
++
++/* Code based on ../srn0.c.
++ *
++ * This tests that clients and servers in %SAFE_RENEGOTIATION mode are
++ * able to handshake and rehandshake.
++ */
++
++#ifdef HAVE_CONFIG_H
++# include <config.h>
++#endif
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <errno.h>
++#include <gnutls/gnutls.h>
++
++static void
++tls_log_func (int level, const char *str)
++{
++ fprintf (stderr, "|<%d>| %s", level, str);
++}
++
++static char *to_server;
++static size_t to_server_len;
++
++static char *to_client;
++static size_t to_client_len;
++
++static ssize_t
++client_pull (gnutls_transport_ptr_t tr, void *data, size_t len)
++{
++ if (to_client_len < len)
++ {
++ gnutls_transport_set_global_errno (EAGAIN);
++ return -1;
++ }
++
++ memcpy (data, to_client, len);
++
++ memmove (to_client, to_client + len, to_client_len - len);
++ to_client_len -= len;
++
++ return len;
++}
++
++static ssize_t
++client_push (gnutls_transport_ptr_t tr, const void *data, size_t len)
++{
++ size_t newlen = to_server_len + len;
++ char *tmp;
++
++ tmp = realloc (to_server, newlen);
++ if (!tmp)
++ abort ();
++ to_server = tmp;
++
++ memcpy (to_server + to_server_len, data, len);
++ to_server_len = newlen;
++
++ return len;
++}
++
++static ssize_t
++server_pull (gnutls_transport_ptr_t tr, void *data, size_t len)
++{
++ if (to_server_len < len)
++ {
++ gnutls_transport_set_global_errno (EAGAIN);
++ return -1;
++ }
++
++ memcpy (data, to_server, len);
++
++ memmove (to_server, to_server + len, to_server_len - len);
++ to_server_len -= len;
++
++ return len;
++}
++
++static ssize_t
++server_push (gnutls_transport_ptr_t tr, const void *data, size_t len)
++{
++ size_t newlen = to_client_len + len;
++ char *tmp;
++
++ tmp = realloc (to_client, newlen);
++ if (!tmp)
++ abort ();
++ to_client = tmp;
++
++ memcpy (to_client + to_client_len, data, len);
++ to_client_len = newlen;
++
++ return len;
++}
++
++static unsigned char server_cert_pem[] =
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n"
++ "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n"
++ "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n"
++ "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n"
++ "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n"
++ "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n"
++ "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n"
++ "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n"
++ "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n"
++ "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n"
++ "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n"
++ "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n"
++ "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n";
++
++const gnutls_datum_t server_cert = { server_cert_pem,
++ sizeof (server_cert_pem)
++};
++
++static unsigned char server_key_pem[] =
++ "-----BEGIN RSA PRIVATE KEY-----\n"
++ "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n"
++ "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n"
++ "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n"
++ "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n"
++ "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n"
++ "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n"
++ "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n"
++ "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n"
++ "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n"
++ "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n"
++ "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n"
++ "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n"
++ "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n"
++ "-----END RSA PRIVATE KEY-----\n";
++
++const gnutls_datum_t server_key = { server_key_pem,
++ sizeof (server_key_pem)
++};
++
++int
++main (int argc, char *argv[])
++{
++ int debug_level = argc - 1;
++ int exit_code = EXIT_SUCCESS;
++ /* Server stuff. */
++ gnutls_certificate_credentials_t serverx509cred;
++ gnutls_session_t server;
++ int sret = GNUTLS_E_AGAIN;
++ /* Client stuff. */
++ gnutls_certificate_credentials_t clientx509cred;
++ gnutls_session_t client;
++ int cret = GNUTLS_E_AGAIN;
++
++ /* General init. */
++ gnutls_global_init ();
++ gnutls_global_set_log_function (tls_log_func);
++ gnutls_global_set_log_level (debug_level);
++
++ /* Init server */
++ gnutls_certificate_allocate_credentials (&serverx509cred);
++ gnutls_certificate_set_x509_key_mem (serverx509cred,
++ &server_cert, &server_key,
++ GNUTLS_X509_FMT_PEM);
++ gnutls_init (&server, GNUTLS_SERVER);
++ gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred);
++ gnutls_priority_set_direct (server, "NORMAL:%SAFE_RENEGOTIATION", NULL);
++ gnutls_transport_set_push_function (server, server_push);
++ gnutls_transport_set_pull_function (server, server_pull);
++
++ /* Init client */
++ gnutls_certificate_allocate_credentials (&clientx509cred);
++ gnutls_init (&client, GNUTLS_CLIENT);
++ gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, clientx509cred);
++ gnutls_priority_set_direct (client, "NORMAL:%SAFE_RENEGOTIATION", NULL);
++ gnutls_transport_set_push_function (client, client_push);
++ gnutls_transport_set_pull_function (client, client_pull);
++
++ /* Check that initially no session use the extension. */
++ if (gnutls_safe_renegotiation_status (server)
++ || gnutls_safe_renegotiation_status (client))
++ {
++ puts ("Client or server using extension before handshake?");
++ abort ();
++ }
++
++ do
++ {
++ static int max_iter = 0;
++ if (max_iter++ > 10)
++ abort ();
++
++ if (cret == GNUTLS_E_AGAIN)
++ {
++ cret = gnutls_handshake (client);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "gnutls_handshake (client)...\n");
++ tls_log_func (0, gnutls_strerror (cret));
++ tls_log_func (0, "\n");
++ }
++ }
++
++ if (sret == GNUTLS_E_AGAIN)
++ {
++ sret = gnutls_handshake (server);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "gnutls_handshake (server)...\n");
++ tls_log_func (0, gnutls_strerror (sret));
++ tls_log_func (0, "\n");
++ }
++ }
++ }
++ while (
++ /* Not done: */
++ !(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS)
++ /* No error: */
++ && (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN));
++
++ if (cret != GNUTLS_E_SUCCESS && sret != GNUTLS_E_SUCCESS)
++ exit_code = EXIT_FAILURE;
++
++ if (!gnutls_safe_renegotiation_status (client) ||
++ !gnutls_safe_renegotiation_status (server))
++ {
++ tls_log_func (0, "Session not using safe renegotiation!\n");
++ exit_code = EXIT_FAILURE;
++ }
++
++ sret = gnutls_rehandshake (server);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "gnutls_rehandshake (server)...\n");
++ tls_log_func (0, gnutls_strerror (sret));
++ tls_log_func (0, "\n");
++ }
++
++ {
++ ssize_t n;
++ char b[1];
++ n = gnutls_record_recv (client, b, 1);
++ if (n != GNUTLS_E_REHANDSHAKE)
++ abort ();
++ }
++
++ cret = GNUTLS_E_AGAIN;
++ sret = GNUTLS_E_AGAIN;
++
++ do
++ {
++ static int max_iter = 0;
++ if (max_iter++ > 10)
++ abort ();
++
++ if (cret == GNUTLS_E_AGAIN)
++ {
++ cret = gnutls_handshake (client);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "second gnutls_handshake (client)...\n");
++ tls_log_func (0, gnutls_strerror (cret));
++ tls_log_func (0, "\n");
++ }
++ }
++
++ if (sret == GNUTLS_E_AGAIN)
++ {
++ sret = gnutls_handshake (server);
++ if (debug_level > 0)
++ {
++ tls_log_func (0, "second gnutls_handshake (server)...\n");
++ tls_log_func (0, gnutls_strerror (sret));
++ tls_log_func (0, "\n");
++ }
++ }
++ }
++ while (
++ /* Not done: */
++ !(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS)
++ /* No error: */
++ && (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN));
++
++ if (cret != GNUTLS_E_SUCCESS && sret != GNUTLS_E_SUCCESS)
++ exit_code = 1;
++
++ if (!gnutls_safe_renegotiation_status (client) ||
++ !gnutls_safe_renegotiation_status (server))
++ {
++ tls_log_func (0,
++ "Rehandshaked session not using safe renegotiation!\n");
++ exit_code = EXIT_FAILURE;
++ }
++
++ gnutls_bye (client, GNUTLS_SHUT_RDWR);
++ gnutls_bye (server, GNUTLS_SHUT_RDWR);
++
++ gnutls_deinit (client);
++ gnutls_deinit (server);
++
++ free (to_server);
++ free (to_client);
++
++ gnutls_certificate_free_credentials (serverx509cred);
++
++ gnutls_global_deinit ();
++
++ if (debug_level > 0)
++ {
++ if (exit_code == 0)
++ puts ("Self-test successful");
++ else
++ puts ("Self-test failed");
++ }
++
++ return exit_code;
++}
+--- /dev/null 2013-09-26
++++ b/tests/safe-renegotiation/testsrn 2013-09-26
+@@ -0,0 +1,103 @@
++#!/bin/sh
++
++# Copyright (C) 2010 Free Software Foundation, Inc.
