authorNikos Mavrogiannopoulos <nmav@gnutls.org>2004-02-25 12:01:36 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2004-02-25 12:01:36 +0000
commitb0e62fa82305af837cef118da070bf20c1aee3c1 (patch)
tree251bdc707b1aaff9c46aac3b138e1c08cb28d016
parentceea305ea20a141b3a76616f7bd8435c6b21ece5 (diff)
downloadgnutls-b0e62fa82305af837cef118da070bf20c1aee3c1.tar.gz
*** empty log message ***gnutls_1_0_7
-rw-r--r--NEWS6
-rw-r--r--configure.in2
-rw-r--r--lib/gnutls.h.in.in2
-rw-r--r--lib/gnutls_algorithms.c1
-rw-r--r--lib/gnutls_cipher.c26
-rw-r--r--src/cli.c2
-rw-r--r--src/common.c5
-rw-r--r--src/serv.c2
-rw-r--r--src/tests.c133
-rw-r--r--src/tests.h7
-rw-r--r--src/tls_test-gaa.c19
-rw-r--r--src/tls_test.c28
12 files changed, 197 insertions, 36 deletions
diff --git a/NEWS b/NEWS
index c19ff0d46a..aa36d0652c 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,7 @@
-Version 1.0.7
-- Corrected the return values of gnutls_x509_crt_check_hostname().
+Version 1.0.7 (25/02/2004)
+- Implemented TLS 1.1 (and also obsoleted the TLS 1.0 CBC protection
+ hack).
+- Some updates in the documentation.
Version 1.0.6 (12/02/2004)
* Backported things from the development branch (while maintaining
diff --git a/configure.in b/configure.in
index cd84165075..2c79e5db8e 100644
--- a/configure.in
+++ b/configure.in
@@ -12,7 +12,7 @@ AC_DEFINE_UNQUOTED(T_OS, "$target_os", [OS name])
dnl Gnutls Version
GNUTLS_MAJOR_VERSION=1
GNUTLS_MINOR_VERSION=0
-GNUTLS_MICRO_VERSION=6
+GNUTLS_MICRO_VERSION=7
GNUTLS_VERSION=$GNUTLS_MAJOR_VERSION.$GNUTLS_MINOR_VERSION.$GNUTLS_MICRO_VERSION
AC_DEFINE_UNQUOTED(GNUTLS_VERSION, "$GNUTLS_VERSION", [version of gnutls])
diff --git a/lib/gnutls.h.in.in b/lib/gnutls.h.in.in
index aa1f34e8b3..e4183ee103 100644
--- a/lib/gnutls.h.in.in
+++ b/lib/gnutls.h.in.in
@@ -148,7 +148,7 @@ typedef enum gnutls_close_request { GNUTLS_SHUT_RDWR=0, GNUTLS_SHUT_WR=1 } gnutl
#define GNUTLS_TLS1 GNUTLS_TLS1_0
typedef enum gnutls_protocol_version { GNUTLS_SSL3=1, GNUTLS_TLS1_0,
- } gnutls_protocol_version;
+ GNUTLS_TLS1_1 } gnutls_protocol_version;
typedef enum gnutls_certificate_type { GNUTLS_CRT_X509=1, GNUTLS_CRT_OPENPGP
} gnutls_certificate_type;
diff --git a/lib/gnutls_algorithms.c b/lib/gnutls_algorithms.c
index 30c330fddf..db5876317b 100644
--- a/lib/gnutls_algorithms.c
+++ b/lib/gnutls_algorithms.c
@@ -109,6 +109,7 @@ typedef struct {
static const gnutls_version_entry sup_versions[] = {
{"SSL 3.0", GNUTLS_SSL3, 3, 0, 1},
{"TLS 1.0", GNUTLS_TLS1, 3, 1, 1},
+ {"TLS 1.1", GNUTLS_TLS1_1, 3, 2, 1},
{0, 0, 0, 0, 0}
};
diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
index 3394dd7b4f..259f7a67a3 100644
--- a/lib/gnutls_cipher.c
+++ b/lib/gnutls_cipher.c
@@ -228,6 +228,9 @@ int length;
*pad = (uint8) (blocksize - (length % blocksize)) + rand;
length += *pad;
+ if ( session->security_parameters.version >= GNUTLS_TLS1_1)
+ length += blocksize; /* for the IV */
+
break;
default:
gnutls_assert();
@@ -312,6 +315,17 @@ int _gnutls_compressed2ciphertext(gnutls_session session,
}
data_ptr = cipher_data;
+ if ( block_algo==CIPHER_BLOCK &&
+ session->security_parameters.version >= GNUTLS_TLS1_1)
+ {
+ /* copy the random IV.
+ */
+ if (_gnutls_get_random(data_ptr, blocksize, GNUTLS_WEAK_RANDOM) < 0) {
+ gnutls_assert();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+ data_ptr += blocksize;
+ }
memcpy(data_ptr, compressed.data, compressed.size);
data_ptr += compressed.size;
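Review bot: The explicit IV written at `data_ptr` is drawn with `GNUTLS_WEAK_RANDOM`, and the TLS 1.1 CBC construction is only sound if that IV is unpredictable for every record. What the weak level guarantees is defined outside this diff, so confirm that it is a cryptographic generator and not a fast non-secret source; if it is not, use a stronger level such as `GNUTLS_STRONG_RANDOM`. Returning `GNUTLS_E_MEMORY_ERROR` when the generator fails also misreports the cause to the caller. A short comment would record the requirement, e.g. `/* TLS 1.1 explicit IV: fresh and unpredictable per record */`. `_gnutls_compressed2ciphertext` begins and ends outside the hunk.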
@@ -405,6 +419,18 @@ int _gnutls_ciphertext2compressed(gnutls_session session,
return ret;
}
+ /* ignore the IV in TLS 1.1.
+ */
+ if (session->security_parameters.version >= GNUTLS_TLS1_1) {
+ ciphertext.size -= blocksize;
+ ciphertext.data += blocksize;
+
+ if (ciphertext.size == 0) {
+ gnutls_assert();
+ return GNUTLS_E_DECRYPTION_FAILED;
+ }
+ }
+
pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */
length =
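Review bot: `ciphertext.size -= blocksize` runs before any length check visible in this hunk, so a record shorter than one block would make the subtraction wrap (if `size` is unsigned), the `== 0` test after it would not catch that, and the `ciphertext.data[ciphertext.size - 1]` read below would be out of bounds. Unless the part of `_gnutls_ciphertext2compressed` above the hunk already guarantees `ciphertext.size >= blocksize`, the guard should come first: `if (ciphertext.size <= blocksize) { gnutls_assert(); return GNUTLS_E_DECRYPTION_FAILED; }`. The version test also omits the `block_algo==CIPHER_BLOCK` condition used on the encrypt side, so confirm that this code is reached only for block ciphers. The function body starts and ends outside the hunk.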
diff --git a/src/cli.c b/src/cli.c
index e3aa4a60a2..560faf9d2b 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -74,7 +74,7 @@ static gnutls_srp_client_credentials srp_cred;
static gnutls_anon_client_credentials anon_cred;
static gnutls_certificate_credentials xcred;
-int protocol_priority[PRI_MAX] = { GNUTLS_TLS1_0, GNUTLS_SSL3, 0 };
+int protocol_priority[PRI_MAX] = { GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 };
int kx_priority[PRI_MAX] =
{ GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP,
/* Do not use anonymous authentication, unless you know what that means */
diff --git a/src/common.c b/src/common.c
index 1bc7d45aed..8b9a411c19 100644
--- a/src/common.c
+++ b/src/common.c
@@ -490,6 +490,7 @@ void print_list(void)
printf("Protocols:");
printf(" TLS1.0");
+ printf(", TLS1.1");
printf(", SSL3.0\n");
printf("Ciphers:");
@@ -545,8 +546,10 @@ void parse_protocols(char **protocols, int protocols_size,
for (j = i = 0; i < protocols_size; i++) {
if (strncasecmp(protocols[i], "SSL", 3) == 0)
protocol_priority[j++] = GNUTLS_SSL3;
+ else if (strncasecmp(protocols[i], "TLS1.1", 6) == 0)
+ protocol_priority[j++] = GNUTLS_TLS1_1;
else if (strncasecmp(protocols[i], "TLS", 3) == 0)
- protocol_priority[j++] = GNUTLS_TLS1;
+ protocol_priority[j++] = GNUTLS_TLS1_0;
else fprintf(stderr, "Unknown protocol: '%s'\n", protocols[i]);
}
protocol_priority[j] = 0;
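Review bot: Nothing in the visible loop bounds `j` against the capacity of `protocol_priority`, so if `protocols_size` can reach the array length, the terminating `protocol_priority[j] = 0;` writes one element past the end. Assuming the destination is declared with `PRI_MAX` entries, as the arrays in cli.c and serv.c are, a guard such as `if (j >= PRI_MAX - 1) break;` at the top of the loop body would close this. The new `"TLS1.1"` test only works because it precedes the generic `"TLS"` prefix match, which deserves a comment: `/* must come before the "TLS" prefix test */`. `parse_protocols` starts outside the hunk.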
diff --git a/src/serv.c b/src/serv.c
index 7dc7a69eb0..8128731074 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -248,7 +248,7 @@ static int generate_rsa_params(void)
return 0;
}
-int protocol_priority[PRI_MAX] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
+int protocol_priority[PRI_MAX] = { GNUTLS_TLS1_1, GNUTLS_TLS1, GNUTLS_SSL3, 0 };
int kx_priority[PRI_MAX] =
{ GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP,
/* Do not use anonymous authentication, unless you know what that means */
diff --git a/src/tests.c b/src/tests.c
index 8c80e4f322..220094a87b 100644
--- a/src/tests.c
+++ b/src/tests.c
@@ -1,5 +1,6 @@
/*
* Copyright (C) 2000,2001,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
*
* This file is part of GNUTLS.
*
@@ -43,8 +44,9 @@ extern gnutls_certificate_credentials xcred;
extern int more_info;
static int dh_bits;
-extern int tls1_ok;
-extern int ssl3_ok;
+int tls1_ok = 0;
+int ssl3_ok = 0;
+int tls1_1_ok = 0;
/* keep session info */
static char *session_data = NULL;
@@ -85,7 +87,10 @@ int ret, alert;
}
session_data = malloc(session_data_size);
sfree = 1;
- if (session_data==NULL) exit(1);
+ if (session_data==NULL) {
+ fprintf(stderr, "Memory error\n");
+ exit(1);
+ }
gnutls_session_get_data(session, session_data, &session_data_size);
session_id_size = sizeof( session_id);
@@ -163,13 +168,24 @@ static void ADD_CERTTYPE(gnutls_session session, int ctype) {
gnutls_certificate_type_set_priority(session, _ct_priority);
}
-static void ADD_PROTOCOL(gnutls_session session, int protocol) {
+static void ADD_PROTOCOL(gnutls_session session, int protocol)
+{
static int _proto_priority[] = { 0, 0 };
_proto_priority[0] = protocol;
gnutls_protocol_set_priority(session, _proto_priority);
}
+static void ADD_PROTOCOL3(gnutls_session session, int p1, int p2, int p3)
+{
+ static int _proto_priority[] = { 0, 0, 0, 0 };
+ _proto_priority[0] = p1;
+ _proto_priority[1] = p2;
+ _proto_priority[2] = p3;
+
+ gnutls_protocol_set_priority(session, _proto_priority);
+}
+
#ifdef ENABLE_SRP
static int srp_detected;
@@ -244,7 +260,8 @@ int test_dhe_bits( gnutls_session session) {
return SUCCEED;
}
-int test_ssl3( gnutls_session session) {
+int test_ssl3( gnutls_session session)
+{
int ret;
ADD_ALL_CIPHERS(session);
ADD_ALL_COMP(session);
@@ -259,8 +276,10 @@ int ret;
return ret;
}
+
static int alrm=0;
-void got_alarm(int k) {
+void got_alarm(int k)
+{
alrm = 1;
}
@@ -392,7 +411,25 @@ int ret;
}
#endif
-int test_sha( gnutls_session session) {
+int test_lzo( gnutls_session session) {
+int ret;
+ gnutls_handshake_set_private_extensions( session, 1);
+
+ ADD_ALL_CIPHERS(session);
+ ADD_COMP(session, GNUTLS_COMP_LZO);
+ ADD_ALL_CERTTYPES(session);
+ ADD_ALL_PROTOCOLS(session);
+ ADD_ALL_MACS(session);
+ ADD_ALL_KX(session);
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = do_handshake( session);
+
+ return ret;
+}
+
+int test_sha( gnutls_session session)
+{
int ret;
ADD_ALL_CIPHERS(session);
ADD_ALL_COMP(session);
@@ -406,7 +443,23 @@ int ret;
return ret;
}
-int test_3des( gnutls_session session) {
+int test_rmd( gnutls_session session)
+{
+int ret;
+ ADD_ALL_CIPHERS(session);
+ ADD_ALL_COMP(session);
+ ADD_ALL_CERTTYPES(session);
+ ADD_ALL_PROTOCOLS(session);
+ ADD_MAC(session, GNUTLS_MAC_RMD160);
+ ADD_ALL_KX(session);
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = do_handshake( session);
+ return ret;
+}
+
+int test_3des( gnutls_session session)
+{
int ret;
ADD_CIPHER(session, GNUTLS_CIPHER_3DES_CBC);
ADD_ALL_COMP(session);
@@ -434,7 +487,22 @@ int ret;
return ret;
}
-int test_tls1( gnutls_session session) {
+int test_arcfour_40( gnutls_session session) {
+int ret;
+ ADD_CIPHER(session, GNUTLS_CIPHER_ARCFOUR_40);
+ ADD_ALL_COMP(session);
+ ADD_ALL_CERTTYPES(session);
+ ADD_ALL_PROTOCOLS(session);
+ ADD_ALL_MACS(session);
+ ADD_ALL_KX(session);
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = do_handshake( session);
+ return ret;
+}
+
+int test_tls1( gnutls_session session)
+{
int ret;
ADD_ALL_CIPHERS(session);
ADD_ALL_COMP(session);
@@ -451,10 +519,53 @@ int ret;
}
-/* Advertize both TLS 1.0 and SSL 3.0 if the connection fails,
+int test_tls1_1( gnutls_session session)
+{
+int ret;
+ ADD_ALL_CIPHERS(session);
+ ADD_ALL_COMP(session);
+ ADD_ALL_CERTTYPES(session);
+ ADD_PROTOCOL(session, GNUTLS_TLS1_1);
+ ADD_ALL_MACS(session);
+ ADD_ALL_KX(session);
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = do_handshake( session);
+ if (ret==SUCCEED) tls1_1_ok = 1;
+
+ return ret;
+
+}
+
+int test_tls1_1_fallback( gnutls_session session)
+{
+int ret;
+ ADD_ALL_CIPHERS(session);
+ ADD_ALL_COMP(session);
+ ADD_ALL_CERTTYPES(session);
+ ADD_PROTOCOL3(session, GNUTLS_TLS1_1, GNUTLS_TLS1, GNUTLS_SSL3);
+ ADD_ALL_MACS(session);
+ ADD_ALL_KX(session);
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ if (tls1_1_ok) return UNSURE;
+
+ ret = do_handshake( session);
+ if (ret!=SUCCEED) return GFAILED;
+
+ if (gnutls_protocol_get_version( session)==GNUTLS_TLS1)
+ return SUCCEED;
+ else if (gnutls_protocol_get_version( session)==GNUTLS_SSL3)
+ return UNSURE;
+
+ return GFAILED;
+
+}
+
+/* Advertize both TLS 1.0 and SSL 3.0. If the connection fails,
* but the previous SSL 3.0 test succeeded then disable TLS 1.0.
*/
-int test_tls1_2( gnutls_session session) {
+int test_tls_disable( gnutls_session session) {
int ret;
ADD_ALL_CIPHERS(session);
ADD_ALL_COMP(session);
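Review bot: `test_tls1_1_fallback` returns `UNSURE` when `tls1_1_ok` is set, and the table row added for it in src/tls_test.c gives "SSL 3.0" as its third string. If that column is the one printed for `UNSURE`, a server that does speak TLS 1.1 is reported as falling back to SSL 3.0 although no handshake was attempted. The `if (tls1_1_ok)` check should move to the top of the function, before the priorities are set, and the not-applicable case needs a result of its own that the caller prints neutrally or skips. `gnutls_protocol_get_version( session)` is also called twice where one local would do. `test_tls_disable`, at the end of the hunk, continues outside it.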
diff --git a/src/tests.h b/src/tests.h
index 3c97d891b9..6a4125a9a3 100644
--- a/src/tests.h
+++ b/src/tests.h
@@ -11,10 +11,14 @@ int test_ssl3( gnutls_session state);
int test_aes( gnutls_session state);
int test_md5( gnutls_session state);
int test_sha( gnutls_session state);
+int test_rmd( gnutls_session state);
int test_3des( gnutls_session state);
int test_arcfour( gnutls_session state);
+int test_arcfour_40( gnutls_session state);
int test_tls1( gnutls_session state);
-int test_tls1_2( gnutls_session state);
+int test_tls1_1( gnutls_session state);
+int test_tls1_1_fallback( gnutls_session state);
+int test_tls_disable( gnutls_session state);
int test_rsa_pms( gnutls_session state);
int test_max_record_size( gnutls_session state);
int test_version_rollback( gnutls_session state);
@@ -28,6 +32,7 @@ int test_session_resume2( gnutls_session state);
int test_rsa_pms_version_check( gnutls_session session);
int test_version_oob( gnutls_session session);
int test_zlib( gnutls_session session);
+int test_lzo( gnutls_session session);
int _test_srp_username_callback( gnutls_session session, unsigned int times,
char** username, char** password);
diff --git a/src/tls_test-gaa.c b/src/tls_test-gaa.c
index ec5fc2acb0..f9fd4f2488 100644
--- a/src/tls_test-gaa.c
+++ b/src/tls_test-gaa.c
@@ -1,4 +1,4 @@
-/* File generated by GAA 1.6.2
+/* File generated by GAA 1.6.5
*/
#define GAA_NO_WIN32
#line 1 "tls_test.gaa"
@@ -681,7 +681,8 @@ typedef struct gaastrnode gaa_str_node;
int gaa_internal_get_next_str(FILE *file, gaa_str_node *tmp_str, int argc)
{
int pos_ini;
- char a;
+ int a;
+ char ca;
int i = 0, len = 0, newline = 0;
if(argc == 1) {
@@ -689,7 +690,8 @@ int gaa_internal_get_next_str(FILE *file, gaa_str_node *tmp_str, int argc)
len = 2;
}
- if(fscanf(file,"%c", &a) != 1) return 0;
+ a = fgetc( file);
+ if (a == EOF) return 0;
while(a == ' ' || a == 9 || a == '\n')
{
@@ -698,7 +700,8 @@ int gaa_internal_get_next_str(FILE *file, gaa_str_node *tmp_str, int argc)
newline=1;
len = 2;
}
- if(fscanf(file,"%c", &a) != 1) return 0;
+ a = fgetc( file);
+ if (a == EOF) return 0;
}
pos_ini = ftell(file) - 1;
@@ -707,7 +710,8 @@ int gaa_internal_get_next_str(FILE *file, gaa_str_node *tmp_str, int argc)
{
len++;
- if(fscanf(file,"%c", &a) != 1) a = ' ';
+ a = fgetc( file);
+ if(a==EOF) return 0; //a = ' ';
}
len += 1;
@@ -727,11 +731,12 @@ int gaa_internal_get_next_str(FILE *file, gaa_str_node *tmp_str, int argc)
fseek(file,pos_ini, SEEK_SET);
do
{
- if(fscanf(file, "%c", &a) != 1)
+ if(fscanf(file, "%c", &ca) != 1)
{
i+=2;
break;
}
+ a = ca;
tmp_str->str[i] = a;
i++;
}
@@ -758,7 +763,7 @@ int gaa_file(char *name, gaainfo *gaaval)
if((file = fopen(name, "r")) == NULL)
{
printf("Couldn't open '%s' configuration file for reading\n", name);
- return 0;
+ return 1;
}
tmp_str = &first_str;
diff --git a/src/tls_test.c b/src/tls_test.c
index 66fb8417b0..0ace0f064c 100644
--- a/src/tls_test.c
+++ b/src/tls_test.c
@@ -1,5 +1,6 @@
/*
* Copyright (C) 2000,2001,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
*
* This file is part of GNUTLS.
*
@@ -60,8 +61,9 @@ gnutls_certificate_credentials xcred;
int more_info = 0;
-int tls1_ok = 0;
-int ssl3_ok = 0;
+extern int tls1_ok;
+extern int tls1_1_ok;
+extern int ssl3_ok;
static void tls_log_func( int level, const char* str)
{
@@ -79,6 +81,8 @@ typedef struct {
} TLS_TEST;
static const TLS_TEST tls_tests[] = {
+ { "for TLS 1.1 support", test_tls1_1, "yes", "no", "dunno" },
+ { "fallback from TLS 1.1 to", test_tls1_1_fallback, "TLS 1.0", "", "SSL 3.0" },
{ "for TLS 1.0 support", test_tls1, "yes", "no", "dunno" },
{ "for SSL 3.0 support", test_ssl3, "yes", "no", "dunno" },
{ "for version rollback bug in RSA PMS", test_rsa_pms, "no", "yes", "dunno" },
@@ -86,7 +90,7 @@ static const TLS_TEST tls_tests[] = {
/* this test will disable TLS 1.0 if the server is
* buggy */
- { "whether we need to disable TLS 1.0", test_tls1_2, "no", "yes", "dunno" },
+ { "whether we need to disable TLS 1.0", test_tls_disable, "no", "yes", "dunno" },
{ "whether the server ignores the RSA PMS version", test_rsa_pms_version_check, "yes", "no", "dunno"},
{ "whether the server can accept Hello Extensions", test_hello_extension, "yes", "no", "dunno"},
@@ -105,20 +109,23 @@ static const TLS_TEST tls_tests[] = {
#endif
{ "for ephemeral Diffie Hellman support", test_dhe, "yes", "no", "dunno" },
{ "for ephemeral Diffie Hellman prime size", test_dhe_bits, "", "N/A", "N/A" },
- { "for AES cipher support", test_aes, "yes", "no", "dunno"},
+ { "for AES cipher support (TLS extension)", test_aes, "yes", "no", "dunno"},
{ "for 3DES cipher support", test_3des, "yes", "no", "dunno"},
- { "for ARCFOUR cipher support", test_arcfour, "yes", "no", "dunno"},
+ { "for ARCFOUR 128 cipher support", test_arcfour, "yes", "no", "dunno"},
+ { "for ARCFOUR 40 cipher support", test_arcfour_40, "yes", "no", "dunno"},
{ "for MD5 MAC support", test_md5, "yes", "no", "dunno"},
{ "for SHA1 MAC support", test_sha, "yes", "no", "dunno"},
+ { "for RIPEMD160 MAC support (TLS extension)", test_rmd, "yes", "no", "dunno"},
#ifdef HAVE_LIBZ
- { "for ZLIB compression support", test_zlib, "yes", "no", "dunno"},
+ { "for ZLIB compression support (TLS extension)", test_zlib, "yes", "no", "dunno"},
#endif
+ { "for LZO compression support (GnuTLS extension)", test_lzo, "yes", "no", "dunno"},
{ "for max record size (TLS extension)", test_max_record_size, "yes", "no", "dunno" },
#ifdef ENABLE_SRP
{ "for SRP authentication support (TLS extension)", test_srp, "yes", "no", "dunno" },
#endif
{ "for OpenPGP authentication support (TLS extension)", test_openpgp1, "yes", "no", "dunno" },
- { NULL }
+ { NULL, NULL, NULL, NULL, NULL }
};
static int tt = 0;
@@ -146,8 +153,6 @@ int main(int argc, char **argv)
gnutls_session state;
char buffer[MAX_BUF + 1];
struct hostent *server_host;
- int ssl3_ok = 0;
- int tls1_ok = 0;
gaa_parser(argc, argv);
@@ -210,7 +215,10 @@ int main(int argc, char **argv)
/* if neither of SSL3 and TLSv1 are supported, exit
*/
- if (i > 1 && tls1_ok == 0 && ssl3_ok == 0) break;
+ if (i > 3 && tls1_1_ok == 0 && tls1_ok == 0 && ssl3_ok == 0) {
+ fprintf(stderr, "%d %d %d\n", tls1_1_ok,tls1_ok,ssl3_ok);
+ break;
+ }
CONNECT();
gnutls_init(&state, GNUTLS_CLIENT);
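Review bot: The `fprintf(stderr, "%d %d %d\n", tls1_1_ok,tls1_ok,ssl3_ok);` added before `break` looks like leftover debugging output, since it prints three unlabeled integers and gives the user no reason for the early exit. Something like `fprintf(stderr, "Server supports none of TLS 1.1, TLS 1.0 and SSL 3.0\n");` would say why the run stops. The comment above the test still names only SSL3 and TLSv1. The threshold `i > 3` depends on the TLS 1.1, fallback, TLS 1.0 and SSL 3.0 rows being the first four entries of `tls_tests`, so a comment should tie the constant to that table order. `main` starts and ends outside the hunk.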