diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2007-10-24 16:50:59 +0300 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2007-10-24 16:50:59 +0300 |
commit | e7077f7feefe1584b4597bcda5e420f6d439e8c6 (patch) | |
tree | 64c887ef68a9ff73920b4fa231fa7c75fb6e4c23 | |
parent | c626bc95043787c7f85178ee52bbc3c925b620f8 (diff) | |
download | gnutls-e7077f7feefe1584b4597bcda5e420f6d439e8c6.tar.gz |
Added gnutls_set_default_priority2() and deprecated gnutls_set_default_priority().
-rw-r--r-- | NEWS | 6 | ||||
-rw-r--r-- | doc/examples/ex-client-resume.c | 2 | ||||
-rw-r--r-- | doc/examples/ex-client-srp.c | 2 | ||||
-rw-r--r-- | doc/examples/ex-client-tlsia.c | 2 | ||||
-rw-r--r-- | doc/examples/ex-client1.c | 2 | ||||
-rw-r--r-- | doc/examples/ex-client2.c | 2 | ||||
-rw-r--r-- | doc/examples/ex-serv-anon.c | 2 | ||||
-rw-r--r-- | doc/examples/ex-serv-export.c | 2 | ||||
-rw-r--r-- | doc/examples/ex-serv-pgp.c | 2 | ||||
-rw-r--r-- | doc/examples/ex-serv-srp.c | 2 | ||||
-rw-r--r-- | doc/examples/ex-serv1.c | 5 | ||||
-rw-r--r-- | includes/gnutls/gnutls.h.in | 27 | ||||
-rw-r--r-- | lib/gnutls_priority.c | 243 | ||||
-rw-r--r-- | src/cli.c | 2 | ||||
-rw-r--r-- | src/serv.c | 2 |
15 files changed, 211 insertions, 92 deletions
@@ -13,6 +13,9 @@ of using /dev/random to generate keys. ** Added priority functions that accept strings. +** Added gnutls_set_default_priority2() which accepts a flag to indicate +priorities preferences. + ** Added gnutls_record_disable_padding() to allow servers talking to buggy clients that complain if the TLS 1.0 record protocol padding is used. @@ -21,6 +24,9 @@ used. all supported compatibility options (like disabling padding). ** API and ABI modifications: +gnutls_set_default_priority: DEPRECATED +gnutls_set_default_priority_export: DEPRECATED +gnutls_set_default_priority2: ADDED gnutls_session_enable_compatibility_mode: ADDED gnutls_record_disable_padding: ADDED gnutls_mac_convert_priority: ADDED diff --git a/doc/examples/ex-client-resume.c b/doc/examples/ex-client-resume.c index 3002a0c630..0e73901912 100644 --- a/doc/examples/ex-client-resume.c +++ b/doc/examples/ex-client-resume.c @@ -54,7 +54,7 @@ main (void) gnutls_init (&session, GNUTLS_CLIENT); - gnutls_set_default_priority (session); + gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_PERFORMANCE); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); diff --git a/doc/examples/ex-client-srp.c b/doc/examples/ex-client-srp.c index dde39bb105..ea09c2f82e 100644 --- a/doc/examples/ex-client-srp.c +++ b/doc/examples/ex-client-srp.c @@ -69,7 +69,7 @@ main (void) /* Set the priorities. */ - gnutls_set_default_priority (session); + gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY); gnutls_kx_set_priority( session, kx_priorities); /* put the SRP credentials to the current session diff --git a/doc/examples/ex-client-tlsia.c b/doc/examples/ex-client-tlsia.c index d07953dc9e..40a5670ad6 100644 --- a/doc/examples/ex-client-tlsia.c +++ b/doc/examples/ex-client-tlsia.c @@ -79,7 +79,7 @@ main (void) gnutls_init (&session, GNUTLS_CLIENT); /* Use default priorities */ - gnutls_set_default_priority (session); + gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY); gnutls_kx_set_priority (session, kx_prio); /* put the anonymous and TLS/IA credentials to the current session diff --git a/doc/examples/ex-client1.c b/doc/examples/ex-client1.c index 150c714dc7..6aeceec83b 100644 --- a/doc/examples/ex-client1.c +++ b/doc/examples/ex-client1.c @@ -47,7 +47,7 @@ main (void) gnutls_init (&session, GNUTLS_CLIENT); /* Use default priorities */ - gnutls_set_default_priority (session); + gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_PERFORMANCE); gnutls_kx_set_priority (session, kx_prio); /* put the anonymous credentials to the current session diff --git a/doc/examples/ex-client2.c b/doc/examples/ex-client2.c index 858f6955c1..37b074489b 100644 --- a/doc/examples/ex-client2.c +++ b/doc/examples/ex-client2.c @@ -50,7 +50,7 @@ main (void) gnutls_init (&session, GNUTLS_CLIENT); /* Use default priorities */ - gnutls_set_default_priority (session); + gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_PERFORMANCE); /* put the x509 credentials to the current session */ diff --git a/doc/examples/ex-serv-anon.c b/doc/examples/ex-serv-anon.c index 96b8c64262..22ca9d2933 100644 --- a/doc/examples/ex-serv-anon.c +++ b/doc/examples/ex-serv-anon.c @@ -44,7 +44,7 @@ initialize_tls_session (void) /* avoid calling all the priority functions, since the defaults * are adequate. */ - gnutls_set_default_priority (session); + gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY); gnutls_kx_set_priority (session, kx_prio); gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred); diff --git a/doc/examples/ex-serv-export.c b/doc/examples/ex-serv-export.c index f8c80cf9b6..e457ecff5d 100644 --- a/doc/examples/ex-serv-export.c +++ b/doc/examples/ex-serv-export.c @@ -56,7 +56,7 @@ initialize_tls_session (void) /* Use the default priorities, plus, export cipher suites. */ - gnutls_set_default_export_priority (session); + gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_EXPORT); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, cert_cred); diff --git a/doc/examples/ex-serv-pgp.c b/doc/examples/ex-serv-pgp.c index 27906744f6..be79e3e980 100644 --- a/doc/examples/ex-serv-pgp.c +++ b/doc/examples/ex-serv-pgp.c @@ -68,7 +68,7 @@ initialize_tls_session (void) */ gnutls_set_default_priority (session); - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, cred); + gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY); /* request client certificate if any. */ diff --git a/doc/examples/ex-serv-srp.c b/doc/examples/ex-serv-srp.c index 32a63c3374..b49b965293 100644 --- a/doc/examples/ex-serv-srp.c +++ b/doc/examples/ex-serv-srp.c @@ -50,7 +50,7 @@ initialize_tls_session (void) gnutls_init (&session, GNUTLS_SERVER); - gnutls_set_default_priority (session); + gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY); gnutls_kx_set_priority (session, kx_priority); gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred); diff --git a/doc/examples/ex-serv1.c b/doc/examples/ex-serv1.c index e0327e7f27..b1ed81cd06 100644 --- a/doc/examples/ex-serv1.c +++ b/doc/examples/ex-serv1.c @@ -47,9 +47,10 @@ initialize_tls_session (void) gnutls_init (&session, GNUTLS_SERVER); /* avoid calling all the