author | Nikos <nmav@crystal.(none)> | 2007-11-10 08:17:20 +0200 |
---|---|---|
committer | Nikos <nmav@crystal.(none)> | 2007-11-10 08:17:20 +0200 |
commit | a923cc605a40cf73dbb40de0ac46978674e388fd (patch) | |
tree | f30eff0b78d48b72b12327bbac6f15bd68984572 | |
parent | 9d26503f24019ea0b2d6740706dc7bc9cea53a7f (diff) | |
backported fixes.
-rw-r--r-- | NEWS | 20 | ||||
-rwxr-xr-x | build-aux/config.rpath | 102 | ||||
-rw-r--r-- | configure.in | 8 | ||||
-rw-r--r-- | includes/gnutls/gnutls.h.in | 3 | ||||
-rw-r--r-- | lib/gnutls_dh_primes.c | 8 | ||||
-rw-r--r-- | lib/gnutls_handshake.c | 19 | ||||
-rw-r--r-- | lib/gnutls_int.h | 2 | ||||
-rw-r--r-- | lib/gnutls_record.c | 22 | ||||
-rw-r--r-- | lib/gnutls_state.c | 20 |
9 files changed, 109 insertions, 95 deletions
@@ -3,6 +3,26 @@ Copyright (C) 2004, 2005, 2006, 2007 Simon Josefsson
 Copyright (C) 2000, 2001, 2002, 2003, 2004 Nikos Mavroyanopoulos
 See the end for copying conditions.
+* Version 2.0.3 (unreleased)
+
+** This version backports several fixes from the 2.1.x branch.
+
+** Fixed PKCS #3 parameter export.
+
+** Added gnutls_record_disable_padding() to allow servers talking to
+buggy clients that complain if the TLS 1.0 record protocol padding is
+used.
+
+** Introduced gnutls_session_enable_compatibility_mode() to allow enabling
+all supported compatibility options (like disabling padding).
+
+** Corrected bug which did not allow a server to run without supporting
+certificates.
+
+** API and ABI modifications:
+gnutls_session_enable_compatibility_mode: ADDED
+gnutls_record_disable_padding: ADDED
+
 * Version 2.0.2 (released 2007-10-17)
 ** TLS authorization support removed.
diff --git a/build-aux/config.rpath b/build-aux/config.rpath
index c547c68825..c492a93b66 100755
--- a/build-aux/config.rpath
+++ b/build-aux/config.rpath
@@ -2,7 +2,7 @@
 # Output a system dependent set of variables, describing how to set the
 # run time search path of shared libraries in an executable.
 #
-# Copyright 1996-2007 Free Software Foundation, Inc.
+# Copyright 1996-2006 Free Software Foundation, Inc.
 # Taken from GNU libtool, 2001
 # Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
 #
@@ -64,7 +64,7 @@ else
 ;;
 esac
 ;;
- mingw* | cygwin* | pw32* | os2*)
+ mingw* | pw32* | os2*)
 ;;
 hpux9* | hpux10* | hpux11*)
 wl='-Wl,'
@@ -74,7 +74,7 @@ else
 ;;
 newsos6)
 ;;
- linux* | k*bsd*-gnu)
+ linux*)
 case $cc_basename in
 icc* | ecc*)
 wl='-Wl,'
@@ -100,7 +100,7 @@ else
 osf3* | osf4* | osf5*)
 wl='-Wl,'
 ;;
- rdos*)
+ sco3.2v5*)
 ;;
 solaris*)
 wl='-Wl,'
@@ -108,14 +108,11 @@ else sunos4*) wl='-Qoption ld ' ;; - sysv4 | sysv4.2uw2* | sysv4.3*) + sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*) wl='-Wl,' ;; sysv4*MP*) ;; - sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*) - wl='-Wl,' - ;; unicos*) wl='-Wl,' ;;
@@ -192,11 +189,11 @@ if test "$with_gnu_ld" = yes; then ld_shlibs=no fi ;; - interix[3-9]*) + interix3*) hardcode_direct=no hardcode_libdir_flag_spec='${wl}-rpath,$libdir' ;; - gnu* | linux* | k*bsd*-gnu) + linux*) if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then : else
@@ -283,7 +280,7 @@ else strings "$collect2name" | grep resolve_lib_name >/dev/null then # We have reworked collect2 - : + hardcode_direct=yes else # We have old collect2 hardcode_direct=unsupported
@@ -362,7 +359,7 @@ else hardcode_direct=yes hardcode_minus_L=yes ;; - freebsd* | dragonfly*) + freebsd* | kfreebsd*-gnu | dragonfly*) hardcode_libdir_flag_spec='-R$libdir' hardcode_direct=yes ;;
@@ -415,22 +412,18 @@ else hardcode_libdir_separator=: ;; openbsd*) - if test -f /usr/libexec/ld.so; then - hardcode_direct=yes - if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then - hardcode_libdir_flag_spec='${wl}-rpath,$libdir' - else - case "$host_os" in - openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*) - hardcode_libdir_flag_spec='-R$libdir' - ;; - *) - hardcode_libdir_flag_spec='${wl}-rpath,$libdir' - ;; - esac - fi + hardcode_direct=yes + if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then + hardcode_libdir_flag_spec='${wl}-rpath,$libdir' else - ld_shlibs=no + case "$host_os" in + openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*) + hardcode_libdir_flag_spec='-R$libdir' + ;; + *) + hardcode_libdir_flag_spec='${wl}-rpath,$libdir' + ;; + esac fi ;; os2*)
@@ -478,7 +471,7 @@ else ld_shlibs=yes fi ;; - sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*) + sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7*) ;; sysv5* | sco3.2v5* | sco5v6*) hardcode_libdir_flag_spec='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
@@ -495,51 +488,33 @@ fi # Check dynamic linker characteristics # Code taken from libtool.m4's AC_LIBTOOL_SYS_DYNAMIC_LINKER. -# Unlike libtool.m4, here we don't care about _all_ names of the library, but -# only about the one the linker finds when passed -lNAME. This is the last -# element of library_names_spec in libtool.m4, or possibly two of them if the -# linker has special search rules. -library_names_spec= # the last element of library_names_spec in libtool.m4 libname_spec='lib$name' case "$host_os" in aix3*) - library_names_spec='$libname.a' ;; aix4* | aix5*) - library_names_spec='$libname$shrext' ;; amigaos*) - library_names_spec='$libname.a' ;; beos*) - library_names_spec='$libname$shrext' ;; bsdi[45]*) - library_names_spec='$libname$shrext' ;; cygwin* | mingw* | pw32*) shrext=.dll - library_names_spec='$libname.dll.a $libname.lib' ;; darwin* | rhapsody*) shrext=.dylib - library_names_spec='$libname$shrext' ;; dgux*) - library_names_spec='$libname$shrext' ;; freebsd1*) ;; + kfreebsd*-gnu) + ;; freebsd* | dragonfly*) - case "$host_os" in - freebsd[123]*) - library_names_spec='$libname$shrext$versuffix' ;; - *) - library_names_spec='$libname$shrext' ;; - esac ;; gnu*) - library_names_spec='$libname$shrext' ;; hpux9* | hpux10* | hpux11*) case $host_cpu in
@@ -553,13 +528,10 @@ case "$host_os" in shrext=.sl ;; esac - library_names_spec='$libname$shrext' ;; - interix[3-9]*) - library_names_spec='$libname$shrext' + interix3*) ;; irix5* | irix6* | nonstopux*) - library_names_spec='$libname$shrext' case "$host_os" in irix5* | nonstopux*) libsuff= shlibsuff=
@@ -576,59 +548,41 @@ case "$host_os" in ;; linux*oldld* | linux*aout* | linux*coff*) ;; - linux* | k*bsd*-gnu) - library_names_spec='$libname$shrext' + linux*) ;; knetbsd*-gnu) - library_names_spec='$libname$shrext' ;; netbsd*) - library_names_spec='$libname$shrext' ;; newsos6) - library_names_spec='$libname$shrext' ;; nto-qnx*) - library_names_spec='$libname$shrext' ;; openbsd*) - library_names_spec='$libname$shrext$versuffix' ;; os2*) libname_spec='$name' shrext=.dll - library_names_spec='$libname.a' ;; osf3* | osf4* | osf5*) - library_names_spec='$libname$shrext' - ;; - rdos*) ;; solaris*) - library_names_spec='$libname$shrext' ;; sunos4*) - library_names_spec='$libname$shrext$versuffix' ;; sysv4 | sysv4.3*) - library_names_spec='$libname$shrext' ;; sysv4*MP*) - library_names_spec='$libname$shrext' ;; sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*) - library_names_spec='$libname$shrext' ;; uts4*) - library_names_spec='$libname$shrext' ;; esac sed_quote_subst='s/\(["`$\\]\)/\\\1/g' escaped_wl=`echo "X$wl" | sed -e 's/^X//' -e "$sed_quote_subst"` shlibext=`echo "$shrext" | sed -e 's,^\.,,'` -escaped_libname_spec=`echo "X$libname_spec" | sed -e 's/^X//' -e "$sed_quote_subst"` -escaped_library_names_spec=`echo "X$library_names_spec" | sed -e 's/^X//' -e "$sed_quote_subst"` escaped_hardcode_libdir_flag_spec=`echo "X$hardcode_libdir_flag_spec" | sed -e 's/^X//' -e "$sed_quote_subst"` LC_ALL=C sed -e 's/^\([a-zA-Z0-9_]*\)=/acl_cv_\1=/' <<EOF
@@ -642,12 +596,6 @@ libext="$libext" # Shared library suffix (normally "so"). shlibext="$shlibext" -# Format of library name prefix. -libname_spec="$escaped_libname_spec" - -# Library names that the linker finds when passed -lNAME. -library_names_spec="$escaped_library_names_spec" - # Flag to hardcode \$libdir into a binary during linking. # This must work even if \$libdir does not exist. hardcode_libdir_flag_spec="$escaped_hardcode_libdir_flag_spec"
diff --git a/configure.in b/configure.in
index 48ada07b0e..cdb3bd678e 100644
--- a/configure.in
+++ b/configure.in
@@ -21,7 +21,7 @@ dnl Process this file with autoconf to produce a configure script.
 # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 AC_PREREQ(2.61)
-AC_INIT([GnuTLS], [2.0.2], [bug-gnutls@gnu.org])
+AC_INIT([GnuTLS], [2.0.3], [bug-gnutls@gnu.org])
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CANONICAL_TARGET
@@ -35,9 +35,9 @@ AB_INIT
 # Interfaces changed/added/removed: CURRENT++ REVISION=0 # Interfaces added: AGE++ # Interfaces removed: AGE=0
-AC_SUBST(LT_CURRENT, 21)
-AC_SUBST(LT_REVISION, 5)
-AC_SUBST(LT_AGE, 8)
+AC_SUBST(LT_CURRENT, 22)
+AC_SUBST(LT_REVISION, 6)
+AC_SUBST(LT_AGE, 9)
 ac_full=1 # Used when creating the Windows libgnutls-XX.def files.
diff --git a/includes/gnutls/gnutls.h.in b/includes/gnutls/gnutls.h.in
index 535494669b..dac2404e75 100644
--- a/includes/gnutls/gnutls.h.in
+++ b/includes/gnutls/gnutls.h.in
@@ -366,6 +366,9 @@ extern "C"
 size_t gnutls_cipher_get_key_size (gnutls_cipher_algorithm_t algorithm);
+ void gnutls_session_enable_compatibility_mode (gnutls_session_t session);
+ void gnutls_record_disable_padding (gnutls_session_t session);
+
 /* the name of the specified algorithms */
 const char *gnutls_cipher_get_name (gnutls_cipher_algorithm_t algorithm);
 const char *gnutls_mac_get_name (gnutls_mac_algorithm_t algorithm);
diff --git a/lib/gnutls_dh_primes.c b/lib/gnutls_dh_primes.c
index 5f311c72ef..0312e23fb6 100644
--- a/lib/gnutls_dh_primes.c
+++ b/lib/gnutls_dh_primes.c
@@ -421,8 +421,8 @@ gnutls_dh_params_export_pkcs3 (gnutls_dh_params_t params,
 opaque *p_data, *g_data;
 opaque *all_data;
- _gnutls_mpi_print (NULL, &g_size, params->params[1]);
- _gnutls_mpi_print (NULL, &p_size, params->params[0]);
+ _gnutls_mpi_print_lz (NULL, &g_size, params->params[1]);
+ _gnutls_mpi_print_lz (NULL, &p_size, params->params[0]);
 all_data = gnutls_malloc (g_size + p_size);
 if (all_data == NULL)
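Review bot: Both `_gnutls_mpi_print_lz` size queries still discard their return value, so if either call fails `g_size`/`p_size` keep whatever they held before and `gnutls_malloc (g_size + p_size)` and the later writes run on an unvalidated size; the same applies to the two writing calls in the next hunk (`@@ -434,8`), where a failure would leave `all_data` partly uninitialised before it reaches the ASN.1 encoder. I cannot see from here how the size query signals its result (a negative code such as `GNUTLS_E_SHORT_MEMORY_BUFFER` for the NULL-buffer case is what the rest of gnutls does, but confirm against `_gnutls_mpi_print_lz`), so each call should be checked in the form the function already uses for `gnutls_malloc`, e.g. `ret = _gnutls_mpi_print_lz (p_data, &p_size, params->params[0]);` / `if (ret < 0) { gnutls_assert (); /* release all_data and return ret */ }`. If, as the suffix suggests, `_lz` keeps a leading zero octet so that a prime with its top bit set is encoded as a positive DER INTEGER, a one-line comment on the first call saying so would explain why the plain `_gnutls_mpi_print` was wrong for PKCS #3 export. `gnutls_dh_params_export_pkcs3` starts before this hunk and continues after it.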
@@ -434,8 +434,8 @@ gnutls_dh_params_export_pkcs3 (gnutls_dh_params_t params,
 p_data = &all_data[0];
 g_data = &all_data[p_size];
- _gnutls_mpi_print (p_data, &p_size, params->params[0]);
- _gnutls_mpi_print (g_data, &g_size, params->params[1]);
+ _gnutls_mpi_print_lz (p_data, &p_size, params->params[0]);
+ _gnutls_mpi_print_lz (g_data, &g_size, params->params[1]);
 /* Ok. Now we have the data. Create the asn1 structures */
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index f8d2724ff3..3787796b37 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -2801,11 +2801,11 @@ _gnutls_remove_unwanted_ciphersuites (gnutls_session_t session,
 int ret = 0;
 cipher_suite_st *newSuite, cs;
 int newSuiteSize = 0, i;
- gnutls_certificate_credentials_t x509_cred;
+ gnutls_certificate_credentials_t cert_cred;
 gnutls_kx_algorithm_t kx;
 int server = session->security_parameters.entity == GNUTLS_SERVER ? 1 : 0;
- gnutls_kx_algorithm_t *alg;
- int alg_size;
+ gnutls_kx_algorithm_t *alg = NULL;
+ int alg_size = 0;
 /* if we should use a specific certificate,
 * we should remove all algorithms that are not supported
@@ -2813,29 +2813,30 @@ _gnutls_remove_unwanted_ciphersuites (gnutls_session_t session,
 * method (CERTIFICATE).
 */
- x509_cred =
+ cert_cred =
 (gnutls_certificate_credentials_t) _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL);
- /* if x509_cred==NULL we should remove all X509 ciphersuites
+ /* If there are certificate credentials, find an appropriate certificate
+ * or disable them;
 */
-
 if (session->security_parameters.entity == GNUTLS_SERVER
- && x509_cred != NULL)
+ && cert_cred != NULL)
 {
 ret = _gnutls_server_select_cert (session, requested_pk_algo);
 if (ret < 0)
 {
 gnutls_assert ();
- return ret;
+ _gnutls_x509_log("Could not find an appropriate certificate: %s\n", gnutls_strerror(ret));
+ cert_cred = NULL;
 }
 }
 /* get all the key exchange algorithms that are
 * supported by the X509 certificate parameters.
 */
- if ((ret =
+ if (cert_cred != NULL && (ret =
 _gnutls_selected_cert_supported_kx (session, &alg, &alg_size)) < 0)
 {
 gnutls_assert ();
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 69156c0161..8c3928549a 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -447,6 +447,8 @@ typedef struct
 /* sockets internals */
 int lowat;
+
+ int no_padding;
 /* These buffers are used in the handshake
 * protocol only. freed using _gnutls_handshake_io_buffer_clear();
diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c
index 0db66a9163..990526edd7 100644
--- a/lib/gnutls_record.c
+++ b/lib/gnutls_record.c
@@ -393,7 +393,7 @@ _gnutls_send_int (gnutls_session_t session, content_type_t type,
 cipher_size = _gnutls_encrypt (session, headers, RECORD_HEADER_SIZE, data,
- data2send_size, cipher, cipher_size, type, 1);
+ data2send_size, cipher, cipher_size, type, (session->internals.no_padding==0)?1:0);
 if (cipher_size <= 0)
 {
 gnutls_assert ();
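Review bot: After `_gnutls_server_select_cert` fails the new code logs, sets `cert_cred = NULL` and carries on, but `ret` still holds that negative error; `_gnutls_remove_unwanted_ciphersuites` continues well past this hunk, and any later path that returns `ret` without reassigning it would turn the deliberately tolerated failure back into an error for the caller. Clearing it where the fallback is chosen makes the intent explicit: `cert_cred = NULL;` followed by `ret = 0;`. The `_gnutls_x509_log(...)` line also drops the `name (args)` spacing and the line wrapping the surrounding code uses. With `cert_cred == NULL` the `alg`/`alg_size` pair stays at its new `NULL`/`0` initialisation from the previous hunk, so the filtering that follows (outside this hunk) has to treat "no usable certificate" as "remove every certificate-based suite" rather than as an error, which is worth confirming in the rest of the function.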
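Review bot: The new `no_padding` member is the only field in view without a comment, while its neighbours are introduced by `/* sockets internals */` and `/* These buffers are used in the handshake ... */`; suggest `int no_padding; /* set by gnutls_record_disable_padding(); _gnutls_send_int then asks _gnutls_encrypt not to pad outgoing records */`. Padding stays enabled by default only if the enclosing structure is zero-filled when the session is created, which happens outside this hunk, so that should be confirmed rather than relied on implicitly. The `typedef struct` this field belongs to begins before the hunk and ends after it.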
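Review bot: `(session->internals.no_padding==0)?1:0` is a roundabout spelling of `!session->internals.no_padding`, which yields the same 0/1 `int`, and the widened line breaks the wrapping of the `_gnutls_encrypt` call; suggest `data2send_size, cipher, cipher_size, type,` / `!session->internals.no_padding);`. Every record that goes through `_gnutls_send_int` now consults this session-wide flag, so a short comment at the call site saying that a zero last argument turns off the random record padding (and therefore exposes exact plaintext lengths on the wire) would help the next reader understand why a compatibility switch sits here. `_gnutls_send_int` starts before this hunk and continues after it.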
@@ -1211,3 +1211,23 @@ gnutls_record_set_max_size (gnutls_session_t session, size_t size)
 return 0;
 }
+
+/**
+ * gnutls_record_disable_padding - Used to disabled padding in TLS 1.0 and above
+ * @session: is a #gnutls_session_t structure.
+ *
+ * Used to disabled padding in TLS 1.0 and above. Normally you do not need
+ * to use this function, but there are buggy clients that complain if a
+ * server pads the encrypted data. This of course will disable protection
+ * against statistical attacks on the data.
+ *
+ * Normally only servers that require maximum compatibility with everything
+ * out there, need to call this function.
+ *
+ **/
+void gnutls_record_disable_padding (gnutls_session_t session)
+ {
+ session->internals.no_padding = 1;
+ }
+
+
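Review bot: The kernel-doc header says "Used to disabled padding" twice; both should read "Used to disable padding", and the security sentence is vague — "This of course will disable protection against statistical attacks on the data" would be clearer as "Without padding the length of every record reveals the exact plaintext length, which weakens protection against traffic-analysis attacks". The function body puts `{` and `}` two columns in, unlike the sibling `gnutls_session_enable_compatibility_mode` added in this same commit, which places `void`, the name and the braces at column 0 in the file's GNU style; and the hunk ends with two empty added lines and no final newline (the `\ No newline at end of file` marker follows). `gnutls_record_set_max_size` ends in the first context lines of this hunk, so the new function is complete here.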
\ No newline at end of file
diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c
index 7e07e6773d..08f3049cbb 100644
--- a/lib/gnutls_state.c
+++ b/lib/gnutls_state.c
@@ -1209,3 +1209,23 @@ _gnutls_rsa_pms_set_version (gnutls_session_t session,
 session->internals.rsa_pms_version[0] = major;
 session->internals.rsa_pms_version[1] = minor;
 }
+
+
+/**
+ * gnutls_session_enable_compatibility_mode - Used to disable certain features in TLS in order to honour compatibility
+ * @session: is a #gnutls_session_t structure.
+ *
+ * This function can be used to disable certain (security) features in TLS
+ * in order to maintain maximum compatibility with buggy clients. It is
+ * equivalent to calling:
+ * gnutls_record_disable_padding()
+ * Normally only servers that require maximum compatibility with everything
+ * out there, need to call this function.
+ *
+ **/
+void
+gnutls_session_enable_compatibility_mode (gnutls_session_t session)
+{
+ gnutls_record_disable_padding( session);
+} |
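Review bot: The documentation should say that "compatibility mode" is an umbrella that may grow: today it is exactly `gnutls_record_disable_padding()`, but callers opting in accept whatever security features later releases add to this list, so a sentence such as "Future versions may disable additional features under this call; applications that need precise control should call the individual functions instead" belongs in the header. The call `gnutls_record_disable_padding( session);` also breaks the file's `name (args)` spacing; write `gnutls_record_disable_padding (session);`. The summary line "in order to honour compatibility" reads awkwardly; "in order to stay compatible with buggy peers" says the same thing. `_gnutls_rsa_pms_set_version` ends in the context lines at the top of this hunk, so the new function is complete here.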