lib/gnutls_priority.c

   1 /*
   2  * Copyright (C) 2004, 2005, 2006, 2007 Free Software Foundation
   3  *
   4  * Author: Nikos Mavrogiannopoulos
   5  *
   6  * This file is part of GNUTLS.
   7  *
   8  * The GNUTLS library is free software; you can redistribute it and/or
   9  * modify it under the terms of the GNU Lesser General Public License
  10  * as published by the Free Software Foundation; either version 2.1 of
  11  * the License, or (at your option) any later version.
  12  *
  13  * This library is distributed in the hope that it will be useful, but
  14  * WITHOUT ANY WARRANTY; without even the implied warranty of
  15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  16  * Lesser General Public License for more details.
  17  *
  18  * You should have received a copy of the GNU Lesser General Public
  19  * License along with this library; if not, write to the Free Software
  20  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
  21  * USA
  22  *
  23  */
  24
  25 /* Here lies the code of the gnutls_*_set_priority() functions.
  26  */
  27
  28 #include "gnutls_int.h"
  29 #include "gnutls_algorithms.h"
  30 #include "gnutls_errors.h"
  31 #include <gnutls_num.h>
  32
  33 static void
  34 break_comma_list (char *etag,
  35                   char **broken_etag, int *elements, int max_elements,
  36                   char sep);
  37
  38 /**
  39   * gnutls_cipher_set_priority - Sets the priority on the ciphers supported by gnutls.
  40   * @session: is a #gnutls_session_t structure.
  41   * @list: is a 0 terminated list of gnutls_cipher_algorithm_t elements.
  42   *
  43   * Sets the priority on the ciphers supported by gnutls.
  44   * Priority is higher for elements specified before others.
  45   * After specifying the ciphers you want, you must append a 0.
  46   * Note that the priority is set on the client. The server does
  47   * not use the algorithm's priority except for disabling
  48   * algorithms that were not specified.
  49   *
  50   * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
  51   **/
  52 int
  53 gnutls_cipher_set_priority (gnutls_session_t session, const int *list)
  54 {
  55   int num = 0, i;
  56
  57   while (list[num] != 0)
  58     num++;
  59   if (num > MAX_ALGOS)
  60     num = MAX_ALGOS;
  61   session->internals.priorities.cipher.algorithms = num;
  62
  63   for (i = 0; i < num; i++)
  64     {
  65       session->internals.priorities.cipher.priority[i] = list[i];
  66     }
  67
  68   return 0;
  69 }
  70
  71 inline static int
  72 _set_priority (priority_st * st, const int *list)
  73 {
  74   int num = 0, i;
  75
  76   while (list[num] != 0)
  77     num++;
  78   if (num > MAX_ALGOS)
  79     num = MAX_ALGOS;
  80   st->algorithms = num;
  81
  82   for (i = 0; i < num; i++)
  83     {
  84       st->priority[i] = list[i];
  85     }
  86
  87   return 0;
  88
  89 }
  90
  91 /**
  92   * gnutls_kx_set_priority - Sets the priority on the key exchange algorithms supported by gnutls.
  93   * @session: is a #gnutls_session_t structure.
  94   * @list: is a 0 terminated list of gnutls_kx_algorithm_t elements.
  95   *
  96   * Sets the priority on the key exchange algorithms supported by gnutls.
  97   * Priority is higher for elements specified before others.
  98   * After specifying the algorithms you want, you must append a 0.
  99   * Note that the priority is set on the client. The server does
 100   * not use the algorithm's priority except for disabling
 101   * algorithms that were not specified.
 102   *
 103   * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
 104   **/
 105 int
 106 gnutls_kx_set_priority (gnutls_session_t session, const int *list)
 107 {
 108   return _set_priority (&session->internals.priorities.kx, list);
 109 }
 110
 111 /**
 112   * gnutls_mac_set_priority - Sets the priority on the mac algorithms supported by gnutls.
 113   * @session: is a #gnutls_session_t structure.
 114   * @list: is a 0 terminated list of gnutls_mac_algorithm_t elements.
 115   *
 116   * Sets the priority on the mac algorithms supported by gnutls.
 117   * Priority is higher for elements specified before others.
 118   * After specifying the algorithms you want, you must append a 0.
 119   * Note that the priority is set on the client. The server does
 120   * not use the algorithm's priority except for disabling
 121   * algorithms that were not specified.
