From de9bc9b3dc1ec01d39a7a53502066ff93a56d7a9 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Mon, 15 Mar 2010 22:51:43 +0100
Subject: Safe renegotiation is not enabled by default in client side.

---
 lib/ext_safe_renegotiation.c | 13 +++++++++++++
 lib/gnutls_priority.c | 10 +++++++++-
 lib/gnutls_record.c | 4 ++++
 3 files changed, 26 insertions(+), 1 deletion(-)

(limited to 'lib')

diff --git a/lib/ext_safe_renegotiation.c b/lib/ext_safe_renegotiation.c
index 492e9be9b2..51c98d94e7 100644
--- a/lib/ext_safe_renegotiation.c
+++ b/lib/ext_safe_renegotiation.c
@@ -151,3 +151,16 @@ gnutls_safe_renegotiation_set (gnutls_session_t session, int value)
 {
 session->internals.priorities.unsafe_renegotiation = 1-value;
 }
+
+/**
+ * gnutls_safe_renegotiation_status:
+ * @session: is a #gnutls_session_t structure.
+ *
+ * Can be used to check whether safe renegotiation is being used
+ * in the current session. Returns 0 when not and non zero when
+ * used.
+ **/
+int gnutls_safe_renegotiation_status (gnutls_session_t session)
+{
+ return session->internals.connection_using_safe_renegotiation;
+}
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index 869c525ca6..36bdc6370c 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -522,7 +522,11 @@ gnutls_priority_set (gnutls_session_t session, gnutls_priority_t priority)
 *
 * "%COMPAT" will enable compatibility features for a server.
 *
- * "%UNSAFE_RENEGOTIATION" will allow unsafe renegotiation.
+ * "%UNSAFE_RENEGOTIATION" will allow unsafe renegotiation (this is now
+ * the default, but will change once more servers support the safe renegotiation
+ * TLS fix).
+ *
+ * "%SAFE_RENEGOTIATION" will allow safe renegotiation only.
 *
 * "%INITIAL_SAFE_RENEGOTIATION" will force initial safe negotiation even if
 * renegotiation wasn't requested. Only valid for server side.
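Review bot: The new gnutls_safe_renegotiation_status() hands back the raw `connection_using_safe_renegotiation` field while its comment only promises "0 when not and non zero when used"; if that field is ever used to carry more than a flag, callers that compare against 1 will break, so either normalize the result (`return session->internals.connection_using_safe_renegotiation != 0;`) or state in the comment that the value is opaque beyond zero/non-zero. The gtk-doc block should also carry a `Returns:` line, e.g. `Returns: 0 if safe renegotiation is not in use for this session, non-zero otherwise.`, and, if the project's other public API comments do so, a `Since:` line naming the release that introduces the symbol. It is worth adding that the answer is presumably only meaningful once a handshake has completed — the hunk does not show where the field is set, so confirm and document when it is valid. Whether the symbol is exported from the public header cannot be seen from this hunk.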
@@ -571,6 +575,7 @@ gnutls_priority_init (gnutls_priority_t * priority_cache,
 gnutls_assert ();
 return GNUTLS_E_MEMORY_ERROR;
 }
+ (*priority_cache)->unsafe_renegotiation = 1;
 if (priorities == NULL)
 priorities = "NORMAL";
@@ -722,6 +727,9 @@ gnutls_priority_init (gnutls_priority_t * priority_cache,
 else if (strcasecmp (&broken_list[i][1],
 "UNSAFE_RENEGOTIATION") == 0)
 (*priority_cache)->unsafe_renegotiation = 1;
+ else if (strcasecmp (&broken_list[i][1],
+ "SAFE_RENEGOTIATION") == 0)
+ (*priority_cache)->unsafe_renegotiation = 0;
 else if (strcasecmp (&broken_list[i][1],
 "INITIAL_SAFE_RENEGOTIATION") == 0)
 (*priority_cache)->initial_safe_renegotiation = 1;
diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c
index f1cf2ac303..1ea5c2d94b 100644
--- a/lib/gnutls_record.c
+++ b/lib/gnutls_record.c
@@ -904,9 +904,13 @@ begin:
 _gnutls_io_read_buffered (session, &headers, header_size, -1)) != header_size)
 {
+ _gnutls_handshake_log ("XXX[]: ret: %d %s\n", ret, gnutls_strerror(ret));
+
 if (ret < 0 && gnutls_error_is_fatal (ret) == 0)
 return ret;
+ _gnutls_handshake_log ("XXX2[]: ret: %d %s\n", ret, gnutls_strerror(ret));
+
 session_invalidate (session);
 if (type == GNUTLS_ALERT)
 {
-- 
cgit v1.2.1
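Review bot: `(*priority_cache)->unsafe_renegotiation = 1;` makes legacy (pre-RFC 5746) renegotiation the default for every priority cache, yet nothing in the hunk distinguishes client from server, while the commit subject scopes the relaxation to the client side; if servers are meant to keep rejecting peers without the extension, the default needs a role check where it is applied, otherwise the subject and the %UNSAFE_RENEGOTIATION doc text in the earlier hunk should say it applies to both. A why-comment at the assignment would help the next reader, e.g. `/* Permit unsafe renegotiation by default until safe renegotiation is widely deployed; "%SAFE_RENEGOTIATION" turns it off. */`. In the @@ -722 hunk the new "SAFE_RENEGOTIATION" keyword and the existing "UNSAFE_RENEGOTIATION" write the same field, so the last keyword in the priority string wins; that ordering rule is worth stating in the priority-string documentation. gnutls_priority_init begins and ends outside both hunks.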
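Review bot: The two `_gnutls_handshake_log ("XXX[]: ...")` calls added around the fatal-error check read as leftover debugging: the `XXX`/`XXX2` tags are placeholders, the lines are unrelated to the renegotiation default this commit is about, and the first one fires on every short header read, including the non-fatal case that returns on the very next line, so it will be noisy for callers that see many non-fatal reads. Either drop them before merging or keep only the one after the non-fatal return and give it a descriptive tag, e.g. `_gnutls_handshake_log ("REC[%p]: short record header read: %d %s\n", session, ret, gnutls_strerror (ret));` (constructed example, adapt to the file's log-tag convention). The enclosing function starts and ends outside the hunk.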