| blob | 6008276b7387265b6e3ed3c543094de228da9fc6 |
1 /*
2 * Copyright (C) 2004-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
23 /* Here lies the code of the gnutls_*_set_priority() functions.
24 */
29 #include <gnutls_num.h>
31 static void
36 /**
37 * gnutls_cipher_set_priority:
38 * @session: is a #gnutls_session_t structure.
39 * @list: is a 0 terminated list of gnutls_cipher_algorithm_t elements.
40 *
41 * Sets the priority on the ciphers supported by gnutls. Priority is
42 * higher for elements specified before others. After specifying the
43 * ciphers you want, you must append a 0. Note that the priority is
44 * set on the client. The server does not use the algorithm's
45 * priority except for disabling algorithms that were not specified.
46 *
47 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
48 **/
49 int
51 {
55 num++;
61 {
63 }
66 }
72 {
76 num++;
82 {
84 }
87 }
89 static void
91 {
93 }
95 /**
96 * gnutls_kx_set_priority:
97 * @session: is a #gnutls_session_t structure.
98 * @list: is a 0 terminated list of gnutls_kx_algorithm_t elements.
99 *
100 * Sets the priority on the key exchange algorithms supported by
101 * gnutls. Priority is higher for elements specified before others.
102 * After specifying the algorithms you want, you must append a 0.
103 * Note that the priority is set on the client. The server does not
104 * use the algorithm's priority except for disabling algorithms that
105 * were not specified.
106 *
107 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
108 **/
109 int
111 {
114 }
116 /**
117 * gnutls_mac_set_priority:
118 * @session: is a #gnutls_session_t structure.
119 * @list: is a 0 terminated list of gnutls_mac_algorithm_t elements.
120 *
121 * Sets the priority on the mac algorithms supported by gnutls.
122 * Priority is higher for elements specified before others. After
123 * specifying the algorithms you want, you must append a 0. Note
124 * that the priority is set on the client. The server does not use
125 * the algorithm's priority except for disabling algorithms that were
126 * not specified.
127 *
128 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
129 **/
130 int
132 {
135 }
137 /**
138 * gnutls_compression_set_priority:
139 * @session: is a #gnutls_session_t structure.
140 * @list: is a 0 terminated list of gnutls_compression_method_t elements.
141 *
142 * Sets the priority on the compression algorithms supported by
143 * gnutls. Priority is higher for elements specified before others.
144 * After specifying the algorithms you want, you must append a 0.
145 * Note that the priority is set on the client. The server does not
146 * use the algorithm's priority except for disabling algorithms that
147 * were not specified.
148 *
149 * TLS 1.0 does not define any compression algorithms except
150 * NULL. Other compression algorithms are to be considered as gnutls
151 * extensions.
152 *
153 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
154 **/
155 int
157 {
160 }
162 /**
163 * gnutls_protocol_set_priority:
164 * @session: is a #gnutls_session_t structure.
165 * @list: is a 0 terminated list of gnutls_protocol_t elements.
166 *
167 * Sets the priority on the protocol versions supported by gnutls.
168 * This function actually enables or disables protocols. Newer protocol
169 * versions always have highest priority.
170 *
171 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
172 **/
173 int
175 {
178 /* set the current version to the first in the chain.
179 * This will be overridden later.
180 */
185 }
187 /**
188 * gnutls_certificate_type_set_priority:
189 * @session: is a #gnutls_session_t structure.
190 * @list: is a 0 terminated list of gnutls_certificate_type_t elements.
191 *
192 * Sets the priority on the certificate types supported by gnutls.
193 * Priority is higher for elements specified before others.
194 * After specifying the types you want, you must append a 0.
195 * Note that the certificate type priority is set on the client.
196 * The server does not use the cert type priority except for disabling
197 * types that were not specified.