++#
++# Author: Nikos Mavrogiannopoulos
++#
++# This file is part of GnuTLS.
++#
++# GnuTLS is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 3 of the License, or (at
++# your option) any later version.
++#
++# GnuTLS is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++# General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with GnuTLS; if not, write to the Free Software Foundation,
++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
++
++srcdir="${srcdir:-.}"
++SERV="${SERV:-../../src/gnutls-serv$EXEEXT} -q"
++CLI="${CLI:-../../src/gnutls-cli$EXEEXT}"
++PORT="${PORT:-5558}"
++unset RETCODE
++
++fail() {
++ echo "Failure: $1" >&2
++ RETCODE=${RETCODE:-${2:-1}}
++}
++
++echo "Checking Safe renegotiation"
++
++$SERV -p $PORT --echo --priority NORMAL:+ANON-DH:%PARTIAL_RENEGOTIATION --dhparams $srcdir/params.dh >/dev/null 2>&1 &
++pid=$!
++
++# give the server a chance to initialize
++sleep 2
++
++$CLI -p $PORT 127.0.0.1 --rehandshake --priority NONE:+AES-128-CBC:+MD5:+SHA1:+VERS-SSL3.0:+ANON-DH:+COMP-NULL:%SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
++ fail "0. Renegotiation should have succeeded!"
++
++$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
++ fail "1. Safe rehandshake should have succeeded!"
++
++$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
++ fail "2. Unsafe rehandshake should have succeeded!"
++
++$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
++ fail "3. Unsafe negotiation should have succeeded!"
++
++$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 && \
++ fail "4. Unsafe renegotiation should have failed!"
++
++
++kill $pid
++wait
++
++$SERV -p $PORT --echo --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION --dhparams $srcdir/params.dh >/dev/null 2>&1 &
++pid=$!
++
++# give the server a chance to initialize
++sleep 2
++
++$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
++ fail "5. Safe rehandshake should have succeeded!"
++
++$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
++ fail "6. Unsafe rehandshake should have succeeded!"
++
++$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 && \
++ fail "7. Unsafe negotiation should have failed!"
++
++$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 && \
++ fail "8. Unsafe renegotiation should have failed!"
++
++kill $pid
++wait
++
++$SERV -p $PORT --echo --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION --dhparams $srcdir/params.dh >/dev/null 2>&1 &
++pid=$!
++
++# give the server a chance to initialize
++sleep 2
++
++$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 && \
++ fail "9. Initial connection should have failed!"
++
++$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%UNSAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
++ fail "10. Unsafe connection should have succeeded!"
++
++$CLI -p $PORT 127.0.0.1 --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
++ fail "11. Unsafe negotiation should have succeeded!"
++
++$CLI -p $PORT 127.0.0.1 --rehandshake --priority NORMAL:+ANON-DH:%DISABLE_SAFE_RENEGOTIATION </dev/null >/dev/null 2>&1 || \
++ fail "12. Unsafe renegotiation should have succeeded!"
++
++kill $pid
++wait
++
++exit ${RETCODE:-0}
+--- a/tests/simple.c 2009-06-02
++++ b/tests/simple.c 2013-09-26
+@@ -50,7 +50,7 @@ doit (void)
+
+ for (i = 0; algs[i]; i++)
+ {
+- printf ("pk_list[%d] = %d = %s = %d\n", i, algs[i],
++ printf ("pk_list[%d] = %d = %s = %d\n", (int)i, algs[i],
+ gnutls_pk_algorithm_get_name (algs[i]),
+ gnutls_pk_get_id (gnutls_pk_algorithm_get_name (algs[i])));
+ if (gnutls_pk_get_id (gnutls_pk_algorithm_get_name (algs[i]))
+@@ -76,7 +76,7 @@ doit (void)
+
+ for (i = 0; algs[i]; i++)
+ {
+- printf ("sign_list[%d] = %d = %s = %d\n", i, algs[i],
++ printf ("sign_list[%d] = %d = %s = %d\n", (int)i, algs[i],
+ gnutls_sign_algorithm_get_name (algs[i]),
+ gnutls_sign_get_id (gnutls_sign_algorithm_get_name
+ (algs[i])));
diff --git a/patches/source/gnutls/gnutls-2.8.6_CVE-2011-4128.diff b/patches/source/gnutls/gnutls-2.8.6_CVE-2011-4128.diff
new file mode 100644
index 00000000..56a04ac6
--- /dev/null
+++ b/patches/source/gnutls/gnutls-2.8.6_CVE-2011-4128.diff
@@ -0,0 +1,36 @@
+From 949b53faed849109787a9972149874f7dfe63029 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@hush.com>
+Date: Sun, 29 Sep 2013
+Subject: CVE-2011-4128 [GNUTLS-SA-2011-2]
+
+gnutls_session_get_data: fix possible buffer overflow
+
+This is a backport adaptation for use with GnuTLS 2.8.6.
+
+Relevant upstream commits:
+--------------------------
+https://gitorious.org/gnutls/gnutls/commit/190cef6eed37d0
+https://gitorious.org/gnutls/gnutls/commit/e82ef4545e9e98
+
+---
+ gnutls_session.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/lib/gnutls_session.c 2013-09-27
++++ b/lib/gnutls_session.c 2013-09-27
+@@ -64,13 +64,14 @@ gnutls_session_get_data (gnutls_session_
+ gnutls_assert ();
+ return ret;
+ }
+- *session_data_size = psession.size;
+
+ if (psession.size > *session_data_size)
+ {
++ *session_data_size = psession.size;
+ ret = GNUTLS_E_SHORT_MEMORY_BUFFER;
+ goto error;
+ }
++ *session_data_size = psession.size;
+
+ if (session_data != NULL)
+ memcpy (session_data, psession.data, psession.size);
diff --git a/patches/source/gnutls/gnutls-2.8.6_CVE-2012-1569.diff b/patches/source/gnutls/gnutls-2.8.6_CVE-2012-1569.diff
new file mode 100644
index 00000000..4fc4f45b
--- /dev/null
+++ b/patches/source/gnutls/gnutls-2.8.6_CVE-2012-1569.diff
@@ -0,0 +1,62 @@
+From d62dfe61dcf118aa397c39b3b23d8459c150c3b7 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@hush.com>
+Date: Thu, 3 Oct 2013
+Subject: CVE-2012-1569 [GNUTLS-SA-2012-3]
+
+asn1_get_length_der() in decoding.c in GNU Libtasn1 before 2.12
+does not properly handle certain large length values. This can be
+exploited by attackers to cause a DoS or other impacts via a
+crafted ASN.1 structure.
+
+Fix adapted for use with libtasn1 embedded in GnuTLS 2.8.6.
+
+Relevant upstream patch:
+------------------------
+http://article.gmane.org/gmane.comp.gnu.libtasn1.general/54
+
+---
+ decoding.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/lib/minitasn1/decoding.c
++++ b/lib/minitasn1/decoding.c
+@@ -55,12 +55,13 @@ _asn1_error_description_tag_error (ASN1_TYPE node, char *ErrorDescription)
+ * Extract a length field from DER data.
+ *
+ * Return value: Return the decoded length value, or -1 on indefinite
+- * length, or -2 when the value was too big.
++ * length, or -2 when the value was too big to fit in a int, or -4
++ * when the decoded length value plus @len would exceed @der_len.
+ **/
+ signed long
+ asn1_get_length_der (const unsigned char *der, int der_len, int *len)
+ {
+- unsigned long ans;
++ int ans;
+ int k, punt;
+
+ *len = 0;
+@@ -83,7 +84,7 @@ asn1_get_length_der (const unsigned char *der, int der_len, int *len)
+ ans = 0;
+ while (punt <= k && punt < der_len)
+ {
+- unsigned long last = ans;
++ int last = ans;
+
+ ans = ans * 256 + der[punt++];
+ if (ans < last)
+@@ -93,10 +94,13 @@ asn1_get_length_der (const unsigned char *der, int der_len, int *len)
+ }
+ else
+ { /* indefinite length method */
+- ans = -1;
++ *len = punt;
++ return -1;
+ }
+
+ *len = punt;
++ if (ans + *len < ans || ans + *len > der_len)
++ return -4;
+ return ans;
+ }
+ }
diff --git a/patches/source/gnutls/gnutls-2.8.6_CVE-2012-1573.diff b/patches/source/gnutls/gnutls-2.8.6_CVE-2012-1573.diff
new file mode 100644
index 00000000..53a8af0e
--- /dev/null
+++ b/patches/source/gnutls/gnutls-2.8.6_CVE-2012-1573.diff
@@ -0,0 +1,39 @@
+From c8cf27468841f2ad51b287176b440c6608edc6ba Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@hush.com>
+Date: Sun, 29 Sep 2013
+Subject: CVE-2012-1573 [GNUTLS-SA-2012-2]
+
+Address a TLS record handling vulnerability in GnuTLS.
