author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2004-02-25 12:01:36 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2004-02-25 12:01:36 +0000 |
commit | b0e62fa82305af837cef118da070bf20c1aee3c1 (patch) | |
tree | 251bdc707b1aaff9c46aac3b138e1c08cb28d016 | |
parent | ceea305ea20a141b3a76616f7bd8435c6b21ece5 (diff) | |
download | gnutls-b0e62fa82305af837cef118da070bf20c1aee3c1.tar.gz |
*** empty log message ***gnutls_1_0_7
-rw-r--r-- | NEWS | 6 | ||||
-rw-r--r-- | configure.in | 2 | ||||
-rw-r--r-- | lib/gnutls.h.in.in | 2 | ||||
-rw-r--r-- | lib/gnutls_algorithms.c | 1 | ||||
-rw-r--r-- | lib/gnutls_cipher.c | 26 | ||||
-rw-r--r-- | src/cli.c | 2 | ||||
-rw-r--r-- | src/common.c | 5 | ||||
-rw-r--r-- | src/serv.c | 2 | ||||
-rw-r--r-- | src/tests.c | 133 | ||||
-rw-r--r-- | src/tests.h | 7 | ||||
-rw-r--r-- | src/tls_test-gaa.c | 19 | ||||
-rw-r--r-- | src/tls_test.c | 28 |
12 files changed, 197 insertions, 36 deletions
@@ -1,5 +1,7 @@ -Version 1.0.7 -- Corrected the return values of gnutls_x509_crt_check_hostname(). +Version 1.0.7 (25/02/2004) +- Implemented TLS 1.1 (and also obsoleted the TLS 1.0 CBC protection + hack). +- Some updates in the documentation. Version 1.0.6 (12/02/2004) * Backported things from the development branch (while maintaining diff --git a/configure.in b/configure.in index cd84165075..2c79e5db8e 100644 --- a/configure.in +++ b/configure.in @@ -12,7 +12,7 @@ AC_DEFINE_UNQUOTED(T_OS, "$target_os", [OS name]) dnl Gnutls Version GNUTLS_MAJOR_VERSION=1 GNUTLS_MINOR_VERSION=0 -GNUTLS_MICRO_VERSION=6 +GNUTLS_MICRO_VERSION=7 GNUTLS_VERSION=$GNUTLS_MAJOR_VERSION.$GNUTLS_MINOR_VERSION.$GNUTLS_MICRO_VERSION AC_DEFINE_UNQUOTED(GNUTLS_VERSION, "$GNUTLS_VERSION", [version of gnutls]) diff --git a/lib/gnutls.h.in.in b/lib/gnutls.h.in.in index aa1f34e8b3..e4183ee103 100644 --- a/lib/gnutls.h.in.in +++ b/lib/gnutls.h.in.in @@ -148,7 +148,7 @@ typedef enum gnutls_close_request { GNUTLS_SHUT_RDWR=0, GNUTLS_SHUT_WR=1 } gnutl #define GNUTLS_TLS1 GNUTLS_TLS1_0 typedef enum gnutls_protocol_version { GNUTLS_SSL3=1, GNUTLS_TLS1_0, - } gnutls_protocol_version; + GNUTLS_TLS1_1 } gnutls_protocol_version; typedef enum gnutls_certificate_type { GNUTLS_CRT_X509=1, GNUTLS_CRT_OPENPGP } gnutls_certificate_type; diff --git a/lib/gnutls_algorithms.c b/lib/gnutls_algorithms.c index 30c330fddf..db5876317b 100644 --- a/lib/gnutls_algorithms.c +++ b/lib/gnutls_algorithms.c @@ -109,6 +109,7 @@ typedef struct { static const gnutls_version_entry sup_versions[] = { {"SSL 3.0", GNUTLS_SSL3, 3, 0, 1}, {"TLS 1.0", GNUTLS_TLS1, 3, 1, 1}, + {"TLS 1.1", GNUTLS_TLS1_1, 3, 2, 1}, {0, 0, 0, 0, 0} }; diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c index 3394dd7b4f..259f7a67a3 100644 --- a/lib/gnutls_cipher.c +++ b/lib/gnutls_cipher.c 
@@ -228,6 +228,9 @@ int length; *pad = (uint8) (blocksize - (length % blocksize)) + rand; length += *pad; + if ( session->security_parameters.version >= GNUTLS_TLS1_1) + length += blocksize; /* for the IV */ + break; default: gnutls_assert(); @@ -312,6 +315,17 @@ int _gnutls_compressed2ciphertext(gnutls_session session, } data_ptr = cipher_data; + if ( block_algo==CIPHER_BLOCK && + session->security_parameters.version >= GNUTLS_TLS1_1) + { + /* copy the random IV. + */ + if (_gnutls_get_random(data_ptr, blocksize, GNUTLS_WEAK_RANDOM) < 0) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + data_ptr += blocksize; + } memcpy(data_ptr, compressed.data, compressed.size); data_ptr += compressed.size; @@ -405,6 +419,18 @@ int _gnutls_ciphertext2compressed(gnutls_session session, return ret; } + /* ignore the IV in TLS 1.1. + */ + if (session->security_parameters.version >= GNUTLS_TLS1_1) { + ciphertext.size -= blocksize; + ciphertext.data += blocksize; + + if (ciphertext.size == 0) { + gnutls_assert(); + return GNUTLS_E_DECRYPTION_FAILED; + } + } + pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */ length = @@ -74,7 +74,7 @@ static gnutls_srp_client_credentials srp_cred; static gnutls_anon_client_credentials anon_cred; static gnutls_certificate_credentials xcred; -int protocol_priority[PRI_MAX] = { GNUTLS_TLS1_0, GNUTLS_SSL3, 0 }; +int protocol_priority[PRI_MAX] = { GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 }; int kx_priority[PRI_MAX] = { GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, /* Do not use anonymous authentication, unless you know what that means */ diff --git a/src/common.c b/src/common.c index 1bc7d45aed..8b9a411c19 100644 --- a/src/common.c +++ b/src/common.c @@ -490,6 +490,7 @@ void print_list(void) printf("Protocols:"); printf(" TLS1.0"); + printf(", TLS1.1"); printf(", SSL3.0\n"); printf("Ciphers:"); 
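Review bot: The explicit per-record IV added to `_gnutls_compressed2ciphertext` is drawn with `GNUTLS_WEAK_RANDOM`, yet the explicit IV only replaces the TLS 1.0 CBC workaround if the peer cannot predict it before the record is sent. What quality `GNUTLS_WEAK_RANDOM` guarantees is not visible in this hunk, so either request a stronger level from `_gnutls_get_random` or add a comment stating why the weak level is still unpredictable here. The failure path also returns `GNUTLS_E_MEMORY_ERROR` for a random-generator failure, which will mislead anyone triaging the error; returning the value `_gnutls_get_random` reported would be more accurate. The function starts and ends outside the hunk.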
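Review bot: In the TLS 1.1 branch added to `_gnutls_ciphertext2compressed`, `ciphertext.size -= blocksize` runs before any length check visible in this hunk, and the following `ciphertext.size == 0` test cannot catch a record shorter than one block (the size would wrap if it is unsigned, and `ciphertext.data` has already been advanced). A check earlier in the function, outside the hunk, may already guarantee at least one full block; if so, a one-line comment saying that would help, otherwise test before adjusting: `if (ciphertext.size <= blocksize) { gnutls_assert(); return GNUTLS_E_DECRYPTION_FAILED; }`. The record length comes from the peer, so the guard next to the subtraction should stand on its own.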
@@ -545,8 +546,10 @@ void parse_protocols(char **protocols, int protocols_size, for (j = i = 0; i < protocols_size; i++) { if (strncasecmp(protocols[i], "SSL", 3) == 0) protocol_priority[j++] = GNUTLS_SSL3; + else if (strncasecmp(protocols[i], "TLS1.1", 6) == 0) + protocol_priority[j++] = GNUTLS_TLS1_1; else if (strncasecmp(protocols[i], "TLS", 3) == 0) - protocol_priority[j++] = GNUTLS_TLS1; + protocol_priority[j++] = GNUTLS_TLS1_0; else fprintf(stderr, "Unknown protocol: '%s'\n", protocols[i]); } protocol_priority[j] = 0; diff --git a/src/serv.c b/src/serv.c index 7dc7a69eb0..8128731074 100644 --- a/src/serv.c +++ b/src/serv.c @@ -248,7 +248,7 @@ static int generate_rsa_params(void) return 0; } -int protocol_priority[PRI_MAX] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; +int protocol_priority[PRI_MAX] = { GNUTLS_TLS1_1, GNUTLS_TLS1, GNUTLS_SSL3, 0 }; int kx_priority[PRI_MAX] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, /* Do not use anonymous authentication, unless you know what that means */ diff --git a/src/tests.c b/src/tests.c index 8c80e4f322..220094a87b 100644 --- a/src/tests.c +++ b/src/tests.c @@ -1,5 +1,6 @@ /* * Copyright (C) 2000,2001,2002,2003 Nikos Mavroyanopoulos + * Copyright (C) 2004 Free Software Foundation * * This file is part of GNUTLS. * @@ -43,8 +44,9 @@ extern gnutls_certificate_credentials xcred; extern int more_info; static int dh_bits; -extern int tls1_ok; -extern int ssl3_ok; +int tls1_ok = 0; +int ssl3_ok = 0; +int tls1_1_ok = 0; /* keep session info */ static char *session_data = NULL; @@ -85,7 +87,10 @@ int ret, alert; } session_data = malloc(session_data_size); sfree = 1; - if (session_data==NULL) exit(1); + if (session_data==NULL) { + fprintf(stderr, "Memory error\n"); + exit(1); + } gnutls_session_get_data(session, session_data, &session_data_size); session_id_size = sizeof( session_id); 
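Review bot: `parse_protocols` matches by prefix, so after this change any argument that starts with `TLS` but is not `TLS1.1` (a typo, or a version this build does not know) is silently mapped to `GNUTLS_TLS1_0` instead of reaching the `Unknown protocol` branch. For a protocol-selection option that is a surprising downgrade; comparing whole names, for example `strcasecmp(protocols[i], "TLS1.0") == 0` alongside the bare `TLS` spelling if it must stay accepted, would make the mismatch visible. The loop also writes `protocol_priority[j++]` and then `protocol_priority[j] = 0` with no bound against `PRI_MAX` visible here; unless the caller caps `protocols_size`, add `j < PRI_MAX - 1` to the loop condition. The function signature and its end are outside the hunk.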
@@ -163,13 +168,24 @@ static void ADD_CERTTYPE(gnutls_session session, int ctype) { gnutls_certificate_type_set_priority(session, _ct_priority); } -static void ADD_PROTOCOL(gnutls_session session, int protocol) { +static void ADD_PROTOCOL(gnutls_session session, int protocol) +{ static int _proto_priority[] = { 0, 0 }; _proto_priority[0] = protocol; gnutls_protocol_set_priority(session, _proto_priority); } +static void ADD_PROTOCOL3(gnutls_session session, int p1, int p2, int p3) +{ + static int _proto_priority[] = { 0, 0, 0, 0 }; + _proto_priority[0] = p1; + _proto_priority[1] = p2; + _proto_priority[2] = p3; + + gnutls_protocol_set_priority(session, _proto_priority); +} + #ifdef ENABLE_SRP static int srp_detected; @@ -244,7 +260,8 @@ int test_dhe_bits( gnutls_session session) { return SUCCEED; } -int test_ssl3( gnutls_session session) { +int test_ssl3( gnutls_session session) +{ int ret; ADD_ALL_CIPHERS(session); ADD_ALL_COMP(session); @@ -259,8 +276,10 @@ int ret; return ret; } + static int alrm=0; -void got_alarm(int k) { +void got_alarm(int k) +{ alrm = 1; } @@ -392,7 +411,25 @@ int ret; } #endif -int test_sha( gnutls_session session) { +int test_lzo( gnutls_session session) { +int ret; + gnutls_handshake_set_private_extensions( session, 1); + + ADD_ALL_CIPHERS(session); + ADD_COMP(session, GNUTLS_COMP_LZO); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_ALL_MACS(session); + ADD_ALL_KX(session); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake( session); + + return ret; +} + +int test_sha( gnutls_session session) +{ int ret; ADD_ALL_CIPHERS(session); ADD_ALL_COMP(session); 
@@ -406,7 +443,23 @@ int ret; return ret; } -int test_3des( gnutls_session session) { +int test_rmd( gnutls_session session) +{ +int ret; + ADD_ALL_CIPHERS(session); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_MAC(session, GNUTLS_MAC_RMD160); + ADD_ALL_KX(session); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake( session); + return ret; +} + +int test_3des( gnutls_session session) +{ int ret; ADD_CIPHER(session, GNUTLS_CIPHER_3DES_CBC); ADD_ALL_COMP(session); @@ -434,7 +487,22 @@ int ret; return ret; } -int test_tls1( gnutls_session session) { +int test_arcfour_40( gnutls_session session) { +int ret; + ADD_CIPHER(session, GNUTLS_CIPHER_ARCFOUR_40); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_ALL_MACS(session); + ADD_ALL_KX(session); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake( session); + return ret; +} + +int test_tls1( gnutls_session session) +{ int ret; ADD_ALL_CIPHERS(session); ADD_ALL_COMP(session); 
@@ -451,10 +519,53 @@ int ret; } -/* Advertize both TLS 1.0 and SSL 3.0 if the connection fails, +int test_tls1_1( gnutls_session session) +{ +int ret; + ADD_ALL_CIPHERS(session); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_PROTOCOL(session, GNUTLS_TLS1_1); + ADD_ALL_MACS(session); + ADD_ALL_KX(session); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake( session); + if (ret==SUCCEED) tls1_1_ok = 1; + + return ret; + +} + +int test_tls1_1_fallback( gnutls_session session) +{ +int ret; + ADD_ALL_CIPHERS(session); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_PROTOCOL3(session, GNUTLS_TLS1_1, GNUTLS_TLS1, GNUTLS_SSL3); + ADD_ALL_MACS(session); + ADD_ALL_KX(session); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + if (tls1_1_ok) return UNSURE; + + ret = do_handshake( session); + if (ret!=SUCCEED) return GFAILED; + + if (gnutls_protocol_get_version( session)==GNUTLS_TLS1) + return SUCCEED; + else if (gnutls_protocol_get_version( session)==GNUTLS_SSL3) + return UNSURE; + + return GFAILED; + +} + +/* Advertize both TLS 1.0 and SSL 3.0. If the connection fails, * but the previous SSL 3.0 test succeeded then disable TLS 1.0. */ -int test_tls1_2( gnutls_session session) { +int test_tls_disable( gnutls_session session) { int ret; ADD_ALL_CIPHERS(session); ADD_ALL_COMP(session); diff --git a/src/tests.h b/src/tests.h index 3c97d891b9..6a4125a9a3 100644 --- a/src/tests.h +++ b/src/tests.h 
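Review bot: `test_tls1_1_fallback` has no comment explaining its results, and they are not obvious from the name: it returns `UNSURE` without handshaking when `tls1_1_ok` is already set, `SUCCEED` only when the negotiated version is TLS 1.0, `UNSURE` for SSL 3.0 and `GFAILED` otherwise. A header comment such as `/* Offer TLS 1.1, TLS 1.0 and SSL 3.0 to a server that did not accept TLS 1.1 alone, and report which version it falls back to. */` would make the mapping to the result strings readable. The `if (tls1_1_ok) return UNSURE;` check could also move above the `ADD_*` calls so the skipped case does not modify the session.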
@@ -11,10 +11,14 @@ int test_ssl3( gnutls_session state); int test_aes( gnutls_session state); int test_md5( gnutls_session state); int test_sha( gnutls_session state); +int test_rmd( gnutls_session state); int test_3des( gnutls_session state); int test_arcfour( gnutls_session state); +int test_arcfour_40( gnutls_session state); int test_tls1( gnutls_session state); -int test_tls1_2( gnutls_session state); +int test_tls1_1( gnutls_session state); +int test_tls1_1_fallback( gnutls_session state); +int test_tls_disable( gnutls_session state); int test_rsa_pms( gnutls_session state); int test_max_record_size( gnutls_session state); int test_version_rollback( gnutls_session state); @@ -28,6 +32,7 @@ int test_session_resume2( gnutls_session state); int test_rsa_pms_version_check( gnutls_session session); int test_version_oob( gnutls_session session); int test_zlib( gnutls_session session); +int test_lzo( gnutls_session session); int _test_srp_username_callback( gnutls_session session, unsigned int times, char** username, char** password); diff --git a/src/tls_test-gaa.c b/src/tls_test-gaa.c index ec5fc2acb0..f9fd4f2488 100644 --- a/src/tls_test-gaa.c +++ b/src/tls_test-gaa.c @@ -1,4 +1,4 @@ -/* File generated by GAA 1.6.2 +/* File generated by GAA 1.6.5 */ #define GAA_NO_WIN32 #line 1 "tls_test.gaa" @@ -681,7 +681,8 @@ typedef struct gaastrnode gaa_str_node; int gaa_internal_get_next_str(FILE *file, gaa_str_node *tmp_str, int argc) { int pos_ini; - char a; + int a; + char ca; int i = 0, len = 0, newline = 0; if(argc == 1) { @@ -689,7 +690,8 @@ int gaa_internal_get_next_str(FILE *file, gaa_str_node *tmp_str, int argc) len = 2; } - if(fscanf(file,"%c", &a) != 1) return 0; + a = fgetc( file); + if (a == EOF) return 0; while(a == ' ' || a == 9 || a == '\n') { 
@@ -698,7 +700,8 @@ int gaa_internal_get_next_str(FILE *file, gaa_str_node *tmp_str, int argc) newline=1; len = 2; } - if(fscanf(file,"%c", &a) != 1) return 0; + a = fgetc( file); + if (a == EOF) return 0; } pos_ini = ftell(file) - 1; @@ -707,7 +710,8 @@ int gaa_internal_get_next_str(FILE *file, gaa_str_node *tmp_str, int argc) { len++; - if(fscanf(file,"%c", &a) != 1) a = ' '; + a = fgetc( file); + if(a==EOF) return 0; //a = ' '; } len += 1; @@ -727,11 +731,12 @@ int gaa_internal_get_next_str(FILE *file, gaa_str_node *tmp_str, int argc) fseek(file,pos_ini, SEEK_SET); do { - if(fscanf(file, "%c", &a) != 1) + if(fscanf(file, "%c", &ca) != 1) { i+=2; break; } + a = ca; tmp_str->str[i] = a; i++; } @@ -758,7 +763,7 @@ int gaa_file(char *name, gaainfo *gaaval) if((file = fopen(name, "r")) == NULL) { printf("Couldn't open '%s' configuration file for reading\n", name); - return 0; + return 1; } tmp_str = &first_str; diff --git a/src/tls_test.c b/src/tls_test.c index 66fb8417b0..0ace0f064c 100644 --- a/src/tls_test.c +++ b/src/tls_test.c @@ -1,5 +1,6 @@ /* * Copyright (C) 2000,2001,2002,2003 Nikos Mavroyanopoulos + * Copyright (C) 2004 Free Software Foundation * * This file is part of GNUTLS. * @@ -60,8 +61,9 @@ gnutls_certificate_credentials xcred; int more_info = 0; -int tls1_ok = 0; -int ssl3_ok = 0; +extern int tls1_ok; +extern int tls1_1_ok; +extern int ssl3_ok; static void tls_log_func( int level, const char* str) { @@ -79,6 +81,8 @@ typedef struct { } TLS_TEST; static const TLS_TEST tls_tests[] = { + { "for TLS 1.1 support", test_tls1_1, "yes", "no", "dunno" }, + { "fallback from TLS 1.1 to", test_tls1_1_fallback, "TLS 1.0", "", "SSL 3.0" }, { "for TLS 1.0 support", test_tls1, "yes", "no", "dunno" }, { "for SSL 3.0 support", test_ssl3, "yes", "no", "dunno" }, { "for version rollback bug in RSA PMS", test_rsa_pms, "no", "yes", "dunno" }, 
@@ -86,7 +90,7 @@ static const TLS_TEST tls_tests[] = { /* this test will disable TLS 1.0 if the server is * buggy */ - { "whether we need to disable TLS 1.0", test_tls1_2, "no", "yes", "dunno" }, + { "whether we need to disable TLS 1.0", test_tls_disable, "no", "yes", "dunno" }, { "whether the server ignores the RSA PMS version", test_rsa_pms_version_check, "yes", "no", "dunno"}, { "whether the server can accept Hello Extensions", test_hello_extension, "yes", "no", "dunno"}, @@ -105,20 +109,23 @@ static const TLS_TEST tls_tests[] = { #endif { "for ephemeral Diffie Hellman support", test_dhe, "yes", "no", "dunno" }, { "for ephemeral Diffie Hellman prime size", test_dhe_bits, "", "N/A", "N/A" }, - { "for AES cipher support", test_aes, "yes", "no", "dunno"}, + { "for AES cipher support (TLS extension)", test_aes, "yes", "no", "dunno"}, { "for 3DES cipher support", test_3des, "yes", "no", "dunno"}, - { "for ARCFOUR cipher support", test_arcfour, "yes", "no", "dunno"}, + { "for ARCFOUR 128 cipher support", test_arcfour, "yes", "no", "dunno"}, + { "for ARCFOUR 40 cipher support", test_arcfour_40, "yes", "no", "dunno"}, { "for MD5 MAC support", test_md5, "yes", "no", "dunno"}, { "for SHA1 MAC support", test_sha, "yes", "no", "dunno"}, + { "for RIPEMD160 MAC support (TLS extension)", test_rmd, "yes", "no", "dunno"}, #ifdef HAVE_LIBZ - { "for ZLIB compression support", test_zlib, "yes", "no", "dunno"}, + { "for ZLIB compression support (TLS extension)", test_zlib, "yes", "no", "dunno"}, #endif + { "for LZO compression support (GnuTLS extension)", test_lzo, "yes", "no", "dunno"}, { "for max record size (TLS extension)", test_max_record_size, "yes", "no", "dunno" }, #ifdef ENABLE_SRP { "for SRP authentication support (TLS extension)", test_srp, "yes", "no", "dunno" }, #endif { "for OpenPGP authentication support (TLS extension)", test_openpgp1, "yes", "no", "dunno" }, - { NULL } + { NULL, NULL, NULL, NULL, NULL } }; static int tt = 0; 
@@ -146,8 +153,6 @@ int main(int argc, char **argv) gnutls_session state; char buffer[MAX_BUF + 1]; struct hostent *server_host; - int ssl3_ok = 0; - int tls1_ok = 0; gaa_parser(argc, argv); @@ -210,7 +215,10 @@ int main(int argc, char **argv) /* if neither of SSL3 and TLSv1 are supported, exit */ - if (i > 1 && tls1_ok == 0 && ssl3_ok == 0) break; + if (i > 3 && tls1_1_ok == 0 && tls1_ok == 0 && ssl3_ok == 0) { + fprintf(stderr, "%d %d %d\n", tls1_1_ok,tls1_ok,ssl3_ok); + break; + } CONNECT(); gnutls_init(&state, GNUTLS_CLIENT); |
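Review bot: The new early exit in `main` prints three bare integers with `fprintf(stderr, "%d %d %d\n", tls1_1_ok,tls1_ok,ssl3_ok);`, which reads like leftover debugging output; a message such as `fprintf(stderr, "Server supports none of TLS 1.1, TLS 1.0, SSL 3.0\n");` would tell the user why the scan stopped. The threshold `i > 3` depends on the four version probes being the first entries of `tls_tests`, and the comment above it still mentions only SSL3 and TLSv1; update the comment and state the ordering dependency so a later reordering of the table does not disable the check. `main` continues outside the hunk.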