 122   *
 123   * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
 124   **/
 125 int
 126 gnutls_mac_set_priority (gnutls_session_t session, const int *list)
 127 {
 128   return _set_priority (&session->internals.priorities.mac, list);
 129 }
 130
 131 /**
 132   * gnutls_compression_set_priority - Sets the priority on the compression algorithms supported by gnutls.
 133   * @session: is a #gnutls_session_t structure.
 134   * @list: is a 0 terminated list of gnutls_compression_method_t elements.
 135   *
 136   * Sets the priority on the compression algorithms supported by gnutls.
 137   * Priority is higher for elements specified before others.
 138   * After specifying the algorithms you want, you must append a 0.
 139   * Note that the priority is set on the client. The server does
 140   * not use the algorithm's priority except for disabling
 141   * algorithms that were not specified.
 142   *
 143   * TLS 1.0 does not define any compression algorithms except
 144   * NULL. Other compression algorithms are to be considered
 145   * as gnutls extensions.
 146   *
 147   * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
 148   **/
 149 int
 150 gnutls_compression_set_priority (gnutls_session_t session, const int *list)
 151 {
 152   return _set_priority (&session->internals.priorities.compression, list);
 153 }
 154
 155 /**
 156   * gnutls_protocol_set_priority - Sets the priority on the protocol versions supported by gnutls.
 157   * @session: is a #gnutls_session_t structure.
 158   * @list: is a 0 terminated list of gnutls_protocol_t elements.
 159   *
 160   * Sets the priority on the protocol versions supported by gnutls.
 161   * This function actually enables or disables protocols. Newer protocol
 162   * versions always have highest priority.
 163   *
 164   * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
 165   **/
 166 int
 167 gnutls_protocol_set_priority (gnutls_session_t session, const int *list)
 168 {
 169   int ret;
 170
 171   ret = _set_priority (&session->internals.priorities.protocol, list);
 172
 173   /* set the current version to the first in the chain.
 174    * This will be overridden later.
 175    */
 176   if (list)
 177     _gnutls_set_current_version (session, list[0]);
 178
 179   return ret;
 180 }
 181
 182 /**
 183   * gnutls_certificate_type_set_priority - Sets the priority on the certificate types supported by gnutls.
 184   * @session: is a #gnutls_session_t structure.
 185   * @list: is a 0 terminated list of gnutls_certificate_type_t elements.
 186   *
 187   * Sets the priority on the certificate types supported by gnutls.
 188   * Priority is higher for elements specified before others.
 189   * After specifying the types you want, you must append a 0.
 190   * Note that the certificate type priority is set on the client.
 191   * The server does not use the cert type priority except for disabling
 192   * types that were not specified.
 193   *
 194   * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
 195   **/
 196 int
 197 gnutls_certificate_type_set_priority (gnutls_session_t session,
 198                                       const int *list)
 199 {
 200 #ifdef ENABLE_OPENPGP
 201   return _set_priority (&session->internals.priorities.cert_type, list);
 202
 203 #else
 204
 205   return GNUTLS_E_UNIMPLEMENTED_FEATURE;
 206
 207 #endif
 208 }
 209
 210 static const int protocol_priority[] = {
 211   /* GNUTLS_TLS1_2, -- not finalized yet! */
 212   GNUTLS_TLS1_1,
 213   GNUTLS_TLS1_0,
 214   GNUTLS_SSL3,
 215   0
 216 };
 217
 218 static const int kx_priority_performance[] = {
 219   GNUTLS_KX_RSA,
 220   GNUTLS_KX_DHE_RSA,
 221   GNUTLS_KX_DHE_DSS,
 222   GNUTLS_KX_PSK,
 223   GNUTLS_KX_DHE_PSK,
 224   GNUTLS_KX_SRP_RSA,
 225   GNUTLS_KX_SRP_DSS,
 226   GNUTLS_KX_SRP,
 227   /* GNUTLS_KX_ANON_DH: Man-in-the-middle prone, don't add!
 228    * GNUTLS_KX_RSA_EXPORT: Deprecated, don't add!