+
+This is a backport adaptation for use with GnuTLS 2.8.6.
+
+Relevant upstream commit:
+-------------------------
+https://gitorious.org/gnutls/gnutls/commit/42221486806137
+
+---
+ gnutls_cipher.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/lib/gnutls_cipher.c 2013-09-27
++++ b/lib/gnutls_cipher.c 2013-09-27
+@@ -501,14 +501,13 @@ _gnutls_ciphertext2compressed (gnutls_se
+ {
+ ciphertext.size -= blocksize;
+ ciphertext.data += blocksize;
+-
+- if (ciphertext.size == 0)
+- {
+- gnutls_assert ();
+- return GNUTLS_E_DECRYPTION_FAILED;
+- }
+ }
+
++ if (ciphertext.size < hash_size)
++ {
++ gnutls_assert ();
++ return GNUTLS_E_DECRYPTION_FAILED;
++ }
+ pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */
+
+ if ((int) pad > (int) ciphertext.size - hash_size)
diff --git a/patches/source/gnutls/gnutls-2.8.6_CVE-2013-1619_CVE-2013-2116.diff b/patches/source/gnutls/gnutls-2.8.6_CVE-2013-1619_CVE-2013-2116.diff
new file mode 100644
index 00000000..b5541e11
--- /dev/null
+++ b/patches/source/gnutls/gnutls-2.8.6_CVE-2013-1619_CVE-2013-2116.diff
@@ -0,0 +1,381 @@
+From 24b8c5e02c81e73c2c04022de72a1d354e333e6d Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@hush.com>
+Date: Sun, 29 Sep 2013
+Subject: CVE-2013-1619 and CVE-2013-2116 [GNUTLS-SA-2013-1,GNUTLS-SA-2013-2]
+
+Fix to avoid a timing attack in TLS CBC record parsing (aka Lucky 13).
+
+For background, see http://www.isg.rhul.ac.uk/tls/Lucky13.html
+
+The fix for CVE-2013-2116 is folded into this patch since it addresses
+a problem introduced by the fix for CVE-2013-1619.
+
+This is a backport adaptation for use with GnuTLS 2.8.6.
+
+Relevant upstream commits:
+--------------------------
+https://gitorious.org/gnutls/gnutls/commit/458c67cf98740e
+https://gitorious.org/gnutls/gnutls/commit/93b7fcfa3297a9
+https://gitorious.org/gnutls/gnutls/commit/32a7367601a3fd
+https://gitorious.org/gnutls/gnutls/commit/63a331df6aa0ec
+
+---
+ gnutls_algorithms.c | 14 +++++
+ gnutls_algorithms.h | 3 +
+ gnutls_cipher.c | 132 ++++++++++++++++++++++++++++++++--------------------
+ gnutls_hash_int.h | 21 ++++++++
+ 4 files changed, 121 insertions(+), 49 deletions(-)
+
+--- a/lib/gnutls_cipher.c 2013-09-27
++++ b/lib/gnutls_cipher.c 2013-09-27
+@@ -287,6 +287,26 @@ calc_enc_length (gnutls_session_t sessio
+ return length;
+ }
+
++#define PREAMBLE_SIZE 16
++static inline int make_preamble(opaque* uint64_data, opaque type, uint16_t c_length, opaque ver, opaque* preamble)
++{
++ opaque minor = _gnutls_version_get_minor (ver);
++ opaque major = _gnutls_version_get_major (ver);
++ opaque *p = preamble;
++
++ memcpy(p, uint64_data, 8);
++ p+=8;
++ *p=type; p++;
++ if (_gnutls_version_has_variable_padding (ver))
++ { /* TLS 1.0 or higher */
++ *p = major; p++;
++ *p = minor; p++;
++ }
++ memcpy(p, &c_length, 2);
++ p+=2;
++ return p-preamble;
++}
++
+ /* This is the actual encryption
+ * Encrypts the given compressed datum, and puts the result to cipher_data,
+ * which has cipher_size size.
+@@ -304,11 +324,11 @@ _gnutls_compressed2ciphertext (gnutls_se
+ int length, ret;
+ digest_hd_st td;
+ uint8_t type = _type;
+- uint8_t major, minor;
++ opaque preamble[PREAMBLE_SIZE];
++ int preamble_size;
+ int hash_size =
+ _gnutls_hash_get_algo_len (session->security_parameters.
+ write_mac_algorithm);
+- gnutls_protocol_t ver;
+ int blocksize =
+ _gnutls_cipher_get_block_size (session->security_parameters.
+ write_bulk_cipher_algorithm);
+@@ -316,40 +336,27 @@ _gnutls_compressed2ciphertext (gnutls_se
+ _gnutls_cipher_is_block (session->security_parameters.
+ write_bulk_cipher_algorithm);
+ opaque *data_ptr;
+-
+-
+- ver = gnutls_protocol_get_version (session);
+- minor = _gnutls_version_get_minor (ver);
+- major = _gnutls_version_get_major (ver);
+-
++ int ver = gnutls_protocol_get_version (session);
+
+ /* Initialize MAC */
+- ret = mac_init (&td, session->security_parameters.write_mac_algorithm,
+- session->connection_state.write_mac_secret.data,
+- session->connection_state.write_mac_secret.size, ver);
+-
+- if (ret < 0
+- && session->security_parameters.write_mac_algorithm != GNUTLS_MAC_NULL)
+- {
+- gnutls_assert ();
+- return ret;
+- }
+
+ c_length = _gnutls_conv_uint16 (compressed.size);
+
+ if (session->security_parameters.write_mac_algorithm != GNUTLS_MAC_NULL)
+ { /* actually when the algorithm in not the NULL one */
+- _gnutls_hmac (&td,
+- UINT64DATA (session->connection_state.
+- write_sequence_number), 8);
+-
+- _gnutls_hmac (&td, &type, 1);
+- if (ver >= GNUTLS_TLS1)
+- { /* TLS 1.0 or higher */
+- _gnutls_hmac (&td, &major, 1);
+- _gnutls_hmac (&td, &minor, 1);
+- }
+- _gnutls_hmac (&td, &c_length, 2);
++ digest_hd_st td;
++
++ ret = mac_init (&td, session->security_parameters.write_mac_algorithm,
++ session->connection_state.write_mac_secret.data,
++ session->connection_state.write_mac_secret.size, ver);
++
++ if (ret < 0)
++ {
++ gnutls_assert ();
++ return ret;
++ }
++ preamble_size = make_preamble( UINT64DATA (session->connection_state.write_sequence_number), type, c_length, ver, preamble);
++ _gnutls_hmac (&td, preamble, preamble_size);
+ _gnutls_hmac (&td, compressed.data, compressed.size);
+ mac_deinit (&td, MAC, ver);
+ }
+@@ -418,6 +425,49 @@ _gnutls_compressed2ciphertext (gnutls_se
+ return length;
+ }
+
++static void dummy_wait(gnutls_session_t session, gnutls_datum_t* plaintext,
++ unsigned pad_failed, unsigned int pad, unsigned total, int ver)
++{
++ /* this hack is only needed on CBC ciphers */
++ if (_gnutls_cipher_is_block (session->security_parameters.read_bulk_cipher_algorithm) == CIPHER_BLOCK)
++ {
++ uint8_t MAC[MAX_HASH_SIZE];
++ unsigned len;
++ digest_hd_st td;
++ int ret;
++
++ ret = mac_init (&td, session->security_parameters.read_mac_algorithm,
++ session->connection_state.read_mac_secret.data,
++ session->connection_state.read_mac_secret.size, ver);
++
++ if (ret < 0)
++ return;
++
++ /* force an additional hash compression function evaluation to prevent timing
++ * attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad.
++ */
++ if (pad_failed == 0 && pad > 0)
++ {
++ len = _gnutls_get_hash_block_len(session->security_parameters.read_mac_algorithm);
++ if (len > 0)
++ {
++ /* This is really specific to the current hash functions.
++ * It should be removed once a protocol fix is in place.
++ */
++ if ((pad+total) % len > len-9 && total % len <= len-9)
++ {
++ if (len < plaintext->size)
++ _gnutls_hmac (&td, plaintext->data, len);
++ else
++ _gnutls_hmac (&td, plaintext->data, plaintext->size);
++ }
++ }
++ }
++
++ mac_deinit (&td, MAC, ver);
++ }
++}
++
+ /* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size.
