|
Packit Service |
4684c1 |
/*
|
|
Packit Service |
4684c1 |
* Copyright (C) 2004-2015 Free Software Foundation, Inc.
|
|
Packit Service |
4684c1 |
* Copyright (C) 2015-2019 Red Hat, Inc.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Author: Nikos Mavrogiannopoulos
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This file is part of GnuTLS.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* The GnuTLS is free software; you can redistribute it and/or
|
|
Packit Service |
4684c1 |
* modify it under the terms of the GNU Lesser General Public License
|
|
Packit Service |
4684c1 |
* as published by the Free Software Foundation; either version 2.1 of
|
|
Packit Service |
4684c1 |
* the License, or (at your option) any later version.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This library is distributed in the hope that it will be useful, but
|
|
Packit Service |
4684c1 |
* WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
Packit Service |
4684c1 |
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
Packit Service |
4684c1 |
* Lesser General Public License for more details.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* You should have received a copy of the GNU Lesser General Public License
|
|
Packit Service |
4684c1 |
* along with this program. If not, see <https://www.gnu.org/licenses/>
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* Here lies the code of the gnutls_*_set_priority() functions.
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#include "gnutls_int.h"
|
|
Packit Service |
4684c1 |
#include "algorithms.h"
|
|
Packit Service |
4684c1 |
#include "errors.h"
|
|
Packit Service |
4684c1 |
#include <num.h>
|
|
Packit Service |
4684c1 |
#include <gnutls/x509.h>
|
|
Packit Service |
4684c1 |
#include <c-ctype.h>
|
|
Packit Service |
4684c1 |
#include <hello_ext.h>
|
|
Packit Service |
4684c1 |
#include <c-strcase.h>
|
|
Packit Service |
4684c1 |
#include "fips.h"
|
|
Packit Service |
4684c1 |
#include "errno.h"
|
|
Packit Service |
4684c1 |
#include "ext/srp.h"
|
|
Packit Service |
4684c1 |
#include <gnutls/gnutls.h>
|
|
Packit Service |
4684c1 |
#include "profiles.h"
|
|
Packit Service |
4684c1 |
#include "c-strcase.h"
|
|
Packit Service |
4684c1 |
#include "inih/ini.h"
|
|
Packit Service |
4684c1 |
#include "profiles.h"
|
|
Packit Service |
4684c1 |
#include "name_val_array.h"
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#define MAX_ELEMENTS 64
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#define ENABLE_PROFILE(c, profile) do { \
|
|
Packit Service |
4684c1 |
c->additional_verify_flags &= 0x00ffffff; \
|
|
Packit Service |
4684c1 |
c->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(profile); \
|
|
Packit Service |
4684c1 |
c->level = _gnutls_profile_to_sec_level(profile); \
|
|
Packit Service |
4684c1 |
} while(0)
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* This function is used by the test suite */
|
|
Packit Service |
4684c1 |
char *_gnutls_resolve_priorities(const char* priorities);
|
|
Packit Service |
4684c1 |
const char *_gnutls_default_priority_string = DEFAULT_PRIORITY_STRING;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static void prio_remove(priority_st * priority_list, unsigned int algo);
|
|
Packit Service |
4684c1 |
static void prio_add(priority_st * priority_list, unsigned int algo);
|
|
Packit Service |
4684c1 |
static void
|
|
Packit Service |
4684c1 |
break_list(char *etag,
|
|
Packit Service |
4684c1 |
char *broken_etag[MAX_ELEMENTS], int *size);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
typedef void (bulk_rmadd_func) (priority_st * priority_list, const int *);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
inline static void _set_priority(priority_st * st, const int *list)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
int num = 0, i;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
while (list[num] != 0)
|
|
Packit Service |
4684c1 |
num++;
|
|
Packit Service |
4684c1 |
if (num > MAX_ALGOS)
|
|
Packit Service |
4684c1 |
num = MAX_ALGOS;
|
|
Packit Service |
4684c1 |
st->num_priorities = num;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
for (i = 0; i < num; i++) {
|
|
Packit Service |
4684c1 |
st->priorities[i] = list[i];
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
inline static void _add_priority(priority_st * st, const int *list)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
int num, i, j, init;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
init = i = st->num_priorities;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
for (num = 0; list[num] != 0; ++num) {
|
|
Packit Service |
4684c1 |
if (i + 1 > MAX_ALGOS) {
|
|
Packit Service |
4684c1 |
return;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
for (j = 0; j < init; j++) {
|
|
Packit Service |
4684c1 |
if (st->priorities[j] == (unsigned) list[num]) {
|
|
Packit Service |
4684c1 |
break;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (j == init) {
|
|
Packit Service |
4684c1 |
st->priorities[i++] = list[num];
|
|
Packit Service |
4684c1 |
st->num_priorities++;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static void _clear_priorities(priority_st * st, const int *list)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
memset(st, 0, sizeof(*st));
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static void _clear_given_priorities(priority_st * st, const int *list)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
unsigned i;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
for (i=0;list[i]!=0;i++) {
|
|
Packit Service |
4684c1 |
prio_remove(st, list[i]);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int _supported_groups_dh[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_FFDHE2048,
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_FFDHE3072,
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_FFDHE4096,
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_FFDHE6144,
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_FFDHE8192,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int _supported_groups_ecdh[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_SECP256R1,
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_SECP384R1,
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_SECP521R1,
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_X25519, /* RFC 8422 */
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_X448, /* RFC 8422 */
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int _supported_groups_gost[] = {
|
|
Packit Service |
4684c1 |
#ifdef ENABLE_GOST
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_GC256A,
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_GC256B,
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_GC256C,
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_GC256D,
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_GC512A,
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_GC512B,
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_GC512C,
|
|
Packit Service |
4684c1 |
#endif
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int _supported_groups_normal[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_SECP256R1,
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_SECP384R1,
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_SECP521R1,
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_X25519, /* RFC 8422 */
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_X448, /* RFC 8422 */
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* These should stay last as our default behavior
|
|
Packit Service |
4684c1 |
* is to send key shares for two top types (GNUTLS_KEY_SHARE_TOP2)
|
|
Packit Service |
4684c1 |
* and we wouldn't want to have these sent by all clients
|
|
Packit Service |
4684c1 |
* by default as they are quite expensive CPU-wise. */
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_FFDHE2048,
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_FFDHE3072,
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_FFDHE4096,
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_FFDHE6144,
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_FFDHE8192,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
static const int* supported_groups_normal = _supported_groups_normal;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int _supported_groups_secure128[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_SECP256R1,
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_SECP384R1,
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_SECP521R1,
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_X25519, /* RFC 8422 */
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_X448, /* RFC 8422 */
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_FFDHE2048,
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_FFDHE3072,
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_FFDHE4096,
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_FFDHE6144,
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_FFDHE8192,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
static const int* supported_groups_secure128 = _supported_groups_secure128;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int _supported_groups_suiteb128[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_SECP256R1,
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_SECP384R1,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
static const int* supported_groups_suiteb128 = _supported_groups_suiteb128;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int _supported_groups_suiteb192[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_SECP384R1,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
static const int* supported_groups_suiteb192 = _supported_groups_suiteb192;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int _supported_groups_secure192[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_SECP384R1,
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_SECP521R1,
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_FFDHE8192,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
static const int* supported_groups_secure192 = _supported_groups_secure192;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int protocol_priority[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_TLS1_3,
|
|
Packit Service |
4684c1 |
GNUTLS_TLS1_2,
|
|
Packit Service |
4684c1 |
GNUTLS_TLS1_1,
|
|
Packit Service |
4684c1 |
GNUTLS_TLS1_0,
|
|
Packit Service |
4684c1 |
GNUTLS_DTLS1_2,
|
|
Packit Service |
4684c1 |
GNUTLS_DTLS1_0,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* contains all the supported TLS protocols, intended to be used for eliminating them
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
static const int stream_protocol_priority[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_TLS1_3,
|
|
Packit Service |
4684c1 |
GNUTLS_TLS1_2,
|
|
Packit Service |
4684c1 |
GNUTLS_TLS1_1,
|
|
Packit Service |
4684c1 |
GNUTLS_TLS1_0,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* contains all the supported DTLS protocols, intended to be used for eliminating them
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
static const int dgram_protocol_priority[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_DTLS1_2,
|
|
Packit Service |
4684c1 |
GNUTLS_DTLS1_0,
|
|
Packit Service |
4684c1 |
GNUTLS_DTLS0_9,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int dtls_protocol_priority[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_DTLS1_2,
|
|
Packit Service |
4684c1 |
GNUTLS_DTLS1_0,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int _protocol_priority_suiteb[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_TLS1_2,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
static const int* protocol_priority_suiteb = _protocol_priority_suiteb;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int _kx_priority_performance[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_KX_RSA,
|
|
Packit Service |
4684c1 |
#ifdef ENABLE_ECDHE
|
|
Packit Service |
4684c1 |
GNUTLS_KX_ECDHE_ECDSA,
|
|
Packit Service |
4684c1 |
GNUTLS_KX_ECDHE_RSA,
|
|
Packit Service |
4684c1 |
#endif
|
|
Packit Service |
4684c1 |
#ifdef ENABLE_DHE
|
|
Packit Service |
4684c1 |
GNUTLS_KX_DHE_RSA,
|
|
Packit Service |
4684c1 |
#endif
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
static const int* kx_priority_performance = _kx_priority_performance;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int _kx_priority_pfs[] = {
|
|
Packit Service |
4684c1 |
#ifdef ENABLE_ECDHE
|
|
Packit Service |
4684c1 |
GNUTLS_KX_ECDHE_ECDSA,
|
|
Packit Service |
4684c1 |
GNUTLS_KX_ECDHE_RSA,
|
|
Packit Service |
4684c1 |
#endif
|
|
Packit Service |
4684c1 |
#ifdef ENABLE_DHE
|
|
Packit Service |
4684c1 |
GNUTLS_KX_DHE_RSA,
|
|
Packit Service |
4684c1 |
#endif
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
static const int* kx_priority_pfs = _kx_priority_pfs;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int _kx_priority_suiteb[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_KX_ECDHE_ECDSA,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
static const int* kx_priority_suiteb = _kx_priority_suiteb;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int _kx_priority_secure[] = {
|
|
Packit Service |
4684c1 |
/* The ciphersuites that offer forward secrecy take
|
|
Packit Service |
4684c1 |
* precedence
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
#ifdef ENABLE_ECDHE
|
|
Packit Service |
4684c1 |
GNUTLS_KX_ECDHE_ECDSA,
|
|
Packit Service |
4684c1 |
GNUTLS_KX_ECDHE_RSA,
|
|
Packit Service |
4684c1 |
#endif
|
|
Packit Service |
4684c1 |
GNUTLS_KX_RSA,
|
|
Packit Service |
4684c1 |
/* KX-RSA is now ahead of DHE-RSA and DHE-DSS due to the compatibility
|
|
Packit Service |
4684c1 |
* issues the DHE ciphersuites have. That is, one cannot enforce a specific
|
|
Packit Service |
4684c1 |
* security level without dropping the connection.
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
#ifdef ENABLE_DHE
|
|
Packit Service |
4684c1 |
GNUTLS_KX_DHE_RSA,
|
|
Packit Service |
4684c1 |
#endif
|
|
Packit Service |
4684c1 |
/* GNUTLS_KX_ANON_DH: Man-in-the-middle prone, don't add!
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
static const int* kx_priority_secure = _kx_priority_secure;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int _kx_priority_gost[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_KX_VKO_GOST_12,
|
|
Packit Service |
4684c1 |
0,
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
static const int* kx_priority_gost = _kx_priority_gost;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int _cipher_priority_performance_default[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_128_GCM,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_256_GCM,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_CHACHA20_POLY1305,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_128_CCM,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_256_CCM,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_128_CBC,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_256_CBC,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int _cipher_priority_performance_no_aesni[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_CHACHA20_POLY1305,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_128_GCM,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_256_GCM,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_128_CCM,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_256_CCM,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_128_CBC,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_256_CBC,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* If GCM and AES acceleration is available then prefer
|
|
Packit Service |
4684c1 |
* them over anything else. Overall we prioritise AEAD
|
|
Packit Service |
4684c1 |
* over legacy ciphers, and 256-bit over 128 (for future
|
|
Packit Service |
4684c1 |
* proof).
