-rw-r--r--NEWS9
-rw-r--r--configure.in4
-rw-r--r--doc/examples/ex-client-resume.c2
-rw-r--r--doc/examples/ex-client-srp.c6
-rw-r--r--doc/examples/ex-client-tlsia.c4
-rw-r--r--doc/examples/ex-client1.c4
-rw-r--r--doc/examples/ex-client2.c9
-rw-r--r--doc/examples/ex-serv-anon.c4
-rw-r--r--doc/examples/ex-serv-export.c2
-rw-r--r--doc/examples/ex-serv-pgp.c4
-rw-r--r--doc/examples/ex-serv-srp.c6
-rw-r--r--doc/examples/ex-serv1.c4
-rw-r--r--doc/gnutls.texi7
-rw-r--r--includes/gnutls/compat.h4
-rw-r--r--includes/gnutls/gnutls.h.in11
-rw-r--r--includes/gnutls/gnutlsxx.h4
-rw-r--r--lib/gnutls_algorithms.h6
-rw-r--r--lib/gnutls_priority.c628
-rw-r--r--lib/gnutlsxx.cpp4
-rw-r--r--src/cli-gaa.c131
-rw-r--r--src/cli-gaa.h32
-rw-r--r--src/cli.c10
-rw-r--r--src/cli.gaa5
-rw-r--r--src/serv-gaa.c99
-rw-r--r--src/serv-gaa.h2
-rw-r--r--src/serv.c7
-rw-r--r--src/serv.gaa5
27 files changed, 638 insertions, 375 deletions
diff --git a/NEWS b/NEWS
index 93a63f21e4..5fb81f7bad 100644
--- a/NEWS
+++ b/NEWS
@@ -5,10 +5,17 @@ See the end for copying conditions.
* Version 2.1.7 (unreleased)
+** Updated gnutls_set_default_priority2() now renamed to
+gnutls_set_priority() which now accepts a string to indicate
+preferences of ciphersuite parameters.
+
+** gnutls-cli and gnutls-serv now have a --priority option to set
+the priority string.
+
** Internal copy of OpenCDK upgraded to version 0.6.6.
** API and ABI modifications:
-No changes since last version.
+gnutls_set_default_priority2: RENAMED to gnutls_set_priority()
* Version 2.1.6 (released 2007-11-15)
diff --git a/configure.in b/configure.in
index 729995fb4a..9def41ac1b 100644
--- a/configure.in
+++ b/configure.in
@@ -35,8 +35,8 @@ AB_INIT
# Interfaces changed/added/removed: CURRENT++ REVISION=0
# Interfaces added: AGE++
# Interfaces removed: AGE=0
-AC_SUBST(LT_CURRENT, 25)
-AC_SUBST(LT_REVISION, 2)
+AC_SUBST(LT_CURRENT, 26)
+AC_SUBST(LT_REVISION, 0)
AC_SUBST(LT_AGE, 0)
ac_full=1
diff --git a/doc/examples/ex-client-resume.c b/doc/examples/ex-client-resume.c
index 0e73901912..39c025e3a1 100644
--- a/doc/examples/ex-client-resume.c
+++ b/doc/examples/ex-client-resume.c
@@ -54,7 +54,7 @@ main (void)
gnutls_init (&session, GNUTLS_CLIENT);
- gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_PERFORMANCE);
+ gnutls_set_priority (session, "PERFORMANCE", NULL, 0);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
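Review bot: The return value of `gnutls_set_priority` is discarded on the new line, although the prototype this commit adds to includes/gnutls/gnutls.h.in returns int and the implementation in lib/gnutls_priority.c returns GNUTLS_E_INVALID_REQUEST for a syntax error and GNUTLS_E_MEMORY_ERROR when the string cannot be duplicated; on the error path the session keeps whatever priorities were applied before the bad element, since the parser applies elements in order with no rollback. Checking the result as ex-client2.c now does, e.g. `ret = gnutls_set_priority (session, "PERFORMANCE", NULL, 0);` / `if (ret < 0) exit (1);` (declaring `ret` if this example has none), would make the examples robust. The same unchecked call appears in the hunks for ex-client-tlsia.c, ex-client1.c, ex-serv-anon.c, ex-serv-export.c, ex-serv-pgp.c, ex-serv-srp.c and ex-serv1.c. main() continues outside the hunk.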
diff --git a/doc/examples/ex-client-srp.c b/doc/examples/ex-client-srp.c
index 5a2bc137ed..d1e0eb55d7 100644
--- a/doc/examples/ex-client-srp.c
+++ b/doc/examples/ex-client-srp.c
@@ -39,7 +39,6 @@ main (void)
char buffer[MAX_BUF + 1];
gnutls_srp_client_credentials_t srp_cred;
gnutls_certificate_credentials_t cert_cred;
- int kx_priorities[MAX_PRIORITIES];
gnutls_global_init ();
@@ -48,9 +47,6 @@ main (void)
*/
gnutls_global_init_extra ();
- gnutls_kx_convert_priority( kx_priorities, MAX_PRIORITIES,
- "SRP, SRP-RSA, SRP-DSS", ',');
-
gnutls_srp_allocate_client_credentials (&srp_cred);
gnutls_certificate_allocate_credentials (&cert_cred);
@@ -70,7 +66,7 @@ main (void)
/* Set the priorities.
*/
gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY_NORMAL);
- gnutls_kx_set_priority( session, kx_priorities);
+ gnutls_set_priority (session, "NORMAL:+SRP:+SRP-RSA:+SRP-DSS", NULL, 0);
/* put the SRP credentials to the current session
*/
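Review bot: The context line `gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY_NORMAL);` survives directly above the new `gnutls_set_priority` call, but this commit deletes both that prototype and the gnutls_priority_flag_t enum from includes/gnutls/gnutls.h.in, so this example no longer builds. The new string already starts with NORMAL, so the old call should simply be removed. The return value of the new call is also unchecked, as in the other examples. main() continues outside the hunk.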
diff --git a/doc/examples/ex-client-tlsia.c b/doc/examples/ex-client-tlsia.c
index b546c19207..fb699e69d2 100644
--- a/doc/examples/ex-client-tlsia.c
+++ b/doc/examples/ex-client-tlsia.c
@@ -63,7 +63,6 @@ main (void)
gnutls_anon_client_credentials_t anoncred;
gnutls_ia_client_credentials_t iacred;
/* Need to enable anonymous KX specifically. */
- const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 };
gnutls_global_init ();
@@ -79,8 +78,7 @@ main (void)
gnutls_init (&session, GNUTLS_CLIENT);
/* Use default priorities */
- gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY_NORMAL);
- gnutls_kx_set_priority (session, kx_prio);
+ gnutls_set_priority (session, "NORMAL:+ANON-DH", NULL, 0);
/* put the anonymous and TLS/IA credentials to the current session
*/
diff --git a/doc/examples/ex-client1.c b/doc/examples/ex-client1.c
index 6aeceec83b..c5e4f2dfa4 100644
--- a/doc/examples/ex-client1.c
+++ b/doc/examples/ex-client1.c
@@ -36,7 +36,6 @@ main (void)
char buffer[MAX_BUF + 1];
gnutls_anon_client_credentials_t anoncred;
/* Need to enable anonymous KX specifically. */
- const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 };
gnutls_global_init ();
@@ -47,8 +46,7 @@ main (void)
gnutls_init (&session, GNUTLS_CLIENT);
/* Use default priorities */
- gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_PERFORMANCE);
- gnutls_kx_set_priority (session, kx_prio);
+ gnutls_set_priority (session, "PERFORMANCE:+ANON-DH:!ARCFOUR-128", NULL, 0);
/* put the anonymous credentials to the current session
*/
diff --git a/doc/examples/ex-client2.c b/doc/examples/ex-client2.c
index 37b074489b..51c1608c68 100644
--- a/doc/examples/ex-client2.c
+++ b/doc/examples/ex-client2.c
@@ -34,6 +34,7 @@ main (void)
int ret, sd, ii;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
+ char err[128];
gnutls_certificate_credentials_t xcred;
gnutls_global_init ();
@@ -50,7 +51,13 @@ main (void)
gnutls_init (&session, GNUTLS_CLIENT);
/* Use default priorities */
- gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_PERFORMANCE);
+ ret = gnutls_set_priority (session, "PERFORMANCE", err, sizeof(err));
+ if (ret < 0) {
+ if (ret == GNUTLS_E_INVALID_REQUEST) {
+ fprintf(stderr, "%s\n", err);
+ }
+ exit(1);
+ }
/* put the x509 credentials to the current session
*/
diff --git a/doc/examples/ex-serv-anon.c b/doc/examples/ex-serv-anon.c
index f2e8c06977..46eb721fa6 100644
--- a/doc/examples/ex-serv-anon.c
+++ b/doc/examples/ex-serv-anon.c
@@ -37,15 +37,13 @@ gnutls_session_t
initialize_tls_session (void)
{
gnutls_session_t session;
- const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 };
gnutls_init (&session, GNUTLS_SERVER);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
- gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY_NORMAL);
- gnutls_kx_set_priority (session, kx_prio);
+ gnutls_set_priority (session, "NORMAL:+ANON-DH", NULL, 0);
gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred);
diff --git a/doc/examples/ex-serv-export.c b/doc/examples/ex-serv-export.c
index cbe0b822ae..39713bb1dd 100644
--- a/doc/examples/ex-serv-export.c
+++ b/doc/examples/ex-serv-export.c
@@ -56,7 +56,7 @@ initialize_tls_session (void)
/* Use the default priorities, plus, export cipher suites.
*/
- gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_EXPORT);
+ gnutls_set_priority( session, "EXPORT", NULL, 0);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, cert_cred);
diff --git a/doc/examples/ex-serv-pgp.c b/doc/examples/ex-serv-pgp.c
index 79fcca6e4f..c9b8ebf81b 100644
--- a/doc/examples/ex-serv-pgp.c
+++ b/doc/examples/ex-serv-pgp.c
@@ -66,9 +66,7 @@ initialize_tls_session (void)
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
- gnutls_set_default_priority (session);
-
- gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY_NORMAL);
+ gnutls_set_priority(session, "NORMAL", NULL, 0);
/* request client certificate if any.
*/
diff --git a/doc/examples/ex-serv-srp.c b/doc/examples/ex-serv-srp.c
index 5458db9670..3c58c94889 100644
--- a/doc/examples/ex-serv-srp.c
+++ b/doc/examples/ex-serv-srp.c
@@ -44,14 +44,10 @@ gnutls_session_t
initialize_tls_session (void)
{
gnutls_session_t session;
- const int kx_priority[] = { GNUTLS_KX_SRP, GNUTLS_KX_SRP_DSS,
- GNUTLS_KX_SRP_RSA, 0
- };
gnutls_init (&session, GNUTLS_SERVER);
- gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY_NORMAL);
- gnutls_kx_set_priority (session, kx_priority);
+ gnutls_set_priority (session, "NORMAL:+SRP:+SRP-DSS:+SRP-RSA", NULL, 0);
gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred);
/* for the certificate authenticated ciphersuites.
diff --git a/doc/examples/ex-serv1.c b/doc/examples/ex-serv1.c
index f4eac9ad39..50ca98b10e 100644
--- a/doc/examples/ex-serv1.c
+++ b/doc/examples/ex-serv1.c
@@ -48,9 +48,9 @@ initialize_tls_session (void)
/* avoid calling all the priority functions, since the defaults
* are adequate. Depending on the needs it could also be
- * GNUTLS_PRIORITIES_PERFORMANCE.
+ * "PERFORMANCE".
*/
- gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY_NORMAL);
+ gnutls_set_priority (session, "NORMAL", NULL, 0);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred);
diff --git a/doc/gnutls.texi b/doc/gnutls.texi
index f58e5c8bc2..9af15c91ed 100644
--- a/doc/gnutls.texi
+++ b/doc/gnutls.texi
@@ -854,10 +854,9 @@ To set the priority of certificate types (e.g., @acronym{OpenPGP},
To set the priority of protocol versions (e.g., @acronym{SSL} 3.0,
@acronym{TLS} 1.0).
-@item @ref{gnutls_set_default_priority2}:
-To set some defaults in the current session. That way you don't have
-to call each priority function, independently, but you have to live
-with the defaults.
+@item @ref{gnutls_set_priority}:
+To set some defaults in the current session. That way you don't have
+to call each priority function, independently.
@item @ref{gnutls_credentials_set}:
To set the appropriate credentials structures.
diff --git a/includes/gnutls/compat.h b/includes/gnutls/compat.h
index 119316f7fc..4e5b14aff5 100644
--- a/includes/gnutls/compat.h
+++ b/includes/gnutls/compat.h
@@ -20,10 +20,10 @@
#endif
#define gnutls_set_default_priority(x) \
- (gnutls_set_default_priority2 (x, GNUTLS_PRIORITIES_SECURITY_NORMAL), \
+ (gnutls_set_default_priority2 (x, "NORMAL", NULL, 0), \
GNUTLS_E_SUCCESS)
#define gnutls_set_default_export_priority(x) \
- (gnutls_set_default_priority2( x, GNUTLS_PRIORITIES_EXPORT), \
+ (gnutls_set_default_priority2( x, "EXPORT", NULL, 0), \
GNUTLS_E_SUCCESS)
#define gnutls_cipher_algorithm gnutls_cipher_algorithm_t
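Review bot: Both macros now invoke `gnutls_set_default_priority2` with the new four-argument list, yet this commit removes that prototype from includes/gnutls/gnutls.h.in and renames the function to `gnutls_set_priority`, so any program still using `gnutls_set_default_priority()` or `gnutls_set_default_export_priority()` through compat.h will fail to compile or link. The callee should be updated: `(gnutls_set_default_priority2 (x, "NORMAL", NULL, 0), \` becomes `(gnutls_set_priority (x, "NORMAL", NULL, 0), \` and likewise `(gnutls_set_priority( x, "EXPORT", NULL, 0), \`. Because gnutls_set_priority returns an int status, the comma expression that forces GNUTLS_E_SUCCESS now hides a GNUTLS_E_MEMORY_ERROR from callers; returning the call's value directly would be more honest, though it changes what the compat macro previously promised.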
diff --git a/includes/gnutls/gnutls.h.in b/includes/gnutls/gnutls.h.in
index 3f035d277c..0251fb43fa 100644
--- a/includes/gnutls/gnutls.h.in
+++ b/includes/gnutls/gnutls.h.in
@@ -165,14 +165,6 @@ extern "C"
GNUTLS_CLIENT
} gnutls_connection_end_t;
- typedef enum
- {
- GNUTLS_PRIORITIES_EXPORT,
- GNUTLS_PRIORITIES_PERFORMANCE,
- GNUTLS_PRIORITIES_SECURITY_NORMAL,
- GNUTLS_PRIORITIES_SECURITY_HIGH
- } gnutls_priority_flag_t;
-
typedef enum
{
GNUTLS_AL_WARNING = 1,
@@ -524,8 +516,7 @@ extern "C"
/* if you just want some defaults, use the following.
*/
- void gnutls_set_default_priority2 (gnutls_session_t session,
- gnutls_priority_flag_t flag);
+ int gnutls_set_priority(gnutls_session_t session, const char *priority, char* syntax_error, size_t syntax_error_size);
/* Returns the name of a cipher suite */
const char *gnutls_cipher_suite_get_name (gnutls_kx_algorithm_t
diff --git a/includes/gnutls/gnutlsxx.h b/includes/gnutls/gnutlsxx.h
index 0931d0d3ae..01f9d3c39d 100644
--- a/includes/gnutls/gnutlsxx.h
+++ b/includes/gnutls/gnutlsxx.h
@@ -64,8 +64,6 @@ class rsa_params
gnutls_rsa_params_t params;
};
-typedef gnutls_priority_flag_t priority_flag;
-
class session
{
protected:
@@ -125,7 +123,7 @@ class session
/* if you just want some defaults, use the following.
*/
- void set_default_priority (priority_flag flag);
+ void set_default_priority (const char* prio);
gnutls_protocol_t get_protocol_version() const;
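Review bot: `set_default_priority (const char* prio)` keeps a void return while the C function it presumably wraps, `gnutls_set_priority`, now returns int and reports a malformed string with GNUTLS_E_INVALID_REQUEST; unless the implementation in lib/gnutlsxx.cpp (cut off in this chunk) throws on a negative result, a C++ caller has no way to learn that its priority string was rejected. Consider either returning the status, `int set_priority (const char* prio);`, or documenting on this declaration that a syntax error raises an exception. Keeping the name set_default_priority for a method that now takes an arbitrary priority string is also out of step with the C-side rename.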
diff --git a/lib/gnutls_algorithms.h b/lib/gnutls_algorithms.h
index 14389eaa58..fd23ef0a32 100644
--- a/lib/gnutls_algorithms.h
+++ b/lib/gnutls_algorithms.h
@@ -132,4 +132,10 @@ int _gnutls_kx_priority (gnutls_session_t session,
int _gnutls_compression_priority (gnutls_session_t session,
gnutls_compression_method_t algorithm);
+gnutls_mac_algorithm_t gnutls_mac_get_id (const char* name);
+gnutls_cipher_algorithm_t gnutls_cipher_get_id (const char* name);
+gnutls_kx_algorithm_t gnutls_kx_get_id (const char* name);
+gnutls_protocol_t gnutls_protocol_get_id (const char* name);
+gnutls_certificate_type_t gnutls_certificate_type_get_id (const char* name);
+
#endif
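Review bot: The five new `gnutls_*_get_id` prototypes carry the public `gnutls_` prefix but are declared in the internal header lib/gnutls_algorithms.h, where the neighbouring declarations (`_gnutls_kx_priority`, `_gnutls_compression_priority`) use the `_gnutls_` prefix reserved for internals. If these are public API they belong in includes/gnutls/gnutls.h.in next to the `gnutls_*_convert_priority` functions; if they are internal helpers they should take the internal prefix. `gnutls_compression_get_id`, which lib/gnutls_priority.c calls in the same way, is not declared here, so presumably it already has a home elsewhere — the new declarations should follow it rather than create a second place for the same kind of prototype.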
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index 0a44fdf096..e2a38b5e2f 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -30,6 +30,11 @@
#include "gnutls_errors.h"
#include <gnutls_num.h>
+static void
+break_comma_list (char *etag,
+ char **broken_etag, int *elements, int max_elements,
+ char sep);
+
/**
* gnutls_cipher_set_priority - Sets the priority on the ciphers supported by gnutls.
* @session: is a #gnutls_session_t structure.
@@ -250,11 +255,11 @@ gnutls_certificate_type_set_priority (gnutls_session_t session,
}
static const int protocol_priority[] = {
- /* GNUTLS_TLS1_2, -- not finalized yet! */
- GNUTLS_TLS1_1,
- GNUTLS_TLS1_0,
- GNUTLS_SSL3,
- 0
+ /* GNUTLS_TLS1_2, -- not finalized yet! */
+ GNUTLS_TLS1_1,
+ GNUTLS_TLS1_0,
+ GNUTLS_SSL3,
+ 0
};
static const int kx_priority_performance[] = {
@@ -317,7 +322,7 @@ static const int cipher_priority_performance[] = {
static const int cipher_priority_security_normal[] = {
GNUTLS_CIPHER_AES_128_CBC,
#ifdef ENABLE_CAMELLIA
- GNUTLS_CIPHER_CAMELLIA_128_CBC,
+ GNUTLS_CIPHER_CAMELLIA_128_CBC,
#endif
GNUTLS_CIPHER_3DES_CBC,
GNUTLS_CIPHER_ARCFOUR_128,
@@ -328,11 +333,11 @@ static const int cipher_priority_security_normal[] = {
static const int cipher_priority_security_high[] = {
GNUTLS_CIPHER_AES_256_CBC,
#ifdef ENABLE_CAMELLIA
- GNUTLS_CIPHER_CAMELLIA_256_CBC,
+ GNUTLS_CIPHER_CAMELLIA_256_CBC,
#endif
GNUTLS_CIPHER_AES_128_CBC,
#ifdef ENABLE_CAMELLIA
- GNUTLS_CIPHER_CAMELLIA_128_CBC,
+ GNUTLS_CIPHER_CAMELLIA_128_CBC,
#endif
GNUTLS_CIPHER_3DES_CBC,
GNUTLS_CIPHER_ARCFOUR_128,
@@ -374,14 +379,60 @@ static const int mac_priority_security[] = {
static int cert_type_priority[] = {
GNUTLS_CRT_X509,
- GNUTLS_CRT_OPENPGP,
0
};
+typedef void (rmadd_func)(priority_st* priority_list, int alg);
+
+static void
+prio_remove (priority_st* priority_list, int algo)
+{
+ int i = 0;
+ int pos = -1; /* the position of the cipher to remove */
+
+ while (priority_list->priority[i] != 0)
+ {
+ if (priority_list->priority[i] == algo)
+ pos = i;
+ i++;
+ }
+
+ if (pos >= 0)
+ {
+ priority_list->priority[pos] =
+ priority_list->priority[i - 1];
+ priority_list->priority[i - 1] = 0;
+ priority_list->algorithms--;
+ }
+
+ return;
+}
+
+static void
+prio_add (priority_st* priority_list, int algo)
+{
+ register int i = 0;
+ while (priority_list->priority[i] != 0) {
+ if (algo == priority_list->priority[i]) return; /* if it exists */
+ i++;
+ }
+
+ if (i < MAX_ALGOS) {
+ priority_list->priority[i] = algo;
+ priority_list->algorithms++;
+ }
+
+ return;
+}
+
+#define MAX_ELEMENTS 48
/**
- * gnutls_set_default_priority2 - Sets some default priority on the cipher suites supported by gnutls.
+ * gnutls_set_priority - Sets some default priority on the cipher suites supported by gnutls.
* @session: is a #gnutls_session_t structure.
+ * @priority: is a string describing priorities
+ * @syntax_error: In case of an error an error string will be copied there.
+ * @syntax_error_size: the length of the previous string.
*
* Sets some default priority on the ciphers, key exchange methods,
* macs and compression methods. This is to avoid using the
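Review bot: prio_remove fills the hole left by the removed algorithm with the last entry (`priority[pos] = priority[i - 1]`), so a string such as `NORMAL:!AES-128-CBC` promotes the lowest-ranked cipher into the slot of the removed one and the "sorted by security margin" order the comment promises no longer holds after a removal; shifting the tail down one position keeps the relative order of the remaining entries. In prio_add the bound `i < MAX_ALGOS` allows a write into the last slot of `priority[]`; if that array has exactly MAX_ALGOS entries (its definition is not visible here) the list then has no terminating zero and the `while (priority[i] != 0)` scans in both helpers read past the end, so `i < MAX_ALGOS - 1` is the safer bound. Neither helper consults `algorithms` while scanning, which is fine only as long as the zero terminator is always maintained.
```c
static void
prio_remove (priority_st* priority_list, int algo)
{
  int i = 0, j;
  int pos = -1; /* the position of the cipher to remove */

  /* … unchanged: scan for algo; i ends on the zero terminator … */

  if (pos >= 0)
    {
      /* shift the tail down one slot so the remaining order is kept */
      for (j = pos; j < i - 1; j++)
        priority_list->priority[j] = priority_list->priority[j + 1];
      priority_list->priority[i - 1] = 0;
      priority_list->algorithms--;
    }
}
```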
@@ -389,21 +440,41 @@ static int cert_type_priority[] = {
* override any of the following priorities by calling the
* appropriate functions.
*
- * The default order is:
- * Protocols: TLS 1.1, TLS 1.0, and SSL3.
+ * The #priority option allows you to specify a semi-colon separated
+ * list of the cipher priorities to enable.
+ *
+ * Unless the first keyword is "NONE" the defaults are:
+ * Protocols: TLS1.1, TLS1.0, and SSL3.0.
* Compression: NULL.
- * Certificate types: X.509, OpenPGP.
+ * Certificate types: X.509.
*
- * In GNUTLS_PRIORITIES_PERFORMANCE all the "secure" ciphersuites are enabled,
+ * You can also use predefined sets of ciphersuites:
+ * "PERFORMANCE" all the "secure" ciphersuites are enabled,
* limited to 128 bit ciphers and sorted by terms of speed performance.
- * The GNUTLS_PRIORITIES_SECURITY_NORMAL flag enables all "secure" ciphersuites
+ *
+ * "NORMAL" option enables all "secure" ciphersuites
* limited to 128 bit ciphers and sorted by security margin.
- * The GNUTLS_PRIORITIES_SECURITY_HIGH flag enables all "secure" ciphersuites
+ *
+ * "HIGH" flag enables all "secure" ciphersuites
* including 256 bit ciphers and sorted by security margin.
- * In GNUTLS_PRIORITIES_EXPORT all the ciphersuites are enabled, including
+ *
+ * "EXPORT" all the ciphersuites are enabled, including
* the low-security 40 bit ciphers.
*
- * For key exchange algorithms when in SECURITY_NORMAL or SECURITY_HIGH levels
+ * "NONE" nothing is enabled. This disables even protocols and compression
+ * methods.
+ *
+ * Special keywords:
+ * '!' or '-' appended with an algorithm will remove this algorithm.
+ * '+' appended with an algorithm will add this algorithm.
+ * '%COMPAT' will enable compatibility features for a server.
+ *
+ * To avoid collisions in order to specify a compression algorithm
+ * in this string you have to prefix it with "COMP-", protocol versions with
+ * "VERS-" and certificate types with "CTYPE-". All other algorithms don't need
+ * a prefix.
+ *
+ * For key exchange algorithms when in NORMAL or HIGH levels
* the perfect forward secrecy algorithms take precendence of the other protocols.
* In all cases all the supported key exchange algorithms are enabled (except for the
* RSA-EXPORT which is only enabled in EXPORT level).
@@ -412,36 +483,130 @@ static int cert_type_priority[] = {
* to actually increase security the public key algorithms have to use longer key
* sizes as well.
*
- * Returns 0 on success.
+ * Examples: "NORMAL:!AES-128-CBC", "EXPORT:!VERS-TLS1.0:+COMP-DEFLATE:+CTYPE-OPENPGP",
+ * "+AES-128-CBC:+RSA:+SHA1", "NORMAL".
+ *
+ * On syntax error GNUTLS_E_INVALID_REQUEST is returned and 0 on success.
*
**/
-void
-gnutls_set_default_priority2 (gnutls_session_t session, gnutls_priority_flag_t flag)
+int
+gnutls_set_priority(gnutls_session_t session, const char *priority,
+ char *syntax_error, size_t syntax_error_size)
{
+ char *broken_list[MAX_ELEMENTS];
+ int broken_list_size, i, j;
+ char *darg;
+ int ret, algo;
+ rmadd_func* fn;
- if (flag == GNUTLS_PRIORITIES_PERFORMANCE) {
- gnutls_cipher_set_priority (session, cipher_priority_performance);
- gnutls_kx_set_priority (session, kx_priority_performance);
- gnutls_mac_set_priority (session, mac_priority_performance);
- } else if (flag == GNUTLS_PRIORITIES_SECURITY_NORMAL) {
- gnutls_cipher_set_priority (session, cipher_priority_security_normal);
- gnutls_kx_set_priority (session, kx_priority_security);
- gnutls_mac_set_priority (session, mac_priority_security);
- } else if (flag == GNUTLS_PRIORITIES_SECURITY_HIGH) {
- gnutls_cipher_set_priority (session, cipher_priority_security_high);
- gnutls_kx_set_priority (session, kx_priority_security);
- gnutls_mac_set_priority (session, mac_priority_security);
- } else if (flag == GNUTLS_PRIORITIES_EXPORT) {
- gnutls_cipher_set_priority (session, cipher_priority_export);
- gnutls_kx_set_priority (session, kx_priority_export);
- gnutls_mac_set_priority (session, mac_priority_export);
- }
+ if (priority == NULL)
+ priority = "NORMAL";
+
+ darg = gnutls_strdup (priority);
+ if (darg == NULL)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
- gnutls_protocol_set_priority (session, protocol_priority);
- gnutls_compression_set_priority (session, comp_priority);
- gnutls_certificate_type_set_priority (session, cert_type_priority);
+ break_comma_list (darg, broken_list, &broken_list_size, MAX_ELEMENTS, ':');
+
+ /* This is our default set of protocol version, certificate types and
+ * compression methods.
+ */
+ if (strcasecmp (broken_list[0], "NONE") != 0)
+ {
+ gnutls_protocol_set_priority (session, protocol_priority);
+ gnutls_compression_set_priority (session, comp_priority);
+ gnutls_certificate_type_set_priority (session, cert_type_priority);
+ }
+
+ for (i = 0; i < broken_list_size; i++)
+ {
+ if (strcasecmp (broken_list[i], "PERFORMANCE") == 0)
+ {
+ gnutls_cipher_set_priority (session, cipher_priority_performance);
+ gnutls_kx_set_priority (session, kx_priority_performance);
+ gnutls_mac_set_priority (session, mac_priority_performance);
+ }
+ else if (strcasecmp (broken_list[i], "NORMAL") == 0)
+ {
+ gnutls_cipher_set_priority (session,
+ cipher_priority_security_normal);
+ gnutls_kx_set_priority (session, kx_priority_security);
+ gnutls_mac_set_priority (session, mac_priority_security);
+ }
+ else if (strcasecmp (broken_list[i], "HIGH") == 0)
+ {
+ gnutls_cipher_set_priority (session, cipher_priority_security_high);
+ gnutls_kx_set_priority (session, kx_priority_security);
+ gnutls_mac_set_priority (session, mac_priority_security);
+ }
+ else if (strcasecmp (broken_list[i], "EXPORT") == 0)
+ {
+ gnutls_cipher_set_priority (session, cipher_priority_export);
+ gnutls_kx_set_priority (session, kx_priority_export);
+ gnutls_mac_set_priority (session, mac_priority_export);
+ } /* now check if the element is something like -ALGO */
+ else if (broken_list[i][0] == '!' || broken_list[i][0] == '+' || broken_list[i][0] == '-')
+ {
+ if (broken_list[i][0] == '+') fn = prio_add;
+ else fn = prio_remove;
+
+ if ((algo =
+ gnutls_mac_get_id (&broken_list[i][1])) != GNUTLS_MAC_UNKNOWN)
+ fn(&session->internals.mac_algorithm_priority, algo);
+ else if ((algo = gnutls_cipher_get_id (&broken_list[i][1])) !=
+ GNUTLS_CIPHER_UNKNOWN)
+ fn (&session->internals.cipher_algorithm_priority, algo);
+ else if ((algo = gnutls_kx_get_id (&broken_list[i][1])) !=
+ GNUTLS_KX_UNKNOWN)
+ fn(&session->internals.kx_algorithm_priority, algo);
+ else if (strncasecmp (&broken_list[i][1], "VERS-", 5) == 0)
+ {
+ if ((algo =
+ gnutls_protocol_get_id (&broken_list[i][6])) !=
+ GNUTLS_VERSION_UNKNOWN)
+ fn(&session->internals.protocol_priority, algo);
+ } /* now check if the element is something like -ALGO */
+ else if (strncasecmp (&broken_list[i][1], "COMP-", 5) == 0)
+ {
+ if ((algo =
+ gnutls_compression_get_id (&broken_list[i][6])) !=
+ GNUTLS_COMP_UNKNOWN)
+ fn(&session->internals.compression_method_priority, algo);
+ } /* now check if the element is something like -ALGO */
+ else if (strncasecmp (&broken_list[i][1], "CTYPE-", 6) == 0)
+ {
+ if ((algo =
+ gnutls_certificate_type_get_id (&broken_list[i][7])) !=
+ GNUTLS_CRT_UNKNOWN)
+ fn(&session->internals.cert_type_priority, algo);
+ } /* now check if the element is something like -ALGO */
+ else
+ goto error;
+ }
+ else if (broken_list[i][0] == '%')
+ {
+ if (strcasecmp (&broken_list[i][1], "COMPAT") == 0)
+ gnutls_session_enable_compatibility_mode (session);
+ else
+ goto error;
+ }
+ else
+ goto error;
+ }
+
+ gnutls_free (darg);
+ return 0;
+
+error:
+ gnutls_free (darg);
+ if (syntax_error != NULL)
+ snprintf (syntax_error, syntax_error_size, "Unknown element: %s",
+ broken_list[i]);
+ return GNUTLS_E_INVALID_REQUEST;
- return;
}
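Review bot: The `error:` label frees `darg` and then formats `broken_list[i]` into `syntax_error`, but every `broken_list[]` entry points into the `darg` buffer that break_comma_list split in place, so the snprintf reads freed memory on exactly the path that ex-client2.c prints to the user. Format first and free afterwards: `if (syntax_error != NULL)` / `  snprintf (syntax_error, syntax_error_size, "Unknown element: %s", broken_list[i]);` / `gnutls_free (darg);`. Separately, an unrecognised name after the `VERS-`, `COMP-` or `CTYPE-` prefix is silently ignored (the inner `if` in each of those three blocks has no else), so a misspelt `!VERS-SSL3.0` leaves the protocol enabled while the call still returns 0; each block should end with `else goto error;` to match the bare-algorithm branch. `j` and `ret` are declared but never used in the new body.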
/* New priority API with strings
@@ -450,30 +615,35 @@ gnutls_set_default_priority2 (gnutls_session_t session, gnutls_priority_flag_t f
/* Breaks a list of "xxx", "yyy", to a character array, of
* MAX_COMMA_SEP_ELEMENTS size; Note that the given string is modified.
*/
-static void break_comma_list(char *etag,
- char **broken_etag, int* elements, int max_elements,
- char sep)
+static void
+break_comma_list (char *etag,
+ char **broken_etag, int *elements, int max_elements,
+ char sep)
{
- char *p = etag;
- if (sep == 0) sep = ',';
+ char *p = etag;
+ if (sep == 0)
+ sep = ',';
- *elements = 0;
+ *elements = 0;
- do {
- broken_etag[*elements] = p;
+ do
+ {
+ broken_etag[*elements] = p;
- (*elements)++;
+ (*elements)++;
- p = strchr(p, sep);
- if (p) {
- *p = 0;
- p++; /* move to next entry and skip white
+ p = strchr (p, sep);
+ if (p)
+ {
+ *p = 0;
+ p++; /* move to next entry and skip white
* space.
*/
- while (*p == ' ')
- p++;
+ while (*p == ' ')
+ p++;
}
- } while (p != NULL && *elements < max_elements);
+ }
+ while (p != NULL && *elements < max_elements);
}
#if defined(__STDC_VERSION__) && __STD_VERSION__ > 199901L
@@ -504,40 +674,45 @@ static void break_comma_list(char *etag,
*
**/
int
-gnutls_mac_convert_priority (int* out_priority, int out_priority_len, const char *prio, char sep)
+gnutls_mac_convert_priority (int *out_priority, int out_priority_len,
+ const char *prio, char sep)
{
- char *broken_list[_GNUTLS_MAX_PRIO];
- int broken_list_size, i, j;
- char* darg;
- int ret;
-
- _GNUTLS_MAX_PRIO_CHECK(out_priority_len);
-
- darg = gnutls_strdup( prio);
- if (darg == NULL) {
- gnutls_assert();
+ char *broken_list[_GNUTLS_MAX_PRIO];
+ int broken_list_size, i, j;
+ char *darg;
+ int ret;
+
+ _GNUTLS_MAX_PRIO_CHECK (out_priority_len);
+
+ darg = gnutls_strdup (prio);
+ if (darg == NULL)
+ {
+ gnutls_assert ();
return GNUTLS_E_MEMORY_ERROR;
}
- break_comma_list(darg, broken_list, &broken_list_size, out_priority_len-1, sep);
+ break_comma_list (darg, broken_list, &broken_list_size,
+ out_priority_len - 1, sep);
- j = 0;
- for (i=0;i<broken_list_size;i++) {
- ret = gnutls_mac_get_id( broken_list[i]);
- if (ret != GNUTLS_MAC_UNKNOWN) {
- out_priority[j++] = ret;
- continue;
- }
-
- _gnutls_debug_log( "MAC algorithm %s is not known\n", broken_list[i]);
+ j = 0;
+ for (i = 0; i < broken_list_size; i++)
+ {
+ ret = gnutls_mac_get_id (broken_list[i]);
+ if (ret != GNUTLS_MAC_UNKNOWN)
+ {
+ out_priority[j++] = ret;
+ continue;
+ }
- gnutls_free(darg);
- return GNUTLS_E_UNKNOWN_ALGORITHM;
+ _gnutls_debug_log ("MAC algorithm %s is not known\n", broken_list[i]);
+
+ gnutls_free (darg);
+ return GNUTLS_E_UNKNOWN_ALGORITHM;
}
- out_priority[j] = 0;
+ out_priority[j] = 0;
- gnutls_free(darg);
- return 0;
+ gnutls_free (darg);
+ return 0;
}
/**
@@ -560,38 +735,45 @@ gnutls_mac_convert_priority (int* out_priority, int out_priority_len, const char
*
**/
int
-gnutls_certificate_type_convert_priority (int* out_priority, int out_priority_len, const char *prio, char sep)
+gnutls_certificate_type_convert_priority (int *out_priority,
+ int out_priority_len,
+ const char *prio, char sep)
{
- char *broken_list[_GNUTLS_MAX_PRIO];
- int broken_list_size, i, j, ret;
- char* darg;
-
- _GNUTLS_MAX_PRIO_CHECK(out_priority_len);
-
- darg = gnutls_strdup( prio);
- if (darg == NULL) {
- gnutls_assert();
+ char *broken_list[_GNUTLS_MAX_PRIO];
+ int broken_list_size, i, j, ret;
+ char *darg;
+
+ _GNUTLS_MAX_PRIO_CHECK (out_priority_len);
+
+ darg = gnutls_strdup (prio);
+ if (darg == NULL)
+ {
+ gnutls_assert ();
return GNUTLS_E_MEMORY_ERROR;
}
- break_comma_list(darg, broken_list, &broken_list_size, out_priority_len-1, sep);
-
- j = 0;
- for (i=0;i<broken_list_size;i++) {
- ret = gnutls_certificate_type_get_id( broken_list[i]);
- if (ret != GNUTLS_CRT_UNKNOWN) {
- out_priority[j++] = ret;
- continue;
- }
-
- _gnutls_debug_log("Certificate type %s is not known\n", broken_list[i]);
- gnutls_free(darg);
- return GNUTLS_E_UNKNOWN_ALGORITHM;
+ break_comma_list (darg, broken_list, &broken_list_size,
+ out_priority_len - 1, sep);
+
+ j = 0;
+ for (i = 0; i < broken_list_size; i++)
+ {
+ ret = gnutls_certificate_type_get_id (broken_list[i]);
+ if (ret != GNUTLS_CRT_UNKNOWN)
+ {
+ out_priority[j++] = ret;
+ continue;
+ }
+
+ _gnutls_debug_log ("Certificate type %s is not known\n",
+ broken_list[i]);
+ gnutls_free (darg);
+ return GNUTLS_E_UNKNOWN_ALGORITHM;
}
- out_priority[j] = 0;
+ out_priority[j] = 0;
- gnutls_free(darg);
- return 0;
+ gnutls_free (darg);
+ return 0;
}
/**
@@ -614,39 +796,45 @@ gnutls_certificate_type_convert_priority (int* out_priority, int out_priority_le
*
**/
int
-gnutls_compression_convert_priority (int* out_priority, int out_priority_len, const char *prio, char sep)
+gnutls_compression_convert_priority (int *out_priority, int out_priority_len,
+ const char *prio, char sep)
{
- char *broken_list[_GNUTLS_MAX_PRIO];
- int broken_list_size, i, j;
- char* darg;
- int ret;
-
- _GNUTLS_MAX_PRIO_CHECK(out_priority_len);
-
- darg = gnutls_strdup( prio);
- if (darg == NULL) {
- gnutls_assert();
+ char *broken_list[_GNUTLS_MAX_PRIO];
+ int broken_list_size, i, j;
+ char *darg;
+ int ret;
+
+ _GNUTLS_MAX_PRIO_CHECK (out_priority_len);
+
+ darg = gnutls_strdup (prio);
+ if (darg == NULL)
+ {
+ gnutls_assert ();
return GNUTLS_E_MEMORY_ERROR;
}
- break_comma_list(darg, broken_list, &broken_list_size, out_priority_len-1, sep);
+ break_comma_list (darg, broken_list, &broken_list_size,
+ out_priority_len - 1, sep);
- j = 0;
- for (i=0;i<broken_list_size;i++) {
- ret = gnutls_compression_get_id( broken_list[i]);
- if (ret != GNUTLS_COMP_UNKNOWN) {
- out_priority[j++] = ret;
- continue;
- }
+ j = 0;
+ for (i = 0; i < broken_list_size; i++)
+ {
+ ret = gnutls_compression_get_id (broken_list[i]);
+ if (ret != GNUTLS_COMP_UNKNOWN)
+ {
+ out_priority[j++] = ret;
+ continue;
+ }
- _gnutls_debug_log( "Compression algorithm %s is not known\n", broken_list[i]);
- gnutls_free(darg);
- return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
+ _gnutls_debug_log ("Compression algorithm %s is not known\n",
+ broken_list[i]);
+ gnutls_free (darg);
+ return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
}
- out_priority[j] = 0;
+ out_priority[j] = 0;
- gnutls_free(darg);
- return 0;
+ gnutls_free (darg);
+ return 0;
}
/**
@@ -669,39 +857,44 @@ gnutls_compression_convert_priority (int* out_priority, int out_priority_len, co
*
**/
int
-gnutls_protocol_convert_priority (int* out_priority, int out_priority_len, const char *prio, char sep)
+gnutls_protocol_convert_priority (int *out_priority, int out_priority_len,
+ const char *prio, char sep)
{
- char *broken_list[_GNUTLS_MAX_PRIO];
- int broken_list_size, i, j;
- char* darg;
- int ret;
-
- _GNUTLS_MAX_PRIO_CHECK(out_priority_len);
-
- darg = gnutls_strdup( prio);
- if (darg == NULL) {
- gnutls_assert();
+ char *broken_list[_GNUTLS_MAX_PRIO];
+ int broken_list_size, i, j;
+ char *darg;
+ int ret;
+
+ _GNUTLS_MAX_PRIO_CHECK (out_priority_len);
+
+ darg = gnutls_strdup (prio);
+ if (darg == NULL)
+ {
+ gnutls_assert ();
return GNUTLS_E_MEMORY_ERROR;
}
- break_comma_list(darg, broken_list, &broken_list_size, out_priority_len-1, sep);
-
- j = 0;
- for (i=0;i<broken_list_size;i++) {
- ret = gnutls_compression_get_id( broken_list[i]);
- if (ret != GNUTLS_VERSION_UNKNOWN) {
- out_priority[j++] = ret;
- continue;
- }
-
- _gnutls_debug_log( "Protocol %s is not known\n", broken_list[i]);
- gnutls_free(darg);
- return GNUTLS_E_UNKNOWN_ALGORITHM;
+ break_comma_list (darg, broken_list, &broken_list_size,
+ out_priority_len - 1, sep);
+
+ j = 0;
+ for (i = 0; i < broken_list_size; i++)
+ {
+ ret = gnutls_compression_get_id (broken_list[i]);
+ if (ret != GNUTLS_VERSION_UNKNOWN)
+ {
+ out_priority[j++] = ret;
+ continue;
+ }
+
+ _gnutls_debug_log ("Protocol %s is not known\n", broken_list[i]);
+ gnutls_free (darg);
+ return GNUTLS_E_UNKNOWN_ALGORITHM;
}
- out_priority[j] = 0;
+ out_priority[j] = 0;
- gnutls_free(darg);
- return 0;
+ gnutls_free (darg);
+ return 0;
}
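Review bot: gnutls_protocol_convert_priority still resolves names with `gnutls_compression_get_id` (the `+` line `ret = gnutls_compression_get_id (broken_list[i]);`) and then compares the result with GNUTLS_VERSION_UNKNOWN, so protocol names are looked up in the compression table and the values stored in out_priority are compression ids; the commit re-indents that line without correcting it, even though it declares `gnutls_protocol_get_id` in lib/gnutls_algorithms.h. The line should read `ret = gnutls_protocol_get_id (broken_list[i]);`. Whether GNUTLS_COMP_UNKNOWN and GNUTLS_VERSION_UNKNOWN share a value cannot be seen here, so the unknown-name check may also be ineffective as written.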
/**
@@ -725,39 +918,45 @@ gnutls_protocol_convert_priority (int* out_priority, int out_priority_len, const
*
**/
int
-gnutls_kx_convert_priority (int* out_priority, int out_priority_len, const char *prio, char sep)
+gnutls_kx_convert_priority (int *out_priority, int out_priority_len,
+ const char *prio, char sep)
{
- char *broken_list[_GNUTLS_MAX_PRIO];
- int broken_list_size, i, j;
- char* darg;
- int ret;
-
- _GNUTLS_MAX_PRIO_CHECK(out_priority_len);
-
- darg = gnutls_strdup( prio);
- if (darg == NULL) {
- gnutls_assert();
+ char *broken_list[_GNUTLS_MAX_PRIO];
+ int broken_list_size, i, j;
+ char *darg;
+ int ret;
+
+ _GNUTLS_MAX_PRIO_CHECK (out_priority_len);
+
+ darg = gnutls_strdup (prio);
+ if (darg == NULL)
+ {
+ gnutls_assert ();
return GNUTLS_E_MEMORY_ERROR;
}
- break_comma_list(darg, broken_list, &broken_list_size, out_priority_len-1, sep);
+ break_comma_list (darg, broken_list, &broken_list_size,
+ out_priority_len - 1, sep);
- j = 0;
- for (i=0;i<broken_list_size;i++) {
- ret = gnutls_kx_get_id( broken_list[i]);
- if (ret != GNUTLS_KX_UNKNOWN) {
- out_priority[j++] = ret;
- continue;
- }
+ j = 0;
+ for (i = 0; i < broken_list_size; i++)
+ {
+ ret = gnutls_kx_get_id (broken_list[i]);
+ if (ret != GNUTLS_KX_UNKNOWN)
+ {
+ out_priority[j++] = ret;
+ continue;
+ }
- _gnutls_debug_log( "Key exchange algorithm %s is not known\n", broken_list[i]);
- gnutls_free(darg);
- return GNUTLS_E_UNKNOWN_ALGORITHM;
+ _gnutls_debug_log ("Key exchange algorithm %s is not known\n",
+ broken_list[i]);
+ gnutls_free (darg);
+ return GNUTLS_E_UNKNOWN_ALGORITHM;
}
- out_priority[j] = 0;
+ out_priority[j] = 0;
- gnutls_free(darg);
- return 0;
+ gnutls_free (darg);
+ return 0;
}
/**
@@ -781,37 +980,42 @@ gnutls_kx_convert_priority (int* out_priority, int out_priority_len, const char
*
**/
int
-gnutls_cipher_convert_priority (int* out_priority, int out_priority_len, const char *prio, char sep)
+gnutls_cipher_convert_priority (int *out_priority, int out_priority_len,
+ const char *prio, char sep)
{
- char *broken_list[_GNUTLS_MAX_PRIO];
- int broken_list_size, i, j;
- char* darg;
- int ret;
-
- _GNUTLS_MAX_PRIO_CHECK(out_priority_len);
-
- darg = gnutls_strdup( prio);
- if (darg == NULL) {
- gnutls_assert();
+ char *broken_list[_GNUTLS_MAX_PRIO];
+ int broken_list_size, i, j;
+ char *darg;
+ int ret;
+
+ _GNUTLS_MAX_PRIO_CHECK (out_priority_len);
+
+ darg = gnutls_strdup (prio);
+ if (darg == NULL)
+ {
+ gnutls_assert ();
return GNUTLS_E_MEMORY_ERROR;
}
- break_comma_list(darg, broken_list, &broken_list_size, out_priority_len-1, sep);
+ break_comma_list (darg, broken_list, &broken_list_size,
+ out_priority_len - 1, sep);
- j = 0;
- for (i=0;i<broken_list_size;i++) {
- ret = gnutls_cipher_get_id( broken_list[i]);
- if (ret != GNUTLS_CIPHER_UNKNOWN) {
- out_priority[j++] = ret;
- continue;
- }
+ j = 0;
+ for (i = 0; i < broken_list_size; i++)
+ {
+ ret = gnutls_cipher_get_id (broken_list[i]);
+ if (ret != GNUTLS_CIPHER_UNKNOWN)
+ {
+ out_priority[j++] = ret;
+ continue;
+ }
- _gnutls_debug_log( "Cipher %s is not known\n", broken_list[i]);
- gnutls_free(darg);
- return GNUTLS_E_UNKNOWN_ALGORITHM;
+ _gnutls_debug_log ("Cipher %s is not known\n", broken_list[i]);
+ gnutls_free (darg);
+ return GNUTLS_E_UNKNOWN_ALGORITHM;
}
- out_priority[j] = 0;
+ out_priority[j] = 0;
- gnutls_free(darg);
- return 0;
+ gnutls_free (darg);
+ return 0;
}
diff --git a/lib/gnutlsxx.cpp b/lib/gnutlsxx.cpp
index 71e22c50c3..9cca9270ab 100644
--- a/lib/gnutlsxx.cpp
+++ b/lib/gnutlsxx.cpp
@@ -187,9 +187,9 @@ void session::set_certificate_type_priority (const int *list)
/* if you just want some defaults, use the following.
*/
-void session::set_default_priority(priority_flag flag)
+void session::set_default_priority(const char* prio)
{
- gnutls_set_default_priority2( this->s, flag);
+ gnutls_set_default_priority2( this->s, prio, NULL, 0);
}
gnutls_protocol_t session::get_protocol_version() const
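Review bot: The rewritten set_default_priority still calls gnutls_set_default_priority2(), while the NEWS entry in this same commit says that function is renamed to gnutls_set_priority() — which is what src/cli.c and src/serv.c now call — so unless a compatibility alias is kept this binding will not link. The call also passes NULL/0 for the error buffer and discards the return value, so a malformed priority string is silently ignored here whereas the C tools abort on it; the C++ wrapper should at least propagate the failure, e.g. `int ret = gnutls_set_priority(this->s, prio, NULL, 0);` followed by the error-reporting idiom the other setters in this file use (presumably RETWRAP / throwing on a negative code — confirm against the rest of the file).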
diff --git a/src/cli-gaa.c b/src/cli-gaa.c
index 1a1513793f..98276be25c 100644
--- a/src/cli-gaa.c
+++ b/src/cli-gaa.c
@@ -143,6 +143,7 @@ void gaa_help(void)
__gaa_helpsingle(0, "macs", "mac1 mac2... ", "MACs to enable.");
__gaa_helpsingle(0, "kx", "kx1 kx2... ", "Key exchange methods to enable.");
__gaa_helpsingle(0, "ctypes", "certType1 certType2... ", "Certificate types to enable.");
+ __gaa_helpsingle(0, "priority", "PRIORITY STRING ", "Priorities string.");
__gaa_helpsingle(0, "x509cafile", "FILE ", "Certificate file to use.");
__gaa_helpsingle(0, "x509crlfile", "FILE ", "CRL file to use.");
__gaa_helpsingle(0, "pgpkeyfile", "FILE ", "PGP Key file to use.");
@@ -175,36 +176,38 @@ typedef struct _gaainfo gaainfo;
struct _gaainfo
{
-#line 116 "cli.gaa"
+#line 119 "cli.gaa"
char *rest_args;
-#line 107 "cli.gaa"
+#line 110 "cli.gaa"
int insecure;
-#line 104 "cli.gaa"
+#line 107 "cli.gaa"
char *port;
-#line 101 "cli.gaa"
+#line 104 "cli.gaa"
char *opaque_prf_input;
-#line 98 "cli.gaa"
+#line 101 "cli.gaa"
char *psk_key;
-#line 95 "cli.gaa"
+#line 98 "cli.gaa"
char *psk_username;
-#line 92 "cli.gaa"
+#line 95 "cli.gaa"
char *srp_passwd;
-#line 89 "cli.gaa"
+#line 92 "cli.gaa"
char *srp_username;
-#line 86 "cli.gaa"
+#line 89 "cli.gaa"
char *x509_certfile;
-#line 83 "cli.gaa"
+#line 86 "cli.gaa"
char *x509_keyfile;
-#line 80 "cli.gaa"
+#line 83 "cli.gaa"
char *pgp_certfile;
-#line 77 "cli.gaa"
+#line 80 "cli.gaa"
char *pgp_keyring;
-#line 74 "cli.gaa"
+#line 77 "cli.gaa"
char *pgp_keyfile;
-#line 71 "cli.gaa"
+#line 74 "cli.gaa"
char *x509_crlfile;
-#line 68 "cli.gaa"
+#line 71 "cli.gaa"
char *x509_cafile;
+#line 68 "cli.gaa"
+ char *priorities;
#line 65 "cli.gaa"
char **ctype;
#line 64 "cli.gaa"
@@ -303,7 +306,7 @@ static int gaa_error = 0;
#define GAA_MULTIPLE_OPTION 3
#define GAA_REST 0
-#define GAA_NB_OPTION 34
+#define GAA_NB_OPTION 35
#define GAAOPTID_copyright 1
#define GAAOPTID_version 2
#define GAAOPTID_help 3
@@ -322,22 +325,23 @@ static int gaa_error = 0;
#define GAAOPTID_pgpkeyfile 16
#define GAAOPTID_x509crlfile 17
#define GAAOPTID_x509cafile 18
-#define GAAOPTID_ctypes 19
-#define GAAOPTID_kx 20
-#define GAAOPTID_macs 21
-#define GAAOPTID_comp 22
-#define GAAOPTID_protocols 23
-#define GAAOPTID_ciphers 24
-#define GAAOPTID_verbose 25
-#define GAAOPTID_recordsize 26
-#define GAAOPTID_print_cert 27
-#define GAAOPTID_disable_extensions 28
-#define GAAOPTID_fingerprint 29
-#define GAAOPTID_x509fmtder 30
-#define GAAOPTID_crlf 31
-#define GAAOPTID_starttls 32
-#define GAAOPTID_resume 33
-#define GAAOPTID_debug 34
+#define GAAOPTID_priority 19
+#define GAAOPTID_ctypes 20
+#define GAAOPTID_kx 21
+#define GAAOPTID_macs 22
+#define GAAOPTID_comp 23
+#define GAAOPTID_protocols 24
+#define GAAOPTID_ciphers 25
+#define GAAOPTID_verbose 26
+#define GAAOPTID_recordsize 27
+#define GAAOPTID_print_cert 28
+#define GAAOPTID_disable_extensions 29
+#define GAAOPTID_fingerprint 30
+#define GAAOPTID_x509fmtder 31
+#define GAAOPTID_crlf 32
+#define GAAOPTID_starttls 33
+#define GAAOPTID_resume 34
+#define GAAOPTID_debug 35
#line 168 "gaa.skel"
@@ -602,6 +606,12 @@ struct GAAOPTION_x509cafile
int size1;
};
+struct GAAOPTION_priority
+{
+ char* arg1;
+ int size1;
+};
+
struct GAAOPTION_ctypes
{
char** arg1;
@@ -699,6 +709,7 @@ static int gaa_get_option_num(char *str, int status)
GAA_CHECK1STR("", GAAOPTID_pgpkeyfile);
GAA_CHECK1STR("", GAAOPTID_x509crlfile);
GAA_CHECK1STR("", GAAOPTID_x509cafile);
+ GAA_CHECK1STR("", GAAOPTID_priority);
GAA_CHECK1STR("", GAAOPTID_ctypes);
GAA_CHECK1STR("", GAAOPTID_kx);
GAA_CHECK1STR("", GAAOPTID_macs);
@@ -744,6 +755,7 @@ static int gaa_get_option_num(char *str, int status)
GAA_CHECKSTR("pgpkeyfile", GAAOPTID_pgpkeyfile);
GAA_CHECKSTR("x509crlfile", GAAOPTID_x509crlfile);
GAA_CHECKSTR("x509cafile", GAAOPTID_x509cafile);
+ GAA_CHECKSTR("priority", GAAOPTID_priority);
GAA_CHECKSTR("ctypes", GAAOPTID_ctypes);
GAA_CHECKSTR("kx", GAAOPTID_kx);
GAA_CHECKSTR("macs", GAAOPTID_macs);
@@ -785,6 +797,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
struct GAAOPTION_pgpkeyfile GAATMP_pgpkeyfile;
struct GAAOPTION_x509crlfile GAATMP_x509crlfile;
struct GAAOPTION_x509cafile GAATMP_x509cafile;
+ struct GAAOPTION_priority GAATMP_priority;
struct GAAOPTION_ctypes GAATMP_ctypes;
struct GAAOPTION_kx GAATMP_kx;
struct GAAOPTION_macs GAATMP_macs;
@@ -815,35 +828,35 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
{
case GAAOPTID_copyright:
OK = 0;
-#line 114 "cli.gaa"
+#line 117 "cli.gaa"
{ print_license(); exit(0); ;};
return GAA_OK;
break;
case GAAOPTID_version:
OK = 0;
-#line 113 "cli.gaa"
+#line 116 "cli.gaa"
{ cli_version(); exit(0); ;};
return GAA_OK;
break;
case GAAOPTID_help:
OK = 0;
-#line 111 "cli.gaa"
+#line 114 "cli.gaa"
{ gaa_help(); exit(0); ;};
return GAA_OK;
break;
case GAAOPTID_list:
OK = 0;
-#line 110 "cli.gaa"
+#line 113 "cli.gaa"
{ print_list(gaaval->verbose); exit(0); ;};
return GAA_OK;
break;
case GAAOPTID_insecure:
OK = 0;
-#line 108 "cli.gaa"
+#line 111 "cli.gaa"
{ gaaval->insecure = 1 ;};
return GAA_OK;
@@ -853,7 +866,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_port.arg1, gaa_getstr, GAATMP_port.size1);
gaa_index++;
-#line 105 "cli.gaa"
+#line 108 "cli.gaa"
{ gaaval->port = GAATMP_port.arg1 ;};
return GAA_OK;
@@ -863,7 +876,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_opaque_prf_input.arg1, gaa_getstr, GAATMP_opaque_prf_input.size1);
gaa_index++;
-#line 102 "cli.gaa"
+#line 105 "cli.gaa"
{ gaaval->opaque_prf_input = GAATMP_opaque_prf_input.arg1 ;};
return GAA_OK;
@@ -873,7 +886,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_pskkey.arg1, gaa_getstr, GAATMP_pskkey.size1);
gaa_index++;
-#line 99 "cli.gaa"
+#line 102 "cli.gaa"
{ gaaval->psk_key = GAATMP_pskkey.arg1 ;};
return GAA_OK;
@@ -883,7 +896,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_pskusername.arg1, gaa_getstr, GAATMP_pskusername.size1);
gaa_index++;
-#line 96 "cli.gaa"
+#line 99 "cli.gaa"
{ gaaval->psk_username = GAATMP_pskusername.arg1 ;};
return GAA_OK;
@@ -893,7 +906,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_srppasswd.arg1, gaa_getstr, GAATMP_srppasswd.size1);
gaa_index++;
-#line 93 "cli.gaa"
+#line 96 "cli.gaa"
{ gaaval->srp_passwd = GAATMP_srppasswd.arg1 ;};
return GAA_OK;
@@ -903,7 +916,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_srpusername.arg1, gaa_getstr, GAATMP_srpusername.size1);
gaa_index++;
-#line 90 "cli.gaa"
+#line 93 "cli.gaa"
{ gaaval->srp_username = GAATMP_srpusername.arg1 ;};
return GAA_OK;
@@ -913,7 +926,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_x509certfile.arg1, gaa_getstr, GAATMP_x509certfile.size1);
gaa_index++;
-#line 87 "cli.gaa"
+#line 90 "cli.gaa"
{ gaaval->x509_certfile = GAATMP_x509certfile.arg1 ;};
return GAA_OK;
@@ -923,7 +936,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_x509keyfile.arg1, gaa_getstr, GAATMP_x509keyfile.size1);
gaa_index++;
-#line 84 "cli.gaa"
+#line 87 "cli.gaa"
{ gaaval->x509_keyfile = GAATMP_x509keyfile.arg1 ;};
return GAA_OK;
@@ -933,7 +946,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_pgpcertfile.arg1, gaa_getstr, GAATMP_pgpcertfile.size1);
gaa_index++;
-#line 81 "cli.gaa"
+#line 84 "cli.gaa"
{ gaaval->pgp_certfile = GAATMP_pgpcertfile.arg1 ;};
return GAA_OK;
@@ -943,7 +956,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_pgpkeyring.arg1, gaa_getstr, GAATMP_pgpkeyring.size1);
gaa_index++;
-#line 78 "cli.gaa"
+#line 81 "cli.gaa"
{ gaaval->pgp_keyring = GAATMP_pgpkeyring.arg1 ;};
return GAA_OK;
@@ -953,7 +966,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_pgpkeyfile.arg1, gaa_getstr, GAATMP_pgpkeyfile.size1);
gaa_index++;
-#line 75 "cli.gaa"
+#line 78 "cli.gaa"
{ gaaval->pgp_keyfile = GAATMP_pgpkeyfile.arg1 ;};
return GAA_OK;
@@ -963,7 +976,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_x509crlfile.arg1, gaa_getstr, GAATMP_x509crlfile.size1);
gaa_index++;
-#line 72 "cli.gaa"
+#line 75 "cli.gaa"
{ gaaval->x509_crlfile = GAATMP_x509crlfile.arg1 ;};
return GAA_OK;
@@ -973,11 +986,21 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_x509cafile.arg1, gaa_getstr, GAATMP_x509cafile.size1);
gaa_index++;
-#line 69 "cli.gaa"
+#line 72 "cli.gaa"
{ gaaval->x509_cafile = GAATMP_x509cafile.arg1 ;};
return GAA_OK;
break;
+ case GAAOPTID_priority:
+ OK = 0;
+ GAA_TESTMOREARGS;
+ GAA_FILL(GAATMP_priority.arg1, gaa_getstr, GAATMP_priority.size1);
+ gaa_index++;
+#line 69 "cli.gaa"
+{ gaaval->priorities = GAATMP_priority.arg1 ;};
+
+ return GAA_OK;
+ break;
case GAAOPTID_ctypes:
OK = 0;
GAA_LIST_FILL(GAATMP_ctypes.arg1, gaa_getstr, char*, GAATMP_ctypes.size1);
@@ -1106,7 +1129,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAAREST_tmp.arg1, gaa_getstr, GAAREST_tmp.size1);
gaa_index++;
-#line 117 "cli.gaa"
+#line 120 "cli.gaa"
{ gaaval->rest_args = GAAREST_tmp.arg1; ;};
return GAA_OK;
@@ -1135,7 +1158,7 @@ int gaa(int argc, char **argv, gaainfo *gaaval)
if(inited == 0)
{
-#line 119 "cli.gaa"
+#line 122 "cli.gaa"
{ gaaval->resume=0; gaaval->port="443"; gaaval->rest_args=NULL; gaaval->ciphers=NULL;
gaaval->kx=NULL; gaaval->comp=NULL; gaaval->macs=NULL; gaaval->ctype=NULL; gaaval->nciphers=0;
gaaval->nkx=0; gaaval->ncomp=0; gaaval->nmacs=0; gaaval->nctype = 0; gaaval->record_size=0;
@@ -1144,7 +1167,7 @@ int gaa(int argc, char **argv, gaainfo *gaaval)
gaaval->x509_keyfile=NULL; gaaval->x509_certfile=NULL; gaaval->crlf = 0;
gaaval->srp_username=NULL; gaaval->srp_passwd=NULL; gaaval->fmtder = 0; gaaval->starttls =0;
gaaval->debug = 0; gaaval->print_cert = 0; gaaval->verbose = 0; gaaval->psk_key = NULL;
- gaaval->psk_username = NULL;
+ gaaval->psk_username = NULL; gaaval->priorities = NULL;
gaaval->opaque_prf_input = NULL; ;};
}
@@ -1293,7 +1316,7 @@ static int gaa_internal_get_next_str(FILE *file, gaa_str_node *tmp_str, int argc
len++;
a = fgetc( file);
- if(a==EOF) return 0; /* a = ' '; */
+ if(a==EOF) return 0; //a = ' ';
}
len += 1;
diff --git a/src/cli-gaa.h b/src/cli-gaa.h
index 5b1cc8cc43..bb44749995 100644
--- a/src/cli-gaa.h
+++ b/src/cli-gaa.h
@@ -8,36 +8,38 @@ typedef struct _gaainfo gaainfo;
struct _gaainfo
{
-#line 116 "cli.gaa"
+#line 119 "cli.gaa"
char *rest_args;
-#line 107 "cli.gaa"
+#line 110 "cli.gaa"
int insecure;
-#line 104 "cli.gaa"
+#line 107 "cli.gaa"
char *port;
-#line 101 "cli.gaa"
+#line 104 "cli.gaa"
char *opaque_prf_input;
-#line 98 "cli.gaa"
+#line 101 "cli.gaa"
char *psk_key;
-#line 95 "cli.gaa"
+#line 98 "cli.gaa"
char *psk_username;
-#line 92 "cli.gaa"
+#line 95 "cli.gaa"
char *srp_passwd;
-#line 89 "cli.gaa"
+#line 92 "cli.gaa"
char *srp_username;
-#line 86 "cli.gaa"
+#line 89 "cli.gaa"
char *x509_certfile;
-#line 83 "cli.gaa"
+#line 86 "cli.gaa"
char *x509_keyfile;
-#line 80 "cli.gaa"
+#line 83 "cli.gaa"
char *pgp_certfile;
-#line 77 "cli.gaa"
+#line 80 "cli.gaa"
char *pgp_keyring;
-#line 74 "cli.gaa"
+#line 77 "cli.gaa"
char *pgp_keyfile;
-#line 71 "cli.gaa"
+#line 74 "cli.gaa"
char *x509_crlfile;
-#line 68 "cli.gaa"
+#line 71 "cli.gaa"
char *x509_cafile;
+#line 68 "cli.gaa"
+ char *priorities;
#line 65 "cli.gaa"
char **ctype;
#line 64 "cli.gaa"
diff --git a/src/cli.c b/src/cli.c
index a9af923a15..ef11fd62e5 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -374,11 +374,17 @@ cert_callback (gnutls_session_t session,
static gnutls_session_t
init_tls_session (const char *hostname)
{
+char err[128];
+
gnutls_session_t session;
gnutls_init (&session, GNUTLS_CLIENT);
- gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_PERFORMANCE);
+ if (gnutls_set_priority (session, info.priorities, err, sizeof(err)-1) < 0)
+ {
+ fprintf(stderr, "%s\n", err);
+ exit(1);
+ }
/* allow the use of private ciphersuites.
*/
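Review bot: `err` is declared but never initialized, and nothing visible here guarantees gnutls_set_priority() writes it on every failure path (a memory error, for instance), so the `fprintf(stderr, "%s\n", err)` on failure can print an unterminated stack buffer; declare it as `char err[128] = "";` and print the library code too, e.g. `int ret = gnutls_set_priority (session, info.priorities, err, sizeof (err) - 1);` then `if (ret < 0) { fprintf (stderr, "%s: %s\n", gnutls_strerror (ret), err); exit (1); }`. info.priorities is initialized to NULL by the option parser, and whether gnutls_set_priority() treats NULL as "use defaults" is not visible in this diff — the replaced call selected GNUTLS_PRIORITIES_PERFORMANCE explicitly, so the no-option behaviour deserves a comment at the call site. The same pattern appears in initialize_session() in src/serv.c. The `char err[128];` declaration sits at column 0 inside the function body, unlike the surrounding code; init_tls_session's body continues past the end of this hunk.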
@@ -530,7 +536,7 @@ main (int argc, char **argv)
if ((ret = gnutls_global_init_extra ()) < 0)
{
fprintf (stderr, "global_init_extra: %s\n", gnutls_strerror (ret));
- exit (1);
+// exit (1);
}
gaa_parser (argc, argv);
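Review bot: Commenting out `exit (1)` turns a failed gnutls_global_init_extra() from a fatal error into a logged condition after which the client proceeds with whatever libgnutls-extra provides left uninitialized, and the intent is not recorded anywhere. If continuing is deliberate, delete the dead line rather than leaving a `//`-commented statement in a file that otherwise uses `/* */` comments, and say why it is tolerable, e.g. `/* Not fatal: only features provided by libgnutls-extra become unavailable. */`; if it is a debugging leftover, the exit should be restored. main's body continues outside this hunk.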
diff --git a/src/cli.gaa b/src/cli.gaa
index d099db2401..03ae11ac17 100644
--- a/src/cli.gaa
+++ b/src/cli.gaa
@@ -65,6 +65,9 @@ option (kx) *STR "kx1 kx2..." { $kx = $1; $nkx = @1 } "Key exchange methods to e
#char **ctype;
option (ctypes) *STR "certType1 certType2..." { $ctype = $1; $nctype = @1 } "Certificate types to enable."
+#char *priorities;
+option (priority) STR "PRIORITY STRING" { $priorities = $1 } "Priorities string."
+
#char *x509_cafile;
option (x509cafile) STR "FILE" { $x509_cafile = $1 } "Certificate file to use."
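Review bot: The help text for the new option, `"Priorities string."`, tells the user nothing about what the string expresses or where its syntax is documented, and it is the text that lands in the generated gaa_help() of cli-gaa.c. Something like `"Priority string for ciphersuite parameters (see gnutls_set_priority())."` would at least point at the API the NEWS entry describes; the same help text is added to src/serv.gaa.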
@@ -124,5 +127,5 @@ init { $resume=0; $port="443"; $rest_args=NULL; $ciphers=NULL;
$x509_keyfile=NULL; $x509_certfile=NULL; $crlf = 0;
$srp_username=NULL; $srp_passwd=NULL; $fmtder = 0; $starttls =0;
$debug = 0; $print_cert = 0; $verbose = 0; $psk_key = NULL;
- $psk_username = NULL;
+ $psk_username = NULL; $priorities = NULL;
$opaque_prf_input = NULL; }
diff --git a/src/serv-gaa.c b/src/serv-gaa.c
index 3abe465f52..6adfd2d4f6 100644
--- a/src/serv-gaa.c
+++ b/src/serv-gaa.c
@@ -155,6 +155,7 @@ void gaa_help(void)
__gaa_helpsingle(0, "macs", "mac1 mac2... ", "MACs to enable.");
__gaa_helpsingle(0, "kx", "kx1 kx2... ", "Key exchange methods to enable.");
__gaa_helpsingle(0, "ctypes", "certType1 certType2... ", "Certificate types to enable.");
+ __gaa_helpsingle(0, "priority", "PRIORITY STRING ", "Priorities string.");
__gaa_helpsingle('l', "list", "", "Print a list of the supported algorithms and modes.");
__gaa_helpsingle('h', "help", "", "prints this help");
__gaa_helpsingle('v', "version", "", "prints the program's version number");
@@ -173,6 +174,8 @@ typedef struct _gaainfo gaainfo;
struct _gaainfo
{
+#line 106 "serv.gaa"
+ char *priorities;
#line 103 "serv.gaa"
char **ctype;
#line 102 "serv.gaa"
@@ -297,41 +300,42 @@ static int gaa_error = 0;
#define GAA_MULTIPLE_OPTION 3
#define GAA_REST 0
-#define GAA_NB_OPTION 34
+#define GAA_NB_OPTION 35
#define GAAOPTID_copyright 1
#define GAAOPTID_version 2
#define GAAOPTID_help 3
#define GAAOPTID_list 4
-#define GAAOPTID_ctypes 5
-#define GAAOPTID_kx 6
-#define GAAOPTID_macs 7
-#define GAAOPTID_comp 8
-#define GAAOPTID_protocols 9
-#define GAAOPTID_ciphers 10
-#define GAAOPTID_opaque_prf_input 11
-#define GAAOPTID_srppasswdconf 12
-#define GAAOPTID_srppasswd 13
-#define GAAOPTID_pskpasswd 14
-#define GAAOPTID_disable_client_cert 15
-#define GAAOPTID_require_cert 16
-#define GAAOPTID_x509dsacertfile 17
-#define GAAOPTID_x509dsakeyfile 18
-#define GAAOPTID_x509certfile 19
-#define GAAOPTID_x509keyfile 20
-#define GAAOPTID_pgpcertfile 21
-#define GAAOPTID_pgpkeyfile 22
-#define GAAOPTID_pgpkeyring 23
-#define GAAOPTID_x509crlfile 24
-#define GAAOPTID_x509cafile 25
-#define GAAOPTID_x509fmtder 26
-#define GAAOPTID_dhparams 27
-#define GAAOPTID_echo 28
-#define GAAOPTID_http 29
-#define GAAOPTID_nodb 30
-#define GAAOPTID_quiet 31
-#define GAAOPTID_port 32
-#define GAAOPTID_generate 33
-#define GAAOPTID_debug 34
+#define GAAOPTID_priority 5
+#define GAAOPTID_ctypes 6
+#define GAAOPTID_kx 7
+#define GAAOPTID_macs 8
+#define GAAOPTID_comp 9
+#define GAAOPTID_protocols 10
+#define GAAOPTID_ciphers 11
+#define GAAOPTID_opaque_prf_input 12
+#define GAAOPTID_srppasswdconf 13
+#define GAAOPTID_srppasswd 14
+#define GAAOPTID_pskpasswd 15
+#define GAAOPTID_disable_client_cert 16
+#define GAAOPTID_require_cert 17
+#define GAAOPTID_x509dsacertfile 18
+#define GAAOPTID_x509dsakeyfile 19
+#define GAAOPTID_x509certfile 20
+#define GAAOPTID_x509keyfile 21
+#define GAAOPTID_pgpcertfile 22
+#define GAAOPTID_pgpkeyfile 23
+#define GAAOPTID_pgpkeyring 24
+#define GAAOPTID_x509crlfile 25
+#define GAAOPTID_x509cafile 26
+#define GAAOPTID_x509fmtder 27
+#define GAAOPTID_dhparams 28
+#define GAAOPTID_echo 29
+#define GAAOPTID_http 30
+#define GAAOPTID_nodb 31
+#define GAAOPTID_quiet 32
+#define GAAOPTID_port 33
+#define GAAOPTID_generate 34
+#define GAAOPTID_debug 35
#line 168 "gaa.skel"
@@ -518,6 +522,12 @@ static float gaa_getfloat(char *arg)
}
/* option structures */
+struct GAAOPTION_priority
+{
+ char* arg1;
+ int size1;
+};
+
struct GAAOPTION_ctypes
{
char** arg1;
@@ -679,6 +689,7 @@ static int gaa_get_option_num(char *str, int status)
switch(status)
{
case GAA_LETTER_OPTION:
+ GAA_CHECK1STR("", GAAOPTID_priority);
GAA_CHECK1STR("", GAAOPTID_ctypes);
GAA_CHECK1STR("", GAAOPTID_kx);
GAA_CHECK1STR("", GAAOPTID_macs);
@@ -723,6 +734,7 @@ static int gaa_get_option_num(char *str, int status)
GAA_CHECKSTR("version", GAAOPTID_version);
GAA_CHECKSTR("help", GAAOPTID_help);
GAA_CHECKSTR("list", GAAOPTID_list);
+ GAA_CHECKSTR("priority", GAAOPTID_priority);
GAA_CHECKSTR("ctypes", GAAOPTID_ctypes);
GAA_CHECKSTR("kx", GAAOPTID_kx);
GAA_CHECKSTR("macs", GAAOPTID_macs);
@@ -765,6 +777,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
{
int OK = 0;
int gaa_last_non_option;
+ struct GAAOPTION_priority GAATMP_priority;
struct GAAOPTION_ctypes GAATMP_ctypes;
struct GAAOPTION_kx GAATMP_kx;
struct GAAOPTION_macs GAATMP_macs;
@@ -809,32 +822,42 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
{
case GAAOPTID_copyright:
OK = 0;
-#line 110 "serv.gaa"
+#line 113 "serv.gaa"
{ print_serv_license(); exit(0); ;};
return GAA_OK;
break;
case GAAOPTID_version:
OK = 0;
-#line 109 "serv.gaa"
+#line 112 "serv.gaa"
{ serv_version(); exit(0); ;};
return GAA_OK;
break;
case GAAOPTID_help:
OK = 0;
-#line 107 "serv.gaa"
+#line 110 "serv.gaa"
{ gaa_help(); exit(0); ;};
return GAA_OK;
break;
case GAAOPTID_list:
OK = 0;
-#line 106 "serv.gaa"
+#line 109 "serv.gaa"
{ print_list(0); exit(0); ;};
return GAA_OK;
break;
+ case GAAOPTID_priority:
+ OK = 0;
+ GAA_TESTMOREARGS;
+ GAA_FILL(GAATMP_priority.arg1, gaa_getstr, GAATMP_priority.size1);
+ gaa_index++;
+#line 107 "serv.gaa"
+{ gaaval->priorities = GAATMP_priority.arg1 ;};
+
+ return GAA_OK;
+ break;
case GAAOPTID_ctypes:
OK = 0;
GAA_LIST_FILL(GAATMP_ctypes.arg1, gaa_getstr, char*, GAATMP_ctypes.size1);
@@ -1123,7 +1146,7 @@ int gaa(int argc, char **argv, gaainfo *gaaval)
if(inited == 0)
{
-#line 114 "serv.gaa"
+#line 117 "serv.gaa"
{ gaaval->generate=0; gaaval->port=5556; gaaval->http=0; gaaval->ciphers=NULL;
gaaval->kx=NULL; gaaval->comp=NULL; gaaval->macs=NULL; gaaval->ctype=NULL; gaaval->nciphers=0;
gaaval->nkx=0; gaaval->ncomp=0; gaaval->nmacs=0; gaaval->nctype = 0; gaaval->nodb = 0;
@@ -1132,7 +1155,7 @@ int gaa(int argc, char **argv, gaainfo *gaaval)
gaaval->x509_dsakeyfile=NULL; gaaval->x509_dsacertfile=NULL;
gaaval->srp_passwd=NULL; gaaval->srp_passwd_conf=NULL; gaaval->quiet = 0;
gaaval->pgp_keyring=NULL; gaaval->fmtder = 0;
- gaaval->disable_client_cert = 0;
+ gaaval->disable_client_cert = 0; gaaval->priorities = NULL;
gaaval->dh_params_file=NULL; gaaval->debug=0; gaaval->require_cert = 0; gaaval->psk_passwd = 0;
gaaval->opaque_prf_input=NULL; ;};
@@ -1283,7 +1306,7 @@ static int gaa_internal_get_next_str(FILE *file, gaa_str_node *tmp_str, int argc
len++;
a = fgetc( file);
- if(a==EOF) return 0; /* a = ' '; */
+ if(a==EOF) return 0; //a = ' ';
}
len += 1;
diff --git a/src/serv-gaa.h b/src/serv-gaa.h
index e1f2ef05a8..8cc21c994e 100644
--- a/src/serv-gaa.h
+++ b/src/serv-gaa.h
@@ -8,6 +8,8 @@ typedef struct _gaainfo gaainfo;
struct _gaainfo
{
+#line 106 "serv.gaa"
+ char *priorities;
#line 103 "serv.gaa"
char **ctype;
#line 102 "serv.gaa"
diff --git a/src/serv.c b/src/serv.c
index 701cf92adf..24c06f7189 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -365,6 +365,7 @@ gnutls_session_t
initialize_session (void)
{
gnutls_session_t session;
+ char err[128];
gnutls_init (&session, GNUTLS_SERVER);
@@ -380,7 +381,11 @@ initialize_session (void)
gnutls_db_set_ptr (session, NULL);
}
- gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_PERFORMANCE);
+ if (gnutls_set_priority (session, info.priorities, err, sizeof(err)-1) < 0)
+ {
+ fprintf(stderr, "%s\n", err);
+ exit(1);
+ }
if (cipher_priority[0])
gnutls_cipher_set_priority (session, cipher_priority);
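Review bot: The new gnutls_set_priority() call is made before the existing `if (cipher_priority[0]) gnutls_cipher_set_priority (session, cipher_priority);` (and presumably its sibling per-algorithm setters that follow outside the hunk), so when both --priority and --ciphers/--kx/... are given, the explicit lists silently override the matching part of the priority string without any diagnostic. That precedence should be stated at the call site, e.g. `/* Explicit --ciphers/--kx/... lists below override the matching part of the --priority string. */`, and ideally in the option help. initialize_session's body continues outside this hunk; the uninitialized `err` buffer issue is noted on the identical code in src/cli.c.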
diff --git a/src/serv.gaa b/src/serv.gaa
index 81d0f9c963..eac2e65083 100644
--- a/src/serv.gaa
+++ b/src/serv.gaa
@@ -103,6 +103,9 @@ option (kx) *STR "kx1 kx2..." { $kx = $1; $nkx = @1 } "Key exchange methods to e
#char **ctype;
option (ctypes) *STR "certType1 certType2..." { $ctype = $1; $nctype = @1 } "Certificate types to enable."
+#char *priorities;
+option (priority) STR "PRIORITY STRING" { $priorities = $1 } "Priorities string."
+
option (l, list) { print_list(0); exit(0); } "Print a list of the supported algorithms and modes."
option (h, help) { gaa_help(); exit(0); } "prints this help"
@@ -119,6 +122,6 @@ init { $generate=0; $port=5556; $http=0; $ciphers=NULL;
$x509_dsakeyfile=NULL; $x509_dsacertfile=NULL;
$srp_passwd=NULL; $srp_passwd_conf=NULL; $quiet = 0;
$pgp_keyring=NULL; $fmtder = 0;
- $disable_client_cert = 0;
+ $disable_client_cert = 0; $priorities = NULL;
$dh_params_file=NULL; $debug=0; $require_cert = 0; $psk_passwd = 0;
$opaque_prf_input=NULL; }