+ * Returns the actual compressed packet size.
+ */
+@@ -429,38 +479,22 @@ _gnutls_ciphertext2compressed (gnutls_se
+ {
+ uint8_t MAC[MAX_HASH_SIZE];
+ uint16_t c_length;
+- uint8_t pad;
++ unsigned int pad = 0;
+ int length;
+ digest_hd_st td;
+ uint16_t blocksize;
+ int ret, i, pad_failed = 0;
+- uint8_t major, minor;
+- gnutls_protocol_t ver;
++ opaque preamble[PREAMBLE_SIZE];
++ int preamble_size = 0;
++ int ver = gnutls_protocol_get_version (session);
+ int hash_size =
+ _gnutls_hash_get_algo_len (session->security_parameters.
+ read_mac_algorithm);
+
+- ver = gnutls_protocol_get_version (session);
+- minor = _gnutls_version_get_minor (ver);
+- major = _gnutls_version_get_major (ver);
+-
+ blocksize =
+ _gnutls_cipher_get_block_size (session->security_parameters.
+ read_bulk_cipher_algorithm);
+
+- /* initialize MAC
+- */
+- ret = mac_init (&td, session->security_parameters.read_mac_algorithm,
+- session->connection_state.read_mac_secret.data,
+- session->connection_state.read_mac_secret.size, ver);
+-
+- if (ret < 0
+- && session->security_parameters.read_mac_algorithm != GNUTLS_MAC_NULL)
+- {
+- gnutls_assert ();
+- return GNUTLS_E_INTERNAL_ERROR;
+- }
+-
+ /* actual decryption (inplace)
+ */
+ switch (_gnutls_cipher_is_block
+@@ -508,31 +542,25 @@ _gnutls_ciphertext2compressed (gnutls_se
+ gnutls_assert ();
+ return GNUTLS_E_DECRYPTION_FAILED;
+ }
+- pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */
+-
+- if ((int) pad > (int) ciphertext.size - hash_size)
+- {
+- gnutls_assert ();
+- _gnutls_record_log
+- ("REC[%p]: Short record length %d > %d - %d (under attack?)\n",
+- session, pad, ciphertext.size, hash_size);
+- /* We do not fail here. We check below for the
+- * the pad_failed. If zero means success.
+- */
+- pad_failed = GNUTLS_E_DECRYPTION_FAILED;
+- }
+-
+- length = ciphertext.size - hash_size - pad;
+-
+- /* Check the pading bytes (TLS 1.x)
++ pad = ciphertext.data[ciphertext.size - 1]; /* pad */
++ if (pad+1 > ciphertext.size-hash_size)
++ pad_failed = GNUTLS_E_DECRYPTION_FAILED;
++
++ /* Check the pading bytes (TLS 1.x).
++ * Note that we access all 256 bytes of ciphertext for padding check
++ * because there is a timing channel in that memory access (in certain CPUs
+ */
+ if (ver >= GNUTLS_TLS1 && pad_failed == 0)
+ for (i = 2; i < pad; i++)
+ {
+- if (ciphertext.data[ciphertext.size - i] !=
+- ciphertext.data[ciphertext.size - 1])
++ if (ciphertext.data[ciphertext.size - i] != pad)
+ pad_failed = GNUTLS_E_DECRYPTION_FAILED;
+ }
++
++ if (pad_failed)
++ pad = 0;
++ length = ciphertext.size - hash_size - pad - 1;
++
+ break;
+ default:
+ gnutls_assert ();
+@@ -548,17 +576,20 @@ _gnutls_ciphertext2compressed (gnutls_se
+ */
+ if (session->security_parameters.read_mac_algorithm != GNUTLS_MAC_NULL)
+ {
+- _gnutls_hmac (&td,
+- UINT64DATA (session->connection_state.
+- read_sequence_number), 8);
+-
+- _gnutls_hmac (&td, &type, 1);
+- if (ver >= GNUTLS_TLS1)
+- { /* TLS 1.x */
+- _gnutls_hmac (&td, &major, 1);
+- _gnutls_hmac (&td, &minor, 1);
+- }
+- _gnutls_hmac (&td, &c_length, 2);
++ digest_hd_st td;
++
++ ret = mac_init (&td, session->security_parameters.read_mac_algorithm,
++ session->connection_state.read_mac_secret.data,
++ session->connection_state.read_mac_secret.size, ver);
++
++ if (ret < 0)
++ {
++ gnutls_assert ();
++ return GNUTLS_E_INTERNAL_ERROR;
++ }
++
++ preamble_size = make_preamble( UINT64DATA (session->connection_state.read_sequence_number), type, c_length, ver, preamble);
++ _gnutls_hmac (&td, preamble, preamble_size);
+
+ if (length > 0)
+ _gnutls_hmac (&td, ciphertext.data, length);
+@@ -566,16 +597,14 @@ _gnutls_ciphertext2compressed (gnutls_se
+ mac_deinit (&td, MAC, ver);
+ }
+
+- /* This one was introduced to avoid a timing attack against the TLS
+- * 1.0 protocol.
+- */
+- if (pad_failed != 0)
+- return pad_failed;
+-
+ /* HMAC was not the same.
+ */
+- if (memcmp (MAC, &ciphertext.data[length], hash_size) != 0)
++ if (memcmp (MAC, &ciphertext.data[length], hash_size) != 0 || pad_failed != 0)
+ {
++ gnutls_datum_t compressed = {compress_data, compress_size};
++ /* HMAC was not the same. */
++ dummy_wait(session, &compressed, pad_failed, pad, length+preamble_size, ver);
++
+ gnutls_assert ();
+ return GNUTLS_E_DECRYPTION_FAILED;
+ }
+--- a/lib/gnutls_hash_int.h 2013-09-27
++++ b/lib/gnutls_hash_int.h 2013-09-27
+@@ -92,4 +92,25 @@ void _gnutls_mac_deinit_ssl3_handshake (
+
+ int _gnutls_hash_copy (digest_hd_st* dst_handle, digest_hd_st * src_handle);
+
++/* We shouldn't need to know that, but a work-around in decoding
++ * TLS record padding requires that.
++ */
++inline static size_t
++_gnutls_get_hash_block_len (gnutls_digest_algorithm_t algo)
++{
++ switch (algo)
++ {
++ case GNUTLS_DIG_MD5:
++ case GNUTLS_DIG_SHA1:
++ case GNUTLS_DIG_RMD160:
++ case GNUTLS_DIG_SHA256:
++ case GNUTLS_DIG_SHA384:
++ case GNUTLS_DIG_SHA512:
++ case GNUTLS_DIG_SHA224:
++ return 64;
++ default:
++ return 0;
++ }
++}
++
+ #endif /* GNUTLS_HASH_INT_H */
+--- a/lib/gnutls_algorithms.c 2013-09-27
++++ b/lib/gnutls_algorithms.c 2013-09-27
+@@ -1185,6 +1185,20 @@ _gnutls_version_is_supported (gnutls_ses
+ return 1;
+ }
+
++/* This function determines if the version specified can have
++ non-minimal padding. */
++int _gnutls_version_has_variable_padding (gnutls_protocol_t version)
++{
++ switch(version) {
++ case GNUTLS_TLS1_0:
++ case GNUTLS_TLS1_1:
++ case GNUTLS_TLS1_2:
++ return 1;
++ default:
++ return 0;
++ }
++}
++
+ /* Type to KX mappings */
+ gnutls_kx_algorithm_t
+ _gnutls_map_kx_get_kx (gnutls_credentials_type_t type, int server)
+--- a/lib/gnutls_algorithms.h 2013-09-27
++++ b/lib/gnutls_algorithms.h 2013-09-27
+@@ -41,6 +41,9 @@ int _gnutls_version_get_major (gnutls_pr
+ int _gnutls_version_get_minor (gnutls_protocol_t ver);
+ gnutls_protocol_t _gnutls_version_get (int major, int minor);
+
++/* Functions for feature checks */
++int _gnutls_version_has_variable_padding (gnutls_protocol_t version);
++
+ /* Functions for MACs. */
+ int _gnutls_mac_is_ok (gnutls_mac_algorithm_t algorithm);
+ gnutls_mac_algorithm_t _gnutls_x509_oid2mac_algorithm (const char *oid);
diff --git a/patches/source/gnutls/gnutls-2.8.6_CVE-2014-0092.diff b/patches/source/gnutls/gnutls-2.8.6_CVE-2014-0092.diff
new file mode 100644
index 00000000..dc37370b
--- /dev/null
+++ b/patches/source/gnutls/gnutls-2.8.6_CVE-2014-0092.diff
@@ -0,0 +1,108 @@
+From 27892001331da24704fca8fa39041289ff7d3cd9 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@hush.com>
+Date: Mon, 03 Mar 2014
+Subject: CVE-2014-0092 (GNUTLS-SA-2014-2)
+
+Fix vulnerabilities in the certificate verification code path.
