-rw-r--r-- | doc/tex/ciphersuites.tex | 13 | ||||
-rw-r--r-- | doc/tex/ex1.tex | 2 | ||||
-rw-r--r-- | doc/tex/ex2.tex | 4 | ||||
-rw-r--r-- | doc/tex/ex3.tex | 2 | ||||
-rw-r--r-- | doc/tex/serv1.tex | 2 | ||||
-rw-r--r-- | doc/tex/srp1.tex | 2 | ||||
-rw-r--r-- | lib/auth_x509.c | 4 | ||||
-rw-r--r-- | lib/gnutls.h.in | 2 | ||||
-rw-r--r-- | lib/gnutls_algorithms.c | 201 | ||||
-rw-r--r-- | lib/gnutls_cert.c | 12 | ||||
-rw-r--r-- | lib/gnutls_int.h | 2 | ||||
-rw-r--r-- | src/cli.c | 2 | ||||
-rw-r--r-- | src/serv.c | 8 |
13 files changed, 102 insertions, 154 deletions
diff --git a/doc/tex/ciphersuites.tex b/doc/tex/ciphersuites.tex index 53385cfc0a..d656df3648 100644 --- a/doc/tex/ciphersuites.tex +++ b/doc/tex/ciphersuites.tex @@ -1,9 +1,10 @@ \newpage \section{TLS Cipher suites} \par -\tls 1.0 supports ciphersuites like {\bf TLS\_DHE\_RSA\_WITH\_3DES\_CBC\_SHA}. +\tls 1.0 supports ciphersuites like {\bf TLS\_X509PKI\_DHE\_RSA\_WITH\_3DES\_CBC\_SHA}. These ciphersuites contain three parameters: \begin{itemize} +\item The key authentication method (X.509 PKI in the example) \item The key exchange algorithm (DHE\_RSA in the example) \item The Symmetric encryption algorithm and mode (3DES\_CBC in this example) @@ -30,14 +31,6 @@ DHE\_DSS & The DSS\footnote{DSS stands for Digital Signature Standard} algorithm parameters which are send to the peer. Currently \gnutls does not support this ciphersuite. \\ \hline -DH\_DSS & Static Diffie Hellman parameters signed by a DSS certificate. -\gnutls does not support this ciphersuite. -\\ -\hline -DH\_RSA & Static Diffie Hellman parameters signed by an RSA certificate. -\gnutls does not support this ciphersuite. -\\ -\hline \end{tabular} \caption{Supported X.509 key exchange algorithms} @@ -48,7 +41,7 @@ DH\_RSA & Static Diffie Hellman parameters signed by an RSA certificate. \begin{tabular}{|l|p{9cm}|} \hline -DH\_ANON & This algorithm exchanges not signed diffie Hellman parameters. That way encryption may +ANON\_DH & This algorithm exchanges not signed diffie Hellman parameters. That way encryption may be performed but there is no indication of the identity of the peer. This kind of authentication is vulnerable to man in the middle attack, but this protocol can be used even if there is no prior communication or common trusted diff --git a/doc/tex/ex1.tex b/doc/tex/ex1.tex index 27fbcca778..619a2f4a38 100644 --- a/doc/tex/ex1.tex +++ b/doc/tex/ex1.tex 
@@ -17,7 +17,7 @@ #define MSG "GET / HTTP/1.0\r\n\r\n" const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; -const int kx_priority[] = { GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, 0 }; +const int kx_priority[] = { GNUTLS_KX_X509PKI_RSA, GNUTLS_KX_X509PKI_DHE_RSA, 0 }; const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0}; const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 }; const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 }; diff --git a/doc/tex/ex2.tex b/doc/tex/ex2.tex index 9aab9b0dd9..0550e7e002 100644 --- a/doc/tex/ex2.tex +++ b/doc/tex/ex2.tex @@ -25,7 +25,7 @@ int main() char buffer[MAX_BUF + 1]; X509PKI_CLIENT_CREDENTIALS xcred; const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; - const int kx_priority[] = { GNUTLS_KX_RSA, 0 }; + const int kx_priority[] = { GNUTLS_KX_X509PKI_RSA, 0 }; const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0}; const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 }; const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 }; @@ -75,7 +75,7 @@ int main() */ gnutls_compression_set_priority(state, comp_priority); - /* use GNUTLS_KX_RSA + /* use GNUTLS_KX_X509PKI_RSA */ gnutls_kx_set_priority(state, kx_priority); diff --git a/doc/tex/ex3.tex b/doc/tex/ex3.tex index 01a3caf008..7709b39948 100644 --- a/doc/tex/ex3.tex +++ b/doc/tex/ex3.tex @@ -31,7 +31,7 @@ int print_info(GNUTLS_STATE state) /* Check if we have been using ephemeral Diffie Hellman. */ - if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) { + if (kx == GNUTLS_KX_X509PKI_DHE_RSA || kx == GNUTLS_KX_X509PKI_DHE_DSS) { printf("\n- Ephemeral DH using prime of %d bits\n", gnutls_x509pki_server_get_dh_bits( state)); } diff --git a/doc/tex/serv1.tex b/doc/tex/serv1.tex index 7d2ef42613..88fbd6dff7 100644 --- a/doc/tex/serv1.tex +++ b/doc/tex/serv1.tex 
@@ -38,7 +38,7 @@ GNUTLS_STATE initialize_state() GNUTLS_STATE state; int ret; const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; - const int kx_priority[] = { GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 }; + const int kx_priority[] = { GNUTLS_KX_X509PKI_RSA, GNUTLS_KX_X509PKI_DHE_RSA, GNUTLS_KX_SRP, 0 }; const int cipher_priority[] = { GNUTLS_CIPHER_RIJNDAEL_CBC, GNUTLS_CIPHER_3DES_CBC, 0}; const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 }; const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 }; diff --git a/doc/tex/srp1.tex b/doc/tex/srp1.tex index 4c93016062..9043be15ff 100644 --- a/doc/tex/srp1.tex +++ b/doc/tex/srp1.tex @@ -72,7 +72,7 @@ int main() */ gnutls_compression_set_priority(state, comp_priority); - /* use GNUTLS_KX_RSA + /* use GNUTLS_KX_SRP */ gnutls_kx_set_priority(state, kx_priority); diff --git a/lib/auth_x509.c b/lib/auth_x509.c index 47039e911c..649acc7dde 100644 --- a/lib/auth_x509.c +++ b/lib/auth_x509.c @@ -1283,8 +1283,8 @@ int gnutls_x509pki_get_peer_certificate_status(GNUTLS_STATE state) } /* finds the most appropriate certificate in the cert list. - * The 'appropriate' is defined by the user. - * FIXME: provide user callback. + * The 'appropriate' is defined by the user. + * (frontend to _gnutls_server_find_cert_index()) */ const gnutls_cert *_gnutls_server_find_cert(GNUTLS_STATE state, gnutls_cert ** cert_list, diff --git a/lib/gnutls.h.in b/lib/gnutls.h.in index 0b62318652..d7d5fcf90e 100644 --- a/lib/gnutls.h.in +++ b/lib/gnutls.h.in 
@@ -33,7 +33,7 @@ extern "C" { #define GNUTLS_AES GNUTLS_RIJNDAEL typedef enum BulkCipherAlgorithm { GNUTLS_CIPHER_NULL=1, GNUTLS_CIPHER_ARCFOUR, GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_RIJNDAEL_CBC, GNUTLS_CIPHER_TWOFISH_CBC, GNUTLS_CIPHER_RIJNDAEL256_CBC } BulkCipherAlgorithm; -typedef enum KXAlgorithm { GNUTLS_KX_RSA=1, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, GNUTLS_KX_DH_DSS, GNUTLS_KX_DH_RSA, GNUTLS_KX_DH_ANON, GNUTLS_KX_SRP } KXAlgorithm; +typedef enum KXAlgorithm { GNUTLS_KX_X509PKI_RSA=1, GNUTLS_KX_X509PKI_DHE_DSS, GNUTLS_KX_X509PKI_DHE_RSA, GNUTLS_KX_ANON_DH, GNUTLS_KX_SRP } KXAlgorithm; typedef enum CredType { GNUTLS_X509PKI=1, GNUTLS_ANON, GNUTLS_SRP } CredType; typedef enum MACAlgorithm { GNUTLS_MAC_NULL=1, GNUTLS_MAC_MD5, GNUTLS_MAC_SHA } MACAlgorithm; typedef enum CompressionMethod { GNUTLS_COMP_NULL=1, GNUTLS_COMP_ZLIB } CompressionMethod; diff --git a/lib/gnutls_algorithms.c b/lib/gnutls_algorithms.c index 22ed428866..52514a8539 100644 --- a/lib/gnutls_algorithms.c +++ b/lib/gnutls_algorithms.c @@ -38,12 +38,10 @@ typedef struct { } gnutls_cred_map; static const gnutls_cred_map cred_mappings[] = { - { GNUTLS_KX_DH_ANON, GNUTLS_ANON }, - { GNUTLS_KX_RSA, GNUTLS_X509PKI }, - { GNUTLS_KX_DHE_DSS, GNUTLS_X509PKI }, - { GNUTLS_KX_DHE_RSA, GNUTLS_X509PKI }, - { GNUTLS_KX_DH_DSS, GNUTLS_X509PKI }, - { GNUTLS_KX_DH_RSA, GNUTLS_X509PKI }, + { GNUTLS_KX_ANON_DH, GNUTLS_ANON }, + { GNUTLS_KX_X509PKI_RSA, GNUTLS_X509PKI }, + { GNUTLS_KX_X509PKI_DHE_DSS, GNUTLS_X509PKI }, + { GNUTLS_KX_X509PKI_DHE_RSA, GNUTLS_X509PKI }, { GNUTLS_KX_SRP, GNUTLS_SRP }, { 0 } }; 
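Review bot: Removing `GNUTLS_KX_DH_DSS` and `GNUTLS_KX_DH_RSA` from the middle of `KXAlgorithm` in lib/gnutls.h.in renumbers every enumerator after them, and this is the public header. Under the old numbering 4 was DH_DSS, 6 was DH_ANON and 7 was SRP; on the new side 4 is `GNUTLS_KX_ANON_DH` and 5 is `GNUTLS_KX_SRP`. An application built against the old header and linked with the new library would therefore have its kx priority integers read as different algorithms, in one case as the unauthenticated anonymous exchange. If nothing indexes arrays by these values, pinning them keeps the old numbers: `GNUTLS_KX_X509PKI_RSA=1, GNUTLS_KX_X509PKI_DHE_DSS=2, GNUTLS_KX_X509PKI_DHE_RSA=3, GNUTLS_KX_ANON_DH=6, GNUTLS_KX_SRP=7`, applied identically to the duplicate enum in lib/gnutls_int.h. Otherwise the break should be made explicit with a library version bump.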
@@ -187,9 +185,9 @@ extern MOD_AUTH_STRUCT anon_auth_struct; extern MOD_AUTH_STRUCT srp_auth_struct; static const gnutls_kx_algo_entry kx_algorithms[] = { - GNUTLS_KX_ALGO_ENTRY(GNUTLS_KX_DH_ANON, &anon_auth_struct), - GNUTLS_KX_ALGO_ENTRY(GNUTLS_KX_RSA, &rsa_auth_struct), - GNUTLS_KX_ALGO_ENTRY(GNUTLS_KX_DHE_RSA, &dhe_rsa_auth_struct), + GNUTLS_KX_ALGO_ENTRY(GNUTLS_KX_ANON_DH, &anon_auth_struct), + GNUTLS_KX_ALGO_ENTRY(GNUTLS_KX_X509PKI_RSA, &rsa_auth_struct), + GNUTLS_KX_ALGO_ENTRY(GNUTLS_KX_X509PKI_DHE_RSA, &dhe_rsa_auth_struct), GNUTLS_KX_ALGO_ENTRY(GNUTLS_KX_SRP, &srp_auth_struct), {0} }; @@ -215,14 +213,14 @@ typedef struct { MACAlgorithm mac_algorithm; } gnutls_cipher_suite_entry; -#define GNUTLS_RSA_NULL_MD5 { 0x00, 0x01 } +#define GNUTLS_X509PKI_RSA_NULL_MD5 { 0x00, 0x01 } -#define GNUTLS_DH_anon_3DES_EDE_CBC_SHA { 0x00, 0x1B } -#define GNUTLS_DH_anon_ARCFOUR_MD5 { 0x00, 0x18 } -#define GNUTLS_DH_anon_RIJNDAEL_128_CBC_SHA { 0x00, 0x34 } -#define GNUTLS_DH_anon_RIJNDAEL_256_CBC_SHA { 0x00, 0x3A } +#define GNUTLS_ANON_DH_3DES_EDE_CBC_SHA { 0x00, 0x1B } +#define GNUTLS_ANON_DH_ARCFOUR_MD5 { 0x00, 0x18 } +#define GNUTLS_ANON_DH_RIJNDAEL_128_CBC_SHA { 0x00, 0x34 } +#define GNUTLS_ANON_DH_RIJNDAEL_256_CBC_SHA { 0x00, 0x3A } /* Twofish is a gnutls extension */ -#define GNUTLS_DH_anon_TWOFISH_128_CBC_SHA { 0xF6, 0x50 } +#define GNUTLS_ANON_DH_TWOFISH_128_CBC_SHA { 0xF6, 0x50 } /* SRP is a gnutls extension - for now */ #define GNUTLS_SRP_3DES_EDE_CBC_SHA { 0x00, 0x5B } 
@@ -233,59 +231,44 @@ typedef struct { #define GNUTLS_SRP_TWOFISH_128_CBC_SHA { 0xF6, 0x64 } /* RSA */ -#define GNUTLS_RSA_ARCFOUR_SHA { 0x00, 0x05 } -#define GNUTLS_RSA_ARCFOUR_MD5 { 0x00, 0x04 } -#define GNUTLS_RSA_3DES_EDE_CBC_SHA { 0x00, 0x0A } -#define GNUTLS_RSA_DES_CBC_SHA { 0x00, 0x09 } -#define GNUTLS_RSA_RIJNDAEL_128_CBC_SHA { 0x00, 0x2F } -#define GNUTLS_RSA_RIJNDAEL_256_CBC_SHA { 0x00, 0x35 } -#define GNUTLS_RSA_TWOFISH_128_CBC_SHA { 0xF6, 0x51 } - -/* DH_DSS */ -#define GNUTLS_DH_DSS_RIJNDAEL_128_CBC_SHA { 0x00, 0x30 } -#define GNUTLS_DH_DSS_TWOFISH_128_CBC_SHA { 0xF6, 0x52 } -#define GNUTLS_DH_DSS_DES_CBC_SHA { 0x00, 0x0C } -#define GNUTLS_DH_DSS_RIJNDAEL_256_CBC_SHA { 0x00, 0x36 } -#define GNUTLS_DH_DSS_3DES_EDE_CBC_SHA { 0x00, 0x0D } - -/* DHE_DSS */ -#define GNUTLS_DHE_DSS_RIJNDAEL_256_CBC_SHA { 0x00, 0x38 } -#define GNUTLS_DHE_DSS_RIJNDAEL_128_CBC_SHA { 0x00, 0x32 } -#define GNUTLS_DHE_DSS_DES_CBC_SHA { 0x00, 0x12 } -#define GNUTLS_DHE_DSS_TWOFISH_128_CBC_SHA { 0xF6, 0x54 } -#define GNUTLS_DHE_DSS_3DES_EDE_CBC_SHA { 0x00, 0x13 } - -/* DHE_RSA */ -#define GNUTLS_DHE_RSA_TWOFISH_128_CBC_SHA { 0xF6, 0x55 } -#define GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA { 0x00, 0x16 } -#define GNUTLS_DHE_RSA_DES_CBC_SHA { 0x00, 0x15 } -#define GNUTLS_DHE_RSA_RIJNDAEL_128_CBC_SHA { 0x00, 0x33 } -#define GNUTLS_DHE_RSA_RIJNDAEL_256_CBC_SHA { 0x00, 0x39 } - -/* DH_RSA */ -#define GNUTLS_DH_RSA_TWOFISH_128_CBC_SHA { 0xF6, 0x53 } -#define GNUTLS_DH_RSA_DES_CBC_SHA { 0x00, 0x0F } -#define GNUTLS_DH_RSA_3DES_EDE_CBC_SHA { 0x00, 0x10 } -#define GNUTLS_DH_RSA_RIJNDAEL_256_CBC_SHA { 0x00, 0x37 } -#define GNUTLS_DH_RSA_RIJNDAEL_128_CBC_SHA { 0x00, 0x31 } - +#define GNUTLS_X509PKI_RSA_ARCFOUR_SHA { 0x00, 0x05 } +#define GNUTLS_X509PKI_RSA_ARCFOUR_MD5 { 0x00, 0x04 } +#define GNUTLS_X509PKI_RSA_3DES_EDE_CBC_SHA { 0x00, 0x0A } +#define GNUTLS_X509PKI_RSA_DES_CBC_SHA { 0x00, 0x09 } +#define GNUTLS_X509PKI_RSA_RIJNDAEL_128_CBC_SHA { 0x00, 0x2F } +#define 
GNUTLS_X509PKI_RSA_RIJNDAEL_256_CBC_SHA { 0x00, 0x35 } +#define GNUTLS_X509PKI_RSA_TWOFISH_128_CBC_SHA { 0xF6, 0x51 } + +/* X509PKI_DHE_DSS */ +#define GNUTLS_X509PKI_DHE_DSS_RIJNDAEL_256_CBC_SHA { 0x00, 0x38 } +#define GNUTLS_X509PKI_DHE_DSS_RIJNDAEL_128_CBC_SHA { 0x00, 0x32 } +#define GNUTLS_X509PKI_DHE_DSS_DES_CBC_SHA { 0x00, 0x12 } +#define GNUTLS_X509PKI_DHE_DSS_TWOFISH_128_CBC_SHA { 0xF6, 0x54 } +#define GNUTLS_X509PKI_DHE_DSS_3DES_EDE_CBC_SHA { 0x00, 0x13 } + +/* X509PKI_DHE_RSA */ +#define GNUTLS_X509PKI_DHE_RSA_TWOFISH_128_CBC_SHA { 0xF6, 0x55 } +#define GNUTLS_X509PKI_DHE_RSA_3DES_EDE_CBC_SHA { 0x00, 0x16 } +#define GNUTLS_X509PKI_DHE_RSA_DES_CBC_SHA { 0x00, 0x15 } +#define GNUTLS_X509PKI_DHE_RSA_RIJNDAEL_128_CBC_SHA { 0x00, 0x33 } +#define GNUTLS_X509PKI_DHE_RSA_RIJNDAEL_256_CBC_SHA { 0x00, 0x39 } static const gnutls_cipher_suite_entry cs_algorithms[] = { - /* DH_anon */ - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DH_anon_ARCFOUR_MD5, + /* ANON_DH */ + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_ANON_DH_ARCFOUR_MD5, GNUTLS_CIPHER_ARCFOUR, - GNUTLS_KX_DH_ANON, GNUTLS_MAC_MD5), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DH_anon_3DES_EDE_CBC_SHA, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DH_ANON, + GNUTLS_KX_ANON_DH, GNUTLS_MAC_MD5), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_ANON_DH_3DES_EDE_CBC_SHA, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_ANON_DH, GNUTLS_MAC_SHA), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DH_anon_RIJNDAEL_128_CBC_SHA, - GNUTLS_CIPHER_RIJNDAEL_CBC, GNUTLS_KX_DH_ANON, + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_ANON_DH_RIJNDAEL_128_CBC_SHA, + GNUTLS_CIPHER_RIJNDAEL_CBC, GNUTLS_KX_ANON_DH, GNUTLS_MAC_SHA), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DH_anon_RIJNDAEL_256_CBC_SHA, - GNUTLS_CIPHER_RIJNDAEL256_CBC, GNUTLS_KX_DH_ANON, + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_ANON_DH_RIJNDAEL_256_CBC_SHA, + GNUTLS_CIPHER_RIJNDAEL256_CBC, GNUTLS_KX_ANON_DH, GNUTLS_MAC_SHA), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DH_anon_TWOFISH_128_CBC_SHA, - GNUTLS_CIPHER_TWOFISH_CBC, GNUTLS_KX_DH_ANON, + 
GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_ANON_DH_TWOFISH_128_CBC_SHA, + GNUTLS_CIPHER_TWOFISH_CBC, GNUTLS_KX_ANON_DH, GNUTLS_MAC_SHA), /* SRP */ 
@@ -308,84 +291,56 @@ static const gnutls_cipher_suite_entry cs_algorithms[] = { GNUTLS_CIPHER_TWOFISH_CBC, GNUTLS_KX_SRP, GNUTLS_MAC_SHA), - /* DH_DSS */ - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DH_DSS_3DES_EDE_CBC_SHA, - GNUTLS_CIPHER_3DES_CBC, - GNUTLS_KX_DH_DSS, GNUTLS_MAC_SHA), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DH_DSS_RIJNDAEL_128_CBC_SHA, - GNUTLS_CIPHER_RIJNDAEL_CBC, GNUTLS_KX_DH_DSS, - GNUTLS_MAC_SHA), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DH_DSS_RIJNDAEL_256_CBC_SHA, - GNUTLS_CIPHER_RIJNDAEL256_CBC, GNUTLS_KX_DH_DSS, - GNUTLS_MAC_SHA), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DH_DSS_TWOFISH_128_CBC_SHA, - GNUTLS_CIPHER_TWOFISH_CBC, GNUTLS_KX_DH_DSS, - GNUTLS_MAC_SHA), - - /* DH_RSA */ - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DH_RSA_3DES_EDE_CBC_SHA, - GNUTLS_CIPHER_3DES_CBC, - GNUTLS_KX_DH_RSA, GNUTLS_MAC_SHA), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DH_RSA_RIJNDAEL_128_CBC_SHA, - GNUTLS_CIPHER_RIJNDAEL_CBC, GNUTLS_KX_DH_RSA, - GNUTLS_MAC_SHA), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DH_RSA_RIJNDAEL_256_CBC_SHA, - GNUTLS_CIPHER_RIJNDAEL256_CBC, GNUTLS_KX_DH_RSA, - GNUTLS_MAC_SHA), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DH_RSA_TWOFISH_128_CBC_SHA, - GNUTLS_CIPHER_TWOFISH_CBC, GNUTLS_KX_DH_RSA, - GNUTLS_MAC_SHA), - - /* DHE_DSS */ - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_TWOFISH_128_CBC_SHA, - GNUTLS_CIPHER_TWOFISH_CBC, GNUTLS_KX_DHE_DSS, + /* X509PKI_DHE_DSS */ + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_X509PKI_DHE_DSS_TWOFISH_128_CBC_SHA, + GNUTLS_CIPHER_TWOFISH_CBC, GNUTLS_KX_X509PKI_DHE_DSS, GNUTLS_MAC_SHA), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_3DES_EDE_CBC_SHA, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_DSS, + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_X509PKI_DHE_DSS_3DES_EDE_CBC_SHA, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_X509PKI_DHE_DSS, GNUTLS_MAC_SHA), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_RIJNDAEL_128_CBC_SHA, - GNUTLS_CIPHER_RIJNDAEL_CBC, GNUTLS_KX_DHE_DSS, + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_X509PKI_DHE_DSS_RIJNDAEL_128_CBC_SHA, + GNUTLS_CIPHER_RIJNDAEL_CBC, GNUTLS_KX_X509PKI_DHE_DSS, 
GNUTLS_MAC_SHA), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_RIJNDAEL_256_CBC_SHA, - GNUTLS_CIPHER_RIJNDAEL256_CBC, GNUTLS_KX_DHE_DSS, + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_X509PKI_DHE_DSS_RIJNDAEL_256_CBC_SHA, + GNUTLS_CIPHER_RIJNDAEL256_CBC, GNUTLS_KX_X509PKI_DHE_DSS, GNUTLS_MAC_SHA), - /* DHE_RSA */ - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_TWOFISH_128_CBC_SHA, - GNUTLS_CIPHER_TWOFISH_CBC, GNUTLS_KX_DHE_RSA, + /* X509PKI_DHE_RSA */ + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_X509PKI_DHE_RSA_TWOFISH_128_CBC_SHA, + GNUTLS_CIPHER_TWOFISH_CBC, GNUTLS_KX_X509PKI_DHE_RSA, GNUTLS_MAC_SHA), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA, - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_RSA, + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_X509PKI_DHE_RSA_3DES_EDE_CBC_SHA, + GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_X509PKI_DHE_RSA, GNUTLS_MAC_SHA), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_RIJNDAEL_128_CBC_SHA, - GNUTLS_CIPHER_RIJNDAEL_CBC, GNUTLS_KX_DHE_RSA, + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_X509PKI_DHE_RSA_RIJNDAEL_128_CBC_SHA, + GNUTLS_CIPHER_RIJNDAEL_CBC, GNUTLS_KX_X509PKI_DHE_RSA, GNUTLS_MAC_SHA), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_RIJNDAEL_256_CBC_SHA, - GNUTLS_CIPHER_RIJNDAEL256_CBC, GNUTLS_KX_DHE_RSA, + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_X509PKI_DHE_RSA_RIJNDAEL_256_CBC_SHA, + GNUTLS_CIPHER_RIJNDAEL256_CBC, GNUTLS_KX_X509PKI_DHE_RSA, GNUTLS_MAC_SHA), - /* RSA */ - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_NULL_MD5, + /* X509PKI_RSA */ + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_X509PKI_RSA_NULL_MD5, GNUTLS_CIPHER_NULL, - GNUTLS_KX_RSA, GNUTLS_MAC_MD5), + GNUTLS_KX_X509PKI_RSA, GNUTLS_MAC_MD5), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_ARCFOUR_SHA, + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_X509PKI_RSA_ARCFOUR_SHA, GNUTLS_CIPHER_ARCFOUR, - GNUTLS_KX_RSA, GNUTLS_MAC_SHA), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_ARCFOUR_MD5, + GNUTLS_KX_X509PKI_RSA, GNUTLS_MAC_SHA), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_X509PKI_RSA_ARCFOUR_MD5, GNUTLS_CIPHER_ARCFOUR, - GNUTLS_KX_RSA, GNUTLS_MAC_MD5), - 
GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_3DES_EDE_CBC_SHA, + GNUTLS_KX_X509PKI_RSA, GNUTLS_MAC_MD5), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_X509PKI_RSA_3DES_EDE_CBC_SHA, GNUTLS_CIPHER_3DES_CBC, - GNUTLS_KX_RSA, GNUTLS_MAC_SHA), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_RIJNDAEL_128_CBC_SHA, - GNUTLS_CIPHER_RIJNDAEL_CBC, GNUTLS_KX_RSA, + GNUTLS_KX_X509PKI_RSA, GNUTLS_MAC_SHA), + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_X509PKI_RSA_RIJNDAEL_128_CBC_SHA, + GNUTLS_CIPHER_RIJNDAEL_CBC, GNUTLS_KX_X509PKI_RSA, GNUTLS_MAC_SHA), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_RIJNDAEL_256_CBC_SHA, - GNUTLS_CIPHER_RIJNDAEL256_CBC, GNUTLS_KX_RSA, + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_X509PKI_RSA_RIJNDAEL_256_CBC_SHA, + GNUTLS_CIPHER_RIJNDAEL256_CBC, GNUTLS_KX_X509PKI_RSA, GNUTLS_MAC_SHA), - GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_TWOFISH_128_CBC_SHA, - GNUTLS_CIPHER_TWOFISH_CBC, GNUTLS_KX_RSA, + GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_X509PKI_RSA_TWOFISH_128_CBC_SHA, + GNUTLS_CIPHER_TWOFISH_CBC, GNUTLS_KX_X509PKI_RSA, GNUTLS_MAC_SHA), {0} diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c index 8281885e1c..a2237d6f4c 100644 --- a/lib/gnutls_cert.c +++ b/lib/gnutls_cert.c @@ -47,11 +47,11 @@ typedef struct { /* This table maps the Key exchange algorithms to * the certificate algorithms. Eg. if we have * RSA algorithm in the certificate then we can - * use GNUTLS_KX_RSA or GNUTLS_KX_DHE_RSA. + * use GNUTLS_KX_X509PKI_RSA or GNUTLS_KX_X509PKI_DHE_RSA. */ static const gnutls_pk_map pk_mappings[] = { - {GNUTLS_KX_RSA, GNUTLS_PK_RSA}, - {GNUTLS_KX_DHE_RSA, GNUTLS_PK_RSA}, + {GNUTLS_KX_X509PKI_RSA, GNUTLS_PK_RSA}, + {GNUTLS_KX_X509PKI_DHE_RSA, GNUTLS_PK_RSA}, {0} }; @@ -959,7 +959,7 @@ int _gnutls_check_x509pki_key_usage(const gnutls_cert * cert, { if (_gnutls_map_kx_get_cred(alg) == GNUTLS_X509PKI) { switch (alg) { - case GNUTLS_KX_RSA: + case GNUTLS_KX_X509PKI_RSA: if (cert->keyUsage != 0) { if (! (cert-> 
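Review bot: The `X509PKI_DHE_DSS` suites stay in `cs_algorithms` although the `kx_algorithms` table in this same file has no entry for `GNUTLS_KX_X509PKI_DHE_DSS` (it lists only ANON_DH, X509PKI_RSA, X509PKI_DHE_RSA and SRP), and the documentation touched by this commit still describes DHE_DSS as not supported. The commit removes the DH_DSS and DH_RSA suites, presumably for that same reason, so the remaining DSS entries look inconsistent; whether they can be offered or selected depends on filtering code that is not visible in this diff. Either drop them as well or mark them, e.g. `/* X509PKI_DHE_DSS: no kx_algorithms entry yet, must be filtered before negotiation */`. Separately, the `/* RSA */` comment above the `GNUTLS_X509PKI_RSA_*` defines was left unchanged while the matching table comment became `/* X509PKI_RSA */`.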
@@ -970,7 +970,7 @@ int _gnutls_check_x509pki_key_usage(const gnutls_cert * cert, return 0; } return 0; - case GNUTLS_KX_DHE_RSA: + case GNUTLS_KX_X509PKI_DHE_RSA: if (cert->keyUsage != 0) { if (! (cert-> @@ -991,7 +991,7 @@ int _gnutls_check_x509pki_key_usage(const gnutls_cert * cert, /* returns the KX algorithms that are supported by a * certificate. (Eg a certificate with RSA params, supports - * GNUTLS_KX_RSA algorithm). + * GNUTLS_KX_X509PKI_RSA algorithm). * This function also uses the KeyUsage field of the certificate * extensions in order to disable unneded algorithms. */ diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index 06c702f8e1..3f214c4743 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -142,7 +142,7 @@ typedef struct { typedef enum ConnectionEnd { GNUTLS_SERVER=1, GNUTLS_CLIENT } ConnectionEnd; typedef enum BulkCipherAlgorithm { GNUTLS_CIPHER_NULL=1, GNUTLS_CIPHER_ARCFOUR, GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_RIJNDAEL_CBC, GNUTLS_CIPHER_TWOFISH_CBC, GNUTLS_CIPHER_RIJNDAEL256_CBC } BulkCipherAlgorithm; typedef enum Extensions { GNUTLS_EXTENSION_DNSNAME=0, GNUTLS_EXTENSION_MAX_RECORD_SIZE=1, GNUTLS_EXTENSION_SRP=6 } Extensions; -typedef enum KXAlgorithm { GNUTLS_KX_RSA=1, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, GNUTLS_KX_DH_DSS, GNUTLS_KX_DH_RSA, GNUTLS_KX_DH_ANON, GNUTLS_KX_SRP } KXAlgorithm; +typedef enum KXAlgorithm { GNUTLS_KX_X509PKI_RSA=1, GNUTLS_KX_X509PKI_DHE_DSS, GNUTLS_KX_X509PKI_DHE_RSA, GNUTLS_KX_ANON_DH, GNUTLS_KX_SRP } KXAlgorithm; typedef enum CredType { GNUTLS_X509PKI=1, GNUTLS_ANON, GNUTLS_SRP } CredType; typedef enum CipherType { CIPHER_STREAM, CIPHER_BLOCK } CipherType; typedef enum MACAlgorithm { GNUTLS_MAC_NULL=1, GNUTLS_MAC_MD5, GNUTLS_MAC_SHA } MACAlgorithm; 
@@ -149,7 +149,7 @@ int cert_callback( const gnutls_datum *client_certs, int ncerts, const gnutls_da } const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; -const int kx_priority[] = { GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, GNUTLS_KX_DH_ANON, 0 }; +const int kx_priority[] = { GNUTLS_KX_X509PKI_RSA, GNUTLS_KX_X509PKI_DHE_RSA, GNUTLS_KX_SRP, GNUTLS_KX_ANON_DH, 0 }; const int cipher_priority[] = { GNUTLS_CIPHER_RIJNDAEL_CBC, GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0}; const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 }; const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 }; diff --git a/src/serv.c b/src/serv.c index d3124116d9..b876d134a6 100644 --- a/src/serv.c +++ b/src/serv.c @@ -76,7 +76,7 @@ GNUTLS_STATE initialize_state() GNUTLS_STATE state; int ret; int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; - int kx_priority[] = { GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, GNUTLS_KX_DH_ANON, 0 }; + int kx_priority[] = { GNUTLS_KX_X509PKI_RSA, GNUTLS_KX_X509PKI_DHE_RSA, GNUTLS_KX_SRP, GNUTLS_KX_ANON_DH, 0 }; int cipher_priority[] = { GNUTLS_CIPHER_RIJNDAEL_CBC, GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0}; int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 }; int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 }; @@ -167,7 +167,7 @@ void print_info(GNUTLS_STATE state) break; } - if (gnutls_kx_get_algo(state) == GNUTLS_KX_DHE_RSA || gnutls_kx_get_algo(state) == GNUTLS_KX_DHE_DSS) { + if (gnutls_kx_get_algo(state) == GNUTLS_KX_X509PKI_DHE_RSA || gnutls_kx_get_algo(state) == GNUTLS_KX_X509PKI_DHE_DSS) { printf("\n- Ephemeral DH using prime of %d bits\n", gnutls_x509pki_server_get_dh_bits( state)); } 
@@ -244,7 +244,7 @@ void peer_print_info( GNUTLS_STATE state) gnutls_srp_server_get_username( state)); } - if (gnutls_kx_get_algo(state) == GNUTLS_KX_DH_ANON) { + if (gnutls_kx_get_algo(state) == GNUTLS_KX_ANON_DH) { sprintf(tmp2, "<p> Connect using anonymous DH (prime of %d bits)</p>\n", gnutls_anon_server_get_dh_bits( state)); } @@ -258,7 +258,7 @@ void peer_print_info( GNUTLS_STATE state) tmp = gnutls_kx_get_name(gnutls_kx_get_algo(state)); sprintf(tmp2, "Key Exchange: <b>%s</b><br>\n", tmp); - if (gnutls_kx_get_algo(state) == GNUTLS_KX_DHE_RSA || gnutls_kx_get_algo(state) == GNUTLS_KX_DHE_DSS) { + if (gnutls_kx_get_algo(state) == GNUTLS_KX_X509PKI_DHE_RSA || gnutls_kx_get_algo(state) == GNUTLS_KX_X509PKI_DHE_DSS) { sprintf(tmp2, "Ephemeral DH using prime of <b>%d</b> bits.<br>\n", gnutls_x509pki_server_get_dh_bits( state)); } |