priority functions, since the defaults - * are adequate. + * are adequate. Depending on the needs it could also be + * GNUTLS_PRIORITIES_PERFORMANCE. */ - gnutls_set_default_priority (session); + gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred); diff --git a/includes/gnutls/gnutls.h.in b/includes/gnutls/gnutls.h.in index 345752474b..70ef5c6183 100644 --- a/includes/gnutls/gnutls.h.in +++ b/includes/gnutls/gnutls.h.in @@ -165,6 +165,13 @@ extern "C" GNUTLS_CLIENT } gnutls_connection_end_t; + typedef enum + { + GNUTLS_PRIORITIES_PERFORMANCE, + GNUTLS_PRIORITIES_SECURITY, + GNUTLS_PRIORITIES_EXPORT + } gnutls_priority_t; + typedef enum { GNUTLS_AL_WARNING = 1, @@ -516,10 +523,26 @@ extern "C" int gnutls_cipher_convert_priority (int* out_priority, int out_priority_len, const char *prio, char sep); int gnutls_certificate_type_convert_priority (int* out_priority, int out_priority_len, const char *prio, char sep); +#ifdef __GNUC__ + +#define _GNUTLS_GCC_VERSION (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__) + +#if _GNUTLS_GCC_VERSION >= 30100 +#define _GNUTLS_GCC_ATTR_DEPRECATED __attribute__ ((__deprecated__)) +#endif + +#endif /* __GNUC__ */ + +#ifndef _GNUTLS_GCC_ATTR_DEPRECATED +#define _GNUTLS_GCC_ATTR_DEPRECATED +#endif + + /* if you just want some defaults, use the following. */ - int gnutls_set_default_priority (gnutls_session_t session); - int gnutls_set_default_export_priority (gnutls_session_t session); + void gnutls_set_default_priority2 (gnutls_session_t session, gnutls_priority_t flag); + int gnutls_set_default_priority (gnutls_session_t session) _GNUTLS_GCC_ATTR_DEPRECATED; + int gnutls_set_default_export_priority (gnutls_session_t session) _GNUTLS_GCC_ATTR_DEPRECATED; /* Returns the name of a cipher suite */ const char *gnutls_cipher_suite_get_name (gnutls_kx_algorithm_t diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c index b65afa710e..52dba9a93a 100644 --- a/lib/gnutls_priority.c +++ b/lib/gnutls_priority.c @@ -275,65 +275,179 @@ gnutls_certificate_type_set_priority (gnutls_session_t session, int gnutls_set_default_priority (gnutls_session_t session) { - static const int protocol_priority[] = { - /* GNUTLS_TLS1_2, -- not finalized yet! */ - GNUTLS_TLS1_1, - GNUTLS_TLS1_0, - GNUTLS_SSL3, - 0 - }; - static const int kx_priority[] = { - GNUTLS_KX_DHE_PSK, - GNUTLS_KX_PSK, - GNUTLS_KX_SRP_RSA, - GNUTLS_KX_SRP_DSS, - GNUTLS_KX_SRP, - GNUTLS_KX_DHE_RSA, - GNUTLS_KX_DHE_DSS, - GNUTLS_KX_RSA, - /* GNUTLS_KX_ANON_DH: Man-in-the-middle prone, don't add! - * GNUTLS_KX_RSA_EXPORT: Deprecated, don't add! - */ - 0 - }; - static const int cipher_priority[] = { - GNUTLS_CIPHER_AES_256_CBC, - GNUTLS_CIPHER_AES_128_CBC, - GNUTLS_CIPHER_3DES_CBC, + + gnutls_set_default_priority2( session, GNUTLS_PRIORITIES_SECURITY); + + return 0; +} + +static const int protocol_priority[] = { + /* GNUTLS_TLS1_2, -- not finalized yet! */ + GNUTLS_TLS1_1, + GNUTLS_TLS1_0, + GNUTLS_SSL3, + 0 +}; + +static const int kx_priority_performance[] = { + GNUTLS_KX_RSA, + GNUTLS_KX_DHE_RSA, + GNUTLS_KX_DHE_DSS, + GNUTLS_KX_PSK, + GNUTLS_KX_DHE_PSK, + GNUTLS_KX_SRP_RSA, + GNUTLS_KX_SRP_DSS, + GNUTLS_KX_SRP, + /* GNUTLS_KX_ANON_DH: Man-in-the-middle