1 files changed, 352 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22947.patch b/meta/recipes-support/curl/curl/CVE-2021-22947.patch
new file mode 100644
index 0000000000..070a328e27
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22947.patch
@@ -0,0 +1,352 @@
+Backport of:
+From 259b4f2e1fd01fbc55e569ee0a507afeae34f77c Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat <patrick@monnerat.net>
+Date: Tue, 7 Sep 2021 13:26:42 +0200
+Subject: [PATCH] ftp,imap,pop3,smtp: reject STARTTLS server response
+ pipelining
+If a server pipelines future responses within the STARTTLS response, the
+former are preserved in the pingpong cache across TLS negotiation and
+used as responses to the encrypted commands.
+This fix detects pipelined STARTTLS responses and rejects them with an
+error.
+Bug: https://curl.se/docs/CVE-2021-22947.html
+Upstream-Status: backport from 7.68.0-1ubuntu2.7
+Signed-off-by: Mike Crowe <mac@mcrowe.com>
+CVE: CVE-2021-22947
+---
+ lib/ftp.c               |  3 +++
+ lib/imap.c              |  4 +++
+ lib/pop3.c              |  4 +++
+ lib/smtp.c              |  4 +++
+ tests/data/Makefile.inc |  2 ++
+ tests/data/test980      | 52 ++++++++++++++++++++++++++++++++++++
+ tests/data/test981      | 59 +++++++++++++++++++++++++++++++++++++++++
+ tests/data/test982      | 57 +++++++++++++++++++++++++++++++++++++++
+ tests/data/test983      | 52 ++++++++++++++++++++++++++++++++++++
+ 9 files changed, 237 insertions(+)
+ create mode 100644 tests/data/test980
+ create mode 100644 tests/data/test981
+ create mode 100644 tests/data/test982
+ create mode 100644 tests/data/test983
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 91b43d8..31a34e8 100644
+--- a/lib/ftp.c
+++ b/lib/ftp.c
+@@ -2670,6 +2670,9 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+     case FTP_AUTH:
+       /* we have gotten the response to a previous AUTH command */
+ 
+      if(pp->cache_size)
+        return CURLE_WEIRD_SERVER_REPLY; /* Forbid pipelining in response. */
+
+       /* RFC2228 (page 5) says:
+        *
+        * If the server is willing to accept the named security mechanism,
+diff --git a/lib/imap.c b/lib/imap.c
+index 9880ce1..0ca700f 100644
+--- a/lib/imap.c
+++ b/lib/imap.c
+@@ -946,6 +946,10 @@ static CURLcode imap_state_starttls_resp(struct connectdata *conn,
+ 
+   (void)instate; /* no use for this yet */
+ 
+  /* Pipelining in response is forbidden. */
+  if(data->conn->proto.imapc.pp.cache_size)
+    return CURLE_WEIRD_SERVER_REPLY;
+
+   if(imapcode != IMAP_RESP_OK) {
+     if(data->set.use_ssl != CURLUSESSL_TRY) {
+       failf(data, "STARTTLS denied");
+diff --git a/lib/pop3.c b/lib/pop3.c
+index 145b2b4..8a2d52e 100644
+--- a/lib/pop3.c
+++ b/lib/pop3.c
+@@ -753,6 +753,10 @@ static CURLcode pop3_state_starttls_resp(struct connectdata *conn,
+ 
+   (void)instate; /* no use for this yet */
+ 
+  /* Pipelining in response is forbidden. */
+  if(data->conn->proto.pop3c.pp.cache_size)
+    return CURLE_WEIRD_SERVER_REPLY;
+
+   if(pop3code != '+') {
+     if(data->set.use_ssl != CURLUSESSL_TRY) {
+       failf(data, "STARTTLS denied");
+diff --git a/lib/smtp.c b/lib/smtp.c
+index e187287..66183e2 100644
+--- a/lib/smtp.c
+++ b/lib/smtp.c
+@@ -820,6 +820,10 @@ static CURLcode smtp_state_starttls_resp(struct connectdata *conn,
+ 
+   (void)instate; /* no use for this yet */
+ 
+  /* Pipelining in response is forbidden. */
+  if(data->conn->proto.smtpc.pp.cache_size)
+    return CURLE_WEIRD_SERVER_REPLY;
+
+   if(smtpcode != 220) {
+     if(data->set.use_ssl != CURLUSESSL_TRY) {
+       failf(data, "STARTTLS denied, code %d", smtpcode);
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 0fa6799..60e8176 100644
+--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
+@@ -112,6 +112,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
+ test954 test955 test956 test957 test958 test959 test960 test961 test962 \
+ test963 test964 test965 test966 test967 test968 test969 \
+ \
+test980 test981 test982 test983 \
+\