+The vulnerabilities can be exploited such that specially-crafted
+certificates can bypass certificate validation checks.
+
+This is a backport adaptation for use with GnuTLS 2.8.6.
+
+Relevant upstream commit:
+-------------------------
+https://gitorious.org/gnutls/gnutls/commit/6aa26f78150ccb
+
+---
+ lib/x509/verify.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/lib/x509/verify.c
++++ b/lib/x509/verify.c
+@@ -112,7 +112,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu
+ if (result < 0)
+ {
+ gnutls_assert ();
+- goto cleanup;
++ goto fail;
+ }
+
+ result =
+@@ -121,7 +121,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu
+ if (result < 0)
+ {
+ gnutls_assert ();
+- goto cleanup;
++ goto fail;
+ }
+
+ result =
+@@ -129,7 +129,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu
+ if (result < 0)
+ {
+ gnutls_assert ();
+- goto cleanup;
++ goto fail;
+ }
+
+ result =
+@@ -137,7 +137,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu
+ if (result < 0)
+ {
+ gnutls_assert ();
+- goto cleanup;
++ goto fail;
+ }
+
+ /* If the subject certificate is the same as the issuer
+@@ -177,6 +177,7 @@ check_if_ca (gnutls_x509_crt_t cert, gnu
+ else
+ gnutls_assert ();
+
++fail:
+ result = 0;
+
+ cleanup:
+@@ -269,7 +270,7 @@ _gnutls_verify_certificate2 (gnutls_x509
+ gnutls_datum_t cert_signed_data = { NULL, 0 };
+ gnutls_datum_t cert_signature = { NULL, 0 };
+ gnutls_x509_crt_t issuer;
+- int ret, issuer_version, result;
++ int ret, issuer_version, result = 0;
+
+ if (output)
+ *output = 0;
+@@ -299,7 +300,7 @@ _gnutls_verify_certificate2 (gnutls_x509
+ if (issuer_version < 0)
+ {
+ gnutls_assert ();
+- return issuer_version;
++ return 0;
+ }
+
+ if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
+@@ -320,6 +321,7 @@ _gnutls_verify_certificate2 (gnutls_x509
+ if (result < 0)
+ {
+ gnutls_assert ();
++ result = 0;
+ goto cleanup;
+ }
+
+@@ -328,6 +330,7 @@ _gnutls_verify_certificate2 (gnutls_x509
+ if (result < 0)
+ {
+ gnutls_assert ();
++ result = 0;
+ goto cleanup;
+ }
+
+@@ -337,6 +340,8 @@ _gnutls_verify_certificate2 (gnutls_x509
+ if (ret < 0)
+ {
+ gnutls_assert ();
++ result = 0;
++ goto cleanup;
+ }
+ else if (ret == 0)
+ {
diff --git a/patches/source/gnutls/gnutls-2.8.6_CVE-2014-3466.diff b/patches/source/gnutls/gnutls-2.8.6_CVE-2014-3466.diff
new file mode 100644
index 00000000..41758bec
--- /dev/null
+++ b/patches/source/gnutls/gnutls-2.8.6_CVE-2014-3466.diff
@@ -0,0 +1,312 @@
+From aa7c26454d148c3ce29e428c23f4611b6f366f5c Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@zoho.com>
+Date: Mon, 2 Jun 2014
+Subject: CVE-2014-3466
+
+This is a backport adaptation for use with GnuTLS 2.8.6.
+
+Relevant upstream commit(s):
+-------------------------
+https://gitorious.org/gnutls/gnutls/commit/688ea6428a432c
+https://gitorious.org/gnutls/gnutls/commit/a7be326f0e33cf
+
+---
+ lib/gnutls_handshake.c | 2
+ tests/Makefile.am | 2
+ tests/long-session-id.c | 268 ++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 270 insertions(+), 2 deletions(-)
+
+--- a/lib/gnutls_handshake.c
++++ b/lib/gnutls_handshake.c
+@@ -1618,7 +1618,7 @@ _gnutls_read_server_hello (gnutls_sessio
+ DECR_LEN (len, 1);
+ session_id_len = data[pos++];
+
+- if (len < session_id_len)
++ if (len < session_id_len || session_id_len > TLS_MAX_SESSION_ID_SIZE)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -56,7 +56,8 @@
+ ctests = simple gc set_pkcs12_cred certder mpi \
+ certificate_set_x509_crl dn parse_ca moredn crypto_rng mini \
+ finished hostname-check cve-2008-4989 pkcs12_s2k chainverify \
+- crq_key_id x509sign-verify cve-2009-1415 cve-2009-1416 mini-eagain
++ crq_key_id x509sign-verify cve-2009-1415 cve-2009-1416 \
++ mini-eagain long-session-id
+
+ if ENABLE_OPENSSL
+ ctests += openssl
+--- /dev/null
++++ b/tests/long-session-id.c
+@@ -0,0 +1,268 @@
++/*
++ * Copyright (C) 2012 Free Software Foundation, Inc.
++ *
++ * Author: Nikos Mavrogiannopoulos
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GnuTLS; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
++ */
++
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
++
++#include <stdio.h>
++#include <stdlib.h>
++
++#if defined(_WIN32)
++
++int main()
++{
++ exit(77);
++}
++
++#else
++
++#include <string.h>
++#include <sys/types.h>
++#include <netinet/in.h>
++#include <sys/socket.h>
++#include <sys/wait.h>
++#include <arpa/inet.h>
++#include <unistd.h>
++#include <gnutls/gnutls.h>
++#include <signal.h>
++
++static int debug = 0;
++static void terminate(int);
++
++/* This program tests the robustness of record
++ * decoding.
++ */
++
++static void client_log_func(int level, const char *str)
++{
++ fprintf(stderr, "client|<%d>| %s", level, str);
++}
++
++static unsigned char server_cert_pem[] =
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n"
++ "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n"
++ "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n"
++ "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n"
++ "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n"
++ "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n"
++ "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n"
++ "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n"
++ "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n"
++ "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n"
++ "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n"
++ "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n"
++ "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n";
++
++const gnutls_datum_t server_cert = { server_cert_pem,
++ sizeof(server_cert_pem)
++};
++
++static unsigned char server_key_pem[] =
++ "-----BEGIN RSA PRIVATE KEY-----\n"
++ "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n"
++ "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n"
++ "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n"
++ "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n"
++ "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n"
++ "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n"
++ "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n"
++ "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n"
++ "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n"
++ "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n"
++ "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n"
++ "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n"
++ "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n"
++ "-----END RSA PRIVATE KEY-----\n";
++
++const gnutls_datum_t server_key = { server_key_pem,
++ sizeof(server_key_pem)
++};
++
++
++/* A very basic TLS client, with anonymous authentication.