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
static const int _cipher_priority_normal_default[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_256_GCM,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_CHACHA20_POLY1305,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_256_CCM,
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_256_CBC,
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_128_GCM,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_128_CCM,
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_128_CBC,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int cipher_priority_performance_fips[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_128_GCM,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_128_CCM,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_256_GCM,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_256_CCM,
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_128_CBC,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_256_CBC,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int cipher_priority_normal_fips[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_256_GCM,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_256_CCM,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_256_CBC,
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_128_GCM,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_128_CBC,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_128_CCM,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int _cipher_priority_suiteb128[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_256_GCM,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_128_GCM,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
static const int* cipher_priority_suiteb128 = _cipher_priority_suiteb128;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int _cipher_priority_suiteb192[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_256_GCM,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
static const int* cipher_priority_suiteb192 = _cipher_priority_suiteb192;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int _cipher_priority_secure128[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_256_GCM,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_CHACHA20_POLY1305,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_256_CBC,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_256_CCM,
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_128_GCM,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_128_CBC,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_128_CCM,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
static const int *cipher_priority_secure128 = _cipher_priority_secure128;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int _cipher_priority_secure192[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_256_GCM,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_CHACHA20_POLY1305,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_256_CBC,
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_AES_256_CCM,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
static const int* cipher_priority_secure192 = _cipher_priority_secure192;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int _sign_priority_default[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_RSA_SHA256,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_RSA_PSS_SHA256,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_RSA_PSS_RSAE_SHA256,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_ECDSA_SHA256,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_ECDSA_SECP256R1_SHA256,
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_EDDSA_ED25519,
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_RSA_SHA384,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_RSA_PSS_SHA384,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_RSA_PSS_RSAE_SHA384,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_ECDSA_SHA384,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_ECDSA_SECP384R1_SHA384,
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_EDDSA_ED448,
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_RSA_SHA512,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_RSA_PSS_SHA512,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_RSA_PSS_RSAE_SHA512,
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_ECDSA_SHA512,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_ECDSA_SECP521R1_SHA512,
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_RSA_SHA1,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_ECDSA_SHA1,
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
static const int* sign_priority_default = _sign_priority_default;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int _sign_priority_suiteb128[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_ECDSA_SHA256,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_ECDSA_SECP256R1_SHA256,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_ECDSA_SHA384,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_ECDSA_SECP384R1_SHA384,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
static const int* sign_priority_suiteb128 = _sign_priority_suiteb128;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int _sign_priority_suiteb192[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_ECDSA_SHA384,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_ECDSA_SECP384R1_SHA384,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
static const int* sign_priority_suiteb192 = _sign_priority_suiteb192;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int _sign_priority_secure128[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_RSA_SHA256,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_RSA_PSS_SHA256,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_RSA_PSS_RSAE_SHA256,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_ECDSA_SHA256,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_ECDSA_SECP256R1_SHA256,
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_EDDSA_ED25519,
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_RSA_SHA384,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_RSA_PSS_SHA384,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_RSA_PSS_RSAE_SHA384,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_ECDSA_SHA384,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_ECDSA_SECP384R1_SHA384,
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_EDDSA_ED448,
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_RSA_SHA512,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_RSA_PSS_SHA512,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_RSA_PSS_RSAE_SHA512,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_ECDSA_SHA512,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_ECDSA_SECP521R1_SHA512,
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
static const int* sign_priority_secure128 = _sign_priority_secure128;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int _sign_priority_secure192[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_RSA_SHA384,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_RSA_PSS_SHA384,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_RSA_PSS_RSAE_SHA384,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_ECDSA_SHA384,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_ECDSA_SECP384R1_SHA384,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_RSA_SHA512,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_RSA_PSS_SHA512,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_RSA_PSS_RSAE_SHA512,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_ECDSA_SHA512,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_ECDSA_SECP521R1_SHA512,
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
static const int* sign_priority_secure192 = _sign_priority_secure192;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int _sign_priority_gost[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_GOST_256,
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_GOST_512,
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
static const int* sign_priority_gost = _sign_priority_gost;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int mac_priority_normal_default[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_MAC_SHA1,
|
|
Packit Service |
4684c1 |
GNUTLS_MAC_AEAD,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int mac_priority_normal_fips[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_MAC_SHA1,
|
|
Packit Service |
4684c1 |
GNUTLS_MAC_AEAD,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int *cipher_priority_performance = _cipher_priority_performance_default;
|
|
Packit Service |
4684c1 |
static const int *cipher_priority_normal = _cipher_priority_normal_default;
|
|
Packit Service |
4684c1 |
static const int *mac_priority_normal = mac_priority_normal_default;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int _cipher_priority_gost[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_CIPHER_GOST28147_TC26Z_CNT,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
static const int *cipher_priority_gost = _cipher_priority_gost;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int _mac_priority_gost[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_MAC_GOST28147_TC26Z_IMIT,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
static const int *mac_priority_gost = _mac_priority_gost;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* if called with replace the default priorities with the FIPS140 ones */
|
|
Packit Service |
4684c1 |
void _gnutls_priority_update_fips(void)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
cipher_priority_performance = cipher_priority_performance_fips;
|
|
Packit Service |
4684c1 |
cipher_priority_normal = cipher_priority_normal_fips;
|
|
Packit Service |
4684c1 |
mac_priority_normal = mac_priority_normal_fips;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
void _gnutls_priority_update_non_aesni(void)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
/* if we have no AES acceleration in performance mode
|
|
Packit Service |
4684c1 |
* prefer fast stream ciphers */
|
|
Packit Service |
4684c1 |
if (_gnutls_fips_mode_enabled() == 0) {
|
|
Packit Service |
4684c1 |
cipher_priority_performance = _cipher_priority_performance_no_aesni;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int _mac_priority_suiteb[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_MAC_AEAD,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
static const int* mac_priority_suiteb = _mac_priority_suiteb;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int _mac_priority_secure128[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_MAC_SHA1,
|
|
Packit Service |
4684c1 |
GNUTLS_MAC_AEAD,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
static const int* mac_priority_secure128 = _mac_priority_secure128;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int _mac_priority_secure192[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_MAC_AEAD,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
static const int* mac_priority_secure192 = _mac_priority_secure192;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int cert_type_priority_default[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_CRT_X509,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const int cert_type_priority_all[] = {
|
|
Packit Service |
4684c1 |
GNUTLS_CRT_X509,
|
|
Packit Service |
4684c1 |
GNUTLS_CRT_RAWPK,
|
|
Packit Service |
4684c1 |
0
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
typedef void (rmadd_func) (priority_st * priority_list, unsigned int alg);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static void prio_remove(priority_st * priority_list, unsigned int algo)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
unsigned int i;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
for (i = 0; i < priority_list->num_priorities; i++) {
|
|
Packit Service |
4684c1 |
if (priority_list->priorities[i] == algo) {
|
|
Packit Service |
4684c1 |
priority_list->num_priorities--;
|
|
Packit Service |
4684c1 |
if ((priority_list->num_priorities - i) > 0)
|
|
Packit Service |
4684c1 |
memmove(&priority_list->priorities[i],
|
|
Packit Service |
4684c1 |
&priority_list->priorities[i + 1],
|
|
Packit Service |
4684c1 |
(priority_list->num_priorities -
|
|
Packit Service |
4684c1 |
i) *
|
|
Packit Service |
4684c1 |
sizeof(priority_list->
|
|
Packit Service |
4684c1 |
priorities[0]));
|
|
Packit Service |
4684c1 |
priority_list->priorities[priority_list->
|
|
Packit Service |
4684c1 |
num_priorities] = 0;
|
|
Packit Service |
4684c1 |
break;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static void prio_add(priority_st * priority_list, unsigned int algo)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
unsigned int i, l = priority_list->num_priorities;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (l >= MAX_ALGOS)
|
|
Packit Service |
4684c1 |
return; /* can't add it anyway */
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
for (i = 0; i < l; ++i) {
|
|
Packit Service |
4684c1 |
if (algo == priority_list->priorities[i])
|
|
Packit Service |
4684c1 |
return; /* if it exists */
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
priority_list->priorities[l] = algo;
|
|
Packit Service |
4684c1 |
priority_list->num_priorities++;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_priority_set:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
* @priority: is a #gnutls_priority_t type.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Sets the priorities to use on the ciphers, key exchange methods,
|
|
Packit Service |
4684c1 |
* and macs. Note that this function is expected to be called once
|
|
Packit Service |
4684c1 |
* per session; when called multiple times (e.g., before a re-handshake,
|
|
Packit Service |
4684c1 |
* the caller should make sure that any new settings are not incompatible
|
|
Packit Service |
4684c1 |
* with the original session).
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: %GNUTLS_E_SUCCESS on success, or an error code on error.
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
int
|
|
Packit Service |
4684c1 |
gnutls_priority_set(gnutls_session_t session, gnutls_priority_t priority)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
int ret;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (priority == NULL || priority->protocol.num_priorities == 0 ||
|
|
Packit Service |
4684c1 |
priority->cs.size == 0)
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* set the current version to the first in the chain, if this is
|
|
Packit Service |
4684c1 |
* the call before the initial handshake. During a re-handshake
|
|
Packit Service |
4684c1 |
* we do not set the version to avoid overriding the currently
|
|
Packit Service |
4684c1 |
* negotiated version. */
|
|
Packit Service |
4684c1 |
if (!session->internals.handshake_in_progress &&
|
|
Packit Service |
4684c1 |
!session->internals.initial_negotiation_completed) {
|
|
Packit Service |
4684c1 |
ret = _gnutls_set_current_version(session,
|
|
Packit Service |
4684c1 |
priority->protocol.priorities[0]);
|
|
Packit Service |
4684c1 |
if (ret < 0)
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(ret);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* At this point the provided priorities passed the sanity tests */
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (session->internals.priorities)
|
|
Packit Service |
4684c1 |
gnutls_priority_deinit(session->internals.priorities);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
gnutls_atomic_increment(&priority->usage_cnt);
|
|
Packit Service |
4684c1 |
session->internals.priorities = priority;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (priority->no_tickets != 0) {
|
|
Packit Service |
4684c1 |
/* when PFS is explicitly requested, disable session tickets */
|
|
Packit Service |
4684c1 |
session->internals.flags |= GNUTLS_NO_TICKETS;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ADD_PROFILE_VFLAGS(session, priority->additional_verify_flags);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* mirror variables */
|
|
Packit Service |
4684c1 |
#undef COPY_TO_INTERNALS
|
|
Packit Service |
4684c1 |
#define COPY_TO_INTERNALS(xx) session->internals.xx = priority->_##xx
|
|
Packit Service |
4684c1 |
COPY_TO_INTERNALS(allow_large_records);
|
|
Packit Service |
4684c1 |
COPY_TO_INTERNALS(allow_small_records);
|
|
Packit Service |
4684c1 |
COPY_TO_INTERNALS(no_etm);
|
|
Packit Service |
4684c1 |
COPY_TO_INTERNALS(no_ext_master_secret);
|
|
Packit Service |
4684c1 |
COPY_TO_INTERNALS(allow_key_usage_violation);
|
|
Packit Service |
4684c1 |
COPY_TO_INTERNALS(allow_wrong_pms);
|
|
Packit Service |
4684c1 |
COPY_TO_INTERNALS(dumbfw);
|
|
Packit Service |
4684c1 |
COPY_TO_INTERNALS(dh_prime_bits);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#define LEVEL_NONE "NONE"
|
|
Packit Service |
4684c1 |
#define LEVEL_NORMAL "NORMAL"
|
|
Packit Service |
4684c1 |
#define LEVEL_PFS "PFS"
|
|
Packit Service |
4684c1 |
#define LEVEL_PERFORMANCE "PERFORMANCE"
|
|
Packit Service |
4684c1 |
#define LEVEL_SECURE128 "SECURE128"
|
|
Packit Service |
4684c1 |
#define LEVEL_SECURE192 "SECURE192"
|
|
Packit Service |
4684c1 |
#define LEVEL_SECURE256 "SECURE256"
|
|
Packit Service |
4684c1 |
#define LEVEL_SUITEB128 "SUITEB128"
|
|
Packit Service |
4684c1 |
#define LEVEL_SUITEB192 "SUITEB192"
|
|
Packit Service |
4684c1 |
#define LEVEL_LEGACY "LEGACY"
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
struct priority_groups_st {
|
|
Packit Service |
4684c1 |
const char *name;
|
|
Packit Service |
4684c1 |
const char *alias;
|
|
Packit Service |
4684c1 |
const int **proto_list;
|
|
Packit Service |
4684c1 |
const int **cipher_list;
|
|
Packit Service |
4684c1 |
const int **mac_list;
|
|
Packit Service |
4684c1 |
const int **kx_list;
|
|
Packit Service |
4684c1 |
const int **sign_list;
|
|
Packit Service |
4684c1 |
const int **group_list;
|
|
Packit Service |
4684c1 |
unsigned profile;
|
|
Packit Service |
4684c1 |
int sec_param;
|
|
Packit Service |
4684c1 |
bool no_tickets;
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const struct priority_groups_st pgroups[] =
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
{.name = LEVEL_NORMAL,
|
|
Packit Service |
4684c1 |
.cipher_list = &cipher_priority_normal,
|
|
Packit Service |
4684c1 |
.mac_list = &mac_priority_normal,
|
|
Packit Service |
4684c1 |
.kx_list = &kx_priority_secure,
|
|
Packit Service |
4684c1 |
.sign_list = &sign_priority_default,
|
|
Packit Service |
4684c1 |
.group_list = &supported_groups_normal,
|
|
Packit Service |
4684c1 |
.profile = GNUTLS_PROFILE_LOW,
|
|
Packit Service |
4684c1 |
.sec_param = GNUTLS_SEC_PARAM_WEAK
|
|
Packit Service |
4684c1 |
},
|
|
Packit Service |
4684c1 |
{.name = LEVEL_PFS,
|
|
Packit Service |
4684c1 |
.cipher_list = &cipher_priority_normal,
|
|
Packit Service |
4684c1 |
.mac_list = &mac_priority_secure128,
|
|
Packit Service |
4684c1 |
.kx_list = &kx_priority_pfs,
|
|
Packit Service |