+ test984 test985 test986 \
+ \
+ test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
+diff --git a/tests/data/test980 b/tests/data/test980
+new file mode 100644
+index 0000000..97567f8
+--- /dev/null
+++ b/tests/data/test980
+@@ -0,0 +1,52 @@
+<testcase>
+<info>
+<keywords>
+SMTP
+STARTTLS
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+CAPA STARTTLS
+AUTH PLAIN
+REPLY STARTTLS 454 currently unavailable\r\n235 Authenticated\r\n250 2.1.0 Sender ok\r\n250 2.1.5 Recipient ok\r\n354 Enter mail\r\n250 2.0.0 Accepted
+REPLY AUTH 535 5.7.8 Authentication credentials invalid
+</servercmd>
+</reply>
+
+#
+# Client-side
+<client>
+<features>
+SSL
+</features>
+<server>
+smtp
+</server>
+ <name>
+SMTP STARTTLS pipelined server response
+ </name>
+<stdin>
+mail body
+</stdin>
+ <command>
+smtp://%HOSTIP:%SMTPPORT/%TESTNUMBER --mail-rcpt recipient@example.com --mail-from sender@example.com -u user:secret --ssl --sasl-ir -T -
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+# 8 is CURLE_WEIRD_SERVER_REPLY
+<errorcode>
+8
+</errorcode>
+<protocol>
+EHLO %TESTNUMBER
+STARTTLS
+</protocol>
+</verify>
+</testcase>
+diff --git a/tests/data/test981 b/tests/data/test981
+new file mode 100644
+index 0000000..2b98ce4
+--- /dev/null
+++ b/tests/data/test981
+@@ -0,0 +1,59 @@
+<testcase>
+<info>
+<keywords>
+IMAP
+STARTTLS
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+CAPA STARTTLS
+REPLY STARTTLS A002 BAD currently unavailable\r\nA003 OK Authenticated\r\nA004 OK Accepted
+REPLY LOGIN A003 BAD Authentication credentials invalid
+</servercmd>
+</reply>
+
+#
+# Client-side
+<client>
+<features>
+SSL
+</features>
+<server>
+imap
+</server>
+ <name>
+IMAP STARTTLS pipelined server response
+ </name>
+ <command>
+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl
+</command>
+<file name="log/upload%TESTNUMBER">
+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
+From: Fred Foobar <foobar@example.COM>
+Subject: afternoon meeting
+To: joe@example.com
+Message-Id: <B27397-0100000@example.COM>
+MIME-Version: 1.0
+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
+
+Hello Joe, do you think we can meet at 3:30 tomorrow?
+</file>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+# 8 is CURLE_WEIRD_SERVER_REPLY
+<errorcode>
+8
+</errorcode>
+<protocol>
+A001 CAPABILITY
+A002 STARTTLS
+</protocol>
+</verify>
+</testcase>
+diff --git a/tests/data/test982 b/tests/data/test982
+new file mode 100644
+index 0000000..9e07cc0
+--- /dev/null
+++ b/tests/data/test982
+@@ -0,0 +1,57 @@
+<testcase>
+<info>
+<keywords>
+POP3
+STARTTLS
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+CAPA STLS USER
+REPLY STLS -ERR currently unavailable\r\n+OK user accepted\r\n+OK authenticated
+REPLY PASS -ERR Authentication credentials invalid
+</servercmd>
+<data nocheck="yes">
+From: me@somewhere
+To: fake@nowhere
+
+body
+
+--
+  yours sincerely
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<features>
+SSL
+</features>
+<server>
+pop3
+</server>
+ <name>
+POP3 STARTTLS pipelined server response
+ </name>
+ <command>
+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl
+ </command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+# 8 is CURLE_WEIRD_SERVER_REPLY
+<errorcode>
+8
+</errorcode>
+<protocol>
+CAPA
+STLS
+</protocol>
+</verify>
+</testcase>
+diff --git a/tests/data/test983 b/tests/data/test983
+new file mode 100644
+index 0000000..300ec45
+--- /dev/null
+++ b/tests/data/test983
+@@ -0,0 +1,52 @@
+<testcase>
+<info>
+<keywords>
+FTP
+STARTTLS
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+REPLY AUTH 500 unknown command\r\n500 unknown command\r\n331 give password\r\n230 Authenticated\r\n257 "/"\r\n200 OK\r\n200 OK\r\n200 OK\r\n226 Transfer complete
+REPLY PASS 530 Login incorrect
+</servercmd>
+</reply>
+
+# Client-side
+<client>
+<features>
+SSL
+</features>
+<server>
+ftp
+</server>
+ <name>
+FTP STARTTLS pipelined server response
+ </name>
+<file name="log/test%TESTNUMBER.txt">
+data
+    to
+      see
+that FTPS
+works
+  so does it?
