diff options
| -rw-r--r-- | NEWS | 8 | ||||
| -rw-r--r-- | doc/manpages/gnutls-cli.1 | 5 | ||||
| -rw-r--r-- | doc/manpages/gnutls-serv.1 | 5 | ||||
| -rw-r--r-- | lib/ext_safe_renegotiation.c | 13 | ||||
| -rw-r--r-- | lib/gnutls_priority.c | 10 | ||||
| -rw-r--r-- | lib/gnutls_record.c | 4 |
6 files changed, 37 insertions, 8 deletions
@@ -12,9 +12,10 @@ unless GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS flag is specified. Solves the issue discussed in: <http://www.ietf.org/mail-archive/web/tls/current/msg03928.html> and <http://www.ietf.org/mail-archive/web/tls/current/msg03948.html>. -Note that the TLS client implemented here will reject any connections -to unsafe servers unless the priority string %UNSAFE_RENEGOTIATION is -specified. +Note that to allow connecting to unpatched servers the full protection +is only enabled if the priority string %SAFE_RENEGOTIATION is +specified. You can check whether protection is in place by querying +gnutls_safe_renegotiation_status(). ** libgnutls: When checking openpgp self signature also check the signatures ** of all subkeys. @@ -56,6 +57,7 @@ Daniel Nylander, Tao Wei, and Aron Xu. ** doc: The GTK-DOC manual is significantly improved. ** API and ABI modifications: +gnutls_safe_renegotiation_status: Added gnutls_cipher_decrypt: Added gnutls_cipher_deinit: Added gnutls_cipher_encrypt: Added diff --git a/doc/manpages/gnutls-cli.1 b/doc/manpages/gnutls-cli.1 index 6ca8da4266..4e1f48372e 100644 --- a/doc/manpages/gnutls-cli.1 +++ b/doc/manpages/gnutls-cli.1 @@ -78,8 +78,9 @@ Special keywords: "%SSL3_RECORD_VERSION" force SSL3.0 record version in the first client hello. This is to avoid buggy servers from terminating connection. .IP -"%UNSAFE_RENEGOTIATION" will enable unsafe renegotiation (default -behaviour at 2.8.5 and earlier releases) +"%UNSAFE_RENEGOTIATION" will enable unsafe renegotiation (default) +.IP +"%SAFE_RENEGOTIATION" will enable safe renegotiation. .IP To avoid collisions in order to specify a compression algorithm in this string you have to prefix it with "COMP-", protocol versions diff --git a/doc/manpages/gnutls-serv.1 b/doc/manpages/gnutls-serv.1 index b056583695..710dfc3d19 100644 --- a/doc/manpages/gnutls-serv.1 +++ b/doc/manpages/gnutls-serv.1 @@ -75,8 +75,9 @@ Special keywords: .IP "%COMPAT" will enable compatibility features for a server. .IP -"%UNSAFE_RENEGOTIATION" will enable unsafe renegotiation (default -behaviour at 2.8.5 and earlier releases) +"%UNSAFE_RENEGOTIATION" will enable unsafe renegotiation (default). +.IP +"%SAFE_RENEGOTIATION" will enable safe renegotiation. .IP "%INITIAL_SAFE_RENEGOTIATION" will force initial safe negotiation even if renegotiation wasn't requested. diff --git a/lib/ext_safe_renegotiation.c b/lib/ext_safe_renegotiation.c index 492e9be9b2..51c98d94e7 100644 --- a/lib/ext_safe_renegotiation.c +++ b/lib/ext_safe_renegotiation.c @@ -151,3 +151,16 @@ gnutls_safe_renegotiation_set (gnutls_session_t session, int value) { session->internals.priorities.unsafe_renegotiation = 1-value; } + +/** + * gnutls_safe_renegotiation_status: + * @session: is a #gnutls_session_t structure. + * + * Can be used to check whether safe renegotiation is being used + * in the current session. Returns 0 when not and non zero when + * used. + **/ +int gnutls_safe_renegotiation_status (gnutls_session_t session) +{ + return session->internals.connection_using_safe_renegotiation; +} diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c index 869c525ca6..36bdc6370c 100644 --- a/lib/gnutls_priority.c +++ b/lib/gnutls_priority.c @@ -522,7 +522,11 @@ gnutls_priority_set (gnutls_session_t session, gnutls_priority_t priority) * * "%COMPAT" will enable compatibility features for a server. * - * "%UNSAFE_RENEGOTIATION" will allow unsafe renegotiation. + * "%UNSAFE_RENEGOTIATION" will allow unsafe renegotiation (this is now + * the default, but will change once more servers support the safe renegotiation + * TLS fix). + * + * "%SAFE_RENEGOTIATION" will allow safe renegotiation only. * * "%INITIAL_SAFE_RENEGOTIATION" will force initial safe negotiation even if * renegotiation wasn't requested. Only valid for server side. @@ -571,6 +575,7 @@ gnutls_priority_init (gnutls_priority_t * priority_cache, gnutls_assert (); return GNUTLS_E_MEMORY_ERROR; } + (*priority_cache)->unsafe_renegotiation = 1; if (priorities == NULL) priorities = "NORMAL"; @@ -723,6 +728,9 @@ gnutls_priority_init (gnutls_priority_t * priority_cache, "UNSAFE_RENEGOTIATION") == 0) (*priority_cache)->unsafe_renegotiation = 1; else if (strcasecmp (&broken_list[i][1], + "SAFE_RENEGOTIATION") == 0) + (*priority_cache)->unsafe_renegotiation = 0; + else if (strcasecmp (&broken_list[i][1], "INITIAL_SAFE_RENEGOTIATION") == 0) (*priority_cache)->initial_safe_renegotiation = 1; else if (strcasecmp (&broken_list[i][1], diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c index f1cf2ac303..1ea5c2d94b 100644 --- a/lib/gnutls_record.c +++ b/lib/gnutls_record.c @@ -904,9 +904,13 @@ begin: _gnutls_io_read_buffered (session, &headers, header_size, -1)) != header_size) { + _gnutls_handshake_log ("XXX[]: ret: %d %s\n", ret, gnutls_strerror(ret)); + if (ret < 0 && gnutls_error_is_fatal (ret) == 0) return ret; + _gnutls_handshake_log ("XXX2[]: ret: %d %s\n", ret, gnutls_strerror(ret)); + session_invalidate (session); if (type == GNUTLS_ALERT) { |