4684c1 |
.sign_list = &sign_priority_default,
|
|
Packit Service |
4684c1 |
.group_list = &supported_groups_normal,
|
|
Packit Service |
4684c1 |
.profile = GNUTLS_PROFILE_LOW,
|
|
Packit Service |
4684c1 |
.sec_param = GNUTLS_SEC_PARAM_WEAK,
|
|
Packit Service |
4684c1 |
.no_tickets = 1
|
|
Packit Service |
4684c1 |
},
|
|
Packit Service |
4684c1 |
{.name = LEVEL_SECURE128,
|
|
Packit Service |
4684c1 |
.alias = "SECURE",
|
|
Packit Service |
4684c1 |
.cipher_list = &cipher_priority_secure128,
|
|
Packit Service |
4684c1 |
.mac_list = &mac_priority_secure128,
|
|
Packit Service |
4684c1 |
.kx_list = &kx_priority_secure,
|
|
Packit Service |
4684c1 |
.sign_list = &sign_priority_secure128,
|
|
Packit Service |
4684c1 |
.group_list = &supported_groups_secure128,
|
|
Packit Service |
4684c1 |
/* The profile should have been HIGH but if we don't allow
|
|
Packit Service |
4684c1 |
* SHA-1 (80-bits) as signature algorithm we are not able
|
|
Packit Service |
4684c1 |
* to connect anywhere with this level */
|
|
Packit Service |
4684c1 |
.profile = GNUTLS_PROFILE_LOW,
|
|
Packit Service |
4684c1 |
.sec_param = GNUTLS_SEC_PARAM_LOW
|
|
Packit Service |
4684c1 |
},
|
|
Packit Service |
4684c1 |
{.name = LEVEL_SECURE192,
|
|
Packit Service |
4684c1 |
.alias = LEVEL_SECURE256,
|
|
Packit Service |
4684c1 |
.cipher_list = &cipher_priority_secure192,
|
|
Packit Service |
4684c1 |
.mac_list = &mac_priority_secure192,
|
|
Packit Service |
4684c1 |
.kx_list = &kx_priority_secure,
|
|
Packit Service |
4684c1 |
.sign_list = &sign_priority_secure192,
|
|
Packit Service |
4684c1 |
.group_list = &supported_groups_secure192,
|
|
Packit Service |
4684c1 |
.profile = GNUTLS_PROFILE_HIGH,
|
|
Packit Service |
4684c1 |
.sec_param = GNUTLS_SEC_PARAM_HIGH
|
|
Packit Service |
4684c1 |
},
|
|
Packit Service |
4684c1 |
{.name = LEVEL_SUITEB128,
|
|
Packit Service |
4684c1 |
.proto_list = &protocol_priority_suiteb,
|
|
Packit Service |
4684c1 |
.cipher_list = &cipher_priority_suiteb128,
|
|
Packit Service |
4684c1 |
.mac_list = &mac_priority_suiteb,
|
|
Packit Service |
4684c1 |
.kx_list = &kx_priority_suiteb,
|
|
Packit Service |
4684c1 |
.sign_list = &sign_priority_suiteb128,
|
|
Packit Service |
4684c1 |
.group_list = &supported_groups_suiteb128,
|
|
Packit Service |
4684c1 |
.profile = GNUTLS_PROFILE_SUITEB128,
|
|
Packit Service |
4684c1 |
.sec_param = GNUTLS_SEC_PARAM_HIGH
|
|
Packit Service |
4684c1 |
},
|
|
Packit Service |
4684c1 |
{.name = LEVEL_SUITEB192,
|
|
Packit Service |
4684c1 |
.proto_list = &protocol_priority_suiteb,
|
|
Packit Service |
4684c1 |
.cipher_list = &cipher_priority_suiteb192,
|
|
Packit Service |
4684c1 |
.mac_list = &mac_priority_suiteb,
|
|
Packit Service |
4684c1 |
.kx_list = &kx_priority_suiteb,
|
|
Packit Service |
4684c1 |
.sign_list = &sign_priority_suiteb192,
|
|
Packit Service |
4684c1 |
.group_list = &supported_groups_suiteb192,
|
|
Packit Service |
4684c1 |
.profile = GNUTLS_PROFILE_SUITEB192,
|
|
Packit Service |
4684c1 |
.sec_param = GNUTLS_SEC_PARAM_ULTRA
|
|
Packit Service |
4684c1 |
},
|
|
Packit Service |
4684c1 |
{.name = LEVEL_LEGACY,
|
|
Packit Service |
4684c1 |
.cipher_list = &cipher_priority_normal,
|
|
Packit Service |
4684c1 |
.mac_list = &mac_priority_normal,
|
|
Packit Service |
4684c1 |
.kx_list = &kx_priority_secure,
|
|
Packit Service |
4684c1 |
.sign_list = &sign_priority_default,
|
|
Packit Service |
4684c1 |
.group_list = &supported_groups_normal,
|
|
Packit Service |
4684c1 |
.sec_param = GNUTLS_SEC_PARAM_VERY_WEAK
|
|
Packit Service |
4684c1 |
},
|
|
Packit Service |
4684c1 |
{.name = LEVEL_PERFORMANCE,
|
|
Packit Service |
4684c1 |
.cipher_list = &cipher_priority_performance,
|
|
Packit Service |
4684c1 |
.mac_list = &mac_priority_normal,
|
|
Packit Service |
4684c1 |
.kx_list = &kx_priority_performance,
|
|
Packit Service |
4684c1 |
.sign_list = &sign_priority_default,
|
|
Packit Service |
4684c1 |
.group_list = &supported_groups_normal,
|
|
Packit Service |
4684c1 |
.profile = GNUTLS_PROFILE_LOW,
|
|
Packit Service |
4684c1 |
.sec_param = GNUTLS_SEC_PARAM_WEAK
|
|
Packit Service |
4684c1 |
},
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
.name = NULL,
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
};
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#define SET_PROFILE(to_set) \
|
|
Packit Service |
4684c1 |
profile = GNUTLS_VFLAGS_TO_PROFILE(priority_cache->additional_verify_flags); \
|
|
Packit Service |
4684c1 |
if (profile == 0 || profile > to_set) { \
|
|
Packit Service |
4684c1 |
priority_cache->additional_verify_flags &= ~GNUTLS_VFLAGS_PROFILE_MASK; \
|
|
Packit Service |
4684c1 |
priority_cache->additional_verify_flags |= GNUTLS_PROFILE_TO_VFLAGS(to_set); \
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#define SET_LEVEL(to_set) \
|
|
Packit Service |
4684c1 |
if (priority_cache->level == 0 || (unsigned)priority_cache->level > (unsigned)to_set) \
|
|
Packit Service |
4684c1 |
priority_cache->level = to_set
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static
|
|
Packit Service |
4684c1 |
int check_level(const char *level, gnutls_priority_t priority_cache,
|
|
Packit Service |
4684c1 |
int add)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
bulk_rmadd_func *func;
|
|
Packit Service |
4684c1 |
unsigned profile = 0;
|
|
Packit Service |
4684c1 |
unsigned i;
|
|
Packit Service |
4684c1 |
int j;
|
|
Packit Service |
4684c1 |
const cipher_entry_st *centry;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (add)
|
|
Packit Service |
4684c1 |
func = _add_priority;
|
|
Packit Service |
4684c1 |
else
|
|
Packit Service |
4684c1 |
func = _set_priority;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
for (i=0;;i++) {
|
|
Packit Service |
4684c1 |
if (pgroups[i].name == NULL)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (c_strcasecmp(level, pgroups[i].name) == 0 ||
|
|
Packit Service |
4684c1 |
(pgroups[i].alias != NULL && c_strcasecmp(level, pgroups[i].alias) == 0)) {
|
|
Packit Service |
4684c1 |
if (pgroups[i].proto_list != NULL)
|
|
Packit Service |
4684c1 |
func(&priority_cache->protocol, *pgroups[i].proto_list);
|
|
Packit Service |
4684c1 |
func(&priority_cache->_cipher, *pgroups[i].cipher_list);
|
|
Packit Service |
4684c1 |
func(&priority_cache->_kx, *pgroups[i].kx_list);
|
|
Packit Service |
4684c1 |
func(&priority_cache->_mac, *pgroups[i].mac_list);
|
|
Packit Service |
4684c1 |
func(&priority_cache->_sign_algo, *pgroups[i].sign_list);
|
|
Packit Service |
4684c1 |
func(&priority_cache->_supported_ecc, *pgroups[i].group_list);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (pgroups[i].profile != 0) {
|
|
Packit Service |
4684c1 |
SET_PROFILE(pgroups[i].profile); /* set certificate level */
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
SET_LEVEL(pgroups[i].sec_param); /* set DH params level */
|
|
Packit Service |
4684c1 |
priority_cache->no_tickets = pgroups[i].no_tickets;
|
|
Packit Service |
4684c1 |
if (priority_cache->have_cbc == 0) {
|
|
Packit Service |
4684c1 |
for (j=0;(*pgroups[i].cipher_list)[j]!=0;j++) {
|
|
Packit Service |
4684c1 |
centry = cipher_to_entry((*pgroups[i].cipher_list)[j]);
|
|
Packit Service |
4684c1 |
if (centry != NULL && centry->type == CIPHER_BLOCK) {
|
|
Packit Service |
4684c1 |
priority_cache->have_cbc = 1;
|
|
Packit Service |
4684c1 |
break;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
return 1;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static void enable_compat(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
ENABLE_PRIO_COMPAT(c);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
static void enable_server_key_usage_violations(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
c->allow_server_key_usage_violation = 1;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
static void enable_allow_small_records(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
c->_allow_small_records = 1;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
static void enable_dumbfw(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
c->_dumbfw = 1;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
static void enable_no_extensions(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
c->no_extensions = 1;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
static void enable_no_ext_master_secret(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
c->_no_ext_master_secret = 1;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
static void enable_no_etm(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
c->_no_etm = 1;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
static void enable_force_etm(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
c->force_etm = 1;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
static void enable_no_tickets(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
c->no_tickets = 1;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
static void disable_wildcards(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
c->additional_verify_flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
static void enable_profile_very_weak(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
ENABLE_PROFILE(c, GNUTLS_PROFILE_VERY_WEAK);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
static void enable_profile_low(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
ENABLE_PROFILE(c, GNUTLS_PROFILE_LOW);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
static void enable_profile_legacy(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
ENABLE_PROFILE(c, GNUTLS_PROFILE_LEGACY);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
static void enable_profile_medium(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
ENABLE_PROFILE(c, GNUTLS_PROFILE_MEDIUM);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
static void enable_profile_high(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
ENABLE_PROFILE(c, GNUTLS_PROFILE_HIGH);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
static void enable_profile_ultra(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
ENABLE_PROFILE(c, GNUTLS_PROFILE_ULTRA);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
static void enable_profile_future(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
ENABLE_PROFILE(c, GNUTLS_PROFILE_FUTURE);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
static void enable_profile_suiteb128(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
ENABLE_PROFILE(c, GNUTLS_PROFILE_SUITEB128);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
static void enable_profile_suiteb192(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
ENABLE_PROFILE(c, GNUTLS_PROFILE_SUITEB128);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
static void enable_safe_renegotiation(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
c->sr = SR_SAFE;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
static void enable_unsafe_renegotiation(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
c->sr = SR_UNSAFE;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
static void enable_partial_safe_renegotiation(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
c->sr = SR_PARTIAL;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
static void disable_safe_renegotiation(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
c->sr = SR_DISABLED;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
static void enable_fallback_scsv(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
c->fallback = 1;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
static void enable_latest_record_version(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
c->min_record_version = 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
static void enable_ssl3_record_version(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
c->min_record_version = 1;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
static void enable_verify_allow_rsa_md5(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
c->additional_verify_flags |=
|
|
Packit Service |
4684c1 |
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
static void enable_verify_allow_sha1(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
c->additional_verify_flags |=
|
|
Packit Service |
4684c1 |
GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
static void enable_verify_allow_broken(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
c->additional_verify_flags |=
|
|
Packit Service |
4684c1 |
GNUTLS_VERIFY_ALLOW_BROKEN;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
static void disable_crl_checks(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
c->additional_verify_flags |=
|
|
Packit Service |
4684c1 |
GNUTLS_VERIFY_DISABLE_CRL_CHECKS;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
static void enable_server_precedence(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
c->server_precedence = 1;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
static void dummy_func(gnutls_priority_t c)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#include <priority_options.h>
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static gnutls_certificate_verification_profiles_t system_wide_verification_profile = GNUTLS_PROFILE_UNKNOWN;
|
|
Packit Service |
4684c1 |
static name_val_array_t system_wide_priority_strings = NULL;
|
|
Packit Service |
4684c1 |
static unsigned system_wide_priority_strings_init = 0;
|
|
Packit Service |
4684c1 |
static unsigned system_wide_default_priority_string = 0;
|
|
Packit Service |
4684c1 |
static unsigned fail_on_invalid_config = 0;
|
|
Packit Service |
4684c1 |
static unsigned system_wide_disabled_ciphers[MAX_ALGOS+1] = {0};
|
|
Packit Service |
4684c1 |
static unsigned system_wide_disabled_macs[MAX_ALGOS+1] = {0};
|
|
Packit Service |
4684c1 |
static unsigned system_wide_disabled_groups[MAX_ALGOS+1] = {0};
|
|
Packit Service |
4684c1 |
static unsigned system_wide_disabled_kxs[MAX_ALGOS+1] = {0};
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static const char *system_priority_file = SYSTEM_PRIORITY_FILE;
|
|
Packit Service |
4684c1 |
static time_t system_priority_last_mod = 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#define CUSTOM_PRIORITY_SECTION "priorities"
|
|
Packit Service |
4684c1 |
#define OVERRIDES_SECTION "overrides"
|
|
Packit Service |
4684c1 |
#define MAX_ALGO_NAME 2048
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static void _clear_default_system_priority(void)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (system_wide_default_priority_string) {
|
|
Packit Service |
4684c1 |
gnutls_free(_gnutls_default_priority_string);
|
|
Packit Service |
4684c1 |
_gnutls_default_priority_string = DEFAULT_PRIORITY_STRING;
|
|
Packit Service |
4684c1 |
system_wide_default_priority_string = 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
gnutls_certificate_verification_profiles_t _gnutls_get_system_wide_verification_profile(void)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
return system_wide_verification_profile;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* removes spaces */
|
|
Packit Service |
4684c1 |
static char *clear_spaces(const char *str, char out[MAX_ALGO_NAME])
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
const char *p = str;
|
|
Packit Service |
4684c1 |
unsigned i = 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
while (c_isspace(*p))
|
|
Packit Service |
4684c1 |
p++;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
while (!c_isspace(*p) && *p != 0) {
|
|
Packit Service |
4684c1 |
out[i++] = *p;
|
|
Packit Service |
4684c1 |
p++;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (i >= MAX_ALGO_NAME-1)
|
|
Packit Service |
4684c1 |
break;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
out[i] = 0;
|
|
Packit Service |
4684c1 |
return out;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* This function parses a gnutls configuration file and updates internal
|
|
Packit Service |
4684c1 |
* settings accordingly.
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
static int cfg_ini_handler(void *_ctx, const char *section, const char *name, const char *value)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
char *p;
|
|
Packit Service |
4684c1 |
int ret, type;
|
|
Packit Service |
4684c1 |
unsigned i;
|
|
Packit Service |
4684c1 |
char str[MAX_ALGO_NAME];
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* Note that we intentionally overwrite the value above; inih does
|
|
Packit Service |
4684c1 |
* not use that value after we handle it. */
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* Parse sections */
|
|
Packit Service |
4684c1 |
if (section == NULL || section[0] == 0 || c_strcasecmp(section, CUSTOM_PRIORITY_SECTION)==0) {
|
|
Packit Service |
4684c1 |
if (system_wide_priority_strings_init == 0) {
|
|
Packit Service |
4684c1 |
_name_val_array_init(&system_wide_priority_strings);
|
|
Packit Service |
4684c1 |
system_wide_priority_strings_init = 1;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: adding priority: %s -> %s\n", name, value);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = _name_val_array_append(&system_wide_priority_strings, name, value);
|
|
Packit Service |
4684c1 |
if (ret < 0)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
} else if (c_strcasecmp(section, OVERRIDES_SECTION)==0) {
|
|
Packit Service |
4684c1 |
if (c_strcasecmp(name, "default-priority-string")==0) {
|
|
Packit Service |
4684c1 |
_clear_default_system_priority();
|
|
Packit Service |
4684c1 |
p = clear_spaces(value, str);
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: setting default-priority-string to %s\n", p);
|
|
Packit Service |
4684c1 |
if (strlen(p) > 0) {
|
|
Packit Service |
4684c1 |
_gnutls_default_priority_string = gnutls_strdup(p);
|
|
Packit Service |
4684c1 |
if (!_gnutls_default_priority_string) {
|
|
Packit Service |
4684c1 |
_gnutls_default_priority_string = DEFAULT_PRIORITY_STRING;
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: failed setting default-priority-string\n");
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
system_wide_default_priority_string = 1;
|
|
Packit Service |
4684c1 |
} else {
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: empty default-priority-string, using default\n");
|
|
Packit Service |
4684c1 |
if (fail_on_invalid_config)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
} else if (c_strcasecmp(name, "insecure-hash")==0) {
|
|
Packit Service |
4684c1 |
p = clear_spaces(value, str);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: marking hash %s as insecure\n",
|
|
Packit Service |
4684c1 |
p);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = _gnutls_digest_mark_insecure(p);
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: found unknown hash %s in %s\n",
|
|
Packit Service |
4684c1 |
p, name);
|
|
Packit Service |
4684c1 |
if (fail_on_invalid_config)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
} else if (c_strcasecmp(name, "insecure-sig")==0 || c_strcasecmp(name, "insecure-sig-for-cert")==0) {
|
|
Packit Service |
4684c1 |
p = clear_spaces(value, str);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (c_strcasecmp(name, "insecure-sig")==0) {