+</file>
+ <command>
+--ssl --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret -P %CLIENTIP
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+# 8 is CURLE_WEIRD_SERVER_REPLY
+<errorcode>
+8
+</errorcode>
+<protocol>
+AUTH SSL
+</protocol>
+</verify>
+</testcase>

diff --git a/meta/recipes-support/curl/curl/CVE-2021-22947.patch b/meta/recipes-support/curl/curl/CVE-2021-22947.patch new file mode 100644 index 0000000000..070a328e27 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22947.patch
@@ -0,0 +1,352 @@
	1	Backport of:
	2
	3	From 259b4f2e1fd01fbc55e569ee0a507afeae34f77c Mon Sep 17 00:00:00 2001
	4	From: Patrick Monnerat <patrick@monnerat.net>
	5	Date: Tue, 7 Sep 2021 13:26:42 +0200
	6	Subject: [PATCH] ftp,imap,pop3,smtp: reject STARTTLS server response
	7	pipelining
	8
	9	If a server pipelines future responses within the STARTTLS response, the
	10	former are preserved in the pingpong cache across TLS negotiation and
	11	used as responses to the encrypted commands.
	12
	13	This fix detects pipelined STARTTLS responses and rejects them with an
	14	error.
	15
	16	Bug: https://curl.se/docs/CVE-2021-22947.html
	17	Upstream-Status: backport from 7.68.0-1ubuntu2.7
	18	Signed-off-by: Mike Crowe <mac@mcrowe.com>
	19	CVE: CVE-2021-22947
	20
	21	---
	22	lib/ftp.c \| 3 +++
	23	lib/imap.c \| 4 +++
	24	lib/pop3.c \| 4 +++
	25	lib/smtp.c \| 4 +++
	26	tests/data/Makefile.inc \| 2 ++
	27	tests/data/test980 \| 52 ++++++++++++++++++++++++++++++++++++
	28	tests/data/test981 \| 59 +++++++++++++++++++++++++++++++++++++++++
	29	tests/data/test982 \| 57 +++++++++++++++++++++++++++++++++++++++
	30	tests/data/test983 \| 52 ++++++++++++++++++++++++++++++++++++
	31	9 files changed, 237 insertions(+)
	32	create mode 100644 tests/data/test980
	33	create mode 100644 tests/data/test981
	34	create mode 100644 tests/data/test982
	35	create mode 100644 tests/data/test983
	36
	37	diff --git a/lib/ftp.c b/lib/ftp.c
	38	index 91b43d8..31a34e8 100644
	39	--- a/lib/ftp.c
	40	+++ b/lib/ftp.c
	41	@@ -2670,6 +2670,9 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
	42	case FTP_AUTH:
	43	/* we have gotten the response to a previous AUTH command */
	44
	45	+ if(pp->cache_size)
	46	+ return CURLE_WEIRD_SERVER_REPLY; /* Forbid pipelining in response. */
	47	+
	48	/* RFC2228 (page 5) says:
	49	*
	50	* If the server is willing to accept the named security mechanism,
	51	diff --git a/lib/imap.c b/lib/imap.c
	52	index 9880ce1..0ca700f 100644
	53	--- a/lib/imap.c
	54	+++ b/lib/imap.c
	55	@@ -946,6 +946,10 @@ static CURLcode imap_state_starttls_resp(struct connectdata *conn,
	56
	57	(void)instate; /* no use for this yet */
	58
	59	+ /* Pipelining in response is forbidden. */
	60	+ if(data->conn->proto.imapc.pp.cache_size)
	61	+ return CURLE_WEIRD_SERVER_REPLY;
	62	+
	63	if(imapcode != IMAP_RESP_OK) {
	64	if(data->set.use_ssl != CURLUSESSL_TRY) {
	65	failf(data, "STARTTLS denied");
	66	diff --git a/lib/pop3.c b/lib/pop3.c
	67	index 145b2b4..8a2d52e 100644
	68	--- a/lib/pop3.c
	69	+++ b/lib/pop3.c
	70	@@ -753,6 +753,10 @@ static CURLcode pop3_state_starttls_resp(struct connectdata *conn,
	71
	72	(void)instate; /* no use for this yet */
	73
	74	+ /* Pipelining in response is forbidden. */
	75	+ if(data->conn->proto.pop3c.pp.cache_size)
	76	+ return CURLE_WEIRD_SERVER_REPLY;
	77	+
	78	if(pop3code != '+') {
	79	if(data->set.use_ssl != CURLUSESSL_TRY) {
	80	failf(data, "STARTTLS denied");
	81	diff --git a/lib/smtp.c b/lib/smtp.c
	82	index e187287..66183e2 100644
	83	--- a/lib/smtp.c
	84	+++ b/lib/smtp.c