 229    */
 230   0
 231 };
 232
 233 static const int kx_priority_export[] = {
 234   GNUTLS_KX_RSA,
 235   GNUTLS_KX_DHE_RSA,
 236   GNUTLS_KX_DHE_DSS,
 237   GNUTLS_KX_PSK,
 238   GNUTLS_KX_DHE_PSK,
 239   GNUTLS_KX_SRP_RSA,
 240   GNUTLS_KX_SRP_DSS,
 241   GNUTLS_KX_SRP,
 242   GNUTLS_KX_RSA_EXPORT,
 243   0
 244 };
 245
 246 static const int kx_priority_secure[] = {
 247   /* The ciphersuites that offer forward secrecy take
 248    * precendance
 249    */
 250   GNUTLS_KX_DHE_RSA,
 251   GNUTLS_KX_DHE_DSS,
 252   GNUTLS_KX_DHE_PSK,
 253   GNUTLS_KX_SRP_RSA,
 254   GNUTLS_KX_SRP_DSS,
 255   GNUTLS_KX_RSA,
 256   GNUTLS_KX_PSK,
 257   GNUTLS_KX_SRP,
 258   /* GNUTLS_KX_ANON_DH: Man-in-the-middle prone, don't add!
 259    * GNUTLS_KX_RSA_EXPORT: Deprecated, don't add!
 260    */
 261   0
 262 };
 263
 264 static const int cipher_priority_performance[] = {
 265   GNUTLS_CIPHER_ARCFOUR_128,
 266 #ifdef  ENABLE_CAMELLIA
 267   GNUTLS_CIPHER_CAMELLIA_128_CBC,
 268 #endif
 269   GNUTLS_CIPHER_AES_128_CBC,
 270   GNUTLS_CIPHER_3DES_CBC,
 271   GNUTLS_CIPHER_AES_256_CBC,
 272 #ifdef  ENABLE_CAMELLIA
 273   GNUTLS_CIPHER_CAMELLIA_256_CBC,
 274 #endif
 275   /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */
 276   0
 277 };
 278
 279 static const int cipher_priority_normal[] = {
 280   GNUTLS_CIPHER_AES_128_CBC,
 281 #ifdef  ENABLE_CAMELLIA
 282   GNUTLS_CIPHER_CAMELLIA_128_CBC,
 283 #endif
 284   GNUTLS_CIPHER_AES_256_CBC,
 285 #ifdef  ENABLE_CAMELLIA
 286   GNUTLS_CIPHER_CAMELLIA_256_CBC,
 287 #endif
 288   GNUTLS_CIPHER_3DES_CBC,
 289   GNUTLS_CIPHER_ARCFOUR_128,
 290   /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */
 291   0
 292 };
 293
 294 static const int cipher_priority_secure128[] = {
 295   GNUTLS_CIPHER_AES_128_CBC,
 296 #ifdef  ENABLE_CAMELLIA
 297   GNUTLS_CIPHER_CAMELLIA_128_CBC,
 298 #endif
 299   GNUTLS_CIPHER_3DES_CBC,
 300   GNUTLS_CIPHER_ARCFOUR_128,
 301   /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */
 302   0
 303 };
 304
 305
 306 static const int cipher_priority_secure256[] = {
 307   GNUTLS_CIPHER_AES_256_CBC,
 308 #ifdef  ENABLE_CAMELLIA
 309   GNUTLS_CIPHER_CAMELLIA_256_CBC,
 310 #endif
 311   GNUTLS_CIPHER_AES_128_CBC,
 312 #ifdef  ENABLE_CAMELLIA
 313   GNUTLS_CIPHER_CAMELLIA_128_CBC,
 314 #endif
 315   GNUTLS_CIPHER_3DES_CBC,
 316   GNUTLS_CIPHER_ARCFOUR_128,
 317   /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */
 318   0
 319 };
 320
 321 /* The same as cipher_priority_security_normal + arcfour-40. */
 322 static const int cipher_priority_export[] = {
 323   GNUTLS_CIPHER_AES_128_CBC,
 324   GNUTLS_CIPHER_AES_256_CBC,
 325 #ifdef  ENABLE_CAMELLIA
 326   GNUTLS_CIPHER_CAMELLIA_128_CBC,
 327   GNUTLS_CIPHER_CAMELLIA_256_CBC,
 328 #endif
 329   GNUTLS_CIPHER_3DES_CBC,
 330   GNUTLS_CIPHER_ARCFOUR_128,
 331   GNUTLS_CIPHER_ARCFOUR_40,
 332   0
 333 };
 334
 335 static const int comp_priority[] = {
 336   /* compression should be explicitely requested to be enabled */
 337   GNUTLS_COMP_NULL,
 338   0
 339 };
 340
 341
 342 static const int mac_priority_performance[] = {
 343   GNUTLS_MAC_MD5,
 344   GNUTLS_MAC_SHA1,
 345   0
 346 };
 347
 348 static const int mac_priority_secure[] = {
 349   GNUTLS_MAC_SHA1,
 350   GNUTLS_MAC_MD5,
 351   0
 352 };
 353
 354 static int cert_type_priority[] = {
 355   GNUTLS_CRT_X509,