prone, don't add! + * GNUTLS_KX_RSA_EXPORT: Deprecated, don't add! + */ + 0 +}; + +static const int kx_priority_export[] = { + GNUTLS_KX_RSA, + GNUTLS_KX_DHE_RSA, + GNUTLS_KX_DHE_DSS, + GNUTLS_KX_PSK, + GNUTLS_KX_DHE_PSK, + GNUTLS_KX_SRP_RSA, + GNUTLS_KX_SRP_DSS, + GNUTLS_KX_SRP, + GNUTLS_KX_RSA_EXPORT, + 0 +}; + +static const int kx_priority_security[] = { + /* The ciphersuites that offer forward secrecy take + * precendance + */ + GNUTLS_KX_DHE_RSA, + GNUTLS_KX_DHE_DSS, + GNUTLS_KX_DHE_PSK, + GNUTLS_KX_SRP_RSA, + GNUTLS_KX_SRP_DSS, + GNUTLS_KX_RSA, + GNUTLS_KX_PSK, + GNUTLS_KX_SRP, + /* GNUTLS_KX_ANON_DH: Man-in-the-middle prone, don't add! + * GNUTLS_KX_RSA_EXPORT: Deprecated, don't add! + */ + 0 +}; + +static const int cipher_priority_performance[] = { + GNUTLS_CIPHER_ARCFOUR_128, + GNUTLS_CIPHER_AES_128_CBC, #ifdef ENABLE_CAMELLIA GNUTLS_CIPHER_CAMELLIA_128_CBC, #endif - GNUTLS_CIPHER_ARCFOUR_128, - /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */ - 0 - }; - static const int comp_priority[] = { - /* GNUTLS_COMP_LZO: Not standardized, don't add! */ - GNUTLS_COMP_DEFLATE, - GNUTLS_COMP_NULL, - 0 - }; - static const int mac_priority[] = { - GNUTLS_MAC_SHA1, - GNUTLS_MAC_MD5, - 0 - }; - static int cert_type_priority[] = { - GNUTLS_CRT_X509, - GNUTLS_CRT_OPENPGP, - 0 - }; - - gnutls_cipher_set_priority (session, cipher_priority); - gnutls_compression_set_priority (session, comp_priority); - gnutls_kx_set_priority (session, kx_priority); + GNUTLS_CIPHER_AES_256_CBC, + GNUTLS_CIPHER_3DES_CBC, + /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */ + 0 +}; + + +static const int cipher_priority_security[] = { + GNUTLS_CIPHER_AES_256_CBC, + GNUTLS_CIPHER_AES_128_CBC, +#ifdef ENABLE_CAMELLIA + GNUTLS_CIPHER_CAMELLIA_128_CBC, +#endif + GNUTLS_CIPHER_3DES_CBC, + GNUTLS_CIPHER_ARCFOUR_128, + /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */ + 0 +}; + +static const int cipher_priority_export[] = { + GNUTLS_CIPHER_ARCFOUR_128, + GNUTLS_CIPHER_AES_128_CBC, +#ifdef ENABLE_CAMELLIA + GNUTLS_CIPHER_CAMELLIA_128_CBC, +#endif + GNUTLS_CIPHER_AES_256_CBC, + GNUTLS_CIPHER_3DES_CBC, + GNUTLS_CIPHER_ARCFOUR_40, + 0 +}; + +static const int comp_priority[] = { + /* compression should be explicitely requested to be enabled */ + GNUTLS_COMP_NULL, + 0 +}; + + +static const int mac_priority_performance[] = { + GNUTLS_MAC_MD5, + GNUTLS_MAC_SHA1, + 0 +}; + +static const int mac_priority_security[] = { + GNUTLS_MAC_SHA1, + GNUTLS_MAC_MD5, + 0 +}; + +#define mac_priority_export mac_priority_security + +static int cert_type_priority[] = { + GNUTLS_CRT_X509, + GNUTLS_CRT_OPENPGP, + 0 +}; + + +/** + * gnutls_set_default_priority2 - Sets some default priority on the cipher suites supported by gnutls. + * @session: is a #gnutls_session_t structure. + * + * Sets some default priority on the ciphers, key exchange methods, + * macs and compression methods. This is to avoid using the + * gnutls_*_priority() functions, if these defaults are ok. You may + * override any of the following priorities by calling the + * appropriate functions. + * + * The default order is: + * Protocols: TLS 1.1, TLS 1.0, and SSL3. + * Compression: NULL. + * Certificate types: X.509, OpenPGP + * + * When performance is requested the fastest ciphers and key exchange + * methods are used, whilst in security, the most conservative options + * are set. + * + * Returns 0 on success. + * + **/ +void +gnutls_set_default_priority2 (gnutls_session_t session, gnutls_priority_t flag) +{ + + if (flag == GNUTLS_PRIORITIES_PERFORMANCE) { + gnutls_cipher_set_priority (session, cipher_priority_performance); + gnutls_kx_set_priority (session, kx_priority_performance); + gnutls_mac_set_priority (session, mac_priority_performance); + } else if (flag == GNUTLS_PRIORITIES_SECURITY) { + gnutls_cipher_set_priority (session, cipher_priority_security); + gnutls_kx_set_priority (session, kx_priority_security); + gnutls_mac_set_priority (session, mac_priority_security); + } else if (flag == GNUTLS_PRIORITIES_EXPORT) { + gnutls_cipher_set_priority (session, cipher_priority_export); + gnutls_kx_set_priority (session, kx_priority_export); + gnutls_mac_set_priority (session, mac_priority_export); + } + gnutls_protocol_set_priority (session, protocol_priority); - gnutls_mac_set_priority (session, mac_priority); + gnutls_compression_set_priority (session, comp_priority); gnutls_certificate_type_set_priority (session, cert_type_priority); - return 0; + return; } + /** * gnutls_set_default_export_priority - Sets some default priority on the cipher suites supported by gnutls. * @session: is a #gnutls_session_t structure. @@ -353,32 +467,7 @@ gnutls_set_default_priority (gnutls_session_t session) int gnutls_set_default_export_priority (gnutls_session_t session) { - static const int protocol_priority[] = { - GNUTLS_TLS1, GNUTLS_SSL3, 0 - }; - static const int kx_priority[] = { - GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, - GNUTLS_KX_RSA_EXPORT, 0 - }; - static const int cipher_priority[] = { - GNUTLS_CIPHER_AES_256_CBC, - GNUTLS_CIPHER_AES_128_CBC, - GNUTLS_CIPHER_3DES_CBC, -#ifdef ENABLE_CAMELLIA - GNUTLS_CIPHER_CAMELLIA_128_CBC, -#endif - GNUTLS_CIPHER_ARCFOUR_128, - GNUTLS_CIPHER_ARCFOUR_40, 0 - }; - static const int comp_priority[] = { GNUTLS_COMP_NULL, 0 }; - static const int mac_priority[] = - { GNUTLS_MAC_SHA1, GNUTLS_MAC_MD5, 0 }; - - gnutls_cipher_set_priority (session, cipher_priority); - gnutls_compression_set_priority (session, comp_priority); - gnutls_kx_set_priority (session, kx_priority); - gnutls_protocol_set_priority (session, protocol_priority); - gnutls_mac_set_priority (session, mac_priority); + gnutls_set_default_priority2( session, GNUTLS_PRIORITIES_EXPORT); return 0; } @@ -378,7 +378,7 @@ init_tls_session (const char *hostname) gnutls_init (&session, GNUTLS_CLIENT); - gnutls_set_default_priority (session); + gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_PERFORMANCE); /* allow the use of private ciphersuites. */ diff --git a/src/serv.c b/src/serv.c index f4d687cba6..9ab93d4755 100644 --- a/src/serv.c +++ b/src/serv.c @@ -380,7 +380,7 @@ initialize_session (void) gnutls_db_set_ptr (session, NULL); } - gnutls_set_default_priority (session); + gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_PERFORMANCE); if (cipher_priority[0]) gnutls_cipher_set_priority (session, cipher_priority); |