	85	@@ -820,6 +820,10 @@ static CURLcode smtp_state_starttls_resp(struct connectdata *conn,
	86
	87	(void)instate; /* no use for this yet */
	88
	89	+ /* Pipelining in response is forbidden. */
	90	+ if(data->conn->proto.smtpc.pp.cache_size)
	91	+ return CURLE_WEIRD_SERVER_REPLY;
	92	+
	93	if(smtpcode != 220) {
	94	if(data->set.use_ssl != CURLUSESSL_TRY) {
	95	failf(data, "STARTTLS denied, code %d", smtpcode);
	96	diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
	97	index 0fa6799..60e8176 100644
	98	--- a/tests/data/Makefile.inc
	99	+++ b/tests/data/Makefile.inc
	100	@@ -112,6 +112,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
	101	test954 test955 test956 test957 test958 test959 test960 test961 test962 \
	102	test963 test964 test965 test966 test967 test968 test969 \
	103	\
	104	+test980 test981 test982 test983 \
	105	+\
	106	test984 test985 test986 \
	107	\
	108	test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
	109	diff --git a/tests/data/test980 b/tests/data/test980
	110	new file mode 100644
	111	index 0000000..97567f8
	112	--- /dev/null
	113	+++ b/tests/data/test980
	114	@@ -0,0 +1,52 @@
	115	+<testcase>
	116	+<info>
	117	+<keywords>
	118	+SMTP
	119	+STARTTLS
	120	+</keywords>
	121	+</info>
	122	+
	123	+#
	124	+# Server-side
	125	+<reply>
	126	+<servercmd>
	127	+CAPA STARTTLS
	128	+AUTH PLAIN
	129	+REPLY STARTTLS 454 currently unavailable\r\n235 Authenticated\r\n250 2.1.0 Sender ok\r\n250 2.1.5 Recipient ok\r\n354 Enter mail\r\n250 2.0.0 Accepted
	130	+REPLY AUTH 535 5.7.8 Authentication credentials invalid
	131	+</servercmd>
	132	+</reply>
	133	+
	134	+#
	135	+# Client-side
	136	+<client>
	137	+<features>
	138	+SSL
	139	+</features>
	140	+<server>
	141	+smtp
	142	+</server>
	143	+ <name>
	144	+SMTP STARTTLS pipelined server response
	145	+ </name>
	146	+<stdin>
	147	+mail body
	148	+</stdin>
	149	+ <command>
	150	+smtp://%HOSTIP:%SMTPPORT/%TESTNUMBER --mail-rcpt recipient@example.com --mail-from sender@example.com -u user:secret --ssl --sasl-ir -T -
	151	+</command>
	152	+</client>
	153	+
	154	+#
	155	+# Verify data after the test has been "shot"
	156	+<verify>
	157	+# 8 is CURLE_WEIRD_SERVER_REPLY
	158	+<errorcode>
	159	+8
	160	+</errorcode>
	161	+<protocol>
	162	+EHLO %TESTNUMBER
	163	+STARTTLS
	164	+</protocol>
	165	+</verify>
	166	+</testcase>
	167	diff --git a/tests/data/test981 b/tests/data/test981
	168	new file mode 100644
	169	index 0000000..2b98ce4
	170	--- /dev/null
	171	+++ b/tests/data/test981
	172	@@ -0,0 +1,59 @@
	173	+<testcase>
	174	+<info>
	175	+<keywords>
	176	+IMAP
	177	+STARTTLS
	178	+</keywords>
	179	+</info>
	180	+
	181	+#
	182	+# Server-side
	183	+<reply>
	184	+<servercmd>
	185	+CAPA STARTTLS
	186	+REPLY STARTTLS A002 BAD currently unavailable\r\nA003 OK Authenticated\r\nA004 OK Accepted
	187	+REPLY LOGIN A003 BAD Authentication credentials invalid
	188	+</servercmd>
	189	+</reply>
	190	+
	191	+#
	192	+# Client-side
	193	+<client>
	194	+<features>
	195	+SSL
	196	+</features>
	197	+<server>
	198	+imap
	199	+</server>
	200	+ <name>
	201	+IMAP STARTTLS pipelined server response
	202	+ </name>
	203	+ <command>
	204	+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl
	205	+</command>
	206	+<file name="log/upload%TESTNUMBER">
	207	+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
	208	+From: Fred Foobar <foobar@example.COM>
	209	+Subject: afternoon meeting
	210	+To: joe@example.com
	211	+Message-Id: <B27397-0100000@example.COM>
	212	+MIME-Version: 1.0
	213	+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
	214	+
	215	+Hello Joe, do you think we can meet at 3:30 tomorrow?