++ */
++
++static void client(int fd, const char *prio)
++{
++ int ret;
++ gnutls_anon_client_credentials_t anoncred;
++ gnutls_certificate_credentials_t x509_cred;
++ gnutls_session_t session;
++ /* Need to enable anonymous KX specifically. */
++
++ gnutls_global_init();
++
++ if (debug) {
++ gnutls_global_set_log_function(client_log_func);
++ gnutls_global_set_log_level(7);
++ }
++
++ gnutls_anon_allocate_client_credentials(&anoncred);
++ gnutls_certificate_allocate_credentials(&x509_cred);
++
++ /* Initialize TLS session
++ */
++ gnutls_init(&session, GNUTLS_CLIENT);
++
++ /* Use default priorities */
++ gnutls_priority_set_direct(session, prio, NULL);
++
++ /* put the anonymous credentials to the current session
++ */
++ gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
++ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
++
++ gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) fd);
++
++ /* Perform the TLS handshake
++ */
++ do {
++ ret = gnutls_handshake(session);
++ }
++ while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
++
++ if (ret < 0) {
++ fprintf(stderr, "client: Handshake failed (expected)\n");
++ gnutls_perror(ret);
++ exit(0);
++ } else {
++ if (debug)
++ fprintf(stderr, "client: Handshake was completed\n");
++ }
++
++ close(fd);
++
++ gnutls_deinit(session);
++
++ gnutls_anon_free_client_credentials(anoncred);
++ gnutls_certificate_free_credentials(x509_cred);
++
++ gnutls_global_deinit();
++}
++
++
++/* These are global */
++pid_t child;
++
++static void terminate(int ret)
++{
++ kill(child, SIGTERM);
++ exit(ret);
++}
++
++static void server(int fd, const char *prio)
++{
++ int ret;
++ uint8_t id[255];
++ uint8_t buffer[] = "\x16\x03\x00\x01\x25"
++ "\x02\x00\x01\x21"
++ "\x03\x00"/*Server Version */
++ /*Random*/"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00"
++ /*SessionID*/"\xfe";
++
++ ret = read(fd, id, sizeof(id));
++ if (ret < 0) {
++ abort();
++ }
++
++ ret = write(fd, buffer, sizeof(buffer));
++ if (ret < 0) {
++ return;
++ }
++
++ memset(id, 0xff, sizeof(id));
++ ret = write(fd, id, sizeof(id));
++ if (ret < 0) {
++ return;
++ }
++
++ memset(id, 0xff, sizeof(id));
++ ret = write(fd, id, sizeof(id));
++ if (ret < 0) {
++ return;
++ }
++ sleep(3);
++
++ return;
++}
++
++static void start(const char *prio)
++{
++ int fd[2];
++ int ret;
++
++ ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
++ if (ret < 0) {
++ perror("socketpair");
++ exit(1);
++ }
++
++ child = fork();
++ if (child < 0) {
++ perror("fork");
++ exit(1);
++ }
++
++ if (child) {
++ /* parent */
++ close(fd[1]);
++ server(fd[0], prio);
++ kill(child, SIGTERM);
++ } else {
++ close(fd[0]);
++ client(fd[1], prio);
++ exit(0);
++ }
++}
++
++static void ch_handler(int sig)
++{
++ int status, ret = 0;
++ wait(&status);
++ if (WEXITSTATUS(status) != 0 ||
++ (WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV)) {
++ if (WIFSIGNALED(status)) {
++ fprintf(stderr, "Child died with sigsegv\n");
++ ret = 1;
++ } else {
++ fprintf(stderr, "Child died with status %d\n",
++ WEXITSTATUS(status));
++ }
++ terminate(ret);
++ }
++ return;
++}
++
++int main(int argc, char **argv)
++{
++ signal(SIGCHLD, ch_handler);
++
++ if (argc > 1)
++ debug = 1;
++
++ start("NORMAL");
++ return 0;
++}
++
++#endif /* _WIN32 */
diff --git a/patches/source/gnutls/gnutls-2.8.6_CVE-2014-3467.diff b/patches/source/gnutls/gnutls-2.8.6_CVE-2014-3467.diff
new file mode 100644
index 00000000..26427ef8
--- /dev/null
+++ b/patches/source/gnutls/gnutls-2.8.6_CVE-2014-3467.diff
@@ -0,0 +1,45 @@
+From b91a75fb2a91a1c7c1a068b25ee073f308f2c7ca Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@zoho.com>
+Date: Mon, 2 Jun 2014
+Subject: CVE-2014-3467
+
+This is a backport adaptation for use with GnuTLS 2.8.6.
+
+Relevant upstream commit(s):
+-------------------------
+http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=ff3b5c68cc32e3
+http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=51612fca32dda4
+
+---
+ lib/minitasn1/decoding.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/lib/minitasn1/decoding.c
++++ b/lib/minitasn1/decoding.c
+@@ -135,7 +135,7 @@ asn1_get_tag_der (const unsigned char *d
+ /* Long form */
+ punt = 1;
+ ris = 0;
+- while (punt <= der_len && der[punt] & 128)
++ while (punt < der_len && der[punt] & 128)
+ {
+ int last = ris;
+ ris = ris * 128 + (der[punt++] & 0x7F);
+@@ -245,7 +245,7 @@ _asn1_get_time_der (const unsigned char
+ if (der_len <= 0 || str == NULL)
+ return ASN1_DER_ERROR;
+ str_len = asn1_get_length_der (der, der_len, &len_len);
+- if (str_len < 0 || str_size < str_len)
++ if (str_len <= 0 || str_size < str_len)
+ return ASN1_DER_ERROR;
+ memcpy (str, der + len_len, str_len);
+ str[str_len] = 0;
+@@ -273,7 +273,7 @@ _asn1_get_objectid_der (const unsigned c
+ return ASN1_GENERIC_ERROR;
+ len = asn1_get_length_der (der, der_len, &len_len);
+
+- if (len < 0 || len > der_len || len_len > der_len)
++ if (len <= 0 || len > der_len || len_len > der_len)
+ return ASN1_DER_ERROR;
+
+ val1 = der[len_len] / 40;
diff --git a/patches/source/gnutls/gnutls-2.8.6_CVE-2014-3468.diff b/patches/source/gnutls/gnutls-2.8.6_CVE-2014-3468.diff
new file mode 100644
index 00000000..72124727
--- /dev/null
+++ b/patches/source/gnutls/gnutls-2.8.6_CVE-2014-3468.diff
@@ -0,0 +1,45 @@
+From 38cb901f92d8977ca74f324cb04d53a4870458a6 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@zoho.com>
+Date: Mon, 2 Jun 2014
+Subject: CVE-2014-3468
+
+This is a backport adaptation for use with GnuTLS 2.8.6.
+
+Relevant upstream commit(s):
+-------------------------
+http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=1c3ccb3e040bf1
+
+---
+ lib/minitasn1/decoding.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/lib/minitasn1/decoding.c
++++ b/lib/minitasn1/decoding.c
+@@ -210,7 +210,7 @@ asn1_get_octet_der (const unsigned char
+ int *ret_len, unsigned char *str, int str_size,
+ int *str_len)
+ {
+- int len_len;
++ int len_len = 0;
+
+ if (der_len <= 0)
+ return ASN1_GENERIC_ERROR;
+@@ -335,7 +335,7 @@ asn1_get_bit_der (const unsigned char *d
+ int *ret_len, unsigned char *str, int str_size,
+ int *bit_len)
+ {
+- int len_len, len_byte;
++ int len_len = 0, len_byte;
+
+ if (der_len <= 0)
+ return ASN1_GENERIC_ERROR;
+@@ -346,6 +346,9 @@ asn1_get_bit_der (const unsigned char *d
+ *ret_len = len_byte + len_len + 1;
+ *bit_len = len_byte * 8 - der[len_len];
+
++ if (*bit_len <= 0)
++ return ASN1_DER_ERROR;
++
+ if (str_size >= len_byte)
+ memcpy (str, der + len_len + 1, len_byte);
+ else
diff --git a/patches/source/gnutls/gnutls-2.8.6_CVE-2014-3469.diff b/patches/source/gnutls/gnutls-2.8.6_CVE-2014-3469.diff
new file mode 100644
index 00000000..37b97c74
--- /dev/null
+++ b/patches/source/gnutls/gnutls-2.8.6_CVE-2014-3469.diff
@@ -0,0 +1,122 @@
+From b2477c9d1d2b550abade87651382880d370d2803 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@zoho.com>
+Date: Mon, 2 Jun 2014
+Subject: CVE-2014-3469
+
+This is a backport adaptation for use with GnuTLS 2.8.6.