198 *
199 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
200 **/
201 int
204 {
205 #ifdef ENABLE_OPENPGP
208 #else
212 #endif
213 }
216 GNUTLS_ECC_CURVE_SECP192R1,
217 GNUTLS_ECC_CURVE_SECP224R1,
218 GNUTLS_ECC_CURVE_SECP256R1,
219 GNUTLS_ECC_CURVE_SECP384R1,
220 GNUTLS_ECC_CURVE_SECP521R1,
221 0
222 };
225 GNUTLS_ECC_CURVE_SECP256R1,
226 GNUTLS_ECC_CURVE_SECP384R1,
227 GNUTLS_ECC_CURVE_SECP521R1,
228 0
229 };
232 GNUTLS_ECC_CURVE_SECP256R1,
233 GNUTLS_ECC_CURVE_SECP384R1,
234 0
235 };
238 GNUTLS_ECC_CURVE_SECP384R1,
239 0
240 };
243 GNUTLS_ECC_CURVE_SECP384R1,
244 GNUTLS_ECC_CURVE_SECP521R1,
245 0
246 };
249 GNUTLS_TLS1_2,
250 GNUTLS_TLS1_1,
251 GNUTLS_TLS1_0,
252 GNUTLS_SSL3,
253 GNUTLS_DTLS1_0,
254 0
255 };
258 GNUTLS_TLS1_2,
259 0
260 };
263 GNUTLS_KX_RSA,
264 GNUTLS_KX_ECDHE_ECDSA,
265 GNUTLS_KX_ECDHE_RSA,
266 GNUTLS_KX_DHE_RSA,
267 GNUTLS_KX_DHE_DSS,
268 0
269 };
272 GNUTLS_KX_ECDHE_ECDSA,
273 0
274 };
277 GNUTLS_KX_RSA,
278 GNUTLS_KX_ECDHE_ECDSA,
279 GNUTLS_KX_ECDHE_RSA,
280 GNUTLS_KX_DHE_RSA,
281 GNUTLS_KX_DHE_DSS,
282 GNUTLS_KX_RSA_EXPORT,
283 0
284 };
287 /* The ciphersuites that offer forward secrecy take
288 * precedence
289 */
290 GNUTLS_KX_ECDHE_ECDSA,
291 GNUTLS_KX_ECDHE_RSA,
292 GNUTLS_KX_DHE_RSA,
293 GNUTLS_KX_DHE_DSS,
294 GNUTLS_KX_RSA,
295 /* GNUTLS_KX_ANON_DH: Man-in-the-middle prone, don't add!
296 * GNUTLS_KX_RSA_EXPORT: Deprecated, don't add!
297 */
298 0
299 };
302 GNUTLS_CIPHER_ARCFOUR_128,
303 GNUTLS_CIPHER_AES_128_CBC,
304 GNUTLS_CIPHER_CAMELLIA_128_CBC,
305 GNUTLS_CIPHER_AES_256_CBC,
306 GNUTLS_CIPHER_CAMELLIA_256_CBC,
307 GNUTLS_CIPHER_3DES_CBC,
308 GNUTLS_CIPHER_AES_128_GCM,
309 GNUTLS_CIPHER_AES_256_GCM,
310 0
311 };
313 /* If GCM and AES acceleration is available then prefer
314 * them over anything else.
