2 * Copyright (C) 2004-2012 Free Software Foundation, Inc.
4 * Author: Nikos Mavrogiannopoulos
6 * This file is part of GnuTLS.
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
23 /* Here lies the code of the gnutls_*_set_priority() functions.
26 #include "gnutls_int.h"
27 #include "algorithms.h"
28 #include "gnutls_errors.h"
29 #include <gnutls_num.h>
32 break_comma_list (char *etag
,
33 char **broken_etag
, int *elements
, int max_elements
,
37 * gnutls_cipher_set_priority:
38 * @session: is a #gnutls_session_t structure.
39 * @list: is a 0 terminated list of gnutls_cipher_algorithm_t elements.
41 * Sets the priority on the ciphers supported by gnutls. Priority is
42 * higher for elements specified before others. After specifying the
43 * ciphers you want, you must append a 0. Note that the priority is
44 * set on the client. The server does not use the algorithm's
45 * priority except for disabling algorithms that were not specified.
47 * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
50 gnutls_cipher_set_priority (gnutls_session_t session
, const int *list
)
54 while (list
[num
] != 0)
58 session
->internals
.priorities
.cipher
.algorithms
= num
;
60 for (i
= 0; i
< num
; i
++)
62 session
->internals
.priorities
.cipher
.priority
[i
] = list
[i
];
68 typedef void (bulk_rmadd_func
) (priority_st
* priority_list
, const int *);
71 _set_priority (priority_st
* st
, const int *list
)
75 while (list
[num
] != 0)
81 for (i
= 0; i
< num
; i
++)
83 st
->priority
[i
] = list
[i
];
90 _clear_priorities (priority_st
* st
, const int *list
)
92 memset(st
, 0, sizeof(*st
));
96 * gnutls_kx_set_priority:
97 * @session: is a #gnutls_session_t structure.
98 * @list: is a 0 terminated list of gnutls_kx_algorithm_t elements.
100 * Sets the priority on the key exchange algorithms supported by
101 * gnutls. Priority is higher for elements specified before others.
102 * After specifying the algorithms you want, you must append a 0.
103 * Note that the priority is set on the client. The server does not
104 * use the algorithm's priority except for disabling algorithms that
105 * were not specified.
107 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
110 gnutls_kx_set_priority (gnutls_session_t session
, const int *list
)
112 _set_priority (&session
->internals
.priorities
.kx
, list
);
117 * gnutls_mac_set_priority:
118 * @session: is a #gnutls_session_t structure.
119 * @list: is a 0 terminated list of gnutls_mac_algorithm_t elements.
121 * Sets the priority on the mac algorithms supported by gnutls.
122 * Priority is higher for elements specified before others. After
123 * specifying the algorithms you want, you must append a 0. Note
124 * that the priority is set on the client. The server does not use
125 * the algorithm's priority except for disabling algorithms that were
128 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
131 gnutls_mac_set_priority (gnutls_session_t session
, const int *list
)
133 _set_priority (&session
->internals
.priorities
.mac
, list
);
138 * gnutls_compression_set_priority:
139 * @session: is a #gnutls_session_t structure.
140 * @list: is a 0 terminated list of gnutls_compression_method_t elements.
142 * Sets the priority on the compression algorithms supported by
143 * gnutls. Priority is higher for elements specified before others.
144 * After specifying the algorithms you want, you must append a 0.
145 * Note that the priority is set on the client. The server does not
146 * use the algorithm's priority except for disabling algorithms that
147 * were not specified.
149 * TLS 1.0 does not define any compression algorithms except
150 * NULL. Other compression algorithms are to be considered as gnutls
153 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
156 gnutls_compression_set_priority (gnutls_session_t session
, const int *list
)
158 _set_priority (&session
->internals
.priorities
.compression
, list
);
163 * gnutls_protocol_set_priority:
164 * @session: is a #gnutls_session_t structure.
165 * @list: is a 0 terminated list of gnutls_protocol_t elements.
167 * Sets the priority on the protocol versions supported by gnutls.
168 * This function actually enables or disables protocols. Newer protocol
169 * versions always have highest priority.
171 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
174 gnutls_protocol_set_priority (gnutls_session_t session
, const int *list
)
176 _set_priority (&session
->internals
.priorities
.protocol
, list
);
178 /* set the current version to the first in the chain.
179 * This will be overridden later.
182 _gnutls_set_current_version (session
, list
[0]);
188 * gnutls_certificate_type_set_priority:
189 * @session: is a #gnutls_session_t structure.
190 * @list: is a 0 terminated list of gnutls_certificate_type_t elements.
192 * Sets the priority on the certificate types supported by gnutls.
193 * Priority is higher for elements specified before others.