|
|
Packit Service |
4684c1 |
type = _INSECURE;
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: marking signature %s as insecure\n",
|
|
Packit Service |
4684c1 |
p);
|
|
Packit Service |
4684c1 |
} else {
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: marking signature %s as insecure for certs\n",
|
|
Packit Service |
4684c1 |
p);
|
|
Packit Service |
4684c1 |
type = _INSECURE_FOR_CERTS;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = _gnutls_sign_mark_insecure(p, type);
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: found unknown signature algorithm %s in %s\n",
|
|
Packit Service |
4684c1 |
p, name);
|
|
Packit Service |
4684c1 |
if (fail_on_invalid_config)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
} else if (c_strcasecmp(name, "disabled-version")==0) {
|
|
Packit Service |
4684c1 |
p = clear_spaces(value, str);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: disabling version %s\n",
|
|
Packit Service |
4684c1 |
p);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = _gnutls_version_mark_disabled(p);
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: found unknown version %s in %s\n",
|
|
Packit Service |
4684c1 |
p, name);
|
|
Packit Service |
4684c1 |
if (fail_on_invalid_config)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
} else if (c_strcasecmp(name, "disabled-curve")==0) {
|
|
Packit Service |
4684c1 |
p = clear_spaces(value, str);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: disabling curve %s\n",
|
|
Packit Service |
4684c1 |
p);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = _gnutls_ecc_curve_mark_disabled(p);
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: found unknown curve %s in %s\n",
|
|
Packit Service |
4684c1 |
p, name);
|
|
Packit Service |
4684c1 |
if (fail_on_invalid_config)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
} else if (c_strcasecmp(name, "min-verification-profile")==0) {
|
|
Packit Service |
4684c1 |
gnutls_certificate_verification_profiles_t profile;
|
|
Packit Service |
4684c1 |
profile = gnutls_certificate_verification_profile_get_id(value);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (profile == GNUTLS_PROFILE_UNKNOWN) {
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: found unknown profile %s in %s\n",
|
|
Packit Service |
4684c1 |
value, name);
|
|
Packit Service |
4684c1 |
if (fail_on_invalid_config)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
system_wide_verification_profile = profile;
|
|
Packit Service |
4684c1 |
} else if (c_strcasecmp(name, "tls-disabled-cipher")==0) {
|
|
Packit Service |
4684c1 |
unsigned algo;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
p = clear_spaces(value, str);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: disabling cipher %s for TLS\n",
|
|
Packit Service |
4684c1 |
p);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
algo = gnutls_cipher_get_id(p);
|
|
Packit Service |
4684c1 |
if (algo == 0) {
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: unknown algorithm %s listed at %s\n",
|
|
Packit Service |
4684c1 |
p, name);
|
|
Packit Service |
4684c1 |
if (fail_on_invalid_config)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
i = 0;
|
|
Packit Service |
4684c1 |
while (system_wide_disabled_ciphers[i] != 0)
|
|
Packit Service |
4684c1 |
i++;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (i > MAX_ALGOS-1) {
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: too many (%d) disabled ciphers from %s\n",
|
|
Packit Service |
4684c1 |
i, name);
|
|
Packit Service |
4684c1 |
if (fail_on_invalid_config)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
goto exit;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
system_wide_disabled_ciphers[i] = algo;
|
|
Packit Service |
4684c1 |
system_wide_disabled_ciphers[i+1] = 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
} else if (c_strcasecmp(name, "tls-disabled-mac")==0) {
|
|
Packit Service |
4684c1 |
unsigned algo;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
p = clear_spaces(value, str);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: disabling MAC %s for TLS\n",
|
|
Packit Service |
4684c1 |
p);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
algo = gnutls_mac_get_id(p);
|
|
Packit Service |
4684c1 |
if (algo == 0) {
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: unknown algorithm %s listed at %s\n",
|
|
Packit Service |
4684c1 |
p, name);
|
|
Packit Service |
4684c1 |
if (fail_on_invalid_config)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
goto exit;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
i = 0;
|
|
Packit Service |
4684c1 |
while (system_wide_disabled_macs[i] != 0)
|
|
Packit Service |
4684c1 |
i++;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (i > MAX_ALGOS-1) {
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: too many (%d) disabled MACs from %s\n",
|
|
Packit Service |
4684c1 |
i, name);
|
|
Packit Service |
4684c1 |
if (fail_on_invalid_config)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
goto exit;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
system_wide_disabled_macs[i] = algo;
|
|
Packit Service |
4684c1 |
system_wide_disabled_macs[i+1] = 0;
|
|
Packit Service |
4684c1 |
} else if (c_strcasecmp(name, "tls-disabled-group")==0) {
|
|
Packit Service |
4684c1 |
unsigned algo;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
p = clear_spaces(value, str);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (strlen(p) > 6)
|
|
Packit Service |
4684c1 |
p += 6; // skip GROUP-
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: disabling group %s for TLS\n",
|
|
Packit Service |
4684c1 |
p);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
algo = gnutls_group_get_id(p);
|
|
Packit Service |
4684c1 |
if (algo == 0) {
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: unknown group %s listed at %s\n",
|
|
Packit Service |
4684c1 |
p, name);
|
|
Packit Service |
4684c1 |
if (fail_on_invalid_config)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
goto exit;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
i = 0;
|
|
Packit Service |
4684c1 |
while (system_wide_disabled_groups[i] != 0)
|
|
Packit Service |
4684c1 |
i++;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (i > MAX_ALGOS-1) {
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: too many (%d) disabled groups from %s\n",
|
|
Packit Service |
4684c1 |
i, name);
|
|
Packit Service |
4684c1 |
if (fail_on_invalid_config)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
goto exit;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
system_wide_disabled_groups[i] = algo;
|
|
Packit Service |
4684c1 |
system_wide_disabled_groups[i+1] = 0;
|
|
Packit Service |
4684c1 |
} else if (c_strcasecmp(name, "tls-disabled-kx")==0) {
|
|
Packit Service |
4684c1 |
unsigned algo;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
p = clear_spaces(value, str);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: disabling key exchange %s for TLS\n",
|
|
Packit Service |
4684c1 |
p);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
algo = gnutls_kx_get_id(p);
|
|
Packit Service |
4684c1 |
if (algo == 0) {
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: unknown key exchange %s listed at %s\n",
|
|
Packit Service |
4684c1 |
p, name);
|
|
Packit Service |
4684c1 |
if (fail_on_invalid_config)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
goto exit;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
i = 0;
|
|
Packit Service |
4684c1 |
while (system_wide_disabled_kxs[i] != 0)
|
|
Packit Service |
4684c1 |
i++;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (i > MAX_ALGOS-1) {
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: too many (%d) disabled key exchanges from %s\n",
|
|
Packit Service |
4684c1 |
i, name);
|
|
Packit Service |
4684c1 |
if (fail_on_invalid_config)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
goto exit;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
system_wide_disabled_kxs[i] = algo;
|
|
Packit Service |
4684c1 |
system_wide_disabled_kxs[i+1] = 0;
|
|
Packit Service |
4684c1 |
} else {
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("unknown parameter %s\n", name);
|
|
Packit Service |
4684c1 |
if (fail_on_invalid_config)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
} else {
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: unknown section %s\n",
|
|
Packit Service |
4684c1 |
section);
|
|
Packit Service |
4684c1 |
if (fail_on_invalid_config)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
exit:
|
|
Packit Service |
4684c1 |
return 1;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static void _gnutls_update_system_priorities(void)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
int ret;
|
|
Packit Service |
4684c1 |
struct stat sb;
|
|
Packit Service |
4684c1 |
FILE *fp;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (stat(system_priority_file, &sb) < 0) {
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: unable to access: %s: %d\n",
|
|
Packit Service |
4684c1 |
system_priority_file, errno);
|
|
Packit Service |
4684c1 |
return;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (system_wide_priority_strings_init != 0 &&
|
|
Packit Service |
4684c1 |
sb.st_mtime == system_priority_last_mod) {
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: system priority %s has not changed\n",
|
|
Packit Service |
4684c1 |
system_priority_file);
|
|
Packit Service |
4684c1 |
return;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (system_wide_priority_strings_init != 0)
|
|
Packit Service |
4684c1 |
_name_val_array_clear(&system_wide_priority_strings);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
fp = fopen(system_priority_file, "re");
|
|
Packit Service |
4684c1 |
if (fp == NULL) {
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: unable to open: %s: %d\n",
|
|
Packit Service |
4684c1 |
system_priority_file, errno);
|
|
Packit Service |
4684c1 |
return;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
ret = ini_parse_file(fp, cfg_ini_handler, NULL);
|
|
Packit Service |
4684c1 |
fclose(fp);
|
|
Packit Service |
4684c1 |
if (ret != 0) {
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: unable to parse: %s: %d\n",
|
|
Packit Service |
4684c1 |
system_priority_file, ret);
|
|
Packit Service |
4684c1 |
if (fail_on_invalid_config)
|
|
Packit Service |
4684c1 |
exit(1);
|
|
Packit Service |
4684c1 |
return;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("cfg: loaded system priority %s mtime %lld\n",
|
|
Packit Service |
4684c1 |
system_priority_file,
|
|
Packit Service |
4684c1 |
(unsigned long long)sb.st_mtime);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
system_priority_last_mod = sb.st_mtime;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
void _gnutls_load_system_priorities(void)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
const char *p;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
p = secure_getenv("GNUTLS_SYSTEM_PRIORITY_FILE");
|
|
Packit Service |
4684c1 |
if (p != NULL)
|
|
Packit Service |
4684c1 |
system_priority_file = p;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
p = secure_getenv("GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID");
|
|
Packit Service |
4684c1 |
if (p != NULL && p[0] == '1' && p[1] == 0)
|
|
Packit Service |
4684c1 |
fail_on_invalid_config = 1;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
_gnutls_update_system_priorities();
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
void _gnutls_unload_system_priorities(void)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
_name_val_array_clear(&system_wide_priority_strings);
|
|
Packit Service |
4684c1 |
_clear_default_system_priority();
|
|
Packit Service |
4684c1 |
system_priority_last_mod = 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_get_system_config_file:
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns the filename of the system wide configuration
|
|
Packit Service |
4684c1 |
* file loaded by the library. The returned pointer is valid
|
|
Packit Service |
4684c1 |
* until the library is unloaded.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: a constant pointer to the config file loaded, or %NULL if none
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since: 3.6.9
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
const char *gnutls_get_system_config_file(void)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (system_wide_priority_strings_init)
|
|
Packit Service |
4684c1 |
return system_priority_file;
|
|
Packit Service |
4684c1 |
else
|
|
Packit Service |
4684c1 |
return NULL;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#define S(str) ((str!=NULL)?str:"")
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* Returns the new priorities if a priority string prefixed
|
|
Packit Service |
4684c1 |
* with '@' is provided, or just a copy of the provided
|
|
Packit Service |
4684c1 |
* priorities, appended with any additional present in
|
|
Packit Service |
4684c1 |
* the priorities string.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* The returned string must be released using gnutls_free().
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
char *_gnutls_resolve_priorities(const char* priorities)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
const char *p = priorities;
|
|
Packit Service |
4684c1 |
char *additional = NULL;
|
|
Packit Service |
4684c1 |
char *ret = NULL;
|
|
Packit Service |
4684c1 |
const char *ss, *ss_next;
|
|
Packit Service |
4684c1 |
unsigned ss_len, ss_next_len;
|
|
Packit Service |
4684c1 |
size_t n, n2 = 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
while (c_isspace(*p))
|
|
Packit Service |
4684c1 |
p++;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (*p == '@') {
|
|
Packit Service |
4684c1 |
ss = p+1;
|
|
Packit Service |
4684c1 |
additional = strchr(ss, ':');
|
|
Packit Service |
4684c1 |
if (additional != NULL) {
|
|
Packit Service |
4684c1 |
additional++;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
do {
|
|
Packit Service |
4684c1 |
ss_next = strchr(ss, ',');
|
|
Packit Service |
4684c1 |
if (ss_next != NULL) {
|
|
Packit Service |
4684c1 |
if (additional && ss_next > additional)
|
|
Packit Service |
4684c1 |
ss_next = NULL;
|
|
Packit Service |
4684c1 |
else
|
|
Packit Service |
4684c1 |
ss_next++;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (ss_next) {
|
|
Packit Service |
4684c1 |
ss_len = ss_next - ss - 1;
|
|
Packit Service |
4684c1 |
ss_next_len = additional - ss_next - 1;
|
|
Packit Service |
4684c1 |
} else if (additional) {
|
|
Packit Service |
4684c1 |
ss_len = additional - ss - 1;
|
|
Packit Service |
4684c1 |
ss_next_len = 0;
|
|
Packit Service |
4684c1 |
} else {
|
|
Packit Service |
4684c1 |
ss_len = strlen(ss);
|
|
Packit Service |
4684c1 |
ss_next_len = 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* Always try to refresh the cached data, to
|
|
Packit Service |
4684c1 |
* allow it to be updated without restarting
|
|
Packit Service |
4684c1 |
* all applications
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
_gnutls_update_system_priorities();
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
p = _name_val_array_value(system_wide_priority_strings, ss, ss_len);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("resolved '%.*s' to '%s', next '%.*s'\n",
|
|
Packit Service |
4684c1 |
ss_len, ss, S(p), ss_next_len, S(ss_next));
|
|
Packit Service |
4684c1 |
ss = ss_next;
|
|
Packit Service |
4684c1 |
} while (ss && p == NULL);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (p == NULL) {
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("unable to resolve %s\n", priorities);
|
|
Packit Service |
4684c1 |
ret = NULL;
|
|
Packit Service |
4684c1 |
goto finish;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
n = strlen(p);
|
|
Packit Service |
4684c1 |
if (additional)
|
|
Packit Service |
4684c1 |
n2 = strlen(additional);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = gnutls_malloc(n+n2+1+1);
|
|
Packit Service |
4684c1 |
if (ret == NULL) {
|
|
Packit Service |
4684c1 |
goto finish;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
memcpy(ret, p, n);
|
|
Packit Service |
4684c1 |
if (additional != NULL) {
|
|
Packit Service |
4684c1 |
ret[n] = ':';
|
|
Packit Service |
4684c1 |
memcpy(&ret[n+1], additional, n2);
|
|
Packit Service |
4684c1 |
ret[n+n2+1] = 0;
|
|
Packit Service |
4684c1 |
} else {
|
|
Packit Service |
4684c1 |
ret[n] = 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
} else {
|
|
Packit Service |
4684c1 |
return gnutls_strdup(p);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
finish:
|
|
Packit Service |
4684c1 |
if (ret != NULL) {
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("selected priority string: %s\n", ret);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return ret;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static void add_ec(gnutls_priority_t priority_cache)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
const gnutls_group_entry_st *ge;
|
|
Packit Service |
4684c1 |
unsigned i;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
for (i = 0; i < priority_cache->_supported_ecc.num_priorities; i++) {
|
|
Packit Service |
4684c1 |
ge = _gnutls_id_to_group(priority_cache->_supported_ecc.priorities[i]);
|
|
Packit Service |
4684c1 |
if (ge != NULL && priority_cache->groups.size < sizeof(priority_cache->groups.entry)/sizeof(priority_cache->groups.entry[0])) {
|
|
Packit Service |
4684c1 |
/* do not add groups which do not correspond to enabled ciphersuites */
|
|
Packit Service |
4684c1 |
if (!ge->curve)
|
|
Packit Service |
4684c1 |
continue;
|
|
Packit Service |
4684c1 |
priority_cache->groups.entry[priority_cache->groups.size++] = ge;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static void add_dh(gnutls_priority_t priority_cache)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
const gnutls_group_entry_st *ge;
|
|
Packit Service |
4684c1 |
unsigned i;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
for (i = 0; i < priority_cache->_supported_ecc.num_priorities; i++) {
|
|
Packit Service |
4684c1 |
ge = _gnutls_id_to_group(priority_cache->_supported_ecc.priorities[i]);
|
|
Packit Service |
4684c1 |
if (ge != NULL && priority_cache->groups.size < sizeof(priority_cache->groups.entry)/sizeof(priority_cache->groups.entry[0])) {
|
|
Packit Service |
4684c1 |
/* do not add groups which do not correspond to enabled ciphersuites */
|
|
Packit Service |
4684c1 |
if (!ge->prime)
|
|
Packit Service |
4684c1 |
continue;
|
|
Packit Service |
4684c1 |
priority_cache->groups.entry[priority_cache->groups.size++] = ge;
|
|
Packit Service |
4684c1 |
priority_cache->groups.have_ffdhe = 1;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* This function was originally precalculating ciphersuite-specific items, however
|
|
Packit Service |
4684c1 |
* it has now extended to much more than that. It provides a consistency check to
|
|
Packit Service |
4684c1 |
* set parameters, and in cases it applies policy specific items.