 356   GNUTLS_CRT_OPENPGP,
 357   0
 358 };
 359
 360 typedef void (rmadd_func) (priority_st * priority_list, int alg);
 361
 362 static void
 363 prio_remove (priority_st * priority_list, int algo)
 364 {
 365   int i = 0;
 366   int pos = -1;                 /* the position of the cipher to remove */
 367
 368   while (priority_list->priority[i] != 0)
 369     {
 370       if (priority_list->priority[i] == algo)
 371         pos = i;
 372       i++;
 373     }
 374
 375   if (pos >= 0)
 376     {
 377       priority_list->priority[pos] = priority_list->priority[i - 1];
 378       priority_list->priority[i - 1] = 0;
 379       priority_list->algorithms--;
 380     }
 381
 382   return;
 383 }
 384
 385 static void
 386 prio_add (priority_st * priority_list, int algo)
 387 {
 388   register int i = 0;
 389   while (priority_list->priority[i] != 0)
 390     {
 391       if (algo == priority_list->priority[i])
 392         return;                 /* if it exists */
 393       i++;
 394     }
 395
 396   if (i < MAX_ALGOS)
 397     {
 398       priority_list->priority[i] = algo;
 399       priority_list->algorithms++;
 400     }
 401
 402   return;
 403 }
 404
 405
 406 /**
 407   * gnutls_priority_set - Sets priorities for the cipher suites supported by gnutls.
 408   * @session: is a #gnutls_session_t structure.
 409   * @priority: is a #gnutls_priority_t structure.
 410   *
 411   * Sets the priorities to use on the ciphers, key exchange methods,
 412   * macs and compression methods.
 413   *
 414   * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
 415   **/
 416 int
 417 gnutls_priority_set (gnutls_session_t session, gnutls_priority_t priority)
 418 {
 419   if (priority == NULL)
 420     {
 421       gnutls_assert();
 422       return GNUTLS_E_NO_CIPHER_SUITES;
 423     }
 424
 425   memcpy (&session->internals.priorities, priority,
 426           sizeof (struct gnutls_priority_st));
 427
 428   return 0;
 429 }
 430
 431
 432 #define MAX_ELEMENTS 48
 433
 434 /**
 435   * gnutls_priority_init - Sets priorities for the cipher suites supported by gnutls.
 436   * @priority_cache: is a #gnutls_prioritity_t structure.
 437   * @priorities: is a string describing priorities
 438   * @err_pos: In case of an error this will have the position in the string the error occured
 439   *
 440   * Sets priorities for the ciphers, key exchange methods, macs and
 441   * compression methods. This is to avoid using the
 442   * gnutls_*_priority() functions.
 443   *
 444   * The #priorities option allows you to specify a semi-colon
 445   * separated list of the cipher priorities to enable.
 446   *
 447   * Unless the first keyword is "NONE" the defaults are:
 448   * Protocols: TLS1.1, TLS1.0, and SSL3.0.
 449   * Compression: NULL.
 450   * Certificate types: X.509, OpenPGP.
 451   *
 452   * You can also use predefined sets of ciphersuites: "PERFORMANCE"
 453   * all the "secure" ciphersuites are enabled, limited to 128 bit
 454   * ciphers and sorted by terms of speed performance.
 455   *
 456   * "NORMAL" option enables all "secure" ciphersuites. The 256-bit ciphers
 457   * are included as a fallback only. The ciphers are sorted by security margin.
 458   *
 459   * "SECURE128" flag enables all "secure" ciphersuites with ciphers up to
 460   * 128 bits, sorted by security margin.
 461   *
 462   * "SECURE256" flag enables all "secure" ciphersuites including the 256 bit
 463   * ciphers, sorted by security margin.
 464   *
 465   * "EXPORT" all the ciphersuites are enabled, including the
 466   * low-security 40 bit ciphers.
 467   *
 468   * "NONE" nothing is enabled. This disables even protocols and
 469   * compression methods.
 470   *
 471   * Special keywords:
 472   * '!' or '-' appended with an algorithm will remove this algorithm.
 473   * '+' appended with an algorithm will add this algorithm.
 474   * '%COMPAT' will enable compatibility features for a server.
 475   *
 476   * To avoid collisions in order to specify a compression algorithm in
 477   * this string you have to prefix it with "COMP-", protocol versions
 478   * with "VERS-" and certificate types with "CTYPE-". All other
 479   * algorithms don't need a prefix.
 480   *
 481   * For key exchange algorithms when in NORMAL or SECURE levels the
 482   * perfect forward secrecy algorithms take precendence of the other
 483   * protocols.  In all cases all the supported key exchange algorithms
 484   * are enabled (except for the RSA-EXPORT which is only enabled in
 485   * EXPORT level).
 486   *
 487   * Note that although one can select very long key sizes (such as 256 bits)
 488   * for symmetric algorithms, to actually increase security the public key
 489   * algorithms have to use longer key sizes as well.
 490   *
 491   * Examples: "NORMAL:!AES-128-CBC",
 492   * "EXPORT:!VERS-TLS1.0:+COMP-DEFLATE:+CTYPE-OPENPGP",
 493   * "NONE:+VERS-TLS1.0:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL", "NORMAL",
 494   * "NORMAL:%COMPAT".
 495   *
 496   * Returns: On syntax error %GNUTLS_E_INVALID_REQUEST is returned,
 497   * %GNUTLS_E_SUCCESS on success, or an error code.
 498   **/
 499 int
 500 gnutls_priority_init (gnutls_priority_t * priority_cache,
 501                       const char *priorities, const char **err_pos)
 502 {
 503   char *broken_list[MAX_ELEMENTS];
 504   int broken_list_size, i, j;
 505   char *darg;
 506   int algo;
 507   rmadd_func *fn;
 508
 509   *priority_cache = gnutls_calloc (1, sizeof (struct gnutls_priority_st));
 510   if (*priority_cache == NULL)
 511     {
 512       gnutls_assert ();
 513       return GNUTLS_E_MEMORY_ERROR;
 514     }
 515
 516   if (priorities == NULL)
 517     priorities = "NORMAL";
 518
 519   darg = gnutls_strdup (priorities);
 520   if (darg == NULL)
 521     {
 522       gnutls_assert ();
 523       return GNUTLS_E_MEMORY_ERROR;
 524     }
 525
 526   break_comma_list (darg, broken_list, &broken_list_size, MAX_ELEMENTS, ':');
 527   /* This is our default set of protocol version, certificate types and
 528    * compression methods.
 529    */
 530   if (strcasecmp (broken_list[0], "NONE") != 0)
 531     {
 532       _set_priority (&(*priority_cache)->protocol, protocol_priority);
 533       _set_priority (&(*priority_cache)->compression, comp_priority);
 534       _set_priority (&(*priority_cache)->cert_type, cert_type_priority);
 535       i = 0;
 536     }
 537     else
 538     {
 539       i = 1;
 540     }
 541
 542   for (; i < broken_list_size; i++)
 543     {
 544       if (strcasecmp (broken_list[i], "PERFORMANCE") == 0)
 545         {
 546           _set_priority (&(*priority_cache)->cipher,
 547                          cipher_priority_performance);
 548           _set_priority (&(*priority_cache)->kx, kx_priority_performance);
 549           _set_priority (&(*priority_cache)->mac, mac_priority_performance);
 550         }
 551       else if (strcasecmp (broken_list[i], "NORMAL") == 0)
 552         {
 553           _set_priority (&(*priority_cache)->cipher, cipher_priority_normal);
 554           _set_priority (&(*priority_cache)->kx, kx_priority_secure);
 555           _set_priority (&(*priority_cache)->mac, mac_priority_secure);
 556         }
 557       else if (strcasecmp (broken_list[i], "SECURE256") == 0 || strcasecmp (broken_list[i], "SECURE") == 0)
 558         {
 559           _set_priority (&(*priority_cache)->cipher, cipher_priority_secure256);
 560           _set_priority (&(*priority_cache)->kx, kx_priority_secure);
 561           _set_priority (&(*priority_cache)->mac, mac_priority_secure);
 562         }
 563       else if (strcasecmp (broken_list[i], "SECURE128") == 0)
 564         {
 565           _set_priority (&(*priority_cache)->cipher, cipher_priority_secure128);
 566           _set_priority (&(*priority_cache)->kx, kx_priority_secure);
 567           _set_priority (&(*priority_cache)->mac, mac_priority_secure);
 568         }
 569       else if (strcasecmp (broken_list[i], "EXPORT") == 0)
 570         {
 571           _set_priority (&(*priority_cache)->cipher, cipher_priority_export);
 572           _set_priority (&(*priority_cache)->kx, kx_priority_export);
 573           _set_priority (&(*priority_cache)->mac, mac_priority_secure);
 574         }                       /* now check if the element is something like -ALGO */
 575       else if (broken_list[i][0] == '!' || broken_list[i][0] == '+'
 576                || broken_list[i][0] == '-')
 577         {
 578           if (broken_list[i][0] == '+')
 579             fn = prio_add;
 580           else
 581             fn = prio_remove;
 582
 583           if ((algo =
 584                gnutls_mac_get_id (&broken_list[i][1])) != GNUTLS_MAC_UNKNOWN)
 585             fn (&(*priority_cache)->mac, algo);
 586           else if ((algo = gnutls_cipher_get_id (&broken_list[i][1])) !=
 587                    GNUTLS_CIPHER_UNKNOWN)
 588             fn (&(*priority_cache)->cipher, algo);
 589           else if ((algo = gnutls_kx_get_id (&broken_list[i][1])) !=
 590                    GNUTLS_KX_UNKNOWN)
 591             fn (&(*priority_cache)->kx, algo);
 592           else if (strncasecmp (&broken_list[i][1], "VERS-", 5) == 0)
 593             {
 594               if ((algo =
 595                    gnutls_protocol_get_id (&broken_list[i][6])) !=
 596                   GNUTLS_VERSION_UNKNOWN)
 597                 fn (&(*priority_cache)->protocol, algo);
 598             }                   /* now check if the element is something like -ALGO */
 599           else if (strncasecmp (&broken_list[i][1], "COMP-", 5) == 0)
 600             {
 601               if ((algo =
 602                    gnutls_compression_get_id (&broken_list[i][6])) !=
 603                   GNUTLS_COMP_UNKNOWN)
 604                 fn (&(*priority_cache)->compression, algo);
 605             }                   /* now check if the element is something like -ALGO */
 606           else if (strncasecmp (&broken_list[i][1], "CTYPE-", 6) == 0)
 607             {
 608               if ((algo =
 609                    gnutls_certificate_type_get_id (&broken_list[i][7])) !=
 610                   GNUTLS_CRT_UNKNOWN)
 611                 fn (&(*priority_cache)->cert_type, algo);
 612             }                   /* now check if the element is something like -ALGO */
 613           else
 614             goto error;
 615         }
 616       else if (broken_list[i][0] == '%')
 617         {
 618           if (strcasecmp (&broken_list[i][1], "COMPAT") == 0)
 619             (*priority_cache)->no_padding = 1;
 620           else
 621             goto error;
 622         }
 623       else
 624         goto error;
 625     }
 626
 627   gnutls_free (darg);
 628   return 0;
 629
 630 error:
 631   if (err_pos != NULL && i < broken_list_size)
 632     {
 633       *err_pos = priorities;
 634       for (j = 0; j < i; j++)
 635         {
 636           (*err_pos) += strlen (broken_list[j]) + 1;
 637         }
 638     }
 639   gnutls_free (darg);
 640
 641   return GNUTLS_E_INVALID_REQUEST;
 642
 643 }
 644
 645 /**
 646   * gnutls_priority_deinit - Deinitialize the priorities cache for the cipher suites supported by gnutls.
 647   * @priority_cache: is a #gnutls_prioritity_t structure.
 648   *
 649   * Deinitializes the priority cache.
 650   *
 651   **/
 652 void
 653 gnutls_priority_deinit (gnutls_priority_t priority_cache)
 654 {
 655   gnutls_free (priority_cache);
 656 }
 657
 658
 659 /**
 660   * gnutls_priority_set_direct - Sets priorities for the cipher suites supported by gnutls.
 661   * @session: is a #gnutls_session_t structure.
 662   * @priorities: is a string describing priorities
 663   * @err_pos: In case of an error this will have the position in the string the error occured
 664   *
 665   * Sets the priorities to use on the ciphers, key exchange methods,
 666   * macs and compression methods. This function avoids keeping a
 667   * priority cache and is used to directly set string priorities to a
 668   * TLS session.  For documentation check the gnutls_priority_init().
 669   *
 670   * Returns: On syntax error %GNUTLS_E_INVALID_REQUEST is returned,
 671   * %GNUTLS_E_SUCCESS on success, or an error code.
 672   **/
 673 int
 674 gnutls_priority_set_direct (gnutls_session_t session, const char *priorities,
 675                             const char **err_pos)
 676 {
 677   gnutls_priority_t prio;
 678   int ret;
 679
 680   ret = gnutls_priority_init (&prio, priorities, err_pos);
 681   if (ret < 0)
 682     {
 683       gnutls_assert ();
 684       return ret;
 685     }
 686
 687   ret = gnutls_priority_set (session, prio);
 688   if (ret < 0)
 689     {
 690       gnutls_assert ();
 691       return ret;
 692     }
 693
 694   gnutls_priority_deinit (prio);
 695
 696   return 0;
 697 }
 698
 699 /* Breaks a list of "xxx", "yyy", to a character array, of
 700  * MAX_COMMA_SEP_ELEMENTS size; Note that the given string is modified.
 701   */
 702 static void
 703 break_comma_list (char *etag,
 704                   char **broken_etag, int *elements, int max_elements,
 705                   char sep)
 706 {
 707   char *p = etag;
 708   if (sep == 0)
 709     sep = ',';
 710
 711   *elements = 0;
 712
 713   do
 714     {
 715       broken_etag[*elements] = p;
 716
 717       (*elements)++;
 718
 719       p = strchr (p, sep);
 720       if (p)
 721         {
 722           *p = 0;
 723           p++;                  /* move to next entry and skip white
 724                                  * space.
 725                                  */
 726           while (*p == ' ')
 727             p++;
 728         }
 729     }
 730   while (p != NULL && *elements < max_elements);
 731 }
 732
 733 /**
 734  * gnutls_set_default_priority - Sets some default priority on the cipher suites supported by gnutls.
 735  * @session: is a #gnutls_session_t structure.
 736  *
 737  * Sets some default priority on the ciphers, key exchange methods,
 738  * macs and compression methods.
 739  *
 740  * This is the same as calling:
 741  *
 742  * gnutls_priority_set_direct (session, "NORMAL", NULL);
 743  *
 744  * This function is kept around for backwards compatibility, but
 745  * because of its wide use it is still fully supported.  If you wish
 746  * to allow users to provide a string that specify which ciphers to
 747  * use (which is recommended), you should use
 748  * gnutls_priority_set_direct() or gnutls_priority_set() instead.
 749  *
 750  * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
 751  **/
 752 int
 753 gnutls_set_default_priority (gnutls_session_t session)
 754 {
 755   return gnutls_priority_set_direct (session, "NORMAL", NULL);
 756 }
 757
 758 /**
 759  * gnutls_set_default_export_priority - Sets some default priority on the cipher suites supported by gnutls.
 760  * @session: is a #gnutls_session_t structure.
 761  *
 762  * Sets some default priority on the ciphers, key exchange methods, macs
 763  * and compression methods.  This function also includes weak algorithms.
 764  *
 765  * This is the same as calling:
 766  *
 767  * gnutls_priority_set_direct (session, "EXPORT", NULL);
 768  *
 769  * This function is kept around for backwards compatibility, but
 770  * because of its wide use it is still fully supported.  If you wish
 771  * to allow users to provide a string that specify which ciphers to
 772  * use (which is recommended), you should use
 773  * gnutls_priority_set_direct() or gnutls_priority_set() instead.
 774  *
 775  * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
 776  **/
 777 int
 778 gnutls_set_default_export_priority (gnutls_session_t session)
 779 {
 780   return gnutls_priority_set_direct (session, "EXPORT", NULL);
 781 }