194 * After specifying the types you want, you must append a 0.
195 * Note that the certificate type priority is set on the client.
196 * The server does not use the cert type priority except for disabling
197 * types that were not specified.
199 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
202 gnutls_certificate_type_set_priority (gnutls_session_t session
,
205 #ifdef ENABLE_OPENPGP
206 _set_priority (&session
->internals
.priorities
.cert_type
, list
);
210 return GNUTLS_E_UNIMPLEMENTED_FEATURE
;
215 static const int supported_ecc_normal
[] = {
216 GNUTLS_ECC_CURVE_SECP192R1
,
217 GNUTLS_ECC_CURVE_SECP224R1
,
218 GNUTLS_ECC_CURVE_SECP256R1
,
219 GNUTLS_ECC_CURVE_SECP384R1
,
220 GNUTLS_ECC_CURVE_SECP521R1
,
224 static const int supported_ecc_secure128
[] = {
225 GNUTLS_ECC_CURVE_SECP256R1
,
226 GNUTLS_ECC_CURVE_SECP384R1
,
227 GNUTLS_ECC_CURVE_SECP521R1
,
231 static const int supported_ecc_suiteb128
[] = {
232 GNUTLS_ECC_CURVE_SECP256R1
,
233 GNUTLS_ECC_CURVE_SECP384R1
,
237 static const int supported_ecc_suiteb192
[] = {
238 GNUTLS_ECC_CURVE_SECP384R1
,
242 static const int supported_ecc_secure192
[] = {
243 GNUTLS_ECC_CURVE_SECP384R1
,
244 GNUTLS_ECC_CURVE_SECP521R1
,
248 static const int protocol_priority
[] = {
257 static const int protocol_priority_suiteb
[] = {
262 static const int kx_priority_performance
[] = {
264 GNUTLS_KX_ECDHE_ECDSA
,
271 static const int kx_priority_suiteb
[] = {
272 GNUTLS_KX_ECDHE_ECDSA
,
276 static const int kx_priority_export
[] = {
278 GNUTLS_KX_ECDHE_ECDSA
,
282 GNUTLS_KX_RSA_EXPORT
,
286 static const int kx_priority_secure
[] = {
287 /* The ciphersuites that offer forward secrecy take
290 GNUTLS_KX_ECDHE_ECDSA
,
295 /* GNUTLS_KX_ANON_DH: Man-in-the-middle prone, don't add!
296 * GNUTLS_KX_RSA_EXPORT: Deprecated, don't add!
301 static const int cipher_priority_performance_sw
[] = {
302 GNUTLS_CIPHER_ARCFOUR_128
,
303 GNUTLS_CIPHER_AES_128_CBC
,
304 GNUTLS_CIPHER_CAMELLIA_128_CBC
,
305 GNUTLS_CIPHER_AES_256_CBC
,
306 GNUTLS_CIPHER_CAMELLIA_256_CBC
,
307 GNUTLS_CIPHER_3DES_CBC
,
308 GNUTLS_CIPHER_AES_128_GCM
,
309 GNUTLS_CIPHER_AES_256_GCM
,
313 /* If GCM and AES acceleration is available then prefer
314 * them over anything else.
316 static const int cipher_priority_performance_hw_aes
[] = {
317 GNUTLS_CIPHER_AES_128_GCM
,
318 GNUTLS_CIPHER_AES_128_CBC
,
319 GNUTLS_CIPHER_AES_256_GCM
,
320 GNUTLS_CIPHER_AES_256_CBC
,
321 GNUTLS_CIPHER_ARCFOUR_128
,
322 GNUTLS_CIPHER_CAMELLIA_128_CBC
,
323 GNUTLS_CIPHER_CAMELLIA_256_CBC
,
324 GNUTLS_CIPHER_3DES_CBC
,
328 static const int cipher_priority_normal_sw
[] = {
329 GNUTLS_CIPHER_AES_128_CBC
,
330 GNUTLS_CIPHER_CAMELLIA_128_CBC
,
331 GNUTLS_CIPHER_AES_128_GCM
,
332 GNUTLS_CIPHER_AES_256_CBC
,
333 GNUTLS_CIPHER_CAMELLIA_256_CBC
,
334 GNUTLS_CIPHER_AES_256_GCM
,
335 GNUTLS_CIPHER_3DES_CBC
,
336 GNUTLS_CIPHER_ARCFOUR_128
,
340 static const int cipher_priority_normal_hw_aes
[] = {
341 GNUTLS_CIPHER_AES_128_GCM
,
342 GNUTLS_CIPHER_AES_128_CBC
,
343 GNUTLS_CIPHER_AES_256_GCM
,
344 GNUTLS_CIPHER_AES_256_CBC
,
345 GNUTLS_CIPHER_CAMELLIA_128_CBC
,
346 GNUTLS_CIPHER_CAMELLIA_256_CBC
,
347 GNUTLS_CIPHER_3DES_CBC
,
348 GNUTLS_CIPHER_ARCFOUR_128
,
352 static const int *cipher_priority_performance
= cipher_priority_performance_sw
;
353 static const int *cipher_priority_normal
= cipher_priority_normal_sw