	216	+</file>
	217	+</client>
	218	+
	219	+#
	220	+# Verify data after the test has been "shot"
	221	+<verify>
	222	+# 8 is CURLE_WEIRD_SERVER_REPLY
	223	+<errorcode>
	224	+8
	225	+</errorcode>
	226	+<protocol>
	227	+A001 CAPABILITY
	228	+A002 STARTTLS
	229	+</protocol>
	230	+</verify>
	231	+</testcase>
	232	diff --git a/tests/data/test982 b/tests/data/test982
	233	new file mode 100644
	234	index 0000000..9e07cc0
	235	--- /dev/null
	236	+++ b/tests/data/test982
	237	@@ -0,0 +1,57 @@
	238	+<testcase>
	239	+<info>
	240	+<keywords>
	241	+POP3
	242	+STARTTLS
	243	+</keywords>
	244	+</info>
	245	+
	246	+#
	247	+# Server-side
	248	+<reply>
	249	+<servercmd>
	250	+CAPA STLS USER
	251	+REPLY STLS -ERR currently unavailable\r\n+OK user accepted\r\n+OK authenticated
	252	+REPLY PASS -ERR Authentication credentials invalid
	253	+</servercmd>
	254	+<data nocheck="yes">
	255	+From: me@somewhere
	256	+To: fake@nowhere
	257	+
	258	+body
	259	+
	260	+--
	261	+ yours sincerely
	262	+</data>
	263	+</reply>
	264	+
	265	+#
	266	+# Client-side
	267	+<client>
	268	+<features>
	269	+SSL
	270	+</features>
	271	+<server>
	272	+pop3
	273	+</server>
	274	+ <name>
	275	+POP3 STARTTLS pipelined server response
	276	+ </name>
	277	+ <command>
	278	+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl
	279	+ </command>
	280	+</client>
	281	+
	282	+#
	283	+# Verify data after the test has been "shot"
	284	+<verify>
	285	+# 8 is CURLE_WEIRD_SERVER_REPLY
	286	+<errorcode>
	287	+8
	288	+</errorcode>
	289	+<protocol>
	290	+CAPA
	291	+STLS
	292	+</protocol>
	293	+</verify>
	294	+</testcase>
	295	diff --git a/tests/data/test983 b/tests/data/test983
	296	new file mode 100644
	297	index 0000000..300ec45
	298	--- /dev/null
	299	+++ b/tests/data/test983
	300	@@ -0,0 +1,52 @@
	301	+<testcase>
	302	+<info>
	303	+<keywords>
	304	+FTP
	305	+STARTTLS
	306	+</keywords>
	307	+</info>
	308	+
	309	+#
	310	+# Server-side
	311	+<reply>
	312	+<servercmd>
	313	+REPLY AUTH 500 unknown command\r\n500 unknown command\r\n331 give password\r\n230 Authenticated\r\n257 "/"\r\n200 OK\r\n200 OK\r\n200 OK\r\n226 Transfer complete
	314	+REPLY PASS 530 Login incorrect
	315	+</servercmd>
	316	+</reply>
	317	+
	318	+# Client-side
	319	+<client>
	320	+<features>
	321	+SSL
	322	+</features>
	323	+<server>
	324	+ftp
	325	+</server>
	326	+ <name>
	327	+FTP STARTTLS pipelined server response
	328	+ </name>
	329	+<file name="log/test%TESTNUMBER.txt">
	330	+data
	331	+ to
	332	+ see
	333	+that FTPS
	334	+works
	335	+ so does it?
	336	+</file>
	337	+ <command>
	338	+--ssl --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret -P %CLIENTIP
	339	+</command>
	340	+</client>
	341	+
	342	+# Verify data after the test has been "shot"
	343	+<verify>
	344	+# 8 is CURLE_WEIRD_SERVER_REPLY
	345	+<errorcode>
	346	+8
	347	+</errorcode>
	348	+<protocol>
	349	+AUTH SSL
	350	+</protocol>
	351	+</verify>
	352	+</testcase>