+
+Relevant upstream commit(s):
+-------------------------
+http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=a8b3e14f84174e
+http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=3d6a02f19ff15a
+http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=53958290ab731c
+
+---
+ lib/minitasn1/decoding.c | 11 ++++++++---
+ lib/minitasn1/element.c | 27 ++++++++++++++++++---------
+ 2 files changed, 26 insertions(+), 12 deletions(-)
+
+--- a/lib/minitasn1/decoding.c
++++ b/lib/minitasn1/decoding.c
+@@ -215,7 +215,6 @@ asn1_get_octet_der (const unsigned char
+ if (der_len <= 0)
+ return ASN1_GENERIC_ERROR;
+
+- /* if(str==NULL) return ASN1_SUCCESS; */
+ *str_len = asn1_get_length_der (der, der_len, &len_len);
+
+ if (*str_len < 0)
+@@ -223,7 +222,10 @@ asn1_get_octet_der (const unsigned char
+
+ *ret_len = *str_len + len_len;
+ if (str_size >= *str_len)
+- memcpy (str, der + len_len, *str_len);
++ {
++ if (*str_len > 0 && str != NULL)
++ memcpy (str, der + len_len, *str_len);
++ }
+ else
+ {
+ return ASN1_MEM_ERROR;
+@@ -350,7 +352,10 @@ asn1_get_bit_der (const unsigned char *d
+ return ASN1_DER_ERROR;
+
+ if (str_size >= len_byte)
+- memcpy (str, der + len_len + 1, len_byte);
++ {
++ if (len_byte > 0 && str)
++ memcpy (str, der + len_len + 1, len_byte);
++ }
+ else
+ {
+ return ASN1_MEM_ERROR;
+--- a/lib/minitasn1/element.c
++++ b/lib/minitasn1/element.c
+@@ -113,8 +113,11 @@ _asn1_convert_integer (const unsigned ch
+ /* VALUE_OUT is too short to contain the value conversion */
+ return ASN1_MEM_ERROR;
+
+- for (k2 = k; k2 < SIZEOF_UNSIGNED_LONG_INT; k2++)
+- value_out[k2 - k] = val[k2];
++ if (value_out != NULL)
++ {
++ for (k2 = k; k2 < SIZEOF_UNSIGNED_LONG_INT; k2++)
++ value_out[k2 - k] = val[k2];
++ }
+
+ #if 0
+ printf ("_asn1_convert_integer: valueIn=%s, lenOut=%d", value, *len);
+@@ -623,7 +626,8 @@ asn1_write_value (asn1_node node_root, c
+ if (ptr_size < data_size) { \
+ return ASN1_MEM_ERROR; \
+ } else { \
+- memcpy( ptr, data, data_size); \
++ if (ptr && data_size > 0) \
++ memcpy( ptr, data, data_size); \
+ }
+
+ #define PUT_STR_VALUE( ptr, ptr_size, data) \
+@@ -632,16 +626,19 @@ asn1_write_value (asn1_node node_root, c
+ return ASN1_MEM_ERROR; \
+ } else { \
+ /* this strcpy is checked */ \
+- strcpy(ptr, data); \
++ if (ptr) { \
++ strcpy(ptr, data); \
++ } \
+ }
+
+ #define ADD_STR_VALUE( ptr, ptr_size, data) \
+- *len = (int) strlen(data) + 1; \
+- if (ptr_size < (int) strlen(ptr)+(*len)) { \
++ *len += strlen(data); \
++ if (ptr_size < (int) *len) { \
++ (*len)++; \
+ return ASN1_MEM_ERROR; \
+ } else { \
+ /* this strcat is checked */ \
+- strcat(ptr, data); \
++ if (ptr) strcat (ptr, data); \
+ }
+
+ /**
+@@ -803,7 +810,9 @@ asn1_read_value (asn1_node root, const c
+ case TYPE_OBJECT_ID:
+ if (node->type & CONST_ASSIGN)
+ {
+- value[0] = 0;
++ *len = 0;
++ if (value)
++ value[0] = 0;
+ p = node->down;
+ while (p)
+ {
+@@ -817,7 +826,7 @@ asn1_read_value (asn1_node root, const c
+ }
+ p = p->right;
+ }
+- *len = strlen (value) + 1;
++ (*len)++;
+ }
+ else if ((node->type & CONST_DEFAULT) && (node->value == NULL))
+ {
diff --git a/patches/source/gnutls/gnutls-2.8.6_ipv6.diff b/patches/source/gnutls/gnutls-2.8.6_ipv6.diff
new file mode 100644
index 00000000..ea32a20a
--- /dev/null
+++ b/patches/source/gnutls/gnutls-2.8.6_ipv6.diff
@@ -0,0 +1,51 @@
+From 2040d99b1844c60375e76148ea306637efd53383 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@hush.com>
+Date: Sun, 29 Sep 2013
+Subject: Fix binding of IPV6 address in gnutls-serv
+
+On Linux with /proc/sys/net/ipv6/bindv6only == 0 (which is now the
+default), gnutls-serv cannot listen on ipv6.
+
+Fix adapted for use with GnuTLS 2.8.6.
+
+Relevant upstream commits:
+--------------------------
+https://gitorious.org/gnutls/gnutls/commit/1c315602306afc
+https://gitorious.org/gnutls/gnutls/commit/9c1536d514dd83
+
+---
+ serv.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/src/serv.c 2013-09-29
++++ b/src/serv.c 2013-09-29
+@@ -677,6 +677,11 @@ listen_socket (const char *name, int lis
+
+ for (ptr = res; ptr != NULL; ptr = ptr->ai_next)
+ {
++#ifndef HAVE_IPV6
++ if (ptr->ai_family != AF_INET)
++ continue;
++#endif
++
+ /* Print what we are doing. */
+ {
+ char topbuf[512];
+@@ -694,6 +699,17 @@ listen_socket (const char *name, int lis
+ continue;
+ }
+
++#if defined(HAVE_IPV6) && !defined(_WIN32)
++ if (ptr->ai_family == AF_INET6)
++ {
++ yes = 1;
++ /* avoid listen on ipv6 addresses failing
++ * because already listening on ipv4 addresses: */
++ setsockopt (s, IPPROTO_IPV6, IPV6_V6ONLY,
++ (const void *) &yes, sizeof (yes));
++ }
++#endif
++
+ yes = 1;
+ if (setsockopt (s, SOL_SOCKET, SO_REUSEADDR,
+ (const void *) &yes, sizeof (yes)) < 0)
diff --git a/patches/source/gnutls/gnutls-2.8.6_libgcrypt150-fix.diff b/patches/source/gnutls/gnutls-2.8.6_libgcrypt150-fix.diff
new file mode 100644
index 00000000..29923091
--- /dev/null
+++ b/patches/source/gnutls/gnutls-2.8.6_libgcrypt150-fix.diff
@@ -0,0 +1,162 @@
+From 816ad8cf6e3707a4dc1f67a5aa06530c895273d5 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@hush.com>
+Date: Sun, 29 Sep 2013
+Subject: Fix problem when using libgcrypt 1.5.0+
+
+Fix GnuTLS to not rely on a bug present in libgcrypt before 1.5.0
+in gcry_sexp_nth_mpi().
+
+Relevant discussion:
+--------------------
+https://lists.gnu.org/archive/html/gnutls-devel/2011-07/msg00006.html
+
+---
+ pk-libgcrypt.c | 32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+--- a/lib/pk-libgcrypt.c 2013-09-27
++++ b/lib/pk-libgcrypt.c 2013-09-27
+@@ -112,7 +112,7 @@ _wrap_gcry_pk_encrypt (gnutls_pk_algorit
+ goto cleanup;
+ }
+
+- res = gcry_sexp_nth_mpi (list, 1, 0);
++ res = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release (list);
+ if (res == NULL)
+ {
+@@ -202,7 +202,7 @@ _wrap_gcry_pk_decrypt (gnutls_pk_algorit
+ goto cleanup;
+ }
+
+- res = gcry_sexp_nth_mpi (s_plain, 0, 0);
++ res = gcry_sexp_nth_mpi (s_plain, 0, GCRYMPI_FMT_USG);
+ if (res == NULL)
+ {
+ gnutls_assert ();
+@@ -327,7 +327,7 @@ _wrap_gcry_pk_sign (gnutls_pk_algorithm_
+ goto cleanup;
+ }
+
+- res[0] = gcry_sexp_nth_mpi (list, 1, 0);
++ res[0] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release (list);
+
+ list = gcry_sexp_find_token (s_sig, "s", 0);
+@@ -338,7 +338,7 @@ _wrap_gcry_pk_sign (gnutls_pk_algorithm_
+ goto cleanup;
+ }
+
+- res[1] = gcry_sexp_nth_mpi (list, 1, 0);
++ res[1] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release (list);
+
+ ret = _gnutls_encode_ber_rs (signature, res[0], res[1]);
+@@ -360,7 +360,7 @@ _wrap_gcry_pk_sign (gnutls_pk_algorithm_
+ goto cleanup;
+ }
+
+- res[0] = gcry_sexp_nth_mpi (list, 1, 0);
++ res[0] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release (list);
+
+ ret = _gnutls_mpi_dprint (res[0], signature);
+@@ -559,7 +559,7 @@ _dsa_generate_params (bigint_t * resarr,
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
+- resarr[0] = gcry_sexp_nth_mpi (list, 1, 0);
++ resarr[0] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release (list);
+
+ list = gcry_sexp_find_token (key, "q", 0);
+@@ -570,7 +570,7 @@ _dsa_generate_params (bigint_t * resarr,
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
+- resarr[1] = gcry_sexp_nth_mpi (list, 1, 0);
++ resarr[1] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release (list);
+
+ list = gcry_sexp_find_token (key, "g", 0);
+@@ -581,7 +581,7 @@ _dsa_generate_params (bigint_t * resarr,
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
+- resarr[2] = gcry_sexp_nth_mpi (list, 1, 0);
