Added support for an old version of the DTLS protocol
1 /*
2 * Copyright (C) 2011-2012 Free Software Foundation, Inc.
4 * Author: Nikos Mavrogiannopoulos
6 * This file is part of GnuTLS.
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
23 #include <gnutls_int.h>
24 #include <algorithms.h>
25 #include <gnutls_errors.h>
26 #include <x509/common.h>
28 /* Cipher SUITES */
/* Build one gnutls_cipher_suite_entry initializer.
 *
 * `#name` stores the identifier of the id macro itself (for example
 * "GNUTLS_RSA_AES_128_CBC_SHA1") as the entry name, while the bare `name`
 * expands to the two-byte id.  ENTRY fixes the PRF to GNUTLS_MAC_SHA256;
 * ENTRY_PRF takes the PRF as an extra, final argument.
 */
#define ENTRY(name, block_algorithm, kx_algorithm, mac_algorithm, min_version, max_version, dtls) \
  { #name, name, block_algorithm, kx_algorithm, mac_algorithm, \
    min_version, max_version, dtls, GNUTLS_MAC_SHA256 }
#define ENTRY_PRF(name, block_algorithm, kx_algorithm, mac_algorithm, min_version, max_version, dtls, prf) \
  { #name, name, block_algorithm, kx_algorithm, mac_algorithm, \
    min_version, max_version, dtls, prf }
/* One row of the cipher suite table (cs_algorithms). */
typedef struct
{
  /* Identifier of the id macro, "GNUTLS_" prefix included; the lookup
   * functions skip part of that prefix before returning the name. */
  const char *name;
  /* Two-byte cipher suite identifier. */
  const uint8_t id[2];
  gnutls_cipher_algorithm_t block_algorithm;
  gnutls_kx_algorithm_t kx_algorithm;
  gnutls_mac_algorithm_t mac_algorithm;
  /* This cipher suite is supported from this protocol version and above. */
  gnutls_protocol_t min_version;
  /* This cipher suite is not supported after this protocol version. */
  gnutls_protocol_t max_version;
  /* Whether this ciphersuite is valid in DTLS. */
  unsigned int dtls:1;
  /* PRF hash; ENTRY() sets it to GNUTLS_MAC_SHA256, ENTRY_PRF() passes it in. */
  gnutls_mac_algorithm_t prf;
} gnutls_cipher_suite_entry;
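/* Two-byte cipher suite identifiers.  Each macro expands to a brace
 * initializer for the id[2] member of gnutls_cipher_suite_entry.
 *
 * Every block comment in this section is explicitly closed: an unterminated
 * comment would silently swallow the #define lines that follow it.
 */

/* RSA with NULL cipher and MD5 MAC
 * for test purposes.
 * NULL-cipher suites carry a MAC but do not encrypt the record payload.
 */
#define GNUTLS_RSA_NULL_MD5 { 0x00, 0x01 }
#define GNUTLS_RSA_NULL_SHA1 { 0x00, 0x02 }
#define GNUTLS_RSA_NULL_SHA256 { 0x00, 0x3B }

/* ANONymous cipher suites.
 * The key exchange is unauthenticated, so these suites give no assurance
 * about the identity of the peer.
 */
#define GNUTLS_DH_ANON_3DES_EDE_CBC_SHA1 { 0x00, 0x1B }
#define GNUTLS_DH_ANON_ARCFOUR_MD5 { 0x00, 0x18 }

/* rfc3268: */
#define GNUTLS_DH_ANON_AES_128_CBC_SHA1 { 0x00, 0x34 }
#define GNUTLS_DH_ANON_AES_256_CBC_SHA1 { 0x00, 0x3A }

/* rfc4132 */
#define GNUTLS_DH_ANON_CAMELLIA_128_CBC_SHA1 { 0x00, 0x46 }
#define GNUTLS_DH_ANON_CAMELLIA_256_CBC_SHA1 { 0x00, 0x89 }

#define GNUTLS_DH_ANON_AES_128_CBC_SHA256 { 0x00, 0x6C }
#define GNUTLS_DH_ANON_AES_256_CBC_SHA256 { 0x00, 0x6D }

/* PSK (not in TLS 1.0)
 * draft-ietf-tls-psk:
 */
#define GNUTLS_PSK_SHA_ARCFOUR_SHA1 { 0x00, 0x8A }
#define GNUTLS_PSK_SHA_3DES_EDE_CBC_SHA1 { 0x00, 0x8B }
#define GNUTLS_PSK_SHA_AES_128_CBC_SHA1 { 0x00, 0x8C }
#define GNUTLS_PSK_SHA_AES_256_CBC_SHA1 { 0x00, 0x8D }

#define GNUTLS_DHE_PSK_SHA_ARCFOUR_SHA1 { 0x00, 0x8E }
#define GNUTLS_DHE_PSK_SHA_3DES_EDE_CBC_SHA1 { 0x00, 0x8F }
#define GNUTLS_DHE_PSK_SHA_AES_128_CBC_SHA1 { 0x00, 0x90 }
#define GNUTLS_DHE_PSK_SHA_AES_256_CBC_SHA1 { 0x00, 0x91 }

/* SRP (rfc5054) */
#define GNUTLS_SRP_SHA_3DES_EDE_CBC_SHA1 { 0xC0, 0x1A }
#define GNUTLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1 { 0xC0, 0x1B }
#define GNUTLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1 { 0xC0, 0x1C }

#define GNUTLS_SRP_SHA_AES_128_CBC_SHA1 { 0xC0, 0x1D }
#define GNUTLS_SRP_SHA_RSA_AES_128_CBC_SHA1 { 0xC0, 0x1E }
#define GNUTLS_SRP_SHA_DSS_AES_128_CBC_SHA1 { 0xC0, 0x1F }

#define GNUTLS_SRP_SHA_AES_256_CBC_SHA1 { 0xC0, 0x20 }
#define GNUTLS_SRP_SHA_RSA_AES_256_CBC_SHA1 { 0xC0, 0x21 }
#define GNUTLS_SRP_SHA_DSS_AES_256_CBC_SHA1 { 0xC0, 0x22 }

/* RSA */
#define GNUTLS_RSA_ARCFOUR_SHA1 { 0x00, 0x05 }
#define GNUTLS_RSA_ARCFOUR_MD5 { 0x00, 0x04 }
#define GNUTLS_RSA_3DES_EDE_CBC_SHA1 { 0x00, 0x0A }

/* Export-grade suite: 40-bit ARCFOUR. */
#define GNUTLS_RSA_EXPORT_ARCFOUR_40_MD5 { 0x00, 0x03 }

/* rfc3268: */
#define GNUTLS_RSA_AES_128_CBC_SHA1 { 0x00, 0x2F }
#define GNUTLS_RSA_AES_256_CBC_SHA1 { 0x00, 0x35 }

/* rfc4132 */
#define GNUTLS_RSA_CAMELLIA_128_CBC_SHA1 { 0x00, 0x41 }
#define GNUTLS_RSA_CAMELLIA_256_CBC_SHA1 { 0x00, 0x84 }

#define GNUTLS_RSA_AES_128_CBC_SHA256 { 0x00, 0x3C }
#define GNUTLS_RSA_AES_256_CBC_SHA256 { 0x00, 0x3D }

/* DHE DSS */
#define GNUTLS_DHE_DSS_3DES_EDE_CBC_SHA1 { 0x00, 0x13 }

/* draft-ietf-tls-56-bit-ciphersuites-01: */
#define GNUTLS_DHE_DSS_ARCFOUR_SHA1 { 0x00, 0x66 }

/* rfc3268: */
#define GNUTLS_DHE_DSS_AES_256_CBC_SHA1 { 0x00, 0x38 }
#define GNUTLS_DHE_DSS_AES_128_CBC_SHA1 { 0x00, 0x32 }

/* rfc4132 */
#define GNUTLS_DHE_DSS_CAMELLIA_128_CBC_SHA1 { 0x00, 0x44 }
#define GNUTLS_DHE_DSS_CAMELLIA_256_CBC_SHA1 { 0x00, 0x87 }

#define GNUTLS_DHE_DSS_AES_128_CBC_SHA256 { 0x00, 0x40 }
#define GNUTLS_DHE_DSS_AES_256_CBC_SHA256 { 0x00, 0x6A }

/* DHE RSA */
#define GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1 { 0x00, 0x16 }

/* rfc3268: */
#define GNUTLS_DHE_RSA_AES_128_CBC_SHA1 { 0x00, 0x33 }
#define GNUTLS_DHE_RSA_AES_256_CBC_SHA1 { 0x00, 0x39 }

/* rfc4132 */
#define GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 { 0x00, 0x45 }
#define GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 { 0x00, 0x88 }

#define GNUTLS_DHE_RSA_AES_128_CBC_SHA256 { 0x00, 0x67 }
#define GNUTLS_DHE_RSA_AES_256_CBC_SHA256 { 0x00, 0x6B }

/* GCM: RFC5288 */
#define GNUTLS_RSA_AES_128_GCM_SHA256 { 0x00, 0x9C }
#define GNUTLS_DHE_RSA_AES_128_GCM_SHA256 { 0x00, 0x9E }
#define GNUTLS_DHE_DSS_AES_128_GCM_SHA256 { 0x00, 0xA2 }
#define GNUTLS_DH_ANON_AES_128_GCM_SHA256 { 0x00, 0xA6 }

/* RFC 5487 */
/* GCM-PSK */
#define GNUTLS_PSK_AES_128_GCM_SHA256 { 0x00, 0xA8 }
#define GNUTLS_DHE_PSK_AES_128_GCM_SHA256 { 0x00, 0xAA }
#define GNUTLS_PSK_WITH_AES_256_GCM_SHA384 { 0x00, 0xA9 }
#define GNUTLS_DHE_PSK_WITH_AES_256_GCM_SHA384 { 0x00, 0xAB }

/* PSK - SHA256 HMAC */
#define GNUTLS_PSK_AES_128_CBC_SHA256 { 0x00, 0xAE }
#define GNUTLS_DHE_PSK_AES_128_CBC_SHA256 { 0x00, 0xB2 }

#define GNUTLS_PSK_NULL_SHA256 { 0x00, 0xB0 }
#define GNUTLS_DHE_PSK_NULL_SHA256 { 0x00, 0xB4 }

/* ECC */
#define GNUTLS_ECDH_ANON_NULL_SHA1 { 0xC0, 0x15 }
#define GNUTLS_ECDH_ANON_3DES_EDE_CBC_SHA1 { 0xC0, 0x17 }
#define GNUTLS_ECDH_ANON_AES_128_CBC_SHA1 { 0xC0, 0x18 }
#define GNUTLS_ECDH_ANON_AES_256_CBC_SHA1 { 0xC0, 0x19 }

/* ECC-RSA */
#define GNUTLS_ECDHE_RSA_NULL_SHA1 { 0xC0, 0x10 }
#define GNUTLS_ECDHE_RSA_3DES_EDE_CBC_SHA1 { 0xC0, 0x12 }
#define GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1 { 0xC0, 0x13 }
#define GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1 { 0xC0, 0x14 }

/* ECC-ECDSA */
#define GNUTLS_ECDHE_ECDSA_NULL_SHA1 { 0xC0, 0x06 }
#define GNUTLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1 { 0xC0, 0x08 }
#define GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1 { 0xC0, 0x09 }
#define GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1 { 0xC0, 0x0A }

/* ECC with SHA2 */
#define GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA256 { 0xC0, 0x23 }
#define GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256 { 0xC0, 0x27 }

/* ECC with AES-GCM */
#define GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256 { 0xC0, 0x2B }
#define GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256 { 0xC0, 0x2F }
#define GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384 { 0xC0, 0x30 }

/* SuiteB */
#define GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384 { 0xC0, 0x2C }
#define GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA384 { 0xC0, 0x24 }

/* ECC with PSK */
#define GNUTLS_ECDHE_PSK_3DES_EDE_CBC_SHA1 { 0xC0, 0x34 }
#define GNUTLS_ECDHE_PSK_AES_128_CBC_SHA1 { 0xC0, 0x35 }
#define GNUTLS_ECDHE_PSK_AES_256_CBC_SHA1 { 0xC0, 0x36 }
#define GNUTLS_ECDHE_PSK_AES_128_CBC_SHA256 { 0xC0, 0x37 }
#define GNUTLS_ECDHE_PSK_AES_256_CBC_SHA384 { 0xC0, 0x38 }
#define GNUTLS_ECDHE_PSK_NULL_SHA256 { 0xC0, 0x3A }
#define GNUTLS_ECDHE_PSK_NULL_SHA384 { 0xC0, 0x3B }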
/* Number of real entries in cs_algorithms; the "- 1" leaves out the
 * all-zero terminator row at the end of the table. */
#define CIPHER_SUITES_COUNT (sizeof(cs_algorithms)/sizeof(gnutls_cipher_suite_entry)-1)

/* Table of every cipher suite this file knows about.
 *
 * Columns: id macro, cipher, key exchange, MAC, min_version, max_version,
 * dtls flag and, for ENTRY_PRF only, the PRF.
 *
 * Being listed here does not by itself make a suite negotiable:
 * _gnutls_supported_ciphersuites() only emits suites whose key exchange,
 * cipher and MAC all appear in the session priorities.  That matters for the
 * weak rows kept in the table: NULL-cipher suites (no encryption), anonymous
 * DH/ECDH suites (no peer authentication) and the 40-bit RSA export suite.
 *
 * In this table the dtls flag is 0 exactly for the ARCFOUR suites, and
 * GNUTLS_RSA_EXPORT_ARCFOUR_40_MD5 is the only row whose max_version is not
 * GNUTLS_VERSION_MAX.
 *
 * NOTE(review): prf is declared as gnutls_mac_algorithm_t, yet five rows
 * pass GNUTLS_DIG_SHA384 and two pass GNUTLS_MAC_SHA384; presumably the two
 * constants have the same value -- confirm, and prefer a single spelling.
 */
static const gnutls_cipher_suite_entry cs_algorithms[] = {
  /* DH_ANON: unauthenticated key exchange */
  ENTRY (GNUTLS_DH_ANON_ARCFOUR_MD5,
         GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_KX_ANON_DH, GNUTLS_MAC_MD5, GNUTLS_SSL3, GNUTLS_VERSION_MAX, 0),
  ENTRY (GNUTLS_DH_ANON_3DES_EDE_CBC_SHA1,
         GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_ANON_DH, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_DH_ANON_AES_128_CBC_SHA1,
         GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ANON_DH, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_DH_ANON_AES_256_CBC_SHA1,
         GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ANON_DH, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_DH_ANON_CAMELLIA_128_CBC_SHA1,
         GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_ANON_DH, GNUTLS_MAC_SHA1, GNUTLS_TLS1, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_DH_ANON_CAMELLIA_256_CBC_SHA1,
         GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_ANON_DH, GNUTLS_MAC_SHA1, GNUTLS_TLS1, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_DH_ANON_AES_128_CBC_SHA256,
         GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ANON_DH, GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_DH_ANON_AES_256_CBC_SHA256,
         GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ANON_DH, GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, GNUTLS_VERSION_MAX, 1),

  /* PSK */
  ENTRY (GNUTLS_PSK_SHA_ARCFOUR_SHA1,
         GNUTLS_CIPHER_ARCFOUR, GNUTLS_KX_PSK, GNUTLS_MAC_SHA1, GNUTLS_TLS1, GNUTLS_VERSION_MAX, 0),
  ENTRY (GNUTLS_PSK_SHA_3DES_EDE_CBC_SHA1,
         GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_PSK, GNUTLS_MAC_SHA1, GNUTLS_TLS1, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_PSK_SHA_AES_128_CBC_SHA1,
         GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_PSK, GNUTLS_MAC_SHA1, GNUTLS_TLS1, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_PSK_SHA_AES_256_CBC_SHA1,
         GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_PSK, GNUTLS_MAC_SHA1, GNUTLS_TLS1, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_PSK_AES_128_CBC_SHA256,
         GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_PSK, GNUTLS_MAC_SHA256, GNUTLS_TLS1, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_PSK_AES_128_GCM_SHA256,
         GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_PSK, GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_PSK_NULL_SHA256,
         GNUTLS_CIPHER_NULL, GNUTLS_KX_PSK, GNUTLS_MAC_SHA256, GNUTLS_TLS1, GNUTLS_VERSION_MAX, 1),

  /* DHE-PSK */
  ENTRY (GNUTLS_DHE_PSK_SHA_ARCFOUR_SHA1,
         GNUTLS_CIPHER_ARCFOUR, GNUTLS_KX_DHE_PSK, GNUTLS_MAC_SHA1, GNUTLS_TLS1, GNUTLS_VERSION_MAX, 0),
  ENTRY (GNUTLS_DHE_PSK_SHA_3DES_EDE_CBC_SHA1,
         GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_PSK, GNUTLS_MAC_SHA1, GNUTLS_TLS1, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_DHE_PSK_SHA_AES_128_CBC_SHA1,
         GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_PSK, GNUTLS_MAC_SHA1, GNUTLS_TLS1, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_DHE_PSK_SHA_AES_256_CBC_SHA1,
         GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_PSK, GNUTLS_MAC_SHA1, GNUTLS_TLS1, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_DHE_PSK_AES_128_CBC_SHA256,
         GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_PSK, GNUTLS_MAC_SHA256, GNUTLS_TLS1, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_DHE_PSK_AES_128_GCM_SHA256,
         GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_DHE_PSK, GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_DHE_PSK_NULL_SHA256,
         GNUTLS_CIPHER_NULL, GNUTLS_KX_DHE_PSK, GNUTLS_MAC_SHA256, GNUTLS_TLS1, GNUTLS_VERSION_MAX, 1),

  /* SRP */
  ENTRY (GNUTLS_SRP_SHA_3DES_EDE_CBC_SHA1,
         GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP, GNUTLS_MAC_SHA1, GNUTLS_TLS1, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_SRP_SHA_AES_128_CBC_SHA1,
         GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP, GNUTLS_MAC_SHA1, GNUTLS_TLS1, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_SRP_SHA_AES_256_CBC_SHA1,
         GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP, GNUTLS_MAC_SHA1, GNUTLS_TLS1, GNUTLS_VERSION_MAX, 1),

  ENTRY (GNUTLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1,
         GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP_DSS, GNUTLS_MAC_SHA1, GNUTLS_TLS1, GNUTLS_VERSION_MAX, 1),

  ENTRY (GNUTLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1,
         GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP_RSA, GNUTLS_MAC_SHA1, GNUTLS_TLS1, GNUTLS_VERSION_MAX, 1),

  ENTRY (GNUTLS_SRP_SHA_DSS_AES_128_CBC_SHA1,
         GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP_DSS, GNUTLS_MAC_SHA1, GNUTLS_TLS1, GNUTLS_VERSION_MAX, 1),

  ENTRY (GNUTLS_SRP_SHA_RSA_AES_128_CBC_SHA1,
         GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP_RSA, GNUTLS_MAC_SHA1, GNUTLS_TLS1, GNUTLS_VERSION_MAX, 1),

  ENTRY (GNUTLS_SRP_SHA_DSS_AES_256_CBC_SHA1,
         GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP_DSS, GNUTLS_MAC_SHA1, GNUTLS_TLS1, GNUTLS_VERSION_MAX, 1),

  ENTRY (GNUTLS_SRP_SHA_RSA_AES_256_CBC_SHA1,
         GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP_RSA, GNUTLS_MAC_SHA1, GNUTLS_TLS1, GNUTLS_VERSION_MAX, 1),

  /* DHE_DSS */
  ENTRY (GNUTLS_DHE_DSS_ARCFOUR_SHA1,
         GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_KX_DHE_DSS, GNUTLS_MAC_SHA1, GNUTLS_TLS1, GNUTLS_VERSION_MAX, 0),
  ENTRY (GNUTLS_DHE_DSS_3DES_EDE_CBC_SHA1,
         GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_DSS, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_DHE_DSS_AES_128_CBC_SHA1,
         GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_DSS, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_DHE_DSS_AES_256_CBC_SHA1,
         GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_DSS, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_DHE_DSS_CAMELLIA_128_CBC_SHA1,
         GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_DHE_DSS, GNUTLS_MAC_SHA1, GNUTLS_TLS1, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_DHE_DSS_CAMELLIA_256_CBC_SHA1,
         GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_DHE_DSS, GNUTLS_MAC_SHA1, GNUTLS_TLS1, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_DHE_DSS_AES_128_CBC_SHA256,
         GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_DSS, GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_DHE_DSS_AES_256_CBC_SHA256,
         GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_DSS, GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, GNUTLS_VERSION_MAX, 1),

  /* DHE_RSA */
  ENTRY (GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1,
         GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_DHE_RSA_AES_128_CBC_SHA1,
         GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_DHE_RSA_AES_256_CBC_SHA1,
         GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1,
         GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_DHE_RSA, GNUTLS_MAC_SHA1, GNUTLS_TLS1, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1,
         GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_DHE_RSA, GNUTLS_MAC_SHA1, GNUTLS_TLS1, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_DHE_RSA_AES_128_CBC_SHA256,
         GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_RSA, GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_DHE_RSA_AES_256_CBC_SHA256,
         GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_RSA, GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, GNUTLS_VERSION_MAX, 1),

  /* RSA-NULL: MAC only, no encryption */
  ENTRY (GNUTLS_RSA_NULL_MD5,
         GNUTLS_CIPHER_NULL, GNUTLS_KX_RSA, GNUTLS_MAC_MD5, GNUTLS_SSL3, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_RSA_NULL_SHA1,
         GNUTLS_CIPHER_NULL, GNUTLS_KX_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_RSA_NULL_SHA256,
         GNUTLS_CIPHER_NULL, GNUTLS_KX_RSA, GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, GNUTLS_VERSION_MAX, 1),

  /* RSA-EXPORT: 40-bit key, max_version capped at GNUTLS_TLS1_0 */
  ENTRY (GNUTLS_RSA_EXPORT_ARCFOUR_40_MD5,
         GNUTLS_CIPHER_ARCFOUR_40, GNUTLS_KX_RSA_EXPORT, GNUTLS_MAC_MD5, GNUTLS_SSL3, GNUTLS_TLS1_0, 0),

  /* RSA */
  ENTRY (GNUTLS_RSA_ARCFOUR_SHA1,
         GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_KX_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_VERSION_MAX, 0),
  ENTRY (GNUTLS_RSA_ARCFOUR_MD5,
         GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_KX_RSA, GNUTLS_MAC_MD5, GNUTLS_SSL3, GNUTLS_VERSION_MAX, 0),
  ENTRY (GNUTLS_RSA_3DES_EDE_CBC_SHA1,
         GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_RSA_AES_128_CBC_SHA1,
         GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_RSA_AES_256_CBC_SHA1,
         GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_RSA_CAMELLIA_128_CBC_SHA1,
         GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_RSA, GNUTLS_MAC_SHA1, GNUTLS_TLS1, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_RSA_CAMELLIA_256_CBC_SHA1,
         GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_RSA, GNUTLS_MAC_SHA1, GNUTLS_TLS1, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_RSA_AES_128_CBC_SHA256,
         GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_RSA, GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_RSA_AES_256_CBC_SHA256,
         GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA, GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, GNUTLS_VERSION_MAX, 1),

  /* GCM */
  ENTRY (GNUTLS_RSA_AES_128_GCM_SHA256,
         GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_RSA, GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_DHE_RSA_AES_128_GCM_SHA256,
         GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_DHE_RSA, GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_DHE_DSS_AES_128_GCM_SHA256,
         GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_DHE_DSS, GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_DH_ANON_AES_128_GCM_SHA256,
         GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_ANON_DH, GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_VERSION_MAX, 1),

  /* ECC-ANON: unauthenticated key exchange */
  ENTRY (GNUTLS_ECDH_ANON_NULL_SHA1,
         GNUTLS_CIPHER_NULL, GNUTLS_KX_ANON_ECDH, GNUTLS_MAC_SHA1, GNUTLS_TLS1_0, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_ECDH_ANON_3DES_EDE_CBC_SHA1,
         GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_ANON_ECDH, GNUTLS_MAC_SHA1, GNUTLS_TLS1_0, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_ECDH_ANON_AES_128_CBC_SHA1,
         GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ANON_ECDH, GNUTLS_MAC_SHA1, GNUTLS_TLS1_0, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_ECDH_ANON_AES_256_CBC_SHA1,
         GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ANON_ECDH, GNUTLS_MAC_SHA1, GNUTLS_TLS1_0, GNUTLS_VERSION_MAX, 1),

  /* ECC-RSA */
  ENTRY (GNUTLS_ECDHE_RSA_NULL_SHA1,
         GNUTLS_CIPHER_NULL, GNUTLS_KX_ECDHE_RSA, GNUTLS_MAC_SHA1, GNUTLS_TLS1_0, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_ECDHE_RSA_3DES_EDE_CBC_SHA1,
         GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_ECDHE_RSA, GNUTLS_MAC_SHA1, GNUTLS_TLS1_0, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1,
         GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ECDHE_RSA, GNUTLS_MAC_SHA1, GNUTLS_TLS1_0, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1,
         GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ECDHE_RSA, GNUTLS_MAC_SHA1, GNUTLS_TLS1_0, GNUTLS_VERSION_MAX, 1),

  /* ECDHE-ECDSA */
  ENTRY (GNUTLS_ECDHE_ECDSA_NULL_SHA1,
         GNUTLS_CIPHER_NULL, GNUTLS_KX_ECDHE_ECDSA, GNUTLS_MAC_SHA1, GNUTLS_TLS1_0, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1,
         GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_ECDHE_ECDSA, GNUTLS_MAC_SHA1, GNUTLS_TLS1_0, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1,
         GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ECDHE_ECDSA, GNUTLS_MAC_SHA1, GNUTLS_TLS1_0, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1,
         GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ECDHE_ECDSA, GNUTLS_MAC_SHA1, GNUTLS_TLS1_0, GNUTLS_VERSION_MAX, 1),

  /* More ECC */
  ENTRY (GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA256,
         GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ECDHE_ECDSA, GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256,
         GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ECDHE_RSA, GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256,
         GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_ECDHE_ECDSA, GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256,
         GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_ECDHE_RSA, GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_VERSION_MAX, 1),

  /* ECC - PSK */
  ENTRY (GNUTLS_ECDHE_PSK_3DES_EDE_CBC_SHA1,
         GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_ECDHE_PSK, GNUTLS_MAC_SHA1, GNUTLS_TLS1_0, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_ECDHE_PSK_AES_128_CBC_SHA1,
         GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ECDHE_PSK, GNUTLS_MAC_SHA1, GNUTLS_TLS1_0, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_ECDHE_PSK_AES_256_CBC_SHA1,
         GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ECDHE_PSK, GNUTLS_MAC_SHA1, GNUTLS_TLS1_0, GNUTLS_VERSION_MAX, 1),
  ENTRY (GNUTLS_ECDHE_PSK_AES_128_CBC_SHA256,
         GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ECDHE_PSK, GNUTLS_MAC_SHA256, GNUTLS_TLS1_0, GNUTLS_VERSION_MAX, 1),
  ENTRY_PRF (GNUTLS_ECDHE_PSK_AES_256_CBC_SHA384,
             GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ECDHE_PSK, GNUTLS_MAC_SHA384, GNUTLS_TLS1_0, GNUTLS_VERSION_MAX, 1, GNUTLS_MAC_SHA384),
  ENTRY (GNUTLS_ECDHE_PSK_NULL_SHA256,
         GNUTLS_CIPHER_NULL, GNUTLS_KX_ECDHE_PSK, GNUTLS_MAC_SHA256, GNUTLS_TLS1_0, GNUTLS_VERSION_MAX, 1),
  ENTRY_PRF (GNUTLS_ECDHE_PSK_NULL_SHA384,
             GNUTLS_CIPHER_NULL, GNUTLS_KX_ECDHE_PSK, GNUTLS_MAC_SHA384, GNUTLS_TLS1_0, GNUTLS_VERSION_MAX, 1, GNUTLS_MAC_SHA384),

  /* Suites whose PRF is SHA-384 */
  ENTRY_PRF (GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384,
             GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_ECDHE_ECDSA, GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_VERSION_MAX, 1, GNUTLS_DIG_SHA384),
  ENTRY_PRF (GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384,
             GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_ECDHE_RSA, GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_VERSION_MAX, 1, GNUTLS_DIG_SHA384),
  ENTRY_PRF (GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA384,
             GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ECDHE_ECDSA, GNUTLS_MAC_SHA384, GNUTLS_TLS1_2, GNUTLS_VERSION_MAX, 1, GNUTLS_DIG_SHA384),
  ENTRY_PRF (GNUTLS_PSK_WITH_AES_256_GCM_SHA384,
             GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_PSK, GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_VERSION_MAX, 1, GNUTLS_DIG_SHA384),
  ENTRY_PRF (GNUTLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
             GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_DHE_PSK, GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_VERSION_MAX, 1, GNUTLS_DIG_SHA384),

  /* Terminator: the NULL name ends CIPHER_SUITE_LOOP. */
  {0, {0, 0}, 0, 0, 0, 0, 0, 0}
};
/* Run statement(s) `body` once per row of cs_algorithms, stopping at the
 * row whose name is NULL.  The macro declares a local named `p` that points
 * at the current row, so it can appear only once per scope and `body` refers
 * to the row through `p`.
 */
#define CIPHER_SUITE_LOOP(body) \
        const gnutls_cipher_suite_entry *p; \
        for (p = cs_algorithms; p->name != NULL; p++) { body ; }

/* Run `action` for the first row whose two id bytes equal suite[0] and
 * suite[1], then stop.  Relies on a variable named `suite` being in scope at
 * the point of use.
 */
#define CIPHER_SUITE_ALG_LOOP(action) \
        CIPHER_SUITE_LOOP( if( (p->id[0] == suite[0]) && (p->id[1] == suite[1])) { action; break; } )
633 /* Cipher Suite's functions */
/* Look up the bulk cipher of the cipher suite with the given two-byte id.
 *
 * Returns the block_algorithm of the matching table row, or 0 when the id is
 * not in the table.  Callers must treat 0 as "no such suite" (presumably
 * GNUTLS_CIPHER_UNKNOWN -- confirm against the enum) and not as a usable
 * algorithm.
 */
gnutls_cipher_algorithm_t
_gnutls_cipher_suite_get_cipher_algo (const uint8_t suite[2])
{
  int algo = 0;

  CIPHER_SUITE_ALG_LOOP (algo = p->block_algorithm);

  return algo;
}
/* Look up the key exchange algorithm of the cipher suite with the given
 * two-byte id.
 *
 * Returns the kx_algorithm of the matching table row, or 0 when the id is
 * not in the table (presumably GNUTLS_KX_UNKNOWN -- confirm against the
 * enum).
 */
gnutls_kx_algorithm_t
_gnutls_cipher_suite_get_kx_algo (const uint8_t suite[2])
{
  int kx = 0;

  CIPHER_SUITE_ALG_LOOP (kx = p->kx_algorithm);

  return kx;
}
/* Look up the PRF hash of the cipher suite with the given two-byte id.
 *
 * Returns the prf member of the matching table row, or 0 when the id is not
 * in the table.
 */
gnutls_mac_algorithm_t
_gnutls_cipher_suite_get_prf (const uint8_t suite[2])
{
  int prf = 0;

  CIPHER_SUITE_ALG_LOOP (prf = p->prf);

  return prf;
}
/* Look up the MAC algorithm of the cipher suite with the given two-byte id.
 *
 * Returns the mac_algorithm of the matching table row (an algorithm
 * identifier, not a length), or 0 when the id is not in the table
 * (presumably GNUTLS_MAC_UNKNOWN -- confirm against the enum).
 */
gnutls_mac_algorithm_t
_gnutls_cipher_suite_get_mac_algo (const uint8_t suite[2])
{
  int mac = 0;

  CIPHER_SUITE_ALG_LOOP (mac = p->mac_algorithm);

  return mac;
}
/* Return the name of the cipher suite with the given two-byte id, without
 * the leading "GNUTLS_" of the stored name, or NULL when the id is not in
 * the table.  The returned pointer refers into the static table.
 */
const char *
_gnutls_cipher_suite_get_name (const uint8_t suite[2])
{
  const char *short_name = NULL;

  /* sizeof counts the terminating NUL, hence the "- 1" */
  CIPHER_SUITE_ALG_LOOP (short_name = p->name + (sizeof ("GNUTLS_") - 1));

  return short_name;
}
/* Find the table row whose key exchange, cipher and MAC all equal the given
 * algorithms.  Returns the first such row in table order, or NULL when no
 * row matches.
 */
static const gnutls_cipher_suite_entry *
cipher_suite_get (gnutls_kx_algorithm_t kx_algorithm,
                  gnutls_cipher_algorithm_t cipher_algorithm,
                  gnutls_mac_algorithm_t mac_algorithm)
{
  const gnutls_cipher_suite_entry *match = NULL;

  CIPHER_SUITE_LOOP (
    if (p->kx_algorithm == kx_algorithm
        && p->block_algorithm == cipher_algorithm
        && p->mac_algorithm == mac_algorithm)
      {
        match = p;
        break;
      }
  );

  return match;
}
/**
 * gnutls_cipher_suite_get_name:
 * @kx_algorithm: is a Key exchange algorithm
 * @cipher_algorithm: is a cipher algorithm
 * @mac_algorithm: is a MAC algorithm
 *
 * Note that the full cipher suite name must be prepended by TLS or
 * SSL depending on the protocol in use.
 *
 * Returns: a string that contains the name of a TLS cipher suite,
 * specified by the given algorithms, or %NULL.
 **/
const char *
gnutls_cipher_suite_get_name (gnutls_kx_algorithm_t kx_algorithm,
                              gnutls_cipher_algorithm_t cipher_algorithm,
                              gnutls_mac_algorithm_t mac_algorithm)
{
  const gnutls_cipher_suite_entry *entry =
    cipher_suite_get (kx_algorithm, cipher_algorithm, mac_algorithm);

  /* The stored name starts with "GNUTLS_", which is not returned. */
  return entry != NULL ? entry->name + sizeof ("GNUTLS_") - 1 : NULL;
}
/*
 * _gnutls_cipher_suite_get_id:
 * @kx_algorithm: is a Key exchange algorithm
 * @cipher_algorithm: is a cipher algorithm
 * @mac_algorithm: is a MAC algorithm
 * @suite: The id to be returned
 *
 * It fills @suite with the ID of the ciphersuite of the provided parameters.
 * @suite is left untouched when no ciphersuite matches.
 *
 * Returns: 0 on success, or %GNUTLS_E_INVALID_REQUEST when the table has no
 * ciphersuite for this combination of algorithms.
 */
int
_gnutls_cipher_suite_get_id (gnutls_kx_algorithm_t kx_algorithm,
                             gnutls_cipher_algorithm_t cipher_algorithm,
                             gnutls_mac_algorithm_t mac_algorithm, uint8_t suite[2])
{
  const gnutls_cipher_suite_entry *entry =
    cipher_suite_get (kx_algorithm, cipher_algorithm, mac_algorithm);

  if (entry == NULL)
    return GNUTLS_E_INVALID_REQUEST;

  suite[0] = entry->id[0];
  suite[1] = entry->id[1];
  return 0;
}
/**
 * gnutls_cipher_suite_info:
 * @idx: index of cipher suite to get information about, starts on 0.
 * @cs_id: output buffer with room for 2 bytes, indicating cipher suite value
 * @kx: output variable indicating key exchange algorithm, or %NULL.
 * @cipher: output variable indicating cipher, or %NULL.
 * @mac: output variable indicating MAC algorithm, or %NULL.
 * @min_version: output variable indicating TLS protocol version, or %NULL.
 *
 * Get information about supported cipher suites.  Use the function
 * iteratively to get information about all supported cipher suites.
 * Call with idx=0 to get information about first cipher suite, then
 * idx=1 and so on until the function returns NULL.
 *
 * The walk covers the whole built-in table, independently of any session
 * priorities.  @cs_id may also be %NULL, in which case the id is not copied.
 *
 * Returns: the name of @idx cipher suite, and set the information
 * about the cipher suite in the output variables.  If @idx is out of
 * bounds, %NULL is returned.
 **/
const char *
gnutls_cipher_suite_info (size_t idx,
                          unsigned char *cs_id,
                          gnutls_kx_algorithm_t * kx,
                          gnutls_cipher_algorithm_t * cipher,
                          gnutls_mac_algorithm_t * mac,
                          gnutls_protocol_t * min_version)
{
  /* CIPHER_SUITES_COUNT excludes the terminator row, so every accepted idx
   * addresses a real entry. */
  if (idx >= CIPHER_SUITES_COUNT)
    return NULL;

  /* Each output is optional; a NULL pointer skips that field. */
  if (cs_id != NULL)
    memcpy (cs_id, cs_algorithms[idx].id, 2);
  if (kx != NULL)
    *kx = cs_algorithms[idx].kx_algorithm;
  if (cipher != NULL)
    *cipher = cs_algorithms[idx].block_algorithm;
  if (mac != NULL)
    *mac = cs_algorithms[idx].mac_algorithm;
  if (min_version != NULL)
    *min_version = cs_algorithms[idx].min_version;

  /* Only "GNU" is skipped here, so the returned name begins with "TLS_". */
  return cs_algorithms[idx].name + sizeof ("GNU") - 1;
}
/* Check whether a two-byte cipher suite id is present in the table.
 *
 * Returns 0 when the id is listed and 1 when it is not; note that this is
 * the opposite of a boolean "is ok" result.
 */
static inline int
_gnutls_cipher_suite_is_ok (const uint8_t suite[2])
{
  const char *found = NULL;

  CIPHER_SUITE_ALG_LOOP (found = p->name);

  return found != NULL ? 0 : 1;
}
/*
 * _gnutls_supported_ciphersuites:
 * @session: a TLS session
 * @cipher_suites: Where the ciphersuites will be stored (2bytes each)
 * @max_cipher_suite_size: the maximum size of the @cipher_suites buffer.
 *
 * Writes the ciphersuites supported by this session (based on priorities),
 * sorted by order of preference: key exchange priority varies slowest,
 * then cipher priority, then MAC priority.
 *
 * A suite is written only if the table has an entry for the (kx, cipher,
 * mac) combination, the negotiated protocol version lies within the entry's
 * [min_version, max_version] range and, for DTLS sessions, the entry has its
 * dtls flag set.
 *
 * Returns the number of bytes written to @cipher_suites (two per suite),
 * %GNUTLS_E_INTERNAL_ERROR if the buffer is too small for the next suite, or
 * %GNUTLS_E_NO_CIPHER_SUITES if nothing qualified.
 */
int
_gnutls_supported_ciphersuites (gnutls_session_t session,
                                uint8_t *cipher_suites, unsigned int max_cipher_suite_size)
{
  unsigned int kx_i, cipher_i, mac_i, written = 0;
  const gnutls_cipher_suite_entry *entry;
  unsigned int version = gnutls_protocol_get_version (session);

  for (kx_i = 0; kx_i < session->internals.priorities.kx.algorithms; kx_i++)
    for (cipher_i = 0; cipher_i < session->internals.priorities.cipher.algorithms; cipher_i++)
      for (mac_i = 0; mac_i < session->internals.priorities.mac.algorithms; mac_i++)
        {
          entry = cipher_suite_get (session->internals.priorities.kx.priority[kx_i],
                                    session->internals.priorities.cipher.priority[cipher_i],
                                    session->internals.priorities.mac.priority[mac_i]);

          /* not every combination of enabled algorithms is a defined suite */
          if (entry == NULL)
            continue;

          /* NOTE(review): this is a plain numeric comparison of protocol
           * enum values.  Whether it filters correctly for DTLS sessions
           * depends on how the DTLS versions are numbered relative to
           * GNUTLS_TLS1_2 -- confirm that suites with min_version
           * GNUTLS_TLS1_2 and dtls = 1 are not offered under a DTLS version
           * that cannot carry them. */
          if (version < entry->min_version || version > entry->max_version)
            continue;

          if (IS_DTLS (session) && entry->dtls == 0)
            continue;

          /* bounds check before every 2-byte write into the caller's buffer */
          if (written + 2 > max_cipher_suite_size)
            return gnutls_assert_val (GNUTLS_E_INTERNAL_ERROR);

          memcpy (&cipher_suites[written], entry->id, 2);
          written += 2;
        }

  /* This function can no longer return 0 cipher suites.
   * It returns an error code instead.
   */
  if (written == 0)
    {
      gnutls_assert ();
      return GNUTLS_E_NO_CIPHER_SUITES;
    }

  return written;
}
/**
 * gnutls_priority_get_cipher_suite_index:
 * @pcache: is a #gnutls_priority_t structure.
 * @idx: is an index number.
 * @sidx: internal index of cipher suite to get information about.
 *
 * Provides the internal ciphersuite index to be used with
 * gnutls_cipher_suite_info().  The index @idx provided is an
 * index kept at the priorities structure.  It might be that a valid
 * priorities index does not correspond to a ciphersuite and in
 * that case %GNUTLS_E_UNKNOWN_CIPHER_SUITE will be returned.
 * Once the last available index is crossed then
 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
 *
 * @idx enumerates every (kx, cipher, mac) combination of the priority
 * lists, with the MAC index varying fastest, then the cipher index, then
 * the key exchange index.  @sidx is written only on success.
 *
 * Returns: On success it returns %GNUTLS_E_SUCCESS (0), or a negative error value otherwise.
 **/
int
gnutls_priority_get_cipher_suite_index (gnutls_priority_t pcache, unsigned int idx, unsigned int *sidx)
{
  int mac_idx, cipher_idx, kx_idx;
  unsigned int row;
  unsigned int rest = idx;
  unsigned int total = pcache->mac.algorithms * pcache->cipher.algorithms * pcache->kx.algorithms;

  /* If any of the three lists is empty, total is 0 and every idx is rejected
   * here, so the modulo and division below never see a zero divisor. */
  if (rest >= total)
    return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;

  /* Decode idx as a mixed-radix number: mac digit first, then cipher, then kx. */
  mac_idx = rest % pcache->mac.algorithms;
  rest /= pcache->mac.algorithms;

  cipher_idx = rest % pcache->cipher.algorithms;
  rest /= pcache->cipher.algorithms;

  kx_idx = rest % pcache->kx.algorithms;

  for (row = 0; row < CIPHER_SUITES_COUNT; row++)
    {
      if (cs_algorithms[row].kx_algorithm != pcache->kx.priority[kx_idx])
        continue;
      if (cs_algorithms[row].block_algorithm != pcache->cipher.priority[cipher_idx])
        continue;
      if (cs_algorithms[row].mac_algorithm != pcache->mac.priority[mac_idx])
        continue;

      *sidx = row;
      return 0;
    }

  return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
}