authorNikos Mavrogiannopoulos <nmav@gnutls.org>2003-11-30 13:58:38 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2003-11-30 13:58:38 +0000
commitd92b77866b3bcb9eb1544d86e236a35d295ffe1f (patch)
tree9f6215773961d74cd06f855d0610715e890bcfdd
parent07053a732434bf4cadabb7fdf0e532348b5984a6 (diff)
some fixes to comply with the SRP draft. The handshake is now repeated if an empty SRP username is received.
-rw-r--r--doc/README.autoconf4
-rw-r--r--lib/gnutls_alert.c4
-rw-r--r--lib/gnutls_errors.c1
-rw-r--r--lib/gnutls_errors_int.h2
-rw-r--r--lib/gnutls_handshake.c4
-rw-r--r--libextra/auth_srp.c13
-rw-r--r--src/serv-gaa.c4
-rw-r--r--src/serv.c3
8 files changed, 22 insertions, 13 deletions
diff --git a/doc/README.autoconf b/doc/README.autoconf
index 44be0917cd..3f928aae0d 100644
--- a/doc/README.autoconf
+++ b/doc/README.autoconf
@@ -5,7 +5,7 @@ aclocal.m4:
include(libgnutls.m4)
configure.in:
- AM_PATH_LIBGNUTLS( 0.9.99,, AC_MSG_ERROR([[
+ AM_PATH_LIBGNUTLS( 1.0.0,, AC_MSG_ERROR([[
***
*** libgnutls was not found. You may want to get it from
*** ftp://ftp.gnutls.org/pub/gnutls/
@@ -18,7 +18,7 @@ aclocal.m4:
include(libgnutls-extra.m4)
configure.in:
- AM_PATH_LIBGNUTLS_EXTRA( 0.9.99,, AC_MSG_ERROR([[
+ AM_PATH_LIBGNUTLS_EXTRA( 1.0.0,, AC_MSG_ERROR([[
***
*** libgnutls-extra was not found. You may want to get it from
*** ftp://ftp.gnutls.org/pub/gnutls/
diff --git a/lib/gnutls_alert.c b/lib/gnutls_alert.c
index 8476f5b5ae..d8dc35c9a4 100644
--- a/lib/gnutls_alert.c
+++ b/lib/gnutls_alert.c
@@ -154,10 +154,6 @@ int _level = -1;
ret = GNUTLS_A_BAD_RECORD_MAC;
_level = GNUTLS_AL_FATAL;
break;
- case GNUTLS_E_EMPTY_SRP_USERNAME:
- ret = GNUTLS_A_MISSING_SRP_USERNAME;
- _level = GNUTLS_AL_FATAL;
- break;
case GNUTLS_E_DECOMPRESSION_FAILED:
ret = GNUTLS_A_DECOMPRESSION_FAILURE;
_level = GNUTLS_AL_FATAL;
diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c
index f0ec534ec0..c795ca2e60 100644
--- a/lib/gnutls_errors.c
+++ b/lib/gnutls_errors.c
@@ -138,7 +138,6 @@ static gnutls_error_entry error_algorithms[] = {
ERROR_ENTRY("Could not get OpenPGP key.", GNUTLS_E_OPENPGP_GETKEY_FAILED, 1),
ERROR_ENTRY("The SRP username supplied by the peer is illegal.", GNUTLS_E_ILLEGAL_SRP_USERNAME, 1),
- ERROR_ENTRY("The peer advertized SRP but did not supply any SRP username.", GNUTLS_E_EMPTY_SRP_USERNAME, 1),
ERROR_ENTRY("The OpenPGP fingerprint is not supported.", GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED, 1),
ERROR_ENTRY("The certificate has unsupported attributes.", GNUTLS_E_X509_UNSUPPORTED_ATTRIBUTE, 1),
diff --git a/lib/gnutls_errors_int.h b/lib/gnutls_errors_int.h
index 8ec8d6b855..3f64c626d7 100644
--- a/lib/gnutls_errors_int.h
+++ b/lib/gnutls_errors_int.h
@@ -86,7 +86,6 @@
#define GNUTLS_E_ILLEGAL_SRP_USERNAME -90
#define GNUTLS_E_SRP_PWD_PARSING_ERROR -91
-#define GNUTLS_E_EMPTY_SRP_USERNAME -92
#define GNUTLS_E_NO_TEMPORARY_DH_PARAMS -93
/* For certificate and key stuff
@@ -129,5 +128,6 @@
/* _INT_ internal errors. Not exported */
#define GNUTLS_E_INT_RET_0 -1251
+#define GNUTLS_E_INT_HANDSHAKE_AGAIN -1252
#endif /* GNUTLS_ERRORS_IH */
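Review bot: GNUTLS_E_INT_HANDSHAKE_AGAIN is added with no comment saying how it is consumed, and unlike GNUTLS_E_INT_RET_0 its meaning is not obvious from the name. Because the `_INT_` block says these codes are not exported, the contract that matters is who translates it before it can reach an application; a one-line comment next to the define such as `/* handshake must be restarted from STATE0; gnutls_handshake maps this to GNUTLS_E_AGAIN, never returned to the caller */` would record that, so a later reader does not add a new return path that leaks a -1252 to user code.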
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index 2296914feb..65f39ff1a5 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -1884,6 +1884,10 @@ int gnutls_handshake(gnutls_session session)
#define IMED_RET( str, ret) do { \
if (ret < 0) { \
+ if (ret == GNUTLS_E_INT_HANDSHAKE_AGAIN) { \
+ STATE = STATE0; \
+ return GNUTLS_E_AGAIN; \
+ } \
if (gnutls_error_is_fatal(ret)==0) return ret; \
gnutls_assert(); \
ERR( str, ret); \
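Review bot: The restart path added to IMED_RET has no upper bound: every GNUTLS_E_INT_HANDSHAKE_AGAIN resets STATE to STATE0 and returns GNUTLS_E_AGAIN, so a peer that keeps offering SRP without a username can make the server emit a warning alert and redo the handshake indefinitely, and an application that retries on GNUTLS_E_AGAIN (the documented GnuTLS convention) will loop with it. One restart is all the draft's exchange needs, so a flag in the session internals should gate the second attempt, along the lines of `if (session->internals.srp_restarted++) return GNUTLS_E_ILLEGAL_SRP_USERNAME;` before the `STATE = STATE0` line (the field would have to be added and cleared on a fresh handshake, which I cannot see from here). Returning GNUTLS_E_AGAIN on a blocking transport is also new behaviour worth a comment, since callers that never expected EAGAIN on a blocking socket may treat it as a failure. The macro's enclosing context begins outside the hunk.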
diff --git a/libextra/auth_srp.c b/libextra/auth_srp.c
index 4bb8c432d3..9abd02ae60 100644
--- a/libextra/auth_srp.c
+++ b/libextra/auth_srp.c
@@ -32,6 +32,7 @@
#include "auth_srp.h"
#include <gnutls_str.h>
#include <gnutls_datum.h>
+#include <gnutls_alert.h>
int _gnutls_gen_srp_server_kx(gnutls_session, opaque **);
int _gnutls_gen_srp_client_kx(gnutls_session, opaque **);
@@ -84,10 +85,18 @@ int _gnutls_gen_srp_server_kx(gnutls_session state, opaque ** data)
if (state->security_parameters.extensions.srp_username[0] == 0) {
/* The peer didn't send a valid SRP extension with the
- * SRP username.
+ * SRP username. The draft requires that we send an
+ * alert and start the handshake again.
*/
gnutls_assert();
- return GNUTLS_E_EMPTY_SRP_USERNAME;
+ ret = gnutls_alert_send( state, GNUTLS_AL_WARNING,
+ GNUTLS_A_MISSING_SRP_USERNAME);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ return GNUTLS_E_INT_HANDSHAKE_AGAIN;
}
if ( (ret=_gnutls_auth_info_set( state, GNUTLS_CRD_SRP, sizeof( SRP_SERVER_AUTH_INFO_INT), 1)) < 0) {
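Review bot: The missing-username check in _gnutls_gen_srp_server_kx runs while the server is producing ServerKeyExchange, which presumably means ServerHello (and any Certificate) has already been written before the missing_srp_username warning goes out; as far as I recall the draft's restart exchange has the server send that alert in direct response to ClientHello, so a client that has already consumed a ServerHello may not interpret the warning as a restart signal. If that reading is right, the check belongs where the ClientHello SRP extension is parsed, not here. Independently, the new `return GNUTLS_E_INT_HANDSHAKE_AGAIN;` is only safe if every caller routes it through IMED_RET, so a comment above it such as `/* internal code: gnutls_handshake restarts from STATE0 and reports GNUTLS_E_AGAIN; must not escape to the application */` would make that dependency explicit. The function continues outside the hunk.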
diff --git a/src/serv-gaa.c b/src/serv-gaa.c
index abb4d237e0..15876fa31d 100644
--- a/src/serv-gaa.c
+++ b/src/serv-gaa.c
@@ -463,7 +463,7 @@ int gaa_getint(char *arg)
{
int tmp;
char a;
- if(sscanf(arg, "%d%c", &tmp, &a) < 1)
+ if(sscanf(arg, "%d%c", &tmp, &a) != 1)
{
printf("Option %s: '%s' isn't an integer\n", gaa_current_option, arg);
GAAERROR(-1);
@@ -489,7 +489,7 @@ float gaa_getfloat(char *arg)
{
float tmp;
char a;
- if(sscanf(arg, "%f%c", &tmp, &a) < 1)
+ if(sscanf(arg, "%f%c", &tmp, &a) != 1)
{
printf("Option %s: '%s' isn't a float number\n", gaa_current_option, arg);
GAAERROR(-1);
diff --git a/src/serv.c b/src/serv.c
index a3af0a0fe5..00fa77f75b 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -250,7 +250,8 @@ int protocol_priority[PRI_MAX] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
int kx_priority[PRI_MAX] =
{ GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP,
/* Do not use anonymous authentication, unless you know what that means */
- GNUTLS_KX_ANON_DH, GNUTLS_KX_RSA_EXPORT, 0
+ GNUTLS_KX_SRP_DSS, GNUTLS_KX_SRP_RSA, GNUTLS_KX_ANON_DH,
+ GNUTLS_KX_RSA_EXPORT, 0
};
int cipher_priority[PRI_MAX] =
{ GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_3DES_CBC,
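Review bot: The inserted GNUTLS_KX_SRP_DSS and GNUTLS_KX_SRP_RSA entries now sit directly under the comment `/* Do not use anonymous authentication, unless you know what that means */`, so the warning reads as though it applied to the SRP suites rather than to GNUTLS_KX_ANON_DH, which has moved to the following line. Keep the warning attached to the anonymous suite by ordering the lines as `GNUTLS_KX_SRP_DSS, GNUTLS_KX_SRP_RSA,` / `/* Do not use anonymous authentication, unless you know what that means */` / `GNUTLS_KX_ANON_DH, GNUTLS_KX_RSA_EXPORT, 0`. The kx_priority initializer starts inside the hunk but the surrounding priority tables continue past it.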