315 */
317 GNUTLS_CIPHER_AES_128_GCM,
318 GNUTLS_CIPHER_AES_128_CBC,
319 GNUTLS_CIPHER_AES_256_GCM,
320 GNUTLS_CIPHER_AES_256_CBC,
321 GNUTLS_CIPHER_ARCFOUR_128,
322 GNUTLS_CIPHER_CAMELLIA_128_CBC,
323 GNUTLS_CIPHER_CAMELLIA_256_CBC,
324 GNUTLS_CIPHER_3DES_CBC,
325 0
326 };
329 GNUTLS_CIPHER_AES_128_CBC,
330 GNUTLS_CIPHER_CAMELLIA_128_CBC,
331 GNUTLS_CIPHER_AES_128_GCM,
332 GNUTLS_CIPHER_AES_256_CBC,
333 GNUTLS_CIPHER_CAMELLIA_256_CBC,
334 GNUTLS_CIPHER_AES_256_GCM,
335 GNUTLS_CIPHER_3DES_CBC,
336 GNUTLS_CIPHER_ARCFOUR_128,
337 0
338 };
341 GNUTLS_CIPHER_AES_128_GCM,
342 GNUTLS_CIPHER_AES_128_CBC,
343 GNUTLS_CIPHER_AES_256_GCM,
344 GNUTLS_CIPHER_AES_256_CBC,
345 GNUTLS_CIPHER_CAMELLIA_128_CBC,
346 GNUTLS_CIPHER_CAMELLIA_256_CBC,
347 GNUTLS_CIPHER_3DES_CBC,
348 GNUTLS_CIPHER_ARCFOUR_128,
349 0
350 };
357 GNUTLS_CIPHER_AES_128_GCM,
358 GNUTLS_CIPHER_AES_256_GCM,
359 0
360 };
363 GNUTLS_CIPHER_AES_256_GCM,
364 0
365 };
369 GNUTLS_CIPHER_AES_128_CBC,
370 GNUTLS_CIPHER_CAMELLIA_128_CBC,
371 GNUTLS_CIPHER_AES_128_GCM,
372 GNUTLS_CIPHER_AES_256_CBC,
373 GNUTLS_CIPHER_CAMELLIA_256_CBC,
374 GNUTLS_CIPHER_AES_256_GCM,
375 0
376 };
380 GNUTLS_CIPHER_AES_256_CBC,
381 GNUTLS_CIPHER_CAMELLIA_256_CBC,
382 GNUTLS_CIPHER_AES_256_GCM,
383 0
384 };
386 /* The same as cipher_priority_security_normal + arcfour-40. */
388 GNUTLS_CIPHER_AES_128_CBC,
389 GNUTLS_CIPHER_AES_256_CBC,
390 GNUTLS_CIPHER_CAMELLIA_128_CBC,
391 GNUTLS_CIPHER_CAMELLIA_256_CBC,
392 GNUTLS_CIPHER_AES_128_GCM,
393 GNUTLS_CIPHER_3DES_CBC,
394 GNUTLS_CIPHER_ARCFOUR_128,
395 GNUTLS_CIPHER_ARCFOUR_40,
396 0
397 };
400 /* compression should be explicitly requested to be enabled */
401 GNUTLS_COMP_NULL,
402 0
403 };
406 GNUTLS_SIGN_RSA_SHA256,
407 GNUTLS_SIGN_DSA_SHA256,
408 GNUTLS_SIGN_ECDSA_SHA256,
410 GNUTLS_SIGN_RSA_SHA384,
411 GNUTLS_SIGN_ECDSA_SHA384,
413 GNUTLS_SIGN_RSA_SHA512,
414 GNUTLS_SIGN_ECDSA_SHA512,
416 GNUTLS_SIGN_RSA_SHA224,
417 GNUTLS_SIGN_DSA_SHA224,
418 GNUTLS_SIGN_ECDSA_SHA224,
420 GNUTLS_SIGN_RSA_SHA1,
421 GNUTLS_SIGN_DSA_SHA1,
422 GNUTLS_SIGN_ECDSA_SHA1,
423 0
424 };
427 GNUTLS_SIGN_ECDSA_SHA256,
428 GNUTLS_SIGN_ECDSA_SHA384,
429 0
430 };
433 GNUTLS_SIGN_ECDSA_SHA384,
434 0
435 };
438 GNUTLS_SIGN_RSA_SHA256,
439 GNUTLS_SIGN_DSA_SHA256,
440 GNUTLS_SIGN_ECDSA_SHA256,
441 GNUTLS_SIGN_RSA_SHA384,
442 GNUTLS_SIGN_ECDSA_SHA384,
443 GNUTLS_SIGN_RSA_SHA512,
444 GNUTLS_SIGN_ECDSA_SHA512,
445 0
446 };
449 GNUTLS_SIGN_RSA_SHA384,
450 GNUTLS_SIGN_ECDSA_SHA384,
451 GNUTLS_SIGN_RSA_SHA512,
452 GNUTLS_SIGN_ECDSA_SHA512,
453 0
454 };
457 GNUTLS_MAC_SHA1,
458 GNUTLS_MAC_SHA256,
459 GNUTLS_MAC_SHA384,
460 GNUTLS_MAC_AEAD,
461 GNUTLS_MAC_MD5,
462 0
463 };
466 GNUTLS_MAC_AEAD,
467 0
468 };
471 GNUTLS_MAC_AEAD,
472 0
473 };
476 GNUTLS_MAC_SHA1,
477 GNUTLS_MAC_SHA256,
478 GNUTLS_MAC_SHA384,
479 GNUTLS_MAC_AEAD,
480 0
481 };
484 GNUTLS_MAC_SHA256,
