Diffstat (limited to 'lib/algorithms')
-rw-r--r-- | lib/algorithms/cert_types.c | 4 | ||||
-rw-r--r-- | lib/algorithms/ciphers.c | 673 | ||||
-rw-r--r-- | lib/algorithms/ciphersuites.c | 2201 | ||||
-rw-r--r-- | lib/algorithms/ecc.c | 464 | ||||
-rw-r--r-- | lib/algorithms/groups.c | 310 | ||||
-rw-r--r-- | lib/algorithms/kx.c | 155 | ||||
-rw-r--r-- | lib/algorithms/mac.c | 446 | ||||
-rw-r--r-- | lib/algorithms/protocols.c | 323 | ||||
-rw-r--r-- | lib/algorithms/publickey.c | 242 | ||||
-rw-r--r-- | lib/algorithms/secparams.c | 50 | ||||
-rw-r--r-- | lib/algorithms/sign.c | 811 |
11 files changed, 3069 insertions, 2610 deletions
diff --git a/lib/algorithms/cert_types.c b/lib/algorithms/cert_types.c
index 41c3b903a1..e78ec2e4f6 100644
--- a/lib/algorithms/cert_types.c
+++ b/lib/algorithms/cert_types.c
@@ -69,9 +69,7 @@ gnutls_certificate_type_t gnutls_certificate_type_get_id(const char *name)
 }
 static const gnutls_certificate_type_t supported_certificate_types[] = {
- GNUTLS_CRT_X509,
- GNUTLS_CRT_RAWPK,
- 0
+ GNUTLS_CRT_X509, GNUTLS_CRT_RAWPK, 0
 };
 /**
diff --git a/lib/algorithms/ciphers.c b/lib/algorithms/ciphers.c
index 3a6b86efcc..3efe121cb8 100644
--- a/lib/algorithms/ciphers.c
+++ b/lib/algorithms/ciphers.c
@@ -38,332 +38,348 @@ * that specify them (they will be a no-op). */ static const cipher_entry_st algorithms[] = { - {.name = "AES-256-CBC", - .id = GNUTLS_CIPHER_AES_256_CBC, - .blocksize = 16, - .keysize = 32, - .type = CIPHER_BLOCK, - .explicit_iv = 16, - .cipher_iv = 16}, - {.name = "AES-192-CBC", - .id = GNUTLS_CIPHER_AES_192_CBC, - .blocksize = 16, - .keysize = 24, - .type = CIPHER_BLOCK, - .explicit_iv = 16, - .cipher_iv = 16}, - {.name = "AES-128-CBC", - .id = GNUTLS_CIPHER_AES_128_CBC, - .blocksize = 16, - .keysize = 16, - .type = CIPHER_BLOCK, - .explicit_iv = 16, - .cipher_iv = 16}, - {.name = "AES-128-GCM", - .id = GNUTLS_CIPHER_AES_128_GCM, - .blocksize = 16, - .keysize = 16, - .type = CIPHER_AEAD, - .implicit_iv = 4, - .explicit_iv = 8, - .cipher_iv = 12, - .tagsize = 16}, - {.name = "AES-192-GCM", - .id = GNUTLS_CIPHER_AES_192_GCM, - .blocksize = 16, - .keysize = 24, - .type = CIPHER_AEAD, - .implicit_iv = 4, - .explicit_iv = 8, - .cipher_iv = 12, - .tagsize = 16}, - {.name = "AES-256-GCM", - .id = GNUTLS_CIPHER_AES_256_GCM, - .blocksize = 16, - .keysize = 32, - .type = CIPHER_AEAD, - .implicit_iv = 4, - .explicit_iv = 8, - .cipher_iv = 12, - .tagsize = 16}, - {.name = "AES-128-CCM", - .id = GNUTLS_CIPHER_AES_128_CCM, - .blocksize = 16, - .keysize = 16, - .type = CIPHER_AEAD, - .implicit_iv = 4, - .explicit_iv = 8, - .cipher_iv = 12, - .flags = GNUTLS_CIPHER_FLAG_ONLY_AEAD, - .tagsize = 16}, - {.name = "AES-256-CCM", - .id = GNUTLS_CIPHER_AES_256_CCM, - .blocksize = 16, - .keysize = 32, - .type = CIPHER_AEAD, - .implicit_iv = 4, - .explicit_iv = 8, - .cipher_iv = 12, - .flags = GNUTLS_CIPHER_FLAG_ONLY_AEAD, - .tagsize = 16}, - {.name = "AES-128-CCM-8", - .id = GNUTLS_CIPHER_AES_128_CCM_8, - .blocksize = 16, - .keysize = 16, - .type = CIPHER_AEAD, - .implicit_iv = 4, - .explicit_iv = 8, - .cipher_iv = 12, - .flags = GNUTLS_CIPHER_FLAG_ONLY_AEAD, - .tagsize = 8}, - {.name = "AES-256-CCM-8", - .id = GNUTLS_CIPHER_AES_256_CCM_8, - .blocksize = 16, - 
.keysize = 32, - .type = CIPHER_AEAD, - .implicit_iv = 4, - .explicit_iv = 8, - .cipher_iv = 12, - .flags = GNUTLS_CIPHER_FLAG_ONLY_AEAD, - .tagsize = 8}, - {.name = "ARCFOUR-128", - .id = GNUTLS_CIPHER_ARCFOUR_128, - .blocksize = 1, - .keysize = 16, - .type = CIPHER_STREAM, - 0, 0, 0