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
static int set_ciphersuite_list(gnutls_priority_t priority_cache)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
unsigned i, j, z;
|
|
Packit Service |
4684c1 |
const gnutls_cipher_suite_entry_st *ce;
|
|
Packit Service |
4684c1 |
const gnutls_sign_entry_st *se;
|
|
Packit Service |
4684c1 |
unsigned have_ec = 0;
|
|
Packit Service |
4684c1 |
unsigned have_dh = 0;
|
|
Packit Service |
4684c1 |
unsigned tls_sig_sem = 0;
|
|
Packit Service |
4684c1 |
const version_entry_st *tlsmax = NULL, *vers;
|
|
Packit Service |
4684c1 |
const version_entry_st *dtlsmax = NULL;
|
|
Packit Service |
4684c1 |
const version_entry_st *tlsmin = NULL;
|
|
Packit Service |
4684c1 |
const version_entry_st *dtlsmin = NULL;
|
|
Packit Service |
4684c1 |
unsigned have_tls13 = 0, have_srp = 0;
|
|
Packit Service |
4684c1 |
unsigned have_pre_tls12 = 0, have_tls12 = 0;
|
|
Packit Service |
4684c1 |
unsigned have_psk = 0, have_null = 0, have_rsa_psk = 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* have_psk indicates that a PSK key exchange compatible
|
|
Packit Service |
4684c1 |
* with TLS1.3 is enabled. */
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
priority_cache->cs.size = 0;
|
|
Packit Service |
4684c1 |
priority_cache->sigalg.size = 0;
|
|
Packit Service |
4684c1 |
priority_cache->groups.size = 0;
|
|
Packit Service |
4684c1 |
priority_cache->groups.have_ffdhe = 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* disable key exchanges which are globally disabled */
|
|
Packit Service |
4684c1 |
z = 0;
|
|
Packit Service |
4684c1 |
while (system_wide_disabled_kxs[z] != 0) {
|
|
Packit Service |
4684c1 |
for (i = j = 0; i < priority_cache->_kx.num_priorities; i++) {
|
|
Packit Service |
4684c1 |
if (priority_cache->_kx.priorities[i] != system_wide_disabled_kxs[z])
|
|
Packit Service |
4684c1 |
priority_cache->_kx.priorities[j++] = priority_cache->_kx.priorities[i];
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
priority_cache->_kx.num_priorities = j;
|
|
Packit Service |
4684c1 |
z++;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* disable groups which are globally disabled */
|
|
Packit Service |
4684c1 |
z = 0;
|
|
Packit Service |
4684c1 |
while (system_wide_disabled_groups[z] != 0) {
|
|
Packit Service |
4684c1 |
for (i = j = 0; i < priority_cache->_supported_ecc.num_priorities; i++) {
|
|
Packit Service |
4684c1 |
if (priority_cache->_supported_ecc.priorities[i] != system_wide_disabled_groups[z])
|
|
Packit Service |
4684c1 |
priority_cache->_supported_ecc.priorities[j++] = priority_cache->_supported_ecc.priorities[i];
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
priority_cache->_supported_ecc.num_priorities = j;
|
|
Packit Service |
4684c1 |
z++;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* disable ciphers which are globally disabled */
|
|
Packit Service |
4684c1 |
z = 0;
|
|
Packit Service |
4684c1 |
while (system_wide_disabled_ciphers[z] != 0) {
|
|
Packit Service |
4684c1 |
for (i = j = 0; i < priority_cache->_cipher.num_priorities; i++) {
|
|
Packit Service |
4684c1 |
if (priority_cache->_cipher.priorities[i] != system_wide_disabled_ciphers[z])
|
|
Packit Service |
4684c1 |
priority_cache->_cipher.priorities[j++] = priority_cache->_cipher.priorities[i];
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
priority_cache->_cipher.num_priorities = j;
|
|
Packit Service |
4684c1 |
z++;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* disable MACs which are globally disabled */
|
|
Packit Service |
4684c1 |
z = 0;
|
|
Packit Service |
4684c1 |
while (system_wide_disabled_macs[z] != 0) {
|
|
Packit Service |
4684c1 |
for (i = j = 0; i < priority_cache->_mac.num_priorities; i++) {
|
|
Packit Service |
4684c1 |
if (priority_cache->_mac.priorities[i] != system_wide_disabled_macs[z])
|
|
Packit Service |
4684c1 |
priority_cache->_mac.priorities[j++] = priority_cache->_mac.priorities[i];
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
priority_cache->_mac.num_priorities = j;
|
|
Packit Service |
4684c1 |
z++;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
for (j=0;j<priority_cache->_cipher.num_priorities;j++) {
|
|
Packit Service |
4684c1 |
if (priority_cache->_cipher.priorities[j] == GNUTLS_CIPHER_NULL) {
|
|
Packit Service |
4684c1 |
have_null = 1;
|
|
Packit Service |
4684c1 |
break;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
for (i = 0; i < priority_cache->_kx.num_priorities; i++) {
|
|
Packit Service |
4684c1 |
if (IS_SRP_KX(priority_cache->_kx.priorities[i])) {
|
|
Packit Service |
4684c1 |
have_srp = 1;
|
|
Packit Service |
4684c1 |
} else if (_gnutls_kx_is_psk(priority_cache->_kx.priorities[i])) {
|
|
Packit Service |
4684c1 |
if (priority_cache->_kx.priorities[i] == GNUTLS_KX_RSA_PSK)
|
|
Packit Service |
4684c1 |
have_rsa_psk = 1;
|
|
Packit Service |
4684c1 |
else
|
|
Packit Service |
4684c1 |
have_psk = 1;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* disable TLS versions which are added but are unsupported */
|
|
Packit Service |
4684c1 |
for (i = j = 0; i < priority_cache->protocol.num_priorities; i++) {
|
|
Packit Service |
4684c1 |
vers = version_to_entry(priority_cache->protocol.priorities[i]);
|
|
Packit Service |
4684c1 |
if (!vers || vers->supported)
|
|
Packit Service |
4684c1 |
priority_cache->protocol.priorities[j++] = priority_cache->protocol.priorities[i];
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
priority_cache->protocol.num_priorities = j;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* if we have NULL ciphersuites, SRP, or RSA-PSK enabled remove TLS1.3+
|
|
Packit Service |
4684c1 |
* protocol versions; they cannot be negotiated under TLS1.3. */
|
|
Packit Service |
4684c1 |
if (have_null || have_srp || have_rsa_psk || priority_cache->no_extensions) {
|
|
Packit Service |
4684c1 |
for (i = j = 0; i < priority_cache->protocol.num_priorities; i++) {
|
|
Packit Service |
4684c1 |
vers = version_to_entry(priority_cache->protocol.priorities[i]);
|
|
Packit Service |
4684c1 |
if (!vers || !vers->tls13_sem)
|
|
Packit Service |
4684c1 |
priority_cache->protocol.priorities[j++] = priority_cache->protocol.priorities[i];
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
priority_cache->protocol.num_priorities = j;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
for (i = 0; i < priority_cache->protocol.num_priorities; i++) {
|
|
Packit Service |
4684c1 |
vers = version_to_entry(priority_cache->protocol.priorities[i]);
|
|
Packit Service |
4684c1 |
if (!vers)
|
|
Packit Service |
4684c1 |
continue;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (vers->transport == GNUTLS_STREAM) { /* TLS */
|
|
Packit Service |
4684c1 |
tls_sig_sem |= vers->tls_sig_sem;
|
|
Packit Service |
4684c1 |
if (vers->tls13_sem)
|
|
Packit Service |
4684c1 |
have_tls13 = 1;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (vers->id == GNUTLS_TLS1_2)
|
|
Packit Service |
4684c1 |
have_tls12 = 1;
|
|
Packit Service |
4684c1 |
else if (vers->id < GNUTLS_TLS1_2)
|
|
Packit Service |
4684c1 |
have_pre_tls12 = 1;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (tlsmax == NULL || vers->age > tlsmax->age)
|
|
Packit Service |
4684c1 |
tlsmax = vers;
|
|
Packit Service |
4684c1 |
if (tlsmin == NULL || vers->age < tlsmin->age)
|
|
Packit Service |
4684c1 |
tlsmin = vers;
|
|
Packit Service |
4684c1 |
} else { /* dtls */
|
|
Packit Service |
4684c1 |
tls_sig_sem |= vers->tls_sig_sem;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* we need to introduce similar handling to above
|
|
Packit Service |
4684c1 |
* when DTLS1.3 is supported */
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (dtlsmax == NULL || vers->age > dtlsmax->age)
|
|
Packit Service |
4684c1 |
dtlsmax = vers;
|
|
Packit Service |
4684c1 |
if (dtlsmin == NULL || vers->age < dtlsmin->age)
|
|
Packit Service |
4684c1 |
dtlsmin = vers;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* DTLS or TLS protocols must be present */
|
|
Packit Service |
4684c1 |
if ((!tlsmax || !tlsmin) && (!dtlsmax || !dtlsmin))
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
priority_cache->have_psk = have_psk;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* if we are have TLS1.3+ do not enable any key exchange algorithms,
|
|
Packit Service |
4684c1 |
* the protocol doesn't require any. */
|
|
Packit Service |
4684c1 |
if (tlsmin && tlsmin->tls13_sem && !have_psk) {
|
|
Packit Service |
4684c1 |
if (!dtlsmin || (dtlsmin && dtlsmin->tls13_sem))
|
|
Packit Service |
4684c1 |
priority_cache->_kx.num_priorities = 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* Add TLS 1.3 ciphersuites (no KX) */
|
|
Packit Service |
4684c1 |
for (j=0;j<priority_cache->_cipher.num_priorities;j++) {
|
|
Packit Service |
4684c1 |
for (z=0;z<priority_cache->_mac.num_priorities;z++) {
|
|
Packit Service |
4684c1 |
ce = cipher_suite_get(
|
|
Packit Service |
4684c1 |
0, priority_cache->_cipher.priorities[j],
|
|
Packit Service |
4684c1 |
priority_cache->_mac.priorities[z]);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (ce != NULL && priority_cache->cs.size < MAX_CIPHERSUITE_SIZE) {
|
|
Packit Service |
4684c1 |
priority_cache->cs.entry[priority_cache->cs.size++] = ce;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
for (i = 0; i < priority_cache->_kx.num_priorities; i++) {
|
|
Packit Service |
4684c1 |
for (j=0;j<priority_cache->_cipher.num_priorities;j++) {
|
|
Packit Service |
4684c1 |
for (z=0;z<priority_cache->_mac.num_priorities;z++) {
|
|
Packit Service |
4684c1 |
ce = cipher_suite_get(
|
|
Packit Service |
4684c1 |
priority_cache->_kx.priorities[i],
|
|
Packit Service |
4684c1 |
priority_cache->_cipher.priorities[j],
|
|
Packit Service |
4684c1 |
priority_cache->_mac.priorities[z]);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (ce != NULL && priority_cache->cs.size < MAX_CIPHERSUITE_SIZE) {
|
|
Packit Service |
4684c1 |
priority_cache->cs.entry[priority_cache->cs.size++] = ce;
|
|
Packit Service |
4684c1 |
if (!have_ec && (_gnutls_kx_is_ecc(ce->kx_algorithm) ||
|
|
Packit Service |
4684c1 |
_gnutls_kx_is_vko_gost(ce->kx_algorithm))) {
|
|
Packit Service |
4684c1 |
have_ec = 1;
|
|
Packit Service |
4684c1 |
add_ec(priority_cache);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
if (!have_dh && _gnutls_kx_is_dhe(ce->kx_algorithm)) {
|
|
Packit Service |
4684c1 |
have_dh = 1;
|
|
Packit Service |
4684c1 |
add_dh(priority_cache);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (have_tls13 && (!have_ec || !have_dh)) {
|
|
Packit Service |
4684c1 |
/* scan groups to determine have_ec and have_dh */
|
|
Packit Service |
4684c1 |
for (i=0; i < priority_cache->_supported_ecc.num_priorities; i++) {
|
|
Packit Service |
4684c1 |
const gnutls_group_entry_st *ge;
|
|
Packit Service |
4684c1 |
ge = _gnutls_id_to_group(priority_cache->_supported_ecc.priorities[i]);
|
|
Packit Service |
4684c1 |
if (ge) {
|
|
Packit Service |
4684c1 |
if (ge->curve && !have_ec) {
|
|
Packit Service |
4684c1 |
add_ec(priority_cache);
|
|
Packit Service |
4684c1 |
have_ec = 1;
|
|
Packit Service |
4684c1 |
} else if (ge->prime && !have_dh) {
|
|
Packit Service |
4684c1 |
add_dh(priority_cache);
|
|
Packit Service |
4684c1 |
have_dh = 1;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (have_dh && have_ec)
|
|
Packit Service |
4684c1 |
break;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
for (i = 0; i < priority_cache->_sign_algo.num_priorities; i++) {
|
|
Packit Service |
4684c1 |
se = _gnutls_sign_to_entry(priority_cache->_sign_algo.priorities[i]);
|
|
Packit Service |
4684c1 |
if (se != NULL && priority_cache->sigalg.size < sizeof(priority_cache->sigalg.entry)/sizeof(priority_cache->sigalg.entry[0])) {
|
|
Packit Service |
4684c1 |
/* if the signature algorithm semantics are not compatible with
|
|
Packit Service |
4684c1 |
* the protocol's, then skip. */
|
|
Packit Service |
4684c1 |
if ((se->aid.tls_sem & tls_sig_sem) == 0)
|
|
Packit Service |
4684c1 |
continue;
|
|
Packit Service |
4684c1 |
priority_cache->sigalg.entry[priority_cache->sigalg.size++] = se;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
_gnutls_debug_log("added %d protocols, %d ciphersuites, %d sig algos and %d groups into priority list\n",
|
|
Packit Service |
4684c1 |
priority_cache->protocol.num_priorities,
|
|
Packit Service |
4684c1 |
priority_cache->cs.size, priority_cache->sigalg.size,
|
|
Packit Service |
4684c1 |
priority_cache->groups.size);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (priority_cache->sigalg.size == 0) {
|
|
Packit Service |
4684c1 |
/* no signature algorithms; eliminate TLS 1.2 or DTLS 1.2 and later */
|
|
Packit Service |
4684c1 |
priority_st newp;
|
|
Packit Service |
4684c1 |
newp.num_priorities = 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* we need to eliminate TLS 1.2 or DTLS 1.2 and later protocols */
|
|
Packit Service |
4684c1 |
for (i = 0; i < priority_cache->protocol.num_priorities; i++) {
|
|
Packit Service |
4684c1 |
if (priority_cache->protocol.priorities[i] < GNUTLS_TLS1_2) {
|
|
Packit Service |
4684c1 |
newp.priorities[newp.num_priorities++] = priority_cache->protocol.priorities[i];
|
|
Packit Service |
4684c1 |
} else if (priority_cache->protocol.priorities[i] >= GNUTLS_DTLS_VERSION_MIN &&
|
|
Packit Service |
4684c1 |
priority_cache->protocol.priorities[i] < GNUTLS_DTLS1_2) {
|
|
Packit Service |
4684c1 |
newp.priorities[newp.num_priorities++] = priority_cache->protocol.priorities[i];
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
memcpy(&priority_cache->protocol, &newp, sizeof(newp));
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (unlikely(priority_cache->protocol.num_priorities == 0))
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);
|
|
Packit Service |
4684c1 |
#ifndef ENABLE_SSL3
|
|
Packit Service |
4684c1 |
else if (unlikely(priority_cache->protocol.num_priorities == 1 && priority_cache->protocol.priorities[0] == GNUTLS_SSL3))
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);
|
|
Packit Service |
4684c1 |
#endif
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (unlikely(priority_cache->cs.size == 0))
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* when TLS 1.3 is available we must have groups set; additionally
|
|
Packit Service |
4684c1 |
* we require TLS1.2 to be enabled if TLS1.3 is asked for, and
|
|
Packit Service |
4684c1 |
* a pre-TLS1.2 protocol is there; that is because servers which
|
|
Packit Service |
4684c1 |
* do not support TLS1.3 will negotiate TLS1.2 if seen a TLS1.3 handshake */
|
|
Packit Service |
4684c1 |
if (unlikely((!have_psk && tlsmax && tlsmax->id >= GNUTLS_TLS1_3 && priority_cache->groups.size == 0)) ||
|
|
Packit Service |
4684c1 |
(!have_tls12 && have_pre_tls12 && have_tls13)) {
|
|
Packit Service |
4684c1 |
for (i = j = 0; i < priority_cache->protocol.num_priorities; i++) {
|
|
Packit Service |
4684c1 |
vers = version_to_entry(priority_cache->protocol.priorities[i]);
|
|
Packit Service |
4684c1 |
if (!vers || vers->transport != GNUTLS_STREAM || !vers->tls13_sem)
|
|
Packit Service |
4684c1 |
priority_cache->protocol.priorities[j++] = priority_cache->protocol.priorities[i];
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
priority_cache->protocol.num_priorities = j;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* ensure that the verification profile is not lower from the configured */
|
|
Packit Service |
4684c1 |
if (system_wide_verification_profile) {
|
|
Packit Service |
4684c1 |
gnutls_sec_param_t level = priority_cache->level;
|
|
Packit Service |
4684c1 |
gnutls_sec_param_t system_wide_level = _gnutls_profile_to_sec_level(system_wide_verification_profile);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (level < system_wide_level) {
|
|
Packit Service |
4684c1 |
ENABLE_PROFILE(priority_cache, system_wide_verification_profile);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_priority_init2:
|
|
Packit Service |
4684c1 |
* @priority_cache: is a #gnutls_prioritity_t type.
|
|
Packit Service |
4684c1 |
* @priorities: is a string describing priorities (may be %NULL)
|
|
Packit Service |
4684c1 |
* @err_pos: In case of an error this will have the position in the string the error occurred
|
|
Packit Service |
4684c1 |
* @flags: zero or %GNUTLS_PRIORITY_INIT_DEF_APPEND
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Sets priorities for the ciphers, key exchange methods, and macs.
|
|
Packit Service |
4684c1 |
* The @priority_cache should be deinitialized
|
|
Packit Service |
4684c1 |
* using gnutls_priority_deinit().
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* The #priorities option allows you to specify a colon
|
|
Packit Service |
4684c1 |
* separated list of the cipher priorities to enable.
|
|
Packit Service |
4684c1 |
* Some keywords are defined to provide quick access
|
|
Packit Service |
4684c1 |
* to common preferences.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* When @flags is set to %GNUTLS_PRIORITY_INIT_DEF_APPEND then the @priorities
|
|
Packit Service |
4684c1 |
* specified will be appended to the default options.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Unless there is a special need, use the "NORMAL" keyword to
|
|
Packit Service |
4684c1 |
* apply a reasonable security level, or "NORMAL:%%COMPAT" for compatibility.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* "PERFORMANCE" means all the "secure" ciphersuites are enabled,
|
|
Packit Service |
4684c1 |
* limited to 128 bit ciphers and sorted by terms of speed
|
|
Packit Service |
4684c1 |
* performance.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* "LEGACY" the NORMAL settings for GnuTLS 3.2.x or earlier. There is
|
|
Packit Service |
4684c1 |
* no verification profile set, and the allowed DH primes are considered
|
|
Packit Service |
4684c1 |
* weak today.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* "NORMAL" means all "secure" ciphersuites. The 256-bit ciphers are
|
|
Packit Service |
4684c1 |
* included as a fallback only. The ciphers are sorted by security
|
|
Packit Service |
4684c1 |
* margin.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* "PFS" means all "secure" ciphersuites that support perfect forward secrecy.
|
|
Packit Service |
4684c1 |
* The 256-bit ciphers are included as a fallback only.
|
|
Packit Service |
4684c1 |
* The ciphers are sorted by security margin.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* "SECURE128" means all "secure" ciphersuites of security level 128-bit
|
|
Packit Service |
4684c1 |
* or more.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* "SECURE192" means all "secure" ciphersuites of security level 192-bit
|
|
Packit Service |
4684c1 |
* or more.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* "SUITEB128" means all the NSA SuiteB ciphersuites with security level
|
|
Packit Service |
4684c1 |
* of 128.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* "SUITEB192" means all the NSA SuiteB ciphersuites with security level
|
|
Packit Service |
4684c1 |
* of 192.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* "NONE" means nothing is enabled. This disables everything, including protocols.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* "@@KEYWORD1,KEYWORD2,..." The system administrator imposed settings.
|
|
Packit Service |
4684c1 |
* The provided keyword(s) will be expanded from a configuration-time
|
|
Packit Service |
4684c1 |
* provided file - default is: /etc/gnutls/config.
|
|
Packit Service |
4684c1 |
* Any attributes that follow it, will be appended to the expanded
|
|
Packit Service |
4684c1 |
* string. If multiple keywords are provided, separated by commas,
|
|
Packit Service |
4684c1 |
* then the first keyword that exists in the configuration file
|
|
Packit Service |
4684c1 |
* will be used. At least one of the keywords must exist, or this
|
|
Packit Service |
4684c1 |
* function will return an error. Typical usage would be to specify
|
|
Packit Service |
4684c1 |
* an application specified keyword first, followed by "SYSTEM" as
|
|
Packit Service |
4684c1 |
* a default fallback. e.g., "@LIBVIRT,SYSTEM:!-VERS-SSL3.0" will
|
|
Packit Service |
4684c1 |
* first try to find a config file entry matching "LIBVIRT", but if
|
|
Packit Service |
4684c1 |
* that does not exist will use the entry for "SYSTEM". If "SYSTEM"
|
|
Packit Service |
4684c1 |
* does not exist either, an error will be returned. In all cases,
|
|
Packit Service |
4684c1 |
* the SSL3.0 protocol will be disabled. The system priority file
|
|
Packit Service |
4684c1 |
* entries should be formatted as "KEYWORD=VALUE", e.g.,
|
|
Packit Service |
4684c1 |
* "SYSTEM=NORMAL:+ARCFOUR-128".
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Special keywords are "!", "-" and "+".
|
|
Packit Service |
4684c1 |
* "!" or "-" appended with an algorithm will remove this algorithm.
|
|
Packit Service |
4684c1 |
* "+" appended with an algorithm will add this algorithm.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Check the GnuTLS manual section "Priority strings" for detailed
|
|
Packit Service |
4684c1 |
* information.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Examples:
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* "NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-NULL"
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* "NORMAL:+ARCFOUR-128" means normal ciphers plus ARCFOUR-128.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* "SECURE128:-VERS-SSL3.0" means that only secure ciphers are
|
|
Packit Service |
4684c1 |
* and enabled, SSL3.0 is disabled.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* "NONE:+VERS-TLS-ALL:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL:+SIGN-RSA-SHA1",
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* "NONE:+VERS-TLS-ALL:+AES-128-CBC:+ECDHE-RSA:+SHA1:+COMP-NULL:+SIGN-RSA-SHA1:+CURVE-SECP256R1",
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* "SECURE256:+SECURE128",
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Note that "NORMAL:%%COMPAT" is the most compatible mode.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* A %NULL @priorities string indicates the default priorities to be
|
|
Packit Service |
4684c1 |
* used (this is available since GnuTLS 3.3.0).
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: On syntax error %GNUTLS_E_INVALID_REQUEST is returned,
|
|
Packit Service |
4684c1 |
* %GNUTLS_E_SUCCESS on success, or an error code.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since: 3.6.3
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
int
|
|
Packit Service |
4684c1 |
gnutls_priority_init2(gnutls_priority_t * priority_cache,
|
|
Packit Service |
4684c1 |
const char *priorities, const char **err_pos,
|
|
Packit Service |
4684c1 |
unsigned flags)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
gnutls_buffer_st buf;
|
|
Packit Service |
4684c1 |
const char *ep;
|
|
Packit Service |
4684c1 |
int ret;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (flags & GNUTLS_PRIORITY_INIT_DEF_APPEND) {
|
|
Packit Service |
4684c1 |
if (priorities == NULL)
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (err_pos)
|
|
Packit Service |
4684c1 |
*err_pos = priorities;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
_gnutls_buffer_init(&buf;;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = _gnutls_buffer_append_str(&buf, _gnutls_default_priority_string);
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
_gnutls_buffer_clear(&buf;;
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(ret);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = _gnutls_buffer_append_str(&buf, ":");
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
_gnutls_buffer_clear(&buf;;
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(ret);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = _gnutls_buffer_append_str(&buf, priorities);
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
_gnutls_buffer_clear(&buf;;
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(ret);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = gnutls_priority_init(priority_cache, (const char*)buf.data, &ep);
|
|
Packit Service |
4684c1 |
if (ret < 0 && ep != (const char*)buf.data && ep != NULL) {
|
|
Packit Service |
4684c1 |
ptrdiff_t diff = (ptrdiff_t)ep-(ptrdiff_t)buf.data;
|
|
Packit Service |
4684c1 |
unsigned hlen = strlen(_gnutls_default_priority_string)+1;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (err_pos && diff > hlen) {
|
|
Packit Service |
4684c1 |
*err_pos = priorities + diff - hlen;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
_gnutls_buffer_clear(&buf;;
|
|
Packit Service |
4684c1 |
return ret;
|
|
Packit Service |
4684c1 |
} else {
|
|
Packit Service |
4684c1 |
return gnutls_priority_init(priority_cache, priorities, err_pos);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#define PRIO_MATCH(name) c_strncasecmp(&broken_list[i][1], name, sizeof(name) - 1)
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_priority_init:
|
|
Packit Service |
4684c1 |
* @priority_cache: is a #gnutls_prioritity_t type.
|
|
Packit Service |
4684c1 |
* @priorities: is a string describing priorities (may be %NULL)
|
|
Packit Service |
4684c1 |
* @err_pos: In case of an error this will have the position in the string the error occurred
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* For applications that do not modify their crypto settings per release, consider
|
|
Packit Service |
4684c1 |
* using gnutls_priority_init2() with %GNUTLS_PRIORITY_INIT_DEF_APPEND flag
|
|
Packit Service |
4684c1 |
* instead. We suggest to use centralized crypto settings handled by the GnuTLS
|
|
Packit Service |
4684c1 |
* library, and applications modifying the default settings to their needs.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function is identical to gnutls_priority_init2() with zero
|
|
Packit Service |
4684c1 |
* flags.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* A %NULL @priorities string indicates the default priorities to be
|
|
Packit Service |
4684c1 |
* used (this is available since GnuTLS 3.3.0).
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: On syntax error %GNUTLS_E_INVALID_REQUEST is returned,
|
|
Packit Service |
4684c1 |
* %GNUTLS_E_SUCCESS on success, or an error code.
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
int
|
|
Packit Service |
4684c1 |
gnutls_priority_init(gnutls_priority_t * priority_cache,
|
|
Packit Service |
4684c1 |
const char *priorities, const char **err_pos)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
char *broken_list[MAX_ELEMENTS];
|
|
Packit Service |
4684c1 |
int broken_list_size = 0, i = 0, j;
|
|
Packit Service |
4684c1 |
char *darg = NULL;
|
|
Packit Service |
4684c1 |
unsigned ikeyword_set = 0;
|
|
Packit Service |
4684c1 |
int algo;
|
|
Packit Service |
4684c1 |
int ret;
|
|
Packit Service |
4684c1 |
rmadd_func *fn;
|
|
Packit Service |
4684c1 |
bulk_rmadd_func *bulk_fn;
|
|
Packit Service |
4684c1 |
bulk_rmadd_func *bulk_given_fn;
|
|
Packit Service |
4684c1 |
const cipher_entry_st *centry;
|
|
Packit Service |
4684c1 |
unsigned resolved_match = 1;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (err_pos)
|
|
Packit Service |
4684c1 |
*err_pos = priorities;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
*priority_cache =
|
|
Packit Service |
4684c1 |
gnutls_calloc(1, sizeof(struct gnutls_priority_st));
|
|
Packit Service |
4684c1 |
if (*priority_cache == NULL) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
return GNUTLS_E_MEMORY_ERROR;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* for now unsafe renegotiation is default on everyone. To be removed
|
|
Packit Service |
4684c1 |
* when we make it the default.
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
(*priority_cache)->sr = SR_PARTIAL;
|
|
Packit Service |
4684c1 |
(*priority_cache)->min_record_version = 1;
|
|
Packit Service |
4684c1 |
gnutls_atomic_init(&(*priority_cache)->usage_cnt);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (priorities == NULL) {
|
|
Packit Service |
4684c1 |
priorities = _gnutls_default_priority_string;
|
|
Packit Service |
4684c1 |
resolved_match = 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
darg = _gnutls_resolve_priorities(priorities);
|
|
Packit Service |
4684c1 |
if (darg == NULL) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
goto error;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (strcmp(darg, priorities) != 0)
|
|
Packit Service |
4684c1 |
resolved_match = 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
break_list(darg, broken_list, &broken_list_size);
|
|
Packit Service |
4684c1 |
/* This is our default set of protocol version, certificate types.
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
if (c_strcasecmp(broken_list[0], LEVEL_NONE) != 0) {
|
|
Packit Service |
4684c1 |
_set_priority(&(*priority_cache)->protocol,
|
|
Packit Service |
4684c1 |
protocol_priority);
|
|
Packit Service |
4684c1 |
_set_priority(&(*priority_cache)->client_ctype,
|
|
Packit Service |
4684c1 |
cert_type_priority_default);
|
|
Packit Service |
4684c1 |
_set_priority(&(*priority_cache)->server_ctype,
|
|
Packit Service |
4684c1 |
cert_type_priority_default);
|
|
Packit Service |
4684c1 |
_set_priority(&(*priority_cache)->_sign_algo,
|
|
Packit Service |
4684c1 |
sign_priority_default);
|
|
Packit Service |
4684c1 |
_set_priority(&(*priority_cache)->_supported_ecc,
|
|
Packit Service |
4684c1 |
supported_groups_normal);
|
|
Packit Service |
4684c1 |
i = 0;
|
|
Packit Service |
4684c1 |
} else {
|
|
Packit Service |
4684c1 |
ikeyword_set = 1;
|
|
Packit Service |
4684c1 |
i = 1;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
for (; i < broken_list_size; i++) {
|
|
Packit Service |
4684c1 |
if (check_level(broken_list[i], *priority_cache, ikeyword_set) != 0) {
|
|
Packit Service |
4684c1 |
ikeyword_set = 1;
|
|
Packit Service |
4684c1 |
continue;
|
|
Packit Service |
4684c1 |
} else if (broken_list[i][0] == '!'
|
|
Packit Service |
4684c1 |
|| broken_list[i][0] == '+'
|
|
Packit Service |
4684c1 |
|| broken_list[i][0] == '-') {
|
|
Packit Service |
4684c1 |
if (broken_list[i][0] == '+') {
|
|
Packit Service |
4684c1 |
fn = prio_add;
|
|
Packit Service |
4684c1 |
bulk_fn = _add_priority;
|
|
Packit Service |
4684c1 |
bulk_given_fn = _add_priority;
|
|
Packit Service |
4684c1 |
} else {
|
|
Packit Service |
4684c1 |
fn = prio_remove;
|
|
Packit Service |
4684c1 |
bulk_fn = _clear_priorities;
|
|
Packit Service |
4684c1 |
bulk_given_fn = _clear_given_priorities;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (broken_list[i][0] == '+'
|
|
Packit Service |
4684c1 |
&& check_level(&broken_list[i][1],
|
|
Packit Service |
4684c1 |
*priority_cache, 1) != 0) {
|
|
Packit Service |
4684c1 |
continue;
|
|
Packit Service |
4684c1 |
} else if ((algo =
|
|
Packit Service |
4684c1 |
gnutls_mac_get_id(&broken_list[i][1]))
|
|
Packit Service |
4684c1 |
!= GNUTLS_MAC_UNKNOWN) {
|
|
Packit Service |
4684c1 |
fn(&(*priority_cache)->_mac, algo);
|
|
Packit Service |
4684c1 |
} else if ((centry = cipher_name_to_entry(&broken_list[i][1])) != NULL) {
|
|
Packit Service |
4684c1 |
if (_gnutls_cipher_exists(centry->id)) {
|
|
Packit Service |
4684c1 |
fn(&(*priority_cache)->_cipher, centry->id);
|
|
Packit Service |
4684c1 |
if (centry->type == CIPHER_BLOCK)
|
|
Packit Service |
4684c1 |
(*priority_cache)->have_cbc = 1;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
} else if ((algo =
|
|
Packit Service |
4684c1 |
_gnutls_kx_get_id(&broken_list[i][1])) !=
|
|
Packit Service |
4684c1 |
GNUTLS_KX_UNKNOWN) {
|
|
Packit Service |
4684c1 |
if (algo != GNUTLS_KX_INVALID)
|
|
Packit Service |
4684c1 |
fn(&(*priority_cache)->_kx, algo);
|
|
Packit Service |
4684c1 |
} else if (PRIO_MATCH("VERS-") == 0) {
|
|
Packit Service |
4684c1 |
if (PRIO_MATCH("VERS-TLS-ALL") == 0) {
|
|
Packit Service |
4684c1 |
bulk_given_fn(&(*priority_cache)->
|
|
Packit Service |
4684c1 |
protocol,
|
|
Packit Service |
4684c1 |
stream_protocol_priority);
|
|
Packit Service |
4684c1 |
} else if (PRIO_MATCH("VERS-DTLS-ALL") == 0) {
|
|
Packit Service |
4684c1 |
bulk_given_fn(&(*priority_cache)->
|
|
Packit Service |
4684c1 |
protocol,
|
|
Packit Service |
4684c1 |
(bulk_given_fn==_add_priority)?dtls_protocol_priority:dgram_protocol_priority);
|
|
Packit Service |
4684c1 |
} else if (PRIO_MATCH("VERS-ALL") == 0) {
|
|
Packit Service |
4684c1 |
bulk_fn(&(*priority_cache)->
|
|
Packit Service |
4684c1 |
protocol,
|
|
Packit Service |
4684c1 |
protocol_priority);
|
|
Packit Service |
4684c1 |
} else {
|
|
Packit Service |
4684c1 |
if ((algo =
|
|
Packit Service |
4684c1 |
gnutls_protocol_get_id
|
|
Packit Service |
4684c1 |
(&broken_list[i][6])) !=
|
|
Packit Service |
4684c1 |
GNUTLS_VERSION_UNKNOWN) {
|
|
Packit Service |
4684c1 |
fn(&(*priority_cache)->
|
|
Packit Service |
4684c1 |
protocol, algo);
|
|
Packit Service |
4684c1 |
} else
|
|
Packit Service |
4684c1 |
goto error;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
} /* now check if the element is something like -ALGO */
|
|
Packit Service |
4684c1 |
else if (PRIO_MATCH("COMP-") == 0) {
|
|
Packit Service |
4684c1 |
/* ignore all compression methods */
|
|
Packit Service |
4684c1 |
continue;
|
|
Packit Service |
4684c1 |
} /* now check if the element is something like -ALGO */
|
|
Packit Service |
4684c1 |
else if (PRIO_MATCH("CURVE-") == 0) {
|
|
Packit Service |
4684c1 |
if (PRIO_MATCH("CURVE-ALL") == 0) {
|
|
Packit Service |
4684c1 |
bulk_fn(&(*priority_cache)->
|
|
Packit Service |
4684c1 |
_supported_ecc,
|
|
Packit Service |
4684c1 |
supported_groups_normal);
|
|
Packit Service |
4684c1 |
} else {
|
|
Packit Service |
4684c1 |
if ((algo =
|
|
Packit Service |
4684c1 |
gnutls_ecc_curve_get_id
|
|
Packit Service |
4684c1 |
(&broken_list[i][7])) !=
|
|
Packit Service |
4684c1 |
GNUTLS_ECC_CURVE_INVALID)
|
|
Packit Service |
4684c1 |
fn(&(*priority_cache)->
|
|
Packit Service |
4684c1 |
_supported_ecc, algo);
|
|
Packit Service |
4684c1 |
else
|
|
Packit Service |
4684c1 |
goto error;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
} else if (PRIO_MATCH("GROUP-") == 0) {
|
|
Packit Service |
4684c1 |
if (PRIO_MATCH("GROUP-ALL") == 0) {
|
|
Packit Service |
4684c1 |
bulk_fn(&(*priority_cache)->
|
|
Packit Service |
4684c1 |
_supported_ecc,
|
|
Packit Service |
4684c1 |
supported_groups_normal);
|
|
Packit Service |
4684c1 |
} else if (PRIO_MATCH("GROUP-DH-ALL") == 0) {
|
|
Packit Service |
4684c1 |
bulk_given_fn(&(*priority_cache)->
|
|
Packit Service |
4684c1 |
_supported_ecc,
|
|
Packit Service |
4684c1 |
_supported_groups_dh);
|
|
Packit Service |
4684c1 |
} else if (PRIO_MATCH("GROUP-EC-ALL") == 0) {
|
|
Packit Service |
4684c1 |
bulk_given_fn(&(*priority_cache)->
|
|
Packit Service |
4684c1 |
_supported_ecc,
|
|
Packit Service |
4684c1 |
_supported_groups_ecdh);
|
|
Packit Service |
4684c1 |
} else if (PRIO_MATCH("GROUP-GOST-ALL") == 0) {
|
|
Packit Service |
4684c1 |
bulk_given_fn(&(*priority_cache)->
|
|
Packit Service |
4684c1 |
_supported_ecc,
|
|
Packit Service |
4684c1 |
_supported_groups_gost);
|
|
Packit Service |
4684c1 |
} else {
|
|
Packit Service |
4684c1 |
if ((algo =
|
|
Packit Service |
4684c1 |
gnutls_group_get_id
|
|
Packit Service |
4684c1 |
(&broken_list[i][7])) !=
|
|
Packit Service |
4684c1 |
GNUTLS_GROUP_INVALID)
|
|
Packit Service |
4684c1 |
fn(&(*priority_cache)->
|
|
Packit Service |
4684c1 |
_supported_ecc, algo);
|
|
Packit Service |
4684c1 |
else
|
|
Packit Service |
4684c1 |
goto error;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
} else if (PRIO_MATCH("CTYPE-") == 0) {
|
|
Packit Service |
4684c1 |
// Certificate types
|
|
Packit Service |
4684c1 |
if (PRIO_MATCH("CTYPE-ALL") == 0) {
|
|
Packit Service |
4684c1 |
// Symmetric cert types, all types allowed
|
|
Packit Service |
4684c1 |
bulk_fn(&(*priority_cache)->client_ctype,
|
|
Packit Service |
4684c1 |
cert_type_priority_all);
|
|
Packit Service |
4684c1 |
bulk_fn(&(*priority_cache)->server_ctype,
|
|
Packit Service |
4684c1 |
cert_type_priority_all);
|
|
Packit Service |
4684c1 |
} else if (PRIO_MATCH("CTYPE-CLI-") == 0) {
|
|
Packit Service |
4684c1 |
// Client certificate types
|
|
Packit Service |
4684c1 |
if (PRIO_MATCH("CTYPE-CLI-ALL") == 0) {
|
|
Packit Service |
4684c1 |
// All client cert types allowed
|
|
Packit Service |
4684c1 |
bulk_fn(&(*priority_cache)->client_ctype,
|
|
Packit Service |
4684c1 |
cert_type_priority_all);
|
|
Packit Service |
4684c1 |
} else if ((algo = gnutls_certificate_type_get_id
|
|
Packit Service |
4684c1 |
(&broken_list[i][11])) != GNUTLS_CRT_UNKNOWN) {
|
|
Packit Service |
4684c1 |
// Specific client cert type allowed
|
|
Packit Service |
4684c1 |
fn(&(*priority_cache)->client_ctype, algo);
|
|
Packit Service |
4684c1 |
} else goto error;
|
|
Packit Service |
4684c1 |
} else if (PRIO_MATCH("CTYPE-SRV-") == 0) {
|
|
Packit Service |
4684c1 |
// Server certificate types
|
|
Packit Service |
4684c1 |
if (PRIO_MATCH("CTYPE-SRV-ALL") == 0) {
|
|
Packit Service |
4684c1 |
// All server cert types allowed
|
|
Packit Service |
4684c1 |
bulk_fn(&(*priority_cache)->server_ctype,
|
|
Packit Service |
4684c1 |
cert_type_priority_all);
|
|
Packit Service |
4684c1 |
} else if ((algo = gnutls_certificate_type_get_id
|
|
Packit Service |
4684c1 |
(&broken_list[i][11])) != GNUTLS_CRT_UNKNOWN) {
|
|
Packit Service |
4684c1 |
// Specific server cert type allowed
|
|
Packit Service |
4684c1 |
fn(&(*priority_cache)->server_ctype, algo);
|
|
Packit Service |
4684c1 |
} else goto error;
|
|
Packit Service |
4684c1 |
} else { // Symmetric certificate type
|
|
Packit Service |
4684c1 |
if ((algo = gnutls_certificate_type_get_id
|
|
Packit Service |
4684c1 |
(&broken_list[i][7])) != GNUTLS_CRT_UNKNOWN) {
|
|
Packit Service |
4684c1 |
fn(&(*priority_cache)->client_ctype, algo);
|
|
Packit Service |
4684c1 |
fn(&(*priority_cache)->server_ctype, algo);
|
|
Packit Service |
4684c1 |
} else if (PRIO_MATCH("CTYPE-OPENPGP") == 0) {
|
|
Packit Service |
4684c1 |
/* legacy openpgp option - ignore */
|
|
Packit Service |
4684c1 |
continue;
|
|
Packit Service |
4684c1 |
} else goto error;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
} else if (PRIO_MATCH("SIGN-") == 0) {
|
|
Packit Service |
4684c1 |
if (PRIO_MATCH("SIGN-ALL") == 0) {
|
|
Packit Service |
4684c1 |
bulk_fn(&(*priority_cache)->
|
|
Packit Service |
4684c1 |
_sign_algo,
|
|
Packit Service |
4684c1 |
sign_priority_default);
|
|
Packit Service |
4684c1 |
} else if (PRIO_MATCH("SIGN-GOST-ALL") == 0) {
|
|
Packit Service |
4684c1 |
bulk_fn(&(*priority_cache)->
|
|
Packit Service |
4684c1 |
_sign_algo,
|
|
Packit Service |
4684c1 |
sign_priority_gost);
|
|
Packit Service |
4684c1 |
} else {
|
|
Packit Service |
4684c1 |
if ((algo =
|
|
Packit Service |
4684c1 |
gnutls_sign_get_id
|
|
Packit Service |
4684c1 |
(&broken_list[i][6])) !=
|
|
Packit Service |
4684c1 |
GNUTLS_SIGN_UNKNOWN)
|
|
Packit Service |
4684c1 |
fn(&(*priority_cache)->
|
|
Packit Service |
4684c1 |
_sign_algo, algo);
|
|
Packit Service |
4684c1 |
else
|
|
Packit Service |
4684c1 |
goto error;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
} else if (PRIO_MATCH("MAC-") == 0) {
|
|
Packit Service |
4684c1 |
if (PRIO_MATCH("MAC-ALL") == 0) {
|
|
Packit Service |
4684c1 |
bulk_fn(&(*priority_cache)->_mac,
|
|
Packit Service |
4684c1 |
mac_priority_normal);
|
|
Packit Service |
4684c1 |
} else if (PRIO_MATCH("MAC-GOST-ALL") == 0) {
|
|
Packit Service |
4684c1 |
bulk_fn(&(*priority_cache)->_mac,
|
|
Packit Service |
4684c1 |
mac_priority_gost);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
} else if (PRIO_MATCH("CIPHER-") == 0) {
|
|
Packit Service |
4684c1 |
if (PRIO_MATCH("CIPHER-ALL") == 0) {
|
|
Packit Service |
4684c1 |
bulk_fn(&(*priority_cache)->_cipher,
|
|
Packit Service |
4684c1 |
cipher_priority_normal);
|
|
Packit Service |
4684c1 |
} else if (PRIO_MATCH("CIPHER-GOST-ALL") == 0) {
|
|
Packit Service |
4684c1 |
bulk_fn(&(*priority_cache)->_cipher,
|
|
Packit Service |
4684c1 |
cipher_priority_gost);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
} else if (PRIO_MATCH("KX-") == 0) {
|
|
Packit Service |
4684c1 |
if (PRIO_MATCH("KX-ALL") == 0) {
|
|
Packit Service |
4684c1 |
bulk_fn(&(*priority_cache)->_kx,
|
|
Packit Service |
4684c1 |
kx_priority_secure);
|
|
Packit Service |
4684c1 |
} else if (PRIO_MATCH("KX-GOST-ALL") == 0) {
|
|
Packit Service |
4684c1 |
bulk_fn(&(*priority_cache)->_kx,
|
|
Packit Service |
4684c1 |
kx_priority_gost);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
} else if (PRIO_MATCH("GOST") == 0) {
|
|
Packit Service |
4684c1 |
bulk_given_fn(&(*priority_cache)->_supported_ecc,
|
|
Packit Service |
4684c1 |
_supported_groups_gost);
|
|
Packit Service |
4684c1 |
bulk_fn(&(*priority_cache)->_sign_algo,
|
|
Packit Service |
4684c1 |
sign_priority_gost);
|
|
Packit Service |
4684c1 |
bulk_fn(&(*priority_cache)->_mac,
|
|
Packit Service |
4684c1 |
mac_priority_gost);
|
|
Packit Service |
4684c1 |
bulk_fn(&(*priority_cache)->_cipher,
|
|
Packit Service |
4684c1 |
cipher_priority_gost);
|
|
Packit Service |
4684c1 |
bulk_fn(&(*priority_cache)->_kx,
|
|
Packit Service |
4684c1 |
kx_priority_gost);
|
|
Packit Service |
4684c1 |
} else
|
|
Packit Service |
4684c1 |
goto error;
|
|
Packit Service |
4684c1 |
} else if (broken_list[i][0] == '%') {
|
|
Packit Service |
4684c1 |
const struct priority_options_st * o;
|
|
Packit Service |
4684c1 |
/* to add a new option modify
|
|
Packit Service |
4684c1 |
* priority_options.gperf */
|
|
Packit Service |
4684c1 |
o = in_word_set(&broken_list[i][1], strlen(&broken_list[i][1]));
|
|
Packit Service |
4684c1 |
if (o == NULL) {
|
|
Packit Service |
4684c1 |
goto error;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
o->func(*priority_cache);
|
|
Packit Service |
4684c1 |
} else
|
|
Packit Service |
4684c1 |
goto error;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = set_ciphersuite_list(*priority_cache);
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
if (err_pos)
|
|
Packit Service |
4684c1 |
*err_pos = priorities;
|
|
Packit Service |
4684c1 |
goto error_cleanup;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
gnutls_free(darg);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
error:
|
|
Packit Service |
4684c1 |
if (err_pos != NULL && i < broken_list_size && resolved_match) {
|
|
Packit Service |
4684c1 |
*err_pos = priorities;
|
|
Packit Service |
4684c1 |
for (j = 0; j < i; j++) {
|
|
Packit Service |
4684c1 |
(*err_pos) += strlen(broken_list[j]) + 1;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
ret = GNUTLS_E_INVALID_REQUEST;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
error_cleanup:
|
|
Packit Service |
4684c1 |
free(darg);
|
|
Packit Service |
4684c1 |
gnutls_priority_deinit(*priority_cache);
|
|
Packit Service |
4684c1 |
*priority_cache = NULL;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return ret;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_priority_deinit:
|
|
Packit Service |
4684c1 |
* @priority_cache: is a #gnutls_prioritity_t type.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Deinitializes the priority cache.
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
void gnutls_priority_deinit(gnutls_priority_t priority_cache)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (priority_cache == NULL)
|
|
Packit Service |
4684c1 |
return;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* Note that here we care about the following two cases:
|
|
Packit Service |
4684c1 |
* 1. Multiple sessions or different threads holding a reference + a global reference
|
|
Packit Service |
4684c1 |
* 2. One session holding a reference with a possible global reference
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* As such, it will never be that two threads reach the
|
|
Packit Service |
4684c1 |
* zero state at the same time, unless the global reference
|
|
Packit Service |
4684c1 |
* is cleared too, which is invalid state.
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
if (gnutls_atomic_val(&priority_cache->usage_cnt) == 0) {
|
|
Packit Service |
4684c1 |
gnutls_atomic_deinit(&priority_cache->usage_cnt);
|
|
Packit Service |
4684c1 |
gnutls_free(priority_cache);
|
|
Packit Service |
4684c1 |
return;
|
|
Packit Service |
4684c1 |
} else {
|
|
Packit Service |
4684c1 |
gnutls_atomic_decrement(&priority_cache->usage_cnt);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_priority_set_direct:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
* @priorities: is a string describing priorities
|
|
Packit Service |
4684c1 |
* @err_pos: In case of an error this will have the position in the string the error occurred
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Sets the priorities to use on the ciphers, key exchange methods,
|
|
Packit Service |
4684c1 |
* and macs. This function avoids keeping a
|
|
Packit Service |
4684c1 |
* priority cache and is used to directly set string priorities to a
|
|
Packit Service |
4684c1 |
* TLS session. For documentation check the gnutls_priority_init().
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* To use a reasonable default, consider using gnutls_set_default_priority(),
|
|
Packit Service |
4684c1 |
* or gnutls_set_default_priority_append() instead of this function.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: On syntax error %GNUTLS_E_INVALID_REQUEST is returned,
|
|
Packit Service |
4684c1 |
* %GNUTLS_E_SUCCESS on success, or an error code.
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
int
|
|
Packit Service |
4684c1 |
gnutls_priority_set_direct(gnutls_session_t session,
|
|
Packit Service |
4684c1 |
const char *priorities, const char **err_pos)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
gnutls_priority_t prio;
|
|
Packit Service |
4684c1 |
int ret;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = gnutls_priority_init(&prio, priorities, err_pos);
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
return ret;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = gnutls_priority_set(session, prio);
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
return ret;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* ensure that the session holds the only reference for the struct */
|
|
Packit Service |
4684c1 |
gnutls_priority_deinit(prio);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* Breaks a list of "xxx", "yyy", to a character array, of
|
|
Packit Service |
4684c1 |
* MAX_COMMA_SEP_ELEMENTS size; Note that the given string is modified.
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
static void
|
|
Packit Service |
4684c1 |
break_list(char *list,
|
|
Packit Service |
4684c1 |
char *broken_list[MAX_ELEMENTS], int *size)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
char *p = list;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
*size = 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
do {
|
|
Packit Service |
4684c1 |
broken_list[*size] = p;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
(*size)++;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
p = strchr(p, ':');
|
|
Packit Service |
4684c1 |
if (p) {
|
|
Packit Service |
4684c1 |
*p = 0;
|
|
Packit Service |
4684c1 |
p++; /* move to next entry and skip white
|
|
Packit Service |
4684c1 |
* space.
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
while (*p == ' ')
|
|
Packit Service |
4684c1 |
p++;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
while (p != NULL && *size < MAX_ELEMENTS);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_set_default_priority:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Sets the default priority on the ciphers, key exchange methods,
|
|
Packit Service |
4684c1 |
* and macs. This is the recommended method of
|
|
Packit Service |
4684c1 |
* setting the defaults, in order to promote consistency between applications
|
|
Packit Service |
4684c1 |
* using GnuTLS, and to allow GnuTLS using applications to update settings
|
|
Packit Service |
4684c1 |
* in par with the library. For client applications which require
|
|
Packit Service |
4684c1 |
* maximum compatibility consider calling gnutls_session_enable_compatibility_mode()
|
|
Packit Service |
4684c1 |
* after this function.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* For an application to specify additional options to priority string
|
|
Packit Service |
4684c1 |
* consider using gnutls_set_default_priority_append().
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* To allow a user to override the defaults (e.g., when a user interface
|
|
Packit Service |
4684c1 |
* or configuration file is available), the functions
|
|
Packit Service |
4684c1 |
* gnutls_priority_set_direct() or gnutls_priority_set() can
|
|
Packit Service |
4684c1 |
* be used.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: %GNUTLS_E_SUCCESS on success, or an error code.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since: 2.1.4
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
int gnutls_set_default_priority(gnutls_session_t session)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
return gnutls_priority_set_direct(session, NULL, NULL);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_set_default_priority_append:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
* @add_prio: is a string describing priorities to be appended to default
|
|
Packit Service |
4684c1 |
* @err_pos: In case of an error this will have the position in the string the error occurred
|
|
Packit Service |
4684c1 |
* @flags: must be zero
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Sets the default priority on the ciphers, key exchange methods,
|
|
Packit Service |
4684c1 |
* and macs with the additional options in @add_prio. This is the recommended method of
|
|
Packit Service |
4684c1 |
* setting the defaults when only few additional options are to be added. This promotes
|
|
Packit Service |
4684c1 |
* consistency between applications using GnuTLS, and allows GnuTLS using applications
|
|
Packit Service |
4684c1 |
* to update settings in par with the library.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* The @add_prio string should start as a normal priority string, e.g.,
|
|
Packit Service |
4684c1 |
* '-VERS-TLS-ALL:+VERS-TLS1.3:%%COMPAT' or '%%FORCE_ETM'. That is, it must not start
|
|
Packit Service |
4684c1 |
* with ':'.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* To allow a user to override the defaults (e.g., when a user interface
|
|
Packit Service |
4684c1 |
* or configuration file is available), the functions
|
|
Packit Service |
4684c1 |
* gnutls_priority_set_direct() or gnutls_priority_set() can
|
|
Packit Service |
4684c1 |
* be used.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: %GNUTLS_E_SUCCESS on success, or an error code.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since: 3.6.3
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
int gnutls_set_default_priority_append(gnutls_session_t session,
|
|
Packit Service |
4684c1 |
const char *add_prio,
|
|
Packit Service |
4684c1 |
const char **err_pos,
|
|
Packit Service |
4684c1 |
unsigned flags)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
gnutls_priority_t prio;
|
|
Packit Service |
4684c1 |
int ret;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = gnutls_priority_init2(&prio, add_prio, err_pos, GNUTLS_PRIORITY_INIT_DEF_APPEND);
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
return ret;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = gnutls_priority_set(session, prio);
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
return ret;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* ensure that the session holds the only reference for the struct */
|
|
Packit Service |
4684c1 |
gnutls_priority_deinit(prio);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_priority_ecc_curve_list:
|
|
Packit Service |
4684c1 |
* @pcache: is a #gnutls_prioritity_t type.
|
|
Packit Service |
4684c1 |
* @list: will point to an integer list
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Get a list of available elliptic curves in the priority
|
|
Packit Service |
4684c1 |
* structure.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Deprecated: This function has been replaced by
|
|
Packit Service |
4684c1 |
* gnutls_priority_group_list() since 3.6.0.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: the number of items, or an error code.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since: 3.0
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
int
|
|
Packit Service |
4684c1 |
gnutls_priority_ecc_curve_list(gnutls_priority_t pcache,
|
|
Packit Service |
4684c1 |
const unsigned int **list)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
unsigned i;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (pcache->_supported_ecc.num_priorities == 0)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
*list = pcache->_supported_ecc.priorities;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* to ensure we don't confuse the caller, we do not include
|
|
Packit Service |
4684c1 |
* any FFDHE groups. This may return an incomplete list. */
|
|
Packit Service |
4684c1 |
for (i=0;i<pcache->_supported_ecc.num_priorities;i++)
|
|
Packit Service |
4684c1 |
if (pcache->_supported_ecc.priorities[i] > GNUTLS_ECC_CURVE_MAX)
|
|
Packit Service |
4684c1 |
return i;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return pcache->_supported_ecc.num_priorities;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_priority_group_list:
|
|
Packit Service |
4684c1 |
* @pcache: is a #gnutls_prioritity_t type.
|
|
Packit Service |
4684c1 |
* @list: will point to an integer list
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Get a list of available groups in the priority
|
|
Packit Service |
4684c1 |
* structure.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: the number of items, or an error code.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since: 3.6.0
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
int
|
|
Packit Service |
4684c1 |
gnutls_priority_group_list(gnutls_priority_t pcache,
|
|
Packit Service |
4684c1 |
const unsigned int **list)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (pcache->_supported_ecc.num_priorities == 0)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
*list = pcache->_supported_ecc.priorities;
|
|
Packit Service |
4684c1 |
return pcache->_supported_ecc.num_priorities;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_priority_kx_list:
|
|
Packit Service |
4684c1 |
* @pcache: is a #gnutls_prioritity_t type.
|
|
Packit Service |
4684c1 |
* @list: will point to an integer list
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Get a list of available key exchange methods in the priority
|
|
Packit Service |
4684c1 |
* structure.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: the number of items, or an error code.
|
|
Packit Service |
4684c1 |
* Since: 3.2.3
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
int
|
|
Packit Service |
4684c1 |
gnutls_priority_kx_list(gnutls_priority_t pcache,
|
|
Packit Service |
4684c1 |
const unsigned int **list)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (pcache->_kx.num_priorities == 0)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
*list = pcache->_kx.priorities;
|
|
Packit Service |
4684c1 |
return pcache->_kx.num_priorities;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_priority_cipher_list:
|
|
Packit Service |
4684c1 |
* @pcache: is a #gnutls_prioritity_t type.
|
|
Packit Service |
4684c1 |
* @list: will point to an integer list
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Get a list of available ciphers in the priority
|
|
Packit Service |
4684c1 |
* structure.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: the number of items, or an error code.
|
|
Packit Service |
4684c1 |
* Since: 3.2.3
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
int
|
|
Packit Service |
4684c1 |
gnutls_priority_cipher_list(gnutls_priority_t pcache,
|
|
Packit Service |
4684c1 |
const unsigned int **list)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (pcache->_cipher.num_priorities == 0)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
*list = pcache->_cipher.priorities;
|
|
Packit Service |
4684c1 |
return pcache->_cipher.num_priorities;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_priority_mac_list:
|
|
Packit Service |
4684c1 |
* @pcache: is a #gnutls_prioritity_t type.
|
|
Packit Service |
4684c1 |
* @list: will point to an integer list
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Get a list of available MAC algorithms in the priority
|
|
Packit Service |
4684c1 |
* structure.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: the number of items, or an error code.
|
|
Packit Service |
4684c1 |
* Since: 3.2.3
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
int
|
|
Packit Service |
4684c1 |
gnutls_priority_mac_list(gnutls_priority_t pcache,
|
|
Packit Service |
4684c1 |
const unsigned int **list)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (pcache->_mac.num_priorities == 0)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
*list = pcache->_mac.priorities;
|
|
Packit Service |
4684c1 |
return pcache->_mac.num_priorities;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_priority_compression_list:
|
|
Packit Service |
4684c1 |
* @pcache: is a #gnutls_prioritity_t type.
|
|
Packit Service |
4684c1 |
* @list: will point to an integer list
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Get a list of available compression method in the priority
|
|
Packit Service |
4684c1 |
* structure.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: the number of methods, or an error code.
|
|
Packit Service |
4684c1 |
* Since: 3.0
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
int
|
|
Packit Service |
4684c1 |
gnutls_priority_compression_list(gnutls_priority_t pcache,
|
|
Packit Service |
4684c1 |
const unsigned int **list)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
static const unsigned int priority[1] = {GNUTLS_COMP_NULL};
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
*list = priority;
|
|
Packit Service |
4684c1 |
return 1;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_priority_protocol_list:
|
|
Packit Service |
4684c1 |
* @pcache: is a #gnutls_prioritity_t type.
|
|
Packit Service |
4684c1 |
* @list: will point to an integer list
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Get a list of available TLS version numbers in the priority
|
|
Packit Service |
4684c1 |
* structure.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: the number of protocols, or an error code.
|
|
Packit Service |
4684c1 |
* Since: 3.0
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
int
|
|
Packit Service |
4684c1 |
gnutls_priority_protocol_list(gnutls_priority_t pcache,
|
|
Packit Service |
4684c1 |
const unsigned int **list)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (pcache->protocol.num_priorities == 0)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
*list = pcache->protocol.priorities;
|
|
Packit Service |
4684c1 |
return pcache->protocol.num_priorities;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_priority_sign_list:
|
|
Packit Service |
4684c1 |
* @pcache: is a #gnutls_prioritity_t type.
|
|
Packit Service |
4684c1 |
* @list: will point to an integer list
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Get a list of available signature algorithms in the priority
|
|
Packit Service |
4684c1 |
* structure.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: the number of algorithms, or an error code.
|
|
Packit Service |
4684c1 |
* Since: 3.0
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
int
|
|
Packit Service |
4684c1 |
gnutls_priority_sign_list(gnutls_priority_t pcache,
|
|
Packit Service |
4684c1 |
const unsigned int **list)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (pcache->_sign_algo.num_priorities == 0)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
*list = pcache->_sign_algo.priorities;
|
|
Packit Service |
4684c1 |
return pcache->_sign_algo.num_priorities;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_priority_certificate_type_list:
|
|
Packit Service |
4684c1 |
* @pcache: is a #gnutls_prioritity_t type.
|
|
Packit Service |
4684c1 |
* @list: will point to an integer list
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Get a list of available certificate types in the priority
|
|
Packit Service |
4684c1 |
* structure.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* As of version 3.6.4 this function is an alias for
|
|
Packit Service |
4684c1 |
* gnutls_priority_certificate_type_list2 with the target parameter
|
|
Packit Service |
4684c1 |
* set to:
|
|
Packit Service |
4684c1 |
* - GNUTLS_CTYPE_SERVER, if the %SERVER_PRECEDENCE option is set
|
|
Packit Service |
4684c1 |
* - GNUTLS_CTYPE_CLIENT, otherwise.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: the number of certificate types, or an error code.
|
|
Packit Service |
4684c1 |
* Since: 3.0
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
int
|
|
Packit Service |
4684c1 |
gnutls_priority_certificate_type_list(gnutls_priority_t pcache,
|
|
Packit Service |
4684c1 |
const unsigned int **list)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
gnutls_ctype_target_t target =
|
|
Packit Service |
4684c1 |
pcache->server_precedence ? GNUTLS_CTYPE_SERVER : GNUTLS_CTYPE_CLIENT;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return gnutls_priority_certificate_type_list2(pcache, list, target);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_priority_certificate_type_list2:
|
|
Packit Service |
4684c1 |
* @pcache: is a #gnutls_prioritity_t type.
|
|
Packit Service |
4684c1 |
* @list: will point to an integer list.
|
|
Packit Service |
4684c1 |
* @target: is a #gnutls_ctype_target_t type. Valid arguments are
|
|
Packit Service |
4684c1 |
* GNUTLS_CTYPE_CLIENT and GNUTLS_CTYPE_SERVER
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Get a list of available certificate types for the given target
|
|
Packit Service |
4684c1 |
* in the priority structure.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: the number of certificate types, or an error code.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since: 3.6.4
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
int
|
|
Packit Service |
4684c1 |
gnutls_priority_certificate_type_list2(gnutls_priority_t pcache,
|
|
Packit Service |
4684c1 |
const unsigned int **list, gnutls_ctype_target_t target)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
switch (target) {
|
|
Packit Service |
4684c1 |
case GNUTLS_CTYPE_CLIENT:
|
|
Packit Service |
4684c1 |
if(pcache->client_ctype.num_priorities > 0) {
|
|
Packit Service |
4684c1 |
*list = pcache->client_ctype.priorities;
|
|
Packit Service |
4684c1 |
return pcache->client_ctype.num_priorities;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
break;
|
|
Packit Service |
4684c1 |
case GNUTLS_CTYPE_SERVER:
|
|
Packit Service |
4684c1 |
if(pcache->server_ctype.num_priorities > 0) {
|
|
Packit Service |
4684c1 |
*list = pcache->server_ctype.priorities;
|
|
Packit Service |
4684c1 |
return pcache->server_ctype.num_priorities;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
break;
|
|
Packit Service |
4684c1 |
default:
|
|
Packit Service |
4684c1 |
// Invalid target given
|
|
Packit Service |
4684c1 |
gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
// Found a matching target but non of them had any ctypes set
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_priority_string_list:
|
|
Packit Service |
4684c1 |
* @iter: an integer counter starting from zero
|
|
Packit Service |
4684c1 |
* @flags: one of %GNUTLS_PRIORITY_LIST_INIT_KEYWORDS, %GNUTLS_PRIORITY_LIST_SPECIAL
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Can be used to iterate all available priority strings.
|
|
Packit Service |
4684c1 |
* Due to internal implementation details, there are cases where this
|
|
Packit Service |
4684c1 |
* function can return the empty string. In that case that string should be ignored.
|
|
Packit Service |
4684c1 |
* When no strings are available it returns %NULL.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: a priority string
|
|
Packit Service |
4684c1 |
* Since: 3.4.0
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
const char *
|
|
Packit Service |
4684c1 |
gnutls_priority_string_list(unsigned iter, unsigned int flags)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (flags & GNUTLS_PRIORITY_LIST_INIT_KEYWORDS) {
|
|
Packit Service |
4684c1 |
if (iter >= (sizeof(pgroups)/sizeof(pgroups[0]))-1)
|
|
Packit Service |
4684c1 |
return NULL;
|
|
Packit Service |
4684c1 |
return pgroups[iter].name;
|
|
Packit Service |
4684c1 |
} else if (flags & GNUTLS_PRIORITY_LIST_SPECIAL) {
|
|
Packit Service |
4684c1 |
if (iter >= (sizeof(wordlist)/sizeof(wordlist[0]))-1)
|
|
Packit Service |
4684c1 |
return NULL;
|
|
Packit Service |
4684c1 |
return wordlist[iter].name;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
return NULL;
|
|
Packit Service |
4684c1 |
}
|