485 GNUTLS_MAC_SHA384,
486 GNUTLS_MAC_AEAD,
487 0
488 };
491 GNUTLS_CRT_X509,
492 0
493 };
496 GNUTLS_CRT_X509,
497 GNUTLS_CRT_OPENPGP,
498 0
499 };
503 static void
505 {
510 {
513 i++;
514 }
517 {
521 }
524 }
526 static void
528 {
531 {
534 i++;
535 }
538 {
541 }
544 }
547 /**
548 * gnutls_priority_set:
549 * @session: is a #gnutls_session_t structure.
550 * @priority: is a #gnutls_priority_t structure.
551 *
552 * Sets the priorities to use on the ciphers, key exchange methods,
553 * macs and compression methods.
554 *
555 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
556 **/
557 int
559 {
561 {
564 }
569 /* set the current version to the first in the chain.
570 * This will be overridden later.
571 */
585 }
588 #define MAX_ELEMENTS 48
590 /**
591 * gnutls_priority_init:
592 * @priority_cache: is a #gnutls_prioritity_t structure.
593 * @priorities: is a string describing priorities
594 * @err_pos: In case of an error this will have the position in the string the error occured
595 *
596 * Sets priorities for the ciphers, key exchange methods, macs and
597 * compression methods.
598 *
599 * The #priorities option allows you to specify a colon
600 * separated list of the cipher priorities to enable.
601 * Some keywords are defined to provide quick access
602 * to common preferences.
603 *
604 * "PERFORMANCE" means all the "secure" ciphersuites are enabled,
605 * limited to 128 bit ciphers and sorted by terms of speed
606 * performance.
607 *
608 * "NORMAL" means all "secure" ciphersuites. The 256-bit ciphers are
609 * included as a fallback only. The ciphers are sorted by security
610 * margin.
611 *
612 * "SECURE128" means all "secure" ciphersuites of security level 128-bit
613 * or more.
614 *
615 * "SECURE192" means all "secure" ciphersuites of security level 192-bit
616 * or more.
617 *
618 * "SUITEB128" means all the NSA SuiteB ciphersuites with security level
619 * of 128.
620 *
621 * "SUITEB192" means all the NSA SuiteB ciphersuites with security level
622 * of 192.
623 *
624 * "EXPORT" means all ciphersuites are enabled, including the
625 * low-security 40 bit ciphers.
626 *
627 * "NONE" means nothing is enabled. This disables even protocols and
628 * compression methods.
629 *
630 * Special keywords are "!", "-" and "+".
631 * "!" or "-" appended with an algorithm will remove this algorithm.
632 * "+" appended with an algorithm will add this algorithm.
633 *
634 * Check the GnuTLS manual section "Priority strings" for detailed
635 * information.
636 *
637 * Examples:
638 *
639 * "NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-NULL"
640 *
641 * "NORMAL:-ARCFOUR-128" means normal ciphers except for ARCFOUR-128.
642 *
643 * "SECURE:-VERS-SSL3.0:+COMP-DEFLATE" means that only secure ciphers are
644 * enabled, SSL3.0 is disabled, and libz compression enabled.
645 *
646 * "NONE:+VERS-TLS-ALL:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL:+SIGN-RSA-SHA1",
647 *
648 * "NONE:+VERS-TLS-ALL:+AES-128-CBC:+ECDHE-RSA:+SHA1:+COMP-NULL:+SIGN-RSA-SHA1:+CURVE-SECP256R1",
649 *
650 * "NORMAL:%COMPAT" is the most compatible mode.
651 *
652 * Returns: On syntax error %GNUTLS_E_INVALID_REQUEST is returned,
653 * %GNUTLS_E_SUCCESS on success, or an error code.
654 **/
655 int
658 {
668 {
671 }
673 /* for now unsafe renegotiation is default on everyone. To be removed
674 * when we make it the default.
675 */
684 {
687 }
690 /* This is our default set of protocol version, certificate types and
691 * compression methods.
692 */
694 {
701 }
702 else
703 {
705 }
708 {
710 {
712 cipher_priority_performance);
716 sign_priority_default);
718 }
720 {
725 sign_priority_default);
727 }
730 {
732 cipher_priority_secure192);
736 sign_priority_secure192);
738 }
741 {
743 cipher_priority_secure128);
747 sign_priority_secure128);
749 }
751 {
754 cipher_priority_suiteb128);
758 sign_priority_suiteb128);
760 }
762 {
765 cipher_priority_suiteb192);
769 sign_priority_suiteb192);
771 }
773 {
778 sign_priority_default);
783 {
785 {
788 }
789 else
790 {
793 }
799 GNUTLS_CIPHER_UNKNOWN)
802 GNUTLS_KX_UNKNOWN)
805 {
807 {
809 protocol_priority);
810 }
811 else
812 {
815 GNUTLS_VERSION_UNKNOWN)
817 else
820 }
823 {
825 {
827 comp_priority);
828 }
829 else
830 {
833 GNUTLS_COMP_UNKNOWN)
835 else
837 }
840 {
842 {
844 supported_ecc_normal);
845 }
846 else
847 {
850 GNUTLS_ECC_CURVE_INVALID)
852 else
854 }
857 {
859 {
861 cert_type_priority_all);
862 }
863 else
864 {
867 GNUTLS_CRT_UNKNOWN)
869 else
871 }
874 {
876 {
878 sign_priority_default);
879 }
880 else
881 {
884 GNUTLS_SIGN_UNKNOWN)
886 else
888 }
889 }
891 {
893 mac_priority_normal);
894 }
896 {
898 cipher_priority_normal);
899 }
901 {
903 kx_priority_secure);
904 }
905 else
907 }
909 {
911 {
915 }
917 {
919 }
922 {
925 GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5;
926 }
936 GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;
939 {
941 }
943 {
945 }
948 {
950 }
953 {
955 }
958 {
960 }
961 else
963 }
964 else
966 }
971 error:
973 {
976 {
978 }
979 }
985 }
987 /**
988 * gnutls_priority_deinit:
989 * @priority_cache: is a #gnutls_prioritity_t structure.
990 *
991 * Deinitializes the priority cache.
992 **/
993 void
995 {
997 }
1000 /**
1001 * gnutls_priority_set_direct:
1002 * @session: is a #gnutls_session_t structure.
1003 * @priorities: is a string describing priorities
1004 * @err_pos: In case of an error this will have the position in the string the error occured
1005 *
1006 * Sets the priorities to use on the ciphers, key exchange methods,
1007 * macs and compression methods. This function avoids keeping a
1008 * priority cache and is used to directly set string priorities to a
1009 * TLS session. For documentation check the gnutls_priority_init().
1010 *
1011 * Returns: On syntax error %GNUTLS_E_INVALID_REQUEST is returned,
1012 * %GNUTLS_E_SUCCESS on success, or an error code.
1013 **/
1014 int
1017 {
1018 gnutls_priority_t prio;
1023 {
1026 }
1030 {
1033 }
1038 }
1040 /* Breaks a list of "xxx", "yyy", to a character array, of
1041 * MAX_COMMA_SEP_ELEMENTS size; Note that the given string is modified.
1042 */
1043 static void
1047 {
1054 do
1055 {
1062 {
1065 * space.
1066 */
1068 p++;
1069 }
1070 }
1072 }
1074 /**
1075 * gnutls_set_default_priority:
1076 * @session: is a #gnutls_session_t structure.
1077 *
1078 * Sets some default priority on the ciphers, key exchange methods,
1079 * macs and compression methods.
1080 *
1081 * This is the same as calling:
1082 *
1083 * gnutls_priority_set_direct (session, "NORMAL", NULL);
1084 *
1085 * This function is kept around for backwards compatibility, but
1086 * because of its wide use it is still fully supported. If you wish
1087 * to allow users to provide a string that specify which ciphers to
1088 * use (which is recommended), you should use
1089 * gnutls_priority_set_direct() or gnutls_priority_set() instead.
1090 *
1091 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1092 **/
1093 int
1095 {
1097 }
1099 /**
1100 * gnutls_set_default_export_priority:
1101 * @session: is a #gnutls_session_t structure.
1102 *
1103 * Sets some default priority on the ciphers, key exchange methods, macs
1104 * and compression methods. This function also includes weak algorithms.
1105 *
1106 * This is the same as calling:
1107 *
1108 * gnutls_priority_set_direct (session, "EXPORT", NULL);
1109 *
1110 * This function is kept around for backwards compatibility, but
1111 * because of its wide use it is still fully supported. If you wish
1112 * to allow users to provide a string that specify which ciphers to
1113 * use (which is recommended), you should use
1114 * gnutls_priority_set_direct() or gnutls_priority_set() instead.
1115 *
1116 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1117 **/
1118 int
1120 {
1122 }
1124 /* Increases the priority of AES-GCM as it is much faster
1125 * than anything else if hardware support is there.
1126 */
1128 {
1131 }
1133 /**
1134 * gnutls_priority_ecc_curve_list:
1135 * @pcache: is a #gnutls_prioritity_t structure.
1136 * @list: will point to an integer list
1137 *
1138 * Get a list of available elliptic curves in the priority
1139 * structure.
1140 *
1141 * Returns: the number of curves, or an error code.
1142 * Since: 3.0
1143 **/
1144 int
1146 {
1152 }
1154 /**
1155 * gnutls_priority_compression_list:
1156 * @pcache: is a #gnutls_prioritity_t structure.
1157 * @list: will point to an integer list
1158 *
1159 * Get a list of available compression method in the priority
1160 * structure.
1161 *
1162 * Returns: the number of methods, or an error code.
1163 * Since: 3.0
1164 **/
1165 int
1167 {
1173 }
1175 /**
1176 * gnutls_priority_protocol_list:
1177 * @pcache: is a #gnutls_prioritity_t structure.
1178 * @list: will point to an integer list
1179 *
1180 * Get a list of available TLS version numbers in the priority
1181 * structure.
1182 *
1183 * Returns: the number of protocols, or an error code.
1184 * Since: 3.0
1185 **/
1186 int
1188 {
1194 }
1196 /**
1197 * gnutls_priority_sign_list:
1198 * @pcache: is a #gnutls_prioritity_t structure.
1199 * @list: will point to an integer list
1200 *
1201 * Get a list of available signature algorithms in the priority
1202 * structure.
1203 *
1204 * Returns: the number of algorithms, or an error code.
1205 * Since: 3.0
1206 **/
1207 int
1209 {
1215 }
1217 /**
1218 * gnutls_priority_certificate_type_list:
1219 * @pcache: is a #gnutls_prioritity_t structure.
1220 * @list: will point to an integer list
1221 *
1222 * Get a list of available certificate types in the priority
1223 * structure.
1224 *
1225 * Returns: the number of certificate types, or an error code.
1226 * Since: 3.0
1227 **/
1228 int
1230 {
1236 }