search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Removed incorrect test on IPAddresses (was relying on IPaddresses encoded as text)
[gnutls.git] / lib / gnutls_priority.c
blob8f592070f2e2977b6bb69d0fd59d06e58c61d9de
1 /*
2 * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software
3 * Foundation, Inc.
4 *
5 * Author: Nikos Mavrogiannopoulos
6 *
7 * This file is part of GnuTLS.
8 *
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
22 * USA
23 *
24 */
25
26 /* Here lies the code of the gnutls_*_set_priority() functions.
27 */
28
29 #include "gnutls_int.h"
30 #include "gnutls_algorithms.h"
31 #include "gnutls_errors.h"
32 #include <gnutls_num.h>
33
34 static void
35 break_comma_list (char *etag,
36 char **broken_etag, int *elements, int max_elements,
37 char sep);
38
39 /**
40 * gnutls_cipher_set_priority:
41 * @session: is a #gnutls_session_t structure.
42 * @list: is a 0 terminated list of gnutls_cipher_algorithm_t elements.
43 *
44 * Sets the priority on the ciphers supported by gnutls. Priority is
45 * higher for elements specified before others. After specifying the
46 * ciphers you want, you must append a 0. Note that the priority is
47 * set on the client. The server does not use the algorithm's
48 * priority except for disabling algorithms that were not specified.
49 *
50 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
51 **/
52 int
53 gnutls_cipher_set_priority (gnutls_session_t session, const int *list)
54 {
55 int num = 0, i;
56
57 while (list[num] != 0)
58 num++;
59 if (num > MAX_ALGOS)
60 num = MAX_ALGOS;
61 session->internals.priorities.cipher.algorithms = num;
62
63 for (i = 0; i < num; i++)
64 {
65 session->internals.priorities.cipher.priority[i] = list[i];
66 }
67
68 return 0;
69 }
70
71 typedef void (bulk_rmadd_func) (priority_st * priority_list, const int *);
72
73 inline static void
74 _set_priority (priority_st * st, const int *list)
75 {
76 int num = 0, i;
77
78 while (list[num] != 0)
79 num++;
80 if (num > MAX_ALGOS)
81 num = MAX_ALGOS;
82 st->algorithms = num;
83
84 for (i = 0; i < num; i++)
85 {
86 st->priority[i] = list[i];
87 }
88
89 return;
90 }
91
92 static void
93 _clear_priorities (priority_st * st, const int *list)
94 {
95 memset(st, 0, sizeof(*st));
96 }
97
98 /**
99 * gnutls_kx_set_priority:
100 * @session: is a #gnutls_session_t structure.
101 * @list: is a 0 terminated list of gnutls_kx_algorithm_t elements.
102 *
103 * Sets the priority on the key exchange algorithms supported by
104 * gnutls. Priority is higher for elements specified before others.
105 * After specifying the algorithms you want, you must append a 0.
106 * Note that the priority is set on the client. The server does not
107 * use the algorithm's priority except for disabling algorithms that
108 * were not specified.
109 *
110 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
111 **/
112 int
113 gnutls_kx_set_priority (gnutls_session_t session, const int *list)
114 {
115 _set_priority (&session->internals.priorities.kx, list);
116 return 0;
117 }
118
119 /**
120 * gnutls_mac_set_priority:
121 * @session: is a #gnutls_session_t structure.
122 * @list: is a 0 terminated list of gnutls_mac_algorithm_t elements.
123 *
124 * Sets the priority on the mac algorithms supported by gnutls.
125 * Priority is higher for elements specified before others. After
126 * specifying the algorithms you want, you must append a 0. Note
127 * that the priority is set on the client. The server does not use
128 * the algorithm's priority except for disabling algorithms that were
129 * not specified.
130 *
131 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
132 **/
133 int
134 gnutls_mac_set_priority (gnutls_session_t session, const int *list)
135 {
136 _set_priority (&session->internals.priorities.mac, list);
137 return 0;
138 }
139
140 /**
141 * gnutls_compression_set_priority:
142 * @session: is a #gnutls_session_t structure.
143 * @list: is a 0 terminated list of gnutls_compression_method_t elements.
144 *
145 * Sets the priority on the compression algorithms supported by
146 * gnutls. Priority is higher for elements specified before others.
147 * After specifying the algorithms you want, you must append a 0.
148 * Note that the priority is set on the client. The server does not
149 * use the algorithm's priority except for disabling algorithms that
150 * were not specified.
151 *
152 * TLS 1.0 does not define any compression algorithms except
153 * NULL. Other compression algorithms are to be considered as gnutls
154 * extensions.
155 *
156 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
157 **/
158 int
159 gnutls_compression_set_priority (gnutls_session_t session, const int *list)
160 {
161 _set_priority (&session->internals.priorities.compression, list);
162 return 0;
163 }
164
165 /**
166 * gnutls_protocol_set_priority:
167 * @session: is a #gnutls_session_t structure.
168 * @list: is a 0 terminated list of gnutls_protocol_t elements.
169 *
170 * Sets the priority on the protocol versions supported by gnutls.
171 * This function actually enables or disables protocols. Newer protocol
172 * versions always have highest priority.
173 *
174 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
175 **/
176 int
177 gnutls_protocol_set_priority (gnutls_session_t session, const int *list)
178 {
179 _set_priority (&session->internals.priorities.protocol, list);
180
181 /* set the current version to the first in the chain.
182 * This will be overridden later.
183 */
184 if (list)
185 _gnutls_set_current_version (session, list[0]);
186
187 return 0;
188 }
189
190 /**
191 * gnutls_certificate_type_set_priority:
192 * @session: is a #gnutls_session_t structure.
193 * @list: is a 0 terminated list of gnutls_certificate_type_t elements.
194 *
195 * Sets the priority on the certificate types supported by gnutls.
196 * Priority is higher for elements specified before others.
197 * After specifying the types you want, you must append a 0.
198 * Note that the certificate type priority is set on the client.
199 * The server does not use the cert type priority except for disabling
200 * types that were not specified.
201 *
202 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
203 **/
204 int
205 gnutls_certificate_type_set_priority (gnutls_session_t session,
206 const int *list)
207 {
208 #ifdef ENABLE_OPENPGP
209 _set_priority (&session->internals.priorities.cert_type, list);
210 return 0;
211 #else
212
213 return GNUTLS_E_UNIMPLEMENTED_FEATURE;
214
215 #endif
216 }
217
218 static const int protocol_priority[] = {
219 GNUTLS_TLS1_2,
220 GNUTLS_TLS1_1,
221 GNUTLS_TLS1_0,
222 GNUTLS_SSL3,
223 0
224 };
225
226 static const int kx_priority_performance[] = {
227 GNUTLS_KX_RSA,
228 GNUTLS_KX_DHE_RSA,
229 GNUTLS_KX_DHE_DSS,
230 /* GNUTLS_KX_ANON_DH: Man-in-the-middle prone, don't add!
231 * GNUTLS_KX_RSA_EXPORT: Deprecated, don't add!
232 */
233 0
234 };
235
236 static const int kx_priority_export[] = {
237 GNUTLS_KX_RSA,
238 GNUTLS_KX_DHE_RSA,
239 GNUTLS_KX_DHE_DSS,
240 GNUTLS_KX_RSA_EXPORT,
241 0
242 };
243
244 static const int kx_priority_secure[] = {
245 /* The ciphersuites that offer forward secrecy take
246 * precendance
247 */
248 GNUTLS_KX_DHE_RSA,
249 GNUTLS_KX_DHE_DSS,
250 GNUTLS_KX_RSA,
251 /* GNUTLS_KX_ANON_DH: Man-in-the-middle prone, don't add!
252 * GNUTLS_KX_RSA_EXPORT: Deprecated, don't add!
253 */
254 0
255 };
256
257 static const int cipher_priority_performance[] = {
258 GNUTLS_CIPHER_ARCFOUR_128,
259 #ifdef ENABLE_CAMELLIA
260 GNUTLS_CIPHER_CAMELLIA_128_CBC,
261 #endif
262 GNUTLS_CIPHER_AES_128_CBC,
263 GNUTLS_CIPHER_3DES_CBC,
264 GNUTLS_CIPHER_AES_256_CBC,
265 #ifdef ENABLE_CAMELLIA
266 GNUTLS_CIPHER_CAMELLIA_256_CBC,
267 #endif
268 /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */
269 0
270 };
271
272 static const int cipher_priority_normal[] = {
273 GNUTLS_CIPHER_AES_128_CBC,
274 #ifdef ENABLE_CAMELLIA
275 GNUTLS_CIPHER_CAMELLIA_128_CBC,
276 #endif
277 GNUTLS_CIPHER_AES_256_CBC,
278 #ifdef ENABLE_CAMELLIA
279 GNUTLS_CIPHER_CAMELLIA_256_CBC,
280 #endif
281 GNUTLS_CIPHER_3DES_CBC,
282 GNUTLS_CIPHER_ARCFOUR_128,
283 /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */
284 0
285 };
286
287 static const int cipher_priority_secure128[] = {
288 GNUTLS_CIPHER_AES_128_CBC,
289 #ifdef ENABLE_CAMELLIA
290 GNUTLS_CIPHER_CAMELLIA_128_CBC,
291 #endif
292 GNUTLS_CIPHER_3DES_CBC,
293 GNUTLS_CIPHER_ARCFOUR_128,
294 /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */
295 0
296 };
297
298
299 static const int cipher_priority_secure256[] = {
300 GNUTLS_CIPHER_AES_256_CBC,
301 #ifdef ENABLE_CAMELLIA
302 GNUTLS_CIPHER_CAMELLIA_256_CBC,
303 #endif
304 GNUTLS_CIPHER_AES_128_CBC,
305 #ifdef ENABLE_CAMELLIA
306 GNUTLS_CIPHER_CAMELLIA_128_CBC,
307 #endif
308 GNUTLS_CIPHER_3DES_CBC,
309 GNUTLS_CIPHER_ARCFOUR_128,
310 /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */
311 0
312 };
313
314 /* The same as cipher_priority_security_normal + arcfour-40. */
315 static const int cipher_priority_export[] = {
316 GNUTLS_CIPHER_AES_128_CBC,
317 GNUTLS_CIPHER_AES_256_CBC,
318 #ifdef ENABLE_CAMELLIA
319 GNUTLS_CIPHER_CAMELLIA_128_CBC,
320 GNUTLS_CIPHER_CAMELLIA_256_CBC,
321 #endif
322 GNUTLS_CIPHER_3DES_CBC,
323 GNUTLS_CIPHER_ARCFOUR_128,
324 GNUTLS_CIPHER_ARCFOUR_40,
325 0
326 };
327
328 static const int comp_priority[] = {
329 /* compression should be explicitely requested to be enabled */
330 GNUTLS_COMP_NULL,
331 0
332 };
333
334 static const int sign_priority_default[] = {
335 GNUTLS_SIGN_DSA_SHA224,
336 GNUTLS_SIGN_DSA_SHA256,
337 GNUTLS_SIGN_RSA_SHA256,
338 GNUTLS_SIGN_RSA_SHA384,
339 GNUTLS_SIGN_RSA_SHA512,
340 GNUTLS_SIGN_RSA_SHA1,
341 GNUTLS_SIGN_DSA_SHA1,
342 0
343 };
344
345 static const int sign_priority_secure128[] = {
346 GNUTLS_SIGN_RSA_SHA256,
347 GNUTLS_SIGN_RSA_SHA384,
348 GNUTLS_SIGN_RSA_SHA512,
349 GNUTLS_SIGN_DSA_SHA1,
350 0
351 };
352
353 static const int sign_priority_secure256[] = {
354 GNUTLS_SIGN_RSA_SHA512,
355 0
356 };
357
358 static const int mac_priority_normal[] = {
359 GNUTLS_MAC_SHA1,
360 GNUTLS_MAC_SHA256,
361 GNUTLS_MAC_MD5,
362 0
363 };
364
365
366 static const int mac_priority_secure[] = {
367 GNUTLS_MAC_SHA256,
368 GNUTLS_MAC_SHA1,
369 0
370 };
371
372 static int cert_type_priority[] = {
373 GNUTLS_CRT_X509,
374 GNUTLS_CRT_OPENPGP,
375 0
376 };
377
378 typedef void (rmadd_func) (priority_st * priority_list, unsigned int alg);
379
380 static void
381 prio_remove (priority_st * priority_list, unsigned int algo)
382 {
383 int i = 0;
384 int pos = -1; /* the position of the cipher to remove */
385
386 while (priority_list->priority[i] != 0)
387 {
388 if (priority_list->priority[i] == algo)
389 pos = i;
390 i++;
391 }
392
393 if (pos >= 0)
394 {
395 priority_list->priority[pos] = priority_list->priority[i - 1];
396 priority_list->priority[i - 1] = 0;
397 priority_list->algorithms--;
398 }
399
400 return;
401 }
402
403 static void
404 prio_add (priority_st * priority_list, unsigned int algo)
405 {
406 register int i = 0;
407 while (priority_list->priority[i] != 0)
408 {
409 if (algo == priority_list->priority[i])
410 return; /* if it exists */
411 i++;
412 }
413
414 if (i < MAX_ALGOS)
415 {
416 priority_list->priority[i] = algo;
417 priority_list->algorithms++;
418 }
419
420 return;
421 }
422
423
424 /**
425 * gnutls_priority_set:
426 * @session: is a #gnutls_session_t structure.
427 * @priority: is a #gnutls_priority_t structure.
428 *
429 * Sets the priorities to use on the ciphers, key exchange methods,
430 * macs and compression methods.
431 *
432 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
433 **/
434 int
435 gnutls_priority_set (gnutls_session_t session, gnutls_priority_t priority)
436 {
437 if (priority == NULL)
438 {
439 gnutls_assert ();
440 return GNUTLS_E_NO_CIPHER_SUITES;
441 }
442
443 memcpy (&session->internals.priorities, priority,
444 sizeof (struct gnutls_priority_st));
445
446 /* set the current version to the first in the chain.
447 * This will be overridden later.
448 */
449 if (session->internals.priorities.protocol.algorithms > 0)
450 _gnutls_set_current_version (session,
451 session->internals.priorities.protocol.
452 priority[0]);
453
454 return 0;
455 }
456
457
458 #define MAX_ELEMENTS 48
459
460 /**
461 * gnutls_priority_init:
462 * @priority_cache: is a #gnutls_prioritity_t structure.
463 * @priorities: is a string describing priorities
464 * @err_pos: In case of an error this will have the position in the string the error occured
465 *
466 * Sets priorities for the ciphers, key exchange methods, macs and
467 * compression methods.
468 *
469 * The #priorities option allows you to specify a colon
470 * separated list of the cipher priorities to enable.
471 *
472 * Common keywords: Some keywords are defined to provide quick access
473 * to common preferences.
474 *
475 * "PERFORMANCE" means all the "secure" ciphersuites are enabled,
476 * limited to 128 bit ciphers and sorted by terms of speed
477 * performance.
478 *
479 * "NORMAL" means all "secure" ciphersuites. The 256-bit ciphers are
480 * included as a fallback only. The ciphers are sorted by security
481 * margin.
482 *
483 * "SECURE128" means all "secure" ciphersuites with ciphers up to 128
484 * bits, sorted by security margin.
485 *
486 * "SECURE256" means all "secure" ciphersuites including the 256 bit
487 * ciphers, sorted by security margin.
488 *
489 * "EXPORT" means all ciphersuites are enabled, including the
490 * low-security 40 bit ciphers.
491 *
492 * "NONE" means nothing is enabled. This disables even protocols and
493 * compression methods.
494 *
495 * Special keywords:
496 * "!" or "-" appended with an algorithm will remove this algorithm.
497 *
498 * "+" appended with an algorithm will add this algorithm.
499 *
500 * Check the GnuTLS manual section "Priority strings" for detailed
501 * information.
502 *
503 * Examples:
504 *
505 * "NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-NULL"
506 *
507 * "NORMAL:-ARCFOUR-128" means normal ciphers except for ARCFOUR-128.
508 *
509 * "SECURE:-VERS-SSL3.0:+COMP-DEFLATE" means that only secure ciphers are
510 * enabled, SSL3.0 is disabled, and libz compression enabled.
511 *
512 * "NONE:+VERS-TLS-ALL:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL:+SIGN-RSA-SHA1",
513 *
514 * "NORMAL:%COMPAT" is the most compatible mode.
515 *
516 * Returns: On syntax error %GNUTLS_E_INVALID_REQUEST is returned,
517 * %GNUTLS_E_SUCCESS on success, or an error code.
518 **/
519 int
520 gnutls_priority_init (gnutls_priority_t * priority_cache,
521 const char *priorities, const char **err_pos)
522 {
523 char *broken_list[MAX_ELEMENTS];
524 int broken_list_size = 0, i = 0, j;
525 char *darg = NULL;
526 int algo;
527 rmadd_func *fn;
528 bulk_rmadd_func *bulk_fn;
529
530 *priority_cache = gnutls_calloc (1, sizeof (struct gnutls_priority_st));
531 if (*priority_cache == NULL)
532 {
533 gnutls_assert ();
534 return GNUTLS_E_MEMORY_ERROR;
535 }
536
537 /* for now unsafe renegotiation is default on everyone. To be removed
538 * when we make it the default.
539 */
540 (*priority_cache)->sr = SR_PARTIAL;
541 (*priority_cache)->ssl3_record_version = 1;
542
543 if (priorities == NULL)
544 priorities = "NORMAL";
545
546 darg = gnutls_strdup (priorities);
547 if (darg == NULL)
548 {
549 gnutls_assert ();
550 goto error;
551 }
552
553 break_comma_list (darg, broken_list, &broken_list_size, MAX_ELEMENTS, ':');
554 /* This is our default set of protocol version, certificate types and
555 * compression methods.
556 */
557 if (strcasecmp (broken_list[0], "NONE") != 0)
558 {
559 _set_priority (&(*priority_cache)->protocol, protocol_priority);
560 _set_priority (&(*priority_cache)->compression, comp_priority);
561 _set_priority (&(*priority_cache)->cert_type, cert_type_priority);
562 _set_priority (&(*priority_cache)->sign_algo, sign_priority_default);
563 i = 0;
564 }
565 else
566 {
567 i = 1;
568 }
569
570 for (; i < broken_list_size; i++)
571 {
572 if (strcasecmp (broken_list[i], "PERFORMANCE") == 0)
573 {
574 _set_priority (&(*priority_cache)->cipher,
575 cipher_priority_performance);
576 _set_priority (&(*priority_cache)->kx, kx_priority_performance);
577 _set_priority (&(*priority_cache)->mac, mac_priority_normal);
578 _set_priority (&(*priority_cache)->sign_algo,
579 sign_priority_default);
580 }
581 else if (strcasecmp (broken_list[i], "NORMAL") == 0)
582 {
583 _set_priority (&(*priority_cache)->cipher, cipher_priority_normal);
584 _set_priority (&(*priority_cache)->kx, kx_priority_secure);
585 _set_priority (&(*priority_cache)->mac, mac_priority_normal);
586 _set_priority (&(*priority_cache)->sign_algo,
587 sign_priority_default);
588 }
589 else if (strcasecmp (broken_list[i], "SECURE256") == 0
590 || strcasecmp (broken_list[i], "SECURE") == 0)
591 {
592 _set_priority (&(*priority_cache)->cipher,
593 cipher_priority_secure256);
594 _set_priority (&(*priority_cache)->kx, kx_priority_secure);
595 _set_priority (&(*priority_cache)->mac, mac_priority_secure);
596 _set_priority (&(*priority_cache)->sign_algo,
597 sign_priority_secure256);
598 }
599 else if (strcasecmp (broken_list[i], "SECURE128") == 0)
600 {
601 _set_priority (&(*priority_cache)->cipher,
602 cipher_priority_secure128);
603 _set_priority (&(*priority_cache)->kx, kx_priority_secure);
604 _set_priority (&(*priority_cache)->mac, mac_priority_secure);
605 _set_priority (&(*priority_cache)->sign_algo,
606 sign_priority_secure128);
607 }
608 else if (strcasecmp (broken_list[i], "EXPORT") == 0)
609 {
610 _set_priority (&(*priority_cache)->cipher, cipher_priority_export);
611 _set_priority (&(*priority_cache)->kx, kx_priority_export);
612 _set_priority (&(*priority_cache)->mac, mac_priority_secure);
613 _set_priority (&(*priority_cache)->sign_algo,
614 sign_priority_default);
615 } /* now check if the element is something like -ALGO */
616 else if (broken_list[i][0] == '!' || broken_list[i][0] == '+'
617 || broken_list[i][0] == '-')
618 {
619 if (broken_list[i][0] == '+')
620 {
621 fn = prio_add;
622 bulk_fn = _set_priority;
623 }
624 else
625 {
626 fn = prio_remove;
627 bulk_fn = _clear_priorities;
628 }
629
630 if ((algo =
631 gnutls_mac_get_id (&broken_list[i][1])) != GNUTLS_MAC_UNKNOWN)
632 fn (&(*priority_cache)->mac, algo);
633 else if ((algo = gnutls_cipher_get_id (&broken_list[i][1])) !=
634 GNUTLS_CIPHER_UNKNOWN)
635 fn (&(*priority_cache)->cipher, algo);
636 else if ((algo = gnutls_kx_get_id (&broken_list[i][1])) !=
637 GNUTLS_KX_UNKNOWN)
638 fn (&(*priority_cache)->kx, algo);
639 else if (strncasecmp (&broken_list[i][1], "VERS-", 5) == 0)
640 {
641 if (strncasecmp (&broken_list[i][1], "VERS-TLS-ALL", 12) == 0)
642 {
643 bulk_fn (&(*priority_cache)->protocol,
644 protocol_priority);
645 }
646 else
647 {
648 if ((algo =
649 gnutls_protocol_get_id (&broken_list[i][6])) !=
650 GNUTLS_VERSION_UNKNOWN)
651 fn (&(*priority_cache)->protocol, algo);
652 else
653 goto error;
654
655 }
656 } /* now check if the element is something like -ALGO */
657 else if (strncasecmp (&broken_list[i][1], "COMP-", 5) == 0)
658 {
659 if (strncasecmp (&broken_list[i][1], "COMP-ALL", 8) == 0)
660 {
661 bulk_fn (&(*priority_cache)->compression,
662 comp_priority);
663 }
664 else
665 {
666 if ((algo =
667 gnutls_compression_get_id (&broken_list[i][6])) !=
668 GNUTLS_COMP_UNKNOWN)
669 fn (&(*priority_cache)->compression, algo);
670 else
671 goto error;
672 }
673 } /* now check if the element is something like -ALGO */
674 else if (strncasecmp (&broken_list[i][1], "CTYPE-", 6) == 0)
675 {
676 if (strncasecmp (&broken_list[i][1], "CTYPE-ALL", 9) == 0)
677 {
678 bulk_fn (&(*priority_cache)->cert_type,
679 cert_type_priority);
680 }
681 else
682 {
683 if ((algo =
684 gnutls_certificate_type_get_id (&broken_list[i][7])) !=
685 GNUTLS_CRT_UNKNOWN)
686 fn (&(*priority_cache)->cert_type, algo);
687 else
688 goto error;
689 }
690 } /* now check if the element is something like -ALGO */
691 else if (strncasecmp (&broken_list[i][1], "SIGN-", 5) == 0)
692 {
693 if (strncasecmp (&broken_list[i][1], "SIGN-ALL", 8) == 0)
694 {
695 bulk_fn (&(*priority_cache)->sign_algo,
696 sign_priority_default);
697 }
698 else
699 {
700 if ((algo =
701 gnutls_sign_get_id (&broken_list[i][6])) !=
702 GNUTLS_SIGN_UNKNOWN)
703 fn (&(*priority_cache)->sign_algo, algo);
704 else
705 goto error;
706 }
707 }
708 else if (strncasecmp (&broken_list[i][1], "MAC-ALL", 7) == 0)
709 {
710 bulk_fn (&(*priority_cache)->mac,
711 mac_priority_secure);
712 }
713 else if (strncasecmp (&broken_list[i][1], "CIPHER-ALL", 7) == 0)
714 {
715 bulk_fn (&(*priority_cache)->cipher,
716 cipher_priority_normal);
717 }
718 else
719 goto error;
720 }
721 else if (broken_list[i][0] == '%')
722 {
723 if (strcasecmp (&broken_list[i][1], "COMPAT") == 0)
724 {
725 (*priority_cache)->no_padding = 1;
726 (*priority_cache)->allow_large_records = 1;
727 }
728 else if (strcasecmp (&broken_list[i][1],
729 "VERIFY_ALLOW_SIGN_RSA_MD5") == 0)
730 {
731 prio_add (&(*priority_cache)->sign_algo, GNUTLS_SIGN_RSA_MD5);
732 (*priority_cache)->additional_verify_flags |=
733 GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5;
734 }
735 else if (strcasecmp (&broken_list[i][1],
736 "SSL3_RECORD_VERSION") == 0)
737 (*priority_cache)->ssl3_record_version = 1;
738 else if (strcasecmp (&broken_list[i][1],
739 "LATEST_RECORD_VERSION") == 0)
740 (*priority_cache)->ssl3_record_version = 0;
741 else if (strcasecmp (&broken_list[i][1],
742 "VERIFY_ALLOW_X509_V1_CA_CRT") == 0)
743 (*priority_cache)->additional_verify_flags |=
744 GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;
745 else if (strcasecmp (&broken_list[i][1],
746 "UNSAFE_RENEGOTIATION") == 0)
747 {
748 (*priority_cache)->sr = SR_UNSAFE;
749 }
750 else if (strcasecmp (&broken_list[i][1], "SAFE_RENEGOTIATION") == 0)
751 {
752 (*priority_cache)->sr = SR_SAFE;
753 }
754 else if (strcasecmp (&broken_list[i][1],
755 "PARTIAL_RENEGOTIATION") == 0)
756 {
757 (*priority_cache)->sr = SR_PARTIAL;
758 }
759 else if (strcasecmp (&broken_list[i][1],
760 "DISABLE_SAFE_RENEGOTIATION") == 0)
761 {
762 (*priority_cache)->sr = SR_DISABLED;
763 }
764 else
765 goto error;
766 }
767 else
768 goto error;
769 }
770
771 gnutls_free (darg);
772 return 0;
773
774 error:
775 if (err_pos != NULL && i < broken_list_size)
776 {
777 *err_pos = priorities;
778 for (j = 0; j < i; j++)
779 {
780 (*err_pos) += strlen (broken_list[j]) + 1;
781 }
782 }
783 gnutls_free (darg);
784 gnutls_free (*priority_cache);
785
786 return GNUTLS_E_INVALID_REQUEST;
787
788 }
789
790 /**
791 * gnutls_priority_deinit:
792 * @priority_cache: is a #gnutls_prioritity_t structure.
793 *
794 * Deinitializes the priority cache.
795 **/
796 void
797 gnutls_priority_deinit (gnutls_priority_t priority_cache)
798 {
799 gnutls_free (priority_cache);
800 }
801
802
803 /**
804 * gnutls_priority_set_direct:
805 * @session: is a #gnutls_session_t structure.
806 * @priorities: is a string describing priorities
807 * @err_pos: In case of an error this will have the position in the string the error occured
808 *
809 * Sets the priorities to use on the ciphers, key exchange methods,
810 * macs and compression methods. This function avoids keeping a
811 * priority cache and is used to directly set string priorities to a
812 * TLS session. For documentation check the gnutls_priority_init().
813 *
814 * Returns: On syntax error %GNUTLS_E_INVALID_REQUEST is returned,
815 * %GNUTLS_E_SUCCESS on success, or an error code.
816 **/
817 int
818 gnutls_priority_set_direct (gnutls_session_t session,
819 const char *priorities, const char **err_pos)
820 {
821 gnutls_priority_t prio;
822 int ret;
823
824 ret = gnutls_priority_init (&prio, priorities, err_pos);
825 if (ret < 0)
826 {
827 gnutls_assert ();
828 return ret;
829 }
830
831 ret = gnutls_priority_set (session, prio);
832 if (ret < 0)
833 {
834 gnutls_assert ();
835 return ret;
836 }
837
838 gnutls_priority_deinit (prio);
839
840 return 0;
841 }
842
843 /* Breaks a list of "xxx", "yyy", to a character array, of
844 * MAX_COMMA_SEP_ELEMENTS size; Note that the given string is modified.
845 */
846 static void
847 break_comma_list (char *etag,
848 char **broken_etag, int *elements, int max_elements,
849 char sep)
850 {
851 char *p = etag;
852 if (sep == 0)
853 sep = ',';
854
855 *elements = 0;
856
857 do
858 {
859 broken_etag[*elements] = p;
860
861 (*elements)++;
862
863 p = strchr (p, sep);
864 if (p)
865 {
866 *p = 0;
867 p++; /* move to next entry and skip white
868 * space.
869 */
870 while (*p == ' ')
871 p++;
872 }
873 }
874 while (p != NULL && *elements < max_elements);
875 }
876
877 /**
878 * gnutls_set_default_priority:
879 * @session: is a #gnutls_session_t structure.
880 *
881 * Sets some default priority on the ciphers, key exchange methods,
882 * macs and compression methods.
883 *
884 * This is the same as calling:
885 *
886 * gnutls_priority_set_direct (session, "NORMAL", NULL);
887 *
888 * This function is kept around for backwards compatibility, but
889 * because of its wide use it is still fully supported. If you wish
890 * to allow users to provide a string that specify which ciphers to
891 * use (which is recommended), you should use
892 * gnutls_priority_set_direct() or gnutls_priority_set() instead.
893 *
894 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
895 **/
896 int
897 gnutls_set_default_priority (gnutls_session_t session)
898 {
899 return gnutls_priority_set_direct (session, "NORMAL", NULL);
900 }
901
902 /**
903 * gnutls_set_default_export_priority:
904 * @session: is a #gnutls_session_t structure.
905 *
906 * Sets some default priority on the ciphers, key exchange methods, macs
907 * and compression methods. This function also includes weak algorithms.
908 *
909 * This is the same as calling:
910 *
911 * gnutls_priority_set_direct (session, "EXPORT", NULL);
912 *
913 * This function is kept around for backwards compatibility, but
914 * because of its wide use it is still fully supported. If you wish
915 * to allow users to provide a string that specify which ciphers to
916 * use (which is recommended), you should use
917 * gnutls_priority_set_direct() or gnutls_priority_set() instead.
918 *
919 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
920 **/
921 int
922 gnutls_set_default_export_priority (gnutls_session_t session)
923 {
924 return gnutls_priority_set_direct (session, "EXPORT", NULL);
925 }
Implementation of the SSL/TLS protocol