++ resarr[2] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release (list);
+
+ list = gcry_sexp_find_token (key, "y", 0);
+@@ -592,7 +592,7 @@ _dsa_generate_params (bigint_t * resarr,
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
+- resarr[3] = gcry_sexp_nth_mpi (list, 1, 0);
++ resarr[3] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release (list);
+
+
+@@ -604,7 +604,7 @@ _dsa_generate_params (bigint_t * resarr,
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
+- resarr[4] = gcry_sexp_nth_mpi (list, 1, 0);
++ resarr[4] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+
+ gcry_sexp_release (list);
+ gcry_sexp_release (key);
+@@ -653,7 +653,7 @@ _rsa_generate_params (bigint_t * resarr,
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
+- resarr[0] = gcry_sexp_nth_mpi (list, 1, 0);
++ resarr[0] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release (list);
+
+ list = gcry_sexp_find_token (key, "e", 0);
+@@ -664,7 +664,7 @@ _rsa_generate_params (bigint_t * resarr,
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
+- resarr[1] = gcry_sexp_nth_mpi (list, 1, 0);
++ resarr[1] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release (list);
+
+ list = gcry_sexp_find_token (key, "d", 0);
+@@ -675,7 +675,7 @@ _rsa_generate_params (bigint_t * resarr,
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
+- resarr[2] = gcry_sexp_nth_mpi (list, 1, 0);
++ resarr[2] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release (list);
+
+ list = gcry_sexp_find_token (key, "p", 0);
+@@ -686,7 +686,7 @@ _rsa_generate_params (bigint_t * resarr,
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
+- resarr[3] = gcry_sexp_nth_mpi (list, 1, 0);
++ resarr[3] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release (list);
+
+
+@@ -698,7 +698,7 @@ _rsa_generate_params (bigint_t * resarr,
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
+- resarr[4] = gcry_sexp_nth_mpi (list, 1, 0);
++ resarr[4] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release (list);
+
+
+@@ -710,7 +710,7 @@ _rsa_generate_params (bigint_t * resarr,
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
+- resarr[5] = gcry_sexp_nth_mpi (list, 1, 0);
++ resarr[5] = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+
+ gcry_sexp_release (list);
+ gcry_sexp_release (key);
diff --git a/patches/source/gnutls/gnutls.SlackBuild b/patches/source/gnutls/gnutls.SlackBuild
new file mode 100755
index 00000000..50a32df8
--- /dev/null
+++ b/patches/source/gnutls/gnutls.SlackBuild
@@ -0,0 +1,145 @@
+#!/bin/sh
+
+# Copyright 2007 Robby Workman (http://rlworkman.net)
+# Copyright 2007, 2008, 2009, 2010, 2014 Patrick Volkerding, Sebeka, MN, USA
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+PKGNAM=gnutls
+VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z* | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
+BUILD=${BUILD:-4_slack13.1}
+
+# Automatically determine the architecture we're building on:
+if [ -z "$ARCH" ]; then
+ case "$( uname -m )" in
+ i?86) export ARCH=i486 ;;
+ arm*) export ARCH=arm ;;
+ # Unless $ARCH is already set, use uname -m for all other archs:
+ *) export ARCH=$( uname -m ) ;;
+ esac
+fi
+
+NUMJOBS=${NUMJOBS:-" -j7 "}
+
+if [ "$ARCH" = "i486" ]; then
+ SLKCFLAGS="-O2 -march=i486 -mtune=i686"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "s390" ]; then
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "x86_64" ]; then
+ SLKCFLAGS="-O2 -fPIC"
+ LIBDIRSUFFIX="64"
+else
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+fi
+
+CWD=$(pwd)
+TMP=${TMP:-/tmp}
+PKG=$TMP/package-$PKGNAM
+rm -rf $PKG
+mkdir -p $TMP $PKG
+
+cd $TMP
+
+rm -rf $PKGNAM-$VERSION
+if [ -r $CWD/$PKGNAM-$VERSION.tar.gz ]; then
+ tar xf $CWD/$PKGNAM-$VERSION.tar.gz || exit 1
+elif [ -r $CWD/$PKGNAM-$VERSION.tar.bz2 ]; then
+ tar xf $CWD/$PKGNAM-$VERSION.tar.bz2 || exit 1
+elif [ -r $CWD/$PKGNAM-$VERSION.tar.xz ]; then
+ tar xf $CWD/$PKGNAM-$VERSION.tar.xz || exit 1
+elif [ -r $CWD/$PKGNAM-$VERSION.tar.lzma ]; then
+ tar xf $CWD/$PKGNAM-$VERSION.tar.lzma || exit 1
+else
+ exit 1
+fi
+
+
+cd $PKGNAM-$VERSION
+chown -R root:root .
+find . \
+ \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
+ -exec chmod 755 {} \; -o \
+ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
+ -exec chmod 644 {} \;
+
+zcat $CWD/gnutls-2.8.6_CVE-2009-3555.diff.gz | patch -p1 --verbose || exit 1
+zcat $CWD/gnutls-2.8.6_CVE-2011-4128.diff.gz | patch -p1 --verbose || exit 1
+zcat $CWD/gnutls-2.8.6_CVE-2012-1569.diff.gz | patch -p1 --verbose || exit 1
+zcat $CWD/gnutls-2.8.6_CVE-2012-1573.diff.gz | patch -p1 --verbose || exit 1
+zcat $CWD/gnutls-2.8.6_CVE-2013-1619_CVE-2013-2116.diff.gz | patch -p1 --verbose || exit 1
+zcat $CWD/gnutls-2.8.6_libgcrypt150-fix.diff.gz | patch -p1 --verbose || exit 1
+zcat $CWD/gnutls-2.8.6_ipv6.diff.gz | patch -p1 --verbose || exit 1
+zcat $CWD/gnutls-2.8.6_CVE-2014-0092.diff.gz | patch -p1 --verbose || exit 1
+zcat $CWD/gnutls-2.8.6_CVE-2014-3466.diff.gz | patch -p1 --verbose || exit 1
+zcat $CWD/gnutls-2.8.6_CVE-2014-3467.diff.gz | patch -p1 --verbose || exit 1
+zcat $CWD/gnutls-2.8.6_CVE-2014-3468.diff.gz | patch -p1 --verbose || exit 1
+zcat $CWD/gnutls-2.8.6_CVE-2014-3469.diff.gz | patch -p1 --verbose || exit 1
+
+CFLAGS="$SLKCFLAGS" \
+CXXFLAGS="$SLKCFLAGS" \
+./configure \
+ --prefix=/usr \
+ --libdir=/usr/lib${LIBDIRSUFFIX} \
+ --sysconfdir=/etc \
+ --localstatedir=/var \
+ --infodir=/usr/info \
+ --mandir=/usr/man \
+ --enable-static=no \
+ --build=$ARCH-slackware-linux \
+ --host=$ARCH-slackware-linux
+
+make $NUMJOBS || make || exit 1
+make install DESTDIR=$PKG || exit 1
+
+find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF \
+ | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
+
+( cd $PKG/usr/man
+ find . -type f -exec gzip -9 {} \;
+ for i in $(find . -type l) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done
+)
+
+( cd $PKG/usr/info
+ rm -f dir
+ gzip -9 *.info*
+)
+
+mkdir -p $PKG/usr/doc/$PKGNAM-$VERSION
+cp -a \
+ ABOUT-NLS AUTHORS COPYING* INSTALL NEWS README* THANKS \
+ $PKG/usr/doc/$PKGNAM-$VERSION
+
+# If there's a ChangeLog, installing at least part of the recent history
+# is useful, but don't let it get totally out of control:
+if [ -r ChangeLog ]; then
+ DOCSDIR=$(echo $PKG/usr/doc/${PKGNAM}-$VERSION)
+ cat ChangeLog | head -n 1000 > $DOCSDIR/ChangeLog
+ touch -r ChangeLog $DOCSDIR/ChangeLog
+fi
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+
+cd $PKG
+/sbin/makepkg -l y -c n -p $TMP/$PKGNAM-$VERSION-$ARCH-$BUILD.txz
+
diff --git a/patches/source/gnutls/slack-desc b/patches/source/gnutls/slack-desc
new file mode 100644
index 00000000..49fdb9f0
--- /dev/null
+++ b/patches/source/gnutls/slack-desc
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|'
+# on the right side marks the last column you can put a character in. You must
+# make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':'.
+
+ |-----handy-ruler------------------------------------------------------|
+gnutls: gnutls (GNU TLS library)
+gnutls:
+gnutls: This is a TLS (Transport Layer Security) 1.0 and SSL (Secure Sockets
+gnutls: Layer) 3.0 implementation. In brief, GnuTLS can be described as a
+gnutls: library which offers an API to access secure communication protocols.
+gnutls: These protocols provide privacy over insecure lines, and were designed
+gnutls: to prevent eavesdropping, tampering, or message forgery.
+gnutls:
+gnutls: Homepage: http://www.gnu.org/software/gnutls/
+gnutls:
+gnutls: