authorNikos Mavrogiannopoulos <nmav@gnutls.org>2007-10-24 16:50:59 +0300
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2007-10-24 16:50:59 +0300
commite7077f7feefe1584b4597bcda5e420f6d439e8c6 (patch)
tree64c887ef68a9ff73920b4fa231fa7c75fb6e4c23
parentc626bc95043787c7f85178ee52bbc3c925b620f8 (diff)
downloadgnutls-e7077f7feefe1584b4597bcda5e420f6d439e8c6.tar.gz
Added gnutls_set_default_priority2() and deprecated gnutls_set_default_priority().
-rw-r--r--NEWS6
-rw-r--r--doc/examples/ex-client-resume.c2
-rw-r--r--doc/examples/ex-client-srp.c2
-rw-r--r--doc/examples/ex-client-tlsia.c2
-rw-r--r--doc/examples/ex-client1.c2
-rw-r--r--doc/examples/ex-client2.c2
-rw-r--r--doc/examples/ex-serv-anon.c2
-rw-r--r--doc/examples/ex-serv-export.c2
-rw-r--r--doc/examples/ex-serv-pgp.c2
-rw-r--r--doc/examples/ex-serv-srp.c2
-rw-r--r--doc/examples/ex-serv1.c5
-rw-r--r--includes/gnutls/gnutls.h.in27
-rw-r--r--lib/gnutls_priority.c243
-rw-r--r--src/cli.c2
-rw-r--r--src/serv.c2
15 files changed, 211 insertions, 92 deletions
diff --git a/NEWS b/NEWS
index e257a93013..5d6e644eac 100644
--- a/NEWS
+++ b/NEWS
@@ -13,6 +13,9 @@ of using /dev/random to generate keys.
** Added priority functions that accept strings.
+** Added gnutls_set_default_priority2() which accepts a flag to indicate
+priorities preferences.
+
** Added gnutls_record_disable_padding() to allow servers talking to
buggy clients that complain if the TLS 1.0 record protocol padding is
used.
@@ -21,6 +24,9 @@ used.
all supported compatibility options (like disabling padding).
** API and ABI modifications:
+gnutls_set_default_priority: DEPRECATED
+gnutls_set_default_priority_export: DEPRECATED
+gnutls_set_default_priority2: ADDED
gnutls_session_enable_compatibility_mode: ADDED
gnutls_record_disable_padding: ADDED
gnutls_mac_convert_priority: ADDED
diff --git a/doc/examples/ex-client-resume.c b/doc/examples/ex-client-resume.c
index 3002a0c630..0e73901912 100644
--- a/doc/examples/ex-client-resume.c
+++ b/doc/examples/ex-client-resume.c
@@ -54,7 +54,7 @@ main (void)
gnutls_init (&session, GNUTLS_CLIENT);
- gnutls_set_default_priority (session);
+ gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_PERFORMANCE);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
diff --git a/doc/examples/ex-client-srp.c b/doc/examples/ex-client-srp.c
index dde39bb105..ea09c2f82e 100644
--- a/doc/examples/ex-client-srp.c
+++ b/doc/examples/ex-client-srp.c
@@ -69,7 +69,7 @@ main (void)
/* Set the priorities.
*/
- gnutls_set_default_priority (session);
+ gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY);
gnutls_kx_set_priority( session, kx_priorities);
/* put the SRP credentials to the current session
diff --git a/doc/examples/ex-client-tlsia.c b/doc/examples/ex-client-tlsia.c
index d07953dc9e..40a5670ad6 100644
--- a/doc/examples/ex-client-tlsia.c
+++ b/doc/examples/ex-client-tlsia.c
@@ -79,7 +79,7 @@ main (void)
gnutls_init (&session, GNUTLS_CLIENT);
/* Use default priorities */
- gnutls_set_default_priority (session);
+ gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY);
gnutls_kx_set_priority (session, kx_prio);
/* put the anonymous and TLS/IA credentials to the current session
diff --git a/doc/examples/ex-client1.c b/doc/examples/ex-client1.c
index 150c714dc7..6aeceec83b 100644
--- a/doc/examples/ex-client1.c
+++ b/doc/examples/ex-client1.c
@@ -47,7 +47,7 @@ main (void)
gnutls_init (&session, GNUTLS_CLIENT);
/* Use default priorities */
- gnutls_set_default_priority (session);
+ gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_PERFORMANCE);
gnutls_kx_set_priority (session, kx_prio);
/* put the anonymous credentials to the current session
diff --git a/doc/examples/ex-client2.c b/doc/examples/ex-client2.c
index 858f6955c1..37b074489b 100644
--- a/doc/examples/ex-client2.c
+++ b/doc/examples/ex-client2.c
@@ -50,7 +50,7 @@ main (void)
gnutls_init (&session, GNUTLS_CLIENT);
/* Use default priorities */
- gnutls_set_default_priority (session);
+ gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_PERFORMANCE);
/* put the x509 credentials to the current session
*/
diff --git a/doc/examples/ex-serv-anon.c b/doc/examples/ex-serv-anon.c
index 96b8c64262..22ca9d2933 100644
--- a/doc/examples/ex-serv-anon.c
+++ b/doc/examples/ex-serv-anon.c
@@ -44,7 +44,7 @@ initialize_tls_session (void)
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
- gnutls_set_default_priority (session);
+ gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY);
gnutls_kx_set_priority (session, kx_prio);
gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred);
diff --git a/doc/examples/ex-serv-export.c b/doc/examples/ex-serv-export.c
index f8c80cf9b6..e457ecff5d 100644
--- a/doc/examples/ex-serv-export.c
+++ b/doc/examples/ex-serv-export.c
@@ -56,7 +56,7 @@ initialize_tls_session (void)
/* Use the default priorities, plus, export cipher suites.
*/
- gnutls_set_default_export_priority (session);
+ gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_EXPORT);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, cert_cred);
diff --git a/doc/examples/ex-serv-pgp.c b/doc/examples/ex-serv-pgp.c
index 27906744f6..be79e3e980 100644
--- a/doc/examples/ex-serv-pgp.c
+++ b/doc/examples/ex-serv-pgp.c
@@ -68,7 +68,7 @@ initialize_tls_session (void)
*/
gnutls_set_default_priority (session);
- gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, cred);
+ gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY);
/* request client certificate if any.
*/
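Review bot: The new side of this hunk drops `gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, cred);` and leaves the deprecated `gnutls_set_default_priority (session);` in place, so the example server no longer attaches its certificate credentials and calls the old priority function immediately before the new one. The intended edit is presumably the same one-line substitution made in the other examples: replace the `gnutls_set_default_priority (session);` line with `gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY);` and keep the `gnutls_credentials_set` call as it was. initialize_tls_session continues outside the hunk.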
diff --git a/doc/examples/ex-serv-srp.c b/doc/examples/ex-serv-srp.c
index 32a63c3374..b49b965293 100644
--- a/doc/examples/ex-serv-srp.c
+++ b/doc/examples/ex-serv-srp.c
@@ -50,7 +50,7 @@ initialize_tls_session (void)
gnutls_init (&session, GNUTLS_SERVER);
- gnutls_set_default_priority (session);
+ gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY);
gnutls_kx_set_priority (session, kx_priority);
gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred);
diff --git a/doc/examples/ex-serv1.c b/doc/examples/ex-serv1.c
index e0327e7f27..b1ed81cd06 100644
--- a/doc/examples/ex-serv1.c
+++ b/doc/examples/ex-serv1.c
@@ -47,9 +47,10 @@ initialize_tls_session (void)
gnutls_init (&session, GNUTLS_SERVER);
/* avoid calling all the priority functions, since the defaults
- * are adequate.
+ * are adequate. Depending on the needs it could also be
+ * GNUTLS_PRIORITIES_PERFORMANCE.
*/
- gnutls_set_default_priority (session);
+ gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred);
diff --git a/includes/gnutls/gnutls.h.in b/includes/gnutls/gnutls.h.in
index 345752474b..70ef5c6183 100644
--- a/includes/gnutls/gnutls.h.in
+++ b/includes/gnutls/gnutls.h.in
@@ -165,6 +165,13 @@ extern "C"
GNUTLS_CLIENT
} gnutls_connection_end_t;
+ typedef enum
+ {
+ GNUTLS_PRIORITIES_PERFORMANCE,
+ GNUTLS_PRIORITIES_SECURITY,
+ GNUTLS_PRIORITIES_EXPORT
+ } gnutls_priority_t;
+
typedef enum
{
GNUTLS_AL_WARNING = 1,
@@ -516,10 +523,26 @@ extern "C"
int gnutls_cipher_convert_priority (int* out_priority, int out_priority_len, const char *prio, char sep);
int gnutls_certificate_type_convert_priority (int* out_priority, int out_priority_len, const char *prio, char sep);
+#ifdef __GNUC__
+
+#define _GNUTLS_GCC_VERSION (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__)
+
+#if _GNUTLS_GCC_VERSION >= 30100
+#define _GNUTLS_GCC_ATTR_DEPRECATED __attribute__ ((__deprecated__))
+#endif
+
+#endif /* __GNUC__ */
+
+#ifndef _GNUTLS_GCC_ATTR_DEPRECATED
+#define _GNUTLS_GCC_ATTR_DEPRECATED
+#endif
+
+
/* if you just want some defaults, use the following.
*/
- int gnutls_set_default_priority (gnutls_session_t session);
- int gnutls_set_default_export_priority (gnutls_session_t session);
+ void gnutls_set_default_priority2 (gnutls_session_t session, gnutls_priority_t flag);
+ int gnutls_set_default_priority (gnutls_session_t session) _GNUTLS_GCC_ATTR_DEPRECATED;
+ int gnutls_set_default_export_priority (gnutls_session_t session) _GNUTLS_GCC_ATTR_DEPRECATED;
/* Returns the name of a cipher suite */
const char *gnutls_cipher_suite_get_name (gnutls_kx_algorithm_t
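Review bot: `_GNUTLS_GCC_VERSION` and `_GNUTLS_GCC_ATTR_DEPRECATED` are introduced in the installed public header with a leading underscore followed by an uppercase letter, a spelling C reserves for the implementation, and `_GNUTLS_GCC_VERSION` is never undefined, so the helper escapes into every translation unit that includes the header. An `#undef _GNUTLS_GCC_VERSION` right after the `#if _GNUTLS_GCC_VERSION >= 30100` block, or a non-reserved project-prefixed name for both macros, keeps the header self-contained. The new declaration also gives `gnutls_set_default_priority2` a `void` return while the two functions it deprecates return `int`, so callers that checked the old return value have no equivalent; if that is intentional, the comment `/* if you just want some defaults, use the following. */` is the place to say the new call cannot fail.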
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index b65afa710e..52dba9a93a 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -275,65 +275,179 @@ gnutls_certificate_type_set_priority (gnutls_session_t session,
int
gnutls_set_default_priority (gnutls_session_t session)
{
- static const int protocol_priority[] = {
- /* GNUTLS_TLS1_2, -- not finalized yet! */
- GNUTLS_TLS1_1,
- GNUTLS_TLS1_0,
- GNUTLS_SSL3,
- 0
- };
- static const int kx_priority[] = {
- GNUTLS_KX_DHE_PSK,
- GNUTLS_KX_PSK,
- GNUTLS_KX_SRP_RSA,
- GNUTLS_KX_SRP_DSS,
- GNUTLS_KX_SRP,
- GNUTLS_KX_DHE_RSA,
- GNUTLS_KX_DHE_DSS,
- GNUTLS_KX_RSA,
- /* GNUTLS_KX_ANON_DH: Man-in-the-middle prone, don't add!
- * GNUTLS_KX_RSA_EXPORT: Deprecated, don't add!
- */
- 0
- };
- static const int cipher_priority[] = {
- GNUTLS_CIPHER_AES_256_CBC,
- GNUTLS_CIPHER_AES_128_CBC,
- GNUTLS_CIPHER_3DES_CBC,
+
+ gnutls_set_default_priority2( session, GNUTLS_PRIORITIES_SECURITY);
+
+ return 0;
+}
+
+static const int protocol_priority[] = {
+ /* GNUTLS_TLS1_2, -- not finalized yet! */
+ GNUTLS_TLS1_1,
+ GNUTLS_TLS1_0,
+ GNUTLS_SSL3,
+ 0
+};
+
+static const int kx_priority_performance[] = {
+ GNUTLS_KX_RSA,
+ GNUTLS_KX_DHE_RSA,
+ GNUTLS_KX_DHE_DSS,
+ GNUTLS_KX_PSK,
+ GNUTLS_KX_DHE_PSK,
+ GNUTLS_KX_SRP_RSA,
+ GNUTLS_KX_SRP_DSS,
+ GNUTLS_KX_SRP,
+ /* GNUTLS_KX_ANON_DH: Man-in-the-middle prone, don't add!
+ * GNUTLS_KX_RSA_EXPORT: Deprecated, don't add!
+ */
+ 0
+};
+
+static const int kx_priority_export[] = {
+ GNUTLS_KX_RSA,
+ GNUTLS_KX_DHE_RSA,
+ GNUTLS_KX_DHE_DSS,
+ GNUTLS_KX_PSK,
+ GNUTLS_KX_DHE_PSK,
+ GNUTLS_KX_SRP_RSA,
+ GNUTLS_KX_SRP_DSS,
+ GNUTLS_KX_SRP,
+ GNUTLS_KX_RSA_EXPORT,
+ 0
+};
+
+static const int kx_priority_security[] = {
+ /* The ciphersuites that offer forward secrecy take
+ * precendance
+ */
+ GNUTLS_KX_DHE_RSA,
+ GNUTLS_KX_DHE_DSS,
+ GNUTLS_KX_DHE_PSK,
+ GNUTLS_KX_SRP_RSA,
+ GNUTLS_KX_SRP_DSS,
+ GNUTLS_KX_RSA,
+ GNUTLS_KX_PSK,
+ GNUTLS_KX_SRP,
+ /* GNUTLS_KX_ANON_DH: Man-in-the-middle prone, don't add!
+ * GNUTLS_KX_RSA_EXPORT: Deprecated, don't add!
+ */
+ 0
+};
+
+static const int cipher_priority_performance[] = {
+ GNUTLS_CIPHER_ARCFOUR_128,
+ GNUTLS_CIPHER_AES_128_CBC,
#ifdef ENABLE_CAMELLIA
GNUTLS_CIPHER_CAMELLIA_128_CBC,
#endif
- GNUTLS_CIPHER_ARCFOUR_128,
- /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */
- 0
- };
- static const int comp_priority[] = {
- /* GNUTLS_COMP_LZO: Not standardized, don't add! */
- GNUTLS_COMP_DEFLATE,
- GNUTLS_COMP_NULL,
- 0
- };
- static const int mac_priority[] = {
- GNUTLS_MAC_SHA1,
- GNUTLS_MAC_MD5,
- 0
- };
- static int cert_type_priority[] = {
- GNUTLS_CRT_X509,
- GNUTLS_CRT_OPENPGP,
- 0
- };
-
- gnutls_cipher_set_priority (session, cipher_priority);
- gnutls_compression_set_priority (session, comp_priority);
- gnutls_kx_set_priority (session, kx_priority);
+ GNUTLS_CIPHER_AES_256_CBC,
+ GNUTLS_CIPHER_3DES_CBC,
+ /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */
+ 0
+};
+
+
+static const int cipher_priority_security[] = {
+ GNUTLS_CIPHER_AES_256_CBC,
+ GNUTLS_CIPHER_AES_128_CBC,
+#ifdef ENABLE_CAMELLIA
+ GNUTLS_CIPHER_CAMELLIA_128_CBC,
+#endif
+ GNUTLS_CIPHER_3DES_CBC,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */
+ 0
+};
+
+static const int cipher_priority_export[] = {
+ GNUTLS_CIPHER_ARCFOUR_128,
+ GNUTLS_CIPHER_AES_128_CBC,
+#ifdef ENABLE_CAMELLIA
+ GNUTLS_CIPHER_CAMELLIA_128_CBC,
+#endif
+ GNUTLS_CIPHER_AES_256_CBC,
+ GNUTLS_CIPHER_3DES_CBC,
+ GNUTLS_CIPHER_ARCFOUR_40,
+ 0
+};
+
+static const int comp_priority[] = {
+ /* compression should be explicitely requested to be enabled */
+ GNUTLS_COMP_NULL,
+ 0
+};
+
+
+static const int mac_priority_performance[] = {
+ GNUTLS_MAC_MD5,
+ GNUTLS_MAC_SHA1,
+ 0
+};
+
+static const int mac_priority_security[] = {
+ GNUTLS_MAC_SHA1,
+ GNUTLS_MAC_MD5,
+ 0
+};
+
+#define mac_priority_export mac_priority_security
+
+static int cert_type_priority[] = {
+ GNUTLS_CRT_X509,
+ GNUTLS_CRT_OPENPGP,
+ 0
+};
+
+
+/**
+ * gnutls_set_default_priority2 - Sets some default priority on the cipher suites supported by gnutls.
+ * @session: is a #gnutls_session_t structure.
+ *
+ * Sets some default priority on the ciphers, key exchange methods,
+ * macs and compression methods. This is to avoid using the
+ * gnutls_*_priority() functions, if these defaults are ok. You may
+ * override any of the following priorities by calling the
+ * appropriate functions.
+ *
+ * The default order is:
+ * Protocols: TLS 1.1, TLS 1.0, and SSL3.
+ * Compression: NULL.
+ * Certificate types: X.509, OpenPGP
+ *
+ * When performance is requested the fastest ciphers and key exchange
+ * methods are used, whilst in security, the most conservative options
+ * are set.
+ *
+ * Returns 0 on success.
+ *
+ **/
+void
+gnutls_set_default_priority2 (gnutls_session_t session, gnutls_priority_t flag)
+{
+
+ if (flag == GNUTLS_PRIORITIES_PERFORMANCE) {
+ gnutls_cipher_set_priority (session, cipher_priority_performance);
+ gnutls_kx_set_priority (session, kx_priority_performance);
+ gnutls_mac_set_priority (session, mac_priority_performance);
+ } else if (flag == GNUTLS_PRIORITIES_SECURITY) {
+ gnutls_cipher_set_priority (session, cipher_priority_security);
+ gnutls_kx_set_priority (session, kx_priority_security);
+ gnutls_mac_set_priority (session, mac_priority_security);
+ } else if (flag == GNUTLS_PRIORITIES_EXPORT) {
+ gnutls_cipher_set_priority (session, cipher_priority_export);
+ gnutls_kx_set_priority (session, kx_priority_export);
+ gnutls_mac_set_priority (session, mac_priority_export);
+ }
+
gnutls_protocol_set_priority (session, protocol_priority);
- gnutls_mac_set_priority (session, mac_priority);
+ gnutls_compression_set_priority (session, comp_priority);
gnutls_certificate_type_set_priority (session, cert_type_priority);
- return 0;
+ return;
}
+
/**
* gnutls_set_default_export_priority - Sets some default priority on the cipher suites supported by gnutls.
* @session: is a #gnutls_session_t structure.
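Review bot: In `gnutls_set_default_priority2` the `if`/`else if` chain over `flag` has no final branch, so a value outside the three enumerators leaves the cipher, key-exchange and MAC priorities untouched (whatever the session held before) while the protocol, compression and certificate-type priorities are still overwritten, a partially applied state that is hard to diagnose. A `switch` whose `default:` shares the `GNUTLS_PRIORITIES_SECURITY` branch keeps the function total and fails closed, and makes the trailing `return;` in the void body unnecessary. The kernel-doc header above the function still says `Returns 0 on success.` although the function is now `void`, and it documents `@session:` but not `@flag:`; drop the return line and add `@flag: one of %GNUTLS_PRIORITIES_PERFORMANCE, %GNUTLS_PRIORITIES_SECURITY or %GNUTLS_PRIORITIES_EXPORT`. The comment in `kx_priority_security` spells "precendance" for "precedence".
```c
void
gnutls_set_default_priority2 (gnutls_session_t session, gnutls_priority_t flag)
{
  switch (flag)
    {
    case GNUTLS_PRIORITIES_PERFORMANCE:
      gnutls_cipher_set_priority (session, cipher_priority_performance);
      gnutls_kx_set_priority (session, kx_priority_performance);
      gnutls_mac_set_priority (session, mac_priority_performance);
      break;
    case GNUTLS_PRIORITIES_EXPORT:
      gnutls_cipher_set_priority (session, cipher_priority_export);
      gnutls_kx_set_priority (session, kx_priority_export);
      gnutls_mac_set_priority (session, mac_priority_export);
      break;
    case GNUTLS_PRIORITIES_SECURITY:
    default:
      /* Unknown flag values fall back to the conservative set. */
      gnutls_cipher_set_priority (session, cipher_priority_security);
      gnutls_kx_set_priority (session, kx_priority_security);
      gnutls_mac_set_priority (session, mac_priority_security);
      break;
    }

  /* … unchanged: protocol, compression and certificate-type priorities … */
```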
@@ -353,32 +467,7 @@ gnutls_set_default_priority (gnutls_session_t session)
int
gnutls_set_default_export_priority (gnutls_session_t session)
{
- static const int protocol_priority[] = {
- GNUTLS_TLS1, GNUTLS_SSL3, 0
- };
- static const int kx_priority[] = {
- GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA,
- GNUTLS_KX_RSA_EXPORT, 0
- };
- static const int cipher_priority[] = {
- GNUTLS_CIPHER_AES_256_CBC,
- GNUTLS_CIPHER_AES_128_CBC,
- GNUTLS_CIPHER_3DES_CBC,
-#ifdef ENABLE_CAMELLIA
- GNUTLS_CIPHER_CAMELLIA_128_CBC,
-#endif
- GNUTLS_CIPHER_ARCFOUR_128,
- GNUTLS_CIPHER_ARCFOUR_40, 0
- };
- static const int comp_priority[] = { GNUTLS_COMP_NULL, 0 };
- static const int mac_priority[] =
- { GNUTLS_MAC_SHA1, GNUTLS_MAC_MD5, 0 };
-
- gnutls_cipher_set_priority (session, cipher_priority);
- gnutls_compression_set_priority (session, comp_priority);
- gnutls_kx_set_priority (session, kx_priority);
- gnutls_protocol_set_priority (session, protocol_priority);
- gnutls_mac_set_priority (session, mac_priority);
+ gnutls_set_default_priority2( session, GNUTLS_PRIORITIES_EXPORT);
return 0;
}
diff --git a/src/cli.c b/src/cli.c
index 6307f789e8..5640030ddb 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -378,7 +378,7 @@ init_tls_session (const char *hostname)
gnutls_init (&session, GNUTLS_CLIENT);
- gnutls_set_default_priority (session);
+ gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_PERFORMANCE);
/* allow the use of private ciphersuites.
*/
diff --git a/src/serv.c b/src/serv.c
index f4d687cba6..9ab93d4755 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -380,7 +380,7 @@ initialize_session (void)
gnutls_db_set_ptr (session, NULL);
}
- gnutls_set_default_priority (session);
+ gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_PERFORMANCE);
if (cipher_priority[0])
gnutls_cipher_set_priority (session, cipher_priority);