;
356 static const int cipher_priority_suiteb128
[] = {
357 GNUTLS_CIPHER_AES_128_GCM
,
358 GNUTLS_CIPHER_AES_256_GCM
,
362 static const int cipher_priority_suiteb192
[] = {
363 GNUTLS_CIPHER_AES_256_GCM
,
368 static const int cipher_priority_secure128
[] = {
369 GNUTLS_CIPHER_AES_128_CBC
,
370 GNUTLS_CIPHER_CAMELLIA_128_CBC
,
371 GNUTLS_CIPHER_AES_128_GCM
,
372 GNUTLS_CIPHER_AES_256_CBC
,
373 GNUTLS_CIPHER_CAMELLIA_256_CBC
,
374 GNUTLS_CIPHER_AES_256_GCM
,
379 static const int cipher_priority_secure192
[] = {
380 GNUTLS_CIPHER_AES_256_CBC
,
381 GNUTLS_CIPHER_CAMELLIA_256_CBC
,
382 GNUTLS_CIPHER_AES_256_GCM
,
386 /* The same as cipher_priority_security_normal + arcfour-40. */
387 static const int cipher_priority_export
[] = {
388 GNUTLS_CIPHER_AES_128_CBC
,
389 GNUTLS_CIPHER_AES_256_CBC
,
390 GNUTLS_CIPHER_CAMELLIA_128_CBC
,
391 GNUTLS_CIPHER_CAMELLIA_256_CBC
,
392 GNUTLS_CIPHER_AES_128_GCM
,
393 GNUTLS_CIPHER_3DES_CBC
,
394 GNUTLS_CIPHER_ARCFOUR_128
,
395 GNUTLS_CIPHER_ARCFOUR_40
,
399 static const int comp_priority
[] = {
400 /* compression should be explicitly requested to be enabled */
405 static const int sign_priority_default
[] = {
406 GNUTLS_SIGN_RSA_SHA256
,
407 GNUTLS_SIGN_DSA_SHA256
,
408 GNUTLS_SIGN_ECDSA_SHA256
,
410 GNUTLS_SIGN_RSA_SHA384
,
411 GNUTLS_SIGN_ECDSA_SHA384
,
413 GNUTLS_SIGN_RSA_SHA512
,
414 GNUTLS_SIGN_ECDSA_SHA512
,
416 GNUTLS_SIGN_RSA_SHA224
,
417 GNUTLS_SIGN_DSA_SHA224
,
418 GNUTLS_SIGN_ECDSA_SHA224
,
420 GNUTLS_SIGN_RSA_SHA1
,
421 GNUTLS_SIGN_DSA_SHA1
,
422 GNUTLS_SIGN_ECDSA_SHA1
,
426 static const int sign_priority_suiteb128
[] = {
427 GNUTLS_SIGN_ECDSA_SHA256
,
428 GNUTLS_SIGN_ECDSA_SHA384
,
432 static const int sign_priority_suiteb192
[] = {
433 GNUTLS_SIGN_ECDSA_SHA384
,
437 static const int sign_priority_secure128
[] = {
438 GNUTLS_SIGN_RSA_SHA256
,
439 GNUTLS_SIGN_DSA_SHA256
,
440 GNUTLS_SIGN_ECDSA_SHA256
,
441 GNUTLS_SIGN_RSA_SHA384
,
442 GNUTLS_SIGN_ECDSA_SHA384
,
443 GNUTLS_SIGN_RSA_SHA512
,
444 GNUTLS_SIGN_ECDSA_SHA512
,
448 static const int sign_priority_secure192
[] = {
449 GNUTLS_SIGN_RSA_SHA384
,
450 GNUTLS_SIGN_ECDSA_SHA384
,
451 GNUTLS_SIGN_RSA_SHA512
,
452 GNUTLS_SIGN_ECDSA_SHA512
,
456 static const int mac_priority_normal
[] = {
465 static const int mac_priority_suiteb128
[] = {
470 static const int mac_priority_suiteb192
[] = {
475 static const int mac_priority_secure128
[] = {
483 static const int mac_priority_secure192
[] = {
490 static const int cert_type_priority_default
[] = {
495 static const int cert_type_priority_all
[] = {
501 typedef void (rmadd_func
) (priority_st
* priority_list
, unsigned int alg
);
504 prio_remove (priority_st
* priority_list
, unsigned int algo
)
507 int pos
= -1; /* the position of the cipher to remove */
509 while (priority_list
->priority
[i
] != 0)
511 if (priority_list
->priority
[i
] == algo
)
518 priority_list
->priority
[pos
] = priority_list
->priority
[i
- 1];
519 priority_list
->priority
[i
- 1] = 0;
520 priority_list
->algorithms
--;
527 prio_add (priority_st
* priority_list
, unsigned int algo
)
530 while (priority_list
->priority
[i
] != 0)
532 if (algo
== priority_list
->priority
[i
])
533 return; /* if it exists */
539 priority_list
->priority
[i
] = algo
;
540 priority_list
->algorithms
++;
548 * gnutls_priority_set:
549 * @session: is a #gnutls_session_t structure.
550 * @priority: is a #gnutls_priority_t structure.
552 * Sets the priorities to use on the ciphers, key exchange methods,
553 * macs and compression methods.
555 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
558 gnutls_priority_set (gnutls_session_t session
, gnutls_priority_t priority
)
560 if (priority
== NULL
)
563 return GNUTLS_E_NO_CIPHER_SUITES
;
566 memcpy (&session
->internals
.priorities
, priority
,
567 sizeof (struct gnutls_priority_st
));
569 /* set the current version to the first in the chain.
570 * This will be overridden later.
572 if (session
->internals
.priorities
.protocol
.algorithms
> 0)
573 _gnutls_set_current_version (session
,
574 session
->internals
.priorities
.protocol
.
577 if (session
->internals
.priorities
.protocol
.algorithms
== 0 ||
578 session
->internals
.priorities
.cipher
.algorithms
== 0 ||
579 session
->internals
.priorities
.mac
.algorithms
== 0 ||
580 session
->internals
.priorities
.kx
.algorithms
== 0 ||
581 session
->internals
.priorities
.compression
.algorithms
== 0)
582 return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET
);
588 #define MAX_ELEMENTS 48
591 * gnutls_priority_init:
592 * @priority_cache: is a #gnutls_prioritity_t structure.
593 * @priorities: is a string describing priorities
594 * @err_pos: In case of an error this will have the position in the string the error occured
596 * Sets priorities for the ciphers, key exchange methods, macs and
597 * compression methods.
599 * The #priorities option allows you to specify a colon
600 * separated list of the cipher priorities to enable.
601 * Some keywords are defined to provide quick access
602 * to common preferences.
604 * "PERFORMANCE" means all the "secure" ciphersuites are enabled,
605 * limited to 128 bit ciphers and sorted by terms of speed
608 * "NORMAL" means all "secure" ciphersuites. The 256-bit ciphers are
609 * included as a fallback only. The ciphers are sorted by security
612 * "SECURE128" means all "secure" ciphersuites of security level 128-bit
615 * "SECURE192" means all "secure" ciphersuites of security level 192-bit
618 * "SUITEB128" means all the NSA SuiteB ciphersuites with security level
621 * "SUITEB192" means all the NSA SuiteB ciphersuites with security level
624 * "EXPORT" means all ciphersuites are enabled, including the
625 * low-security 40 bit ciphers.
627 * "NONE" means nothing is enabled. This disables even protocols and
628 * compression methods.
630 * Special keywords are "!", "-" and "+".
631 * "!" or "-" appended with an algorithm will remove this algorithm.
632 * "+" appended with an algorithm will add this algorithm.
634 * Check the GnuTLS manual section "Priority strings" for detailed
639 * "NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-NULL"
641 * "NORMAL:-ARCFOUR-128" means normal ciphers except for ARCFOUR-128.
643 * "SECURE:-VERS-SSL3.0:+COMP-DEFLATE" means that only secure ciphers are
644 * enabled, SSL3.0 is disabled, and libz compression enabled.
646 * "NONE:+VERS-TLS-ALL:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL:+SIGN-RSA-SHA1",
648 * "NONE:+VERS-TLS-ALL:+AES-128-CBC:+ECDHE-RSA:+SHA1:+COMP-NULL:+SIGN-RSA-SHA1:+CURVE-SECP256R1",
650 * "NORMAL:%COMPAT" is the most compatible mode.
652 * Returns: On syntax error %GNUTLS_E_INVALID_REQUEST is returned,
653 * %GNUTLS_E_SUCCESS on success, or an error code.
656 gnutls_priority_init (gnutls_priority_t
* priority_cache
,
657 const char *priorities
, const char **err_pos
)
659 char *broken_list
[MAX_ELEMENTS
];
660 int broken_list_size
= 0, i
= 0, j
;
664 bulk_rmadd_func
*bulk_fn
;
666 *priority_cache
= gnutls_calloc (1, sizeof (struct gnutls_priority_st
));
667 if (*priority_cache
== NULL
)
670 return GNUTLS_E_MEMORY_ERROR
;
673 /* for now unsafe renegotiation is default on everyone. To be removed
674 * when we make it the default.
676 (*priority_cache
)->sr
= SR_PARTIAL
;
677 (*priority_cache
)->ssl3_record_version
= 1;
679 if (priorities
== NULL
)
680 priorities
= "NORMAL";
682 darg
= gnutls_strdup (priorities
);
689 break_comma_list (darg
, broken_list
, &broken_list_size
, MAX_ELEMENTS
, ':');
690 /* This is our default set of protocol version, certificate types and
691 * compression methods.
693 if (strcasecmp (broken_list
[0], "NONE") != 0)
695 _set_priority (&(*priority_cache
)->protocol
, protocol_priority
);
696 _set_priority (&(*priority_cache
)->compression
, comp_priority
);
697 _set_priority (&(*priority_cache
)->cert_type
, cert_type_priority_default
);
698 _set_priority (&(*priority_cache
)->sign_algo
, sign_priority_default
);
699 _set_priority (&(*priority_cache
)->supported_ecc
, supported_ecc_normal
);
707 for (; i
< broken_list_size
; i
++)
709 if (strcasecmp (broken_list
[i
], "PERFORMANCE") == 0)
711 _set_priority (&(*priority_cache
)->cipher
,
712 cipher_priority_performance
);
713 _set_priority (&(*priority_cache
)->kx
, kx_priority_performance
);
714 _set_priority (&(*priority_cache
)->mac
, mac_priority_normal
);
715 _set_priority (&(*priority_cache
)->sign_algo
,
716 sign_priority_default
);
717 _set_priority (&(*priority_cache
)->supported_ecc
, supported_ecc_normal
);
719 else if (strcasecmp (broken_list
[i
], "NORMAL") == 0)
721 _set_priority (&(*priority_cache
)->cipher
, cipher_priority_normal
);
722 _set_priority (&(*priority_cache
)->kx
, kx_priority_secure
);
723 _set_priority (&(*priority_cache
)->mac
, mac_priority_normal
);
724 _set_priority (&(*priority_cache
)->sign_algo
,
725 sign_priority_default
);
726 _set_priority (&(*priority_cache
)->supported_ecc
, supported_ecc_normal
);
728 else if (strcasecmp (broken_list
[i
], "SECURE256") == 0
729 || strcasecmp (broken_list
[i
], "SECURE192") == 0)
731 _set_priority (&(*priority_cache
)->cipher
,
732 cipher_priority_secure192
);
733 _set_priority (&(*priority_cache
)->kx
, kx_priority_secure
);
734 _set_priority (&(*priority_cache
)->mac
, mac_priority_secure192
);
735 _set_priority (&(*priority_cache
)->sign_algo
,
736 sign_priority_secure192
);
737 _set_priority (&(*priority_cache
)->supported_ecc
, supported_ecc_secure192
);
739 else if (strcasecmp (broken_list
[i
], "SECURE128") == 0
740 || strcasecmp (broken_list
[i
], "SECURE") == 0)
742 _set_priority (&(*priority_cache
)->cipher
,
743 cipher_priority_secure128
);
744 _set_priority (&(*priority_cache
)->kx
, kx_priority_secure
);
745 _set_priority (&(*priority_cache
)->mac
, mac_priority_secure128
);
746 _set_priority (&(*priority_cache
)->sign_algo
,
747 sign_priority_secure128
);
748 _set_priority (&(*priority_cache
)->supported_ecc
, supported_ecc_secure128
);
750 else if (strcasecmp (broken_list
[i
], "SUITEB128") == 0)
752 _set_priority (&(*priority_cache
)->protocol
, protocol_priority_suiteb
);
753 _set_priority (&(*priority_cache
)->cipher
,
754 cipher_priority_suiteb128
);
755 _set_priority (&(*priority_cache
)->kx
, kx_priority_suiteb
);
756 _set_priority (&(*priority_cache
)->mac
, mac_priority_suiteb128
);
757 _set_priority (&(*priority_cache
)->sign_algo
,
758 sign_priority_suiteb128
);
759 _set_priority (&(*priority_cache
)->supported_ecc
, supported_ecc_suiteb128
);
761 else if (strcasecmp (broken_list
[i
], "SUITEB192") == 0)
763 _set_priority (&(*priority_cache
)->protocol
, protocol_priority_suiteb
);
764 _set_priority (&(*priority_cache
)->cipher
,
765 cipher_priority_suiteb192
);
766 _set_priority (&(*priority_cache
)->kx
, kx_priority_suiteb
);
767 _set_priority (&(*priority_cache
)->mac
, mac_priority_suiteb192
);
768 _set_priority (&(*priority_cache
)->sign_algo
,
769 sign_priority_suiteb192
);
770 _set_priority (&(*priority_cache
)->supported_ecc
, supported_ecc_suiteb192
);
772 else if (strcasecmp (broken_list
[i
], "EXPORT") == 0)
774 _set_priority (&(*priority_cache
)->cipher
, cipher_priority_export
);
775 _set_priority (&(*priority_cache
)->kx
, kx_priority_export
);
776 _set_priority (&(*priority_cache
)->mac
, mac_priority_secure128
);
777 _set_priority (&(*priority_cache
)->sign_algo
,
778 sign_priority_default
);
779 _set_priority (&(*priority_cache
)->supported_ecc
, supported_ecc_normal
);
780 } /* now check if the element is something like -ALGO */
781 else if (broken_list
[i
][0] == '!' || broken_list
[i
][0] == '+'
782 || broken_list
[i
][0] == '-')
784 if (broken_list
[i
][0] == '+')
787 bulk_fn
= _set_priority
;
792 bulk_fn
= _clear_priorities
;
796 gnutls_mac_get_id (&broken_list
[i
][1])) != GNUTLS_MAC_UNKNOWN
)
797 fn (&(*priority_cache
)->mac
, algo
);
798 else if ((algo
= gnutls_cipher_get_id (&broken_list
[i
][1])) !=
799 GNUTLS_CIPHER_UNKNOWN
)
800 fn (&(*priority_cache
)->cipher
, algo
);
801 else if ((algo
= gnutls_kx_get_id (&broken_list
[i
][1])) !=
803 fn (&(*priority_cache
)->kx
, algo
);
804 else if (strncasecmp (&broken_list
[i
][1], "VERS-", 5) == 0)
806 if (strncasecmp (&broken_list
[i
][1], "VERS-TLS-ALL", 12) == 0)
808 bulk_fn (&(*priority_cache
)->protocol
,
814 gnutls_protocol_get_id (&broken_list
[i
][6])) !=
815 GNUTLS_VERSION_UNKNOWN
)
816 fn (&(*priority_cache
)->protocol
, algo
);
821 } /* now check if the element is something like -ALGO */
822 else if (strncasecmp (&broken_list
[i
][1], "COMP-", 5) == 0)
824 if (strncasecmp (&broken_list
[i
][1], "COMP-ALL", 8) == 0)
826 bulk_fn (&(*priority_cache
)->compression
,
832 gnutls_compression_get_id (&broken_list
[i
][6])) !=
834 fn (&(*priority_cache
)->compression
, algo
);
838 } /* now check if the element is something like -ALGO */
839 else if (strncasecmp (&broken_list
[i
][1], "CURVE-", 6) == 0)
841 if (strncasecmp (&broken_list
[i
][1], "CURVE-ALL", 9) == 0)
843 bulk_fn (&(*priority_cache
)->supported_ecc
,
844 supported_ecc_normal
);
849 _gnutls_ecc_curve_get_id (&broken_list
[i
][7])) !=
850 GNUTLS_ECC_CURVE_INVALID
)
851 fn (&(*priority_cache
)->supported_ecc
, algo
);
855 } /* now check if the element is something like -ALGO */
856 else if (strncasecmp (&broken_list
[i
][1], "CTYPE-", 6) == 0)
858 if (strncasecmp (&broken_list
[i
][1], "CTYPE-ALL", 9) == 0)
860 bulk_fn (&(*priority_cache
)->cert_type
,
861 cert_type_priority_all
);
866 gnutls_certificate_type_get_id (&broken_list
[i
][7])) !=
868 fn (&(*priority_cache
)->cert_type
, algo
);
872 } /* now check if the element is something like -ALGO */
873 else if (strncasecmp (&broken_list
[i
][1], "SIGN-", 5) == 0)
875 if (strncasecmp (&broken_list
[i
][1], "SIGN-ALL", 8) == 0)
877 bulk_fn (&(*priority_cache
)->sign_algo
,
878 sign_priority_default
);
883 gnutls_sign_get_id (&broken_list
[i
][6])) !=
885 fn (&(*priority_cache
)->sign_algo
, algo
);
890 else if (strncasecmp (&broken_list
[i
][1], "MAC-ALL", 7) == 0)
892 bulk_fn (&(*priority_cache
)->mac
,
893 mac_priority_normal
);
895 else if (strncasecmp (&broken_list
[i
][1], "CIPHER-ALL", 10) == 0)
897 bulk_fn (&(*priority_cache
)->cipher
,
898 cipher_priority_normal
);
900 else if (strncasecmp (&broken_list
[i
][1], "KX-ALL", 6) == 0)
902 bulk_fn (&(*priority_cache
)->kx
,
908 else if (broken_list
[i
][0] == '%')
910 if (strcasecmp (&broken_list
[i
][1], "COMPAT") == 0)
912 (*priority_cache
)->no_padding
= 1;
913 (*priority_cache
)->allow_large_records
= 1;
915 else if (strcasecmp (&broken_list
[i
][1], "NO_EXTENSIONS") == 0)
917 (*priority_cache
)->no_extensions
= 1;
919 else if (strcasecmp (&broken_list
[i
][1],
920 "VERIFY_ALLOW_SIGN_RSA_MD5") == 0)
922 prio_add (&(*priority_cache
)->sign_algo
, GNUTLS_SIGN_RSA_MD5
);
923 (*priority_cache
)->additional_verify_flags
|=
924 GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5
;
926 else if (strcasecmp (&broken_list
[i
][1],
927 "SSL3_RECORD_VERSION") == 0)
928 (*priority_cache
)->ssl3_record_version
= 1;
929 else if (strcasecmp (&broken_list
[i
][1],
930 "LATEST_RECORD_VERSION") == 0)
931 (*priority_cache
)->ssl3_record_version
= 0;
932 else if (strcasecmp (&broken_list
[i
][1],
933 "VERIFY_ALLOW_X509_V1_CA_CRT") == 0)
934 (*priority_cache
)->additional_verify_flags
|=
935 GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT
;
936 else if (strcasecmp (&broken_list
[i
][1],
937 "UNSAFE_RENEGOTIATION") == 0)
939 (*priority_cache
)->sr
= SR_UNSAFE
;
941 else if (strcasecmp (&broken_list
[i
][1], "SAFE_RENEGOTIATION") == 0)
943 (*priority_cache
)->sr
= SR_SAFE
;
945 else if (strcasecmp (&broken_list
[i
][1],
946 "PARTIAL_RENEGOTIATION") == 0)
948 (*priority_cache
)->sr
= SR_PARTIAL
;
950 else if (strcasecmp (&broken_list
[i
][1],
951 "DISABLE_SAFE_RENEGOTIATION") == 0)
953 (*priority_cache
)->sr
= SR_DISABLED
;
955 else if (strcasecmp (&broken_list
[i
][1],
956 "SERVER_PRECEDENCE") == 0)
958 (*priority_cache
)->server_precedence
= 1;
971 if (err_pos
!= NULL
&& i
< broken_list_size
)
973 *err_pos
= priorities
;
974 for (j
= 0; j
< i
; j
++)
976 (*err_pos
) += strlen (broken_list
[j
]) + 1;
980 gnutls_free (*priority_cache
);
982 return GNUTLS_E_INVALID_REQUEST
;
987 * gnutls_priority_deinit:
988 * @priority_cache: is a #gnutls_prioritity_t structure.
990 * Deinitializes the priority cache.
993 gnutls_priority_deinit (gnutls_priority_t priority_cache
)
995 gnutls_free (priority_cache
);
1000 * gnutls_priority_set_direct:
1001 * @session: is a #gnutls_session_t structure.
1002 * @priorities: is a string describing priorities
1003 * @err_pos: In case of an error this will have the position in the string the error occured
1005 * Sets the priorities to use on the ciphers, key exchange methods,
1006 * macs and compression methods. This function avoids keeping a
1007 * priority cache and is used to directly set string priorities to a
1008 * TLS session. For documentation check the gnutls_priority_init().
1010 * Returns: On syntax error %GNUTLS_E_INVALID_REQUEST is returned,
1011 * %GNUTLS_E_SUCCESS on success, or an error code.
1014 gnutls_priority_set_direct (gnutls_session_t session
,
1015 const char *priorities
, const char **err_pos
)
1017 gnutls_priority_t prio
;
1020 ret
= gnutls_priority_init (&prio
, priorities
, err_pos
);
1027 ret
= gnutls_priority_set (session
, prio
);
1034 gnutls_priority_deinit (prio
);
1039 /* Breaks a list of "xxx", "yyy", to a character array, of
1040 * MAX_COMMA_SEP_ELEMENTS size; Note that the given string is modified.
1043 break_comma_list (char *etag
,
1044 char **broken_etag
, int *elements
, int max_elements
,
1055 broken_etag
[*elements
] = p
;
1059 p
= strchr (p
, sep
);
1063 p
++; /* move to next entry and skip white
1070 while (p
!= NULL
&& *elements
< max_elements
);
1074 * gnutls_set_default_priority:
1075 * @session: is a #gnutls_session_t structure.
1077 * Sets some default priority on the ciphers, key exchange methods,
1078 * macs and compression methods.
1080 * This is the same as calling:
1082 * gnutls_priority_set_direct (session, "NORMAL", NULL);
1084 * This function is kept around for backwards compatibility, but
1085 * because of its wide use it is still fully supported. If you wish
1086 * to allow users to provide a string that specify which ciphers to
1087 * use (which is recommended), you should use
1088 * gnutls_priority_set_direct() or gnutls_priority_set() instead.
1090 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1093 gnutls_set_default_priority (gnutls_session_t session
)
1095 return gnutls_priority_set_direct (session
, "NORMAL", NULL
);
1099 * gnutls_set_default_export_priority:
1100 * @session: is a #gnutls_session_t structure.
1102 * Sets some default priority on the ciphers, key exchange methods, macs
1103 * and compression methods. This function also includes weak algorithms.
1105 * This is the same as calling:
1107 * gnutls_priority_set_direct (session, "EXPORT", NULL);
1109 * This function is kept around for backwards compatibility, but
1110 * because of its wide use it is still fully supported. If you wish
1111 * to allow users to provide a string that specify which ciphers to
1112 * use (which is recommended), you should use
1113 * gnutls_priority_set_direct() or gnutls_priority_set() instead.
1115 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1118 gnutls_set_default_export_priority (gnutls_session_t session
)
1120 return gnutls_priority_set_direct (session
, "EXPORT", NULL
);
1123 /* Increases the priority of AES-GCM as it is much faster
1124 * than anything else if hardware support is there.
1126 void _gnutls_priority_prefer_aes_gcm(void)
1128 cipher_priority_performance
= cipher_priority_performance_hw_aes
;
1129 cipher_priority_normal
= cipher_priority_normal_hw_aes
;
1133 * gnutls_priority_ecc_curve_list:
1134 * @pcache: is a #gnutls_prioritity_t structure.
1135 * @list: will point to an integer list
1137 * Get a list of available elliptic curves in the priority
1140 * Returns: the number of curves, or an error code.
1144 gnutls_priority_ecc_curve_list (gnutls_priority_t pcache
, const unsigned int** list
)
1146 if (pcache
->supported_ecc
.algorithms
== 0)
1149 *list
= pcache
->supported_ecc
.priority
;
1150 return pcache
->supported_ecc
.algorithms
;
1154 * gnutls_priority_compression_list:
1155 * @pcache: is a #gnutls_prioritity_t structure.
1156 * @list: will point to an integer list
1158 * Get a list of available compression method in the priority
1161 * Returns: the number of methods, or an error code.
1165 gnutls_priority_compression_list (gnutls_priority_t pcache
, const unsigned int** list
)
1167 if (pcache
->compression
.algorithms
== 0)
1170 *list
= pcache
->compression
.priority
;
1171 return pcache
->compression
.algorithms
;
1175 * gnutls_priority_protocol_list:
1176 * @pcache: is a #gnutls_prioritity_t structure.
1177 * @list: will point to an integer list
1179 * Get a list of available TLS version numbers in the priority
1182 * Returns: the number of protocols, or an error code.
1186 gnutls_priority_protocol_list (gnutls_priority_t pcache
, const unsigned int** list
)
1188 if (pcache
->protocol
.algorithms
== 0)
1191 *list
= pcache
->protocol
.priority
;
1192 return pcache
->protocol
.algorithms
;
1196 * gnutls_priority_sign_list:
1197 * @pcache: is a #gnutls_prioritity_t structure.
1198 * @list: will point to an integer list
1200 * Get a list of available signature algorithms in the priority
1203 * Returns: the number of algorithms, or an error code.
1207 gnutls_priority_sign_list (gnutls_priority_t pcache
, const unsigned int** list
)
1209 if (pcache
->sign_algo
.algorithms
== 0)
1212 *list
= pcache
->sign_algo
.priority
;
1213 return pcache
->sign_algo
.algorithms
;
1217 * gnutls_priority_certificate_type_list:
1218 * @pcache: is a #gnutls_prioritity_t structure.
1219 * @list: will point to an integer list
1221 * Get a list of available certificate types in the priority
1224 * Returns: the number of certificate types, or an error code.
1228 gnutls_priority_certificate_type_list (gnutls_priority_t pcache
, const unsigned int** list
)
1230 if (pcache
->cert_type
.algorithms
== 0)
1233 *list
= pcache
->cert_type
.priority
;
1234 return pcache
->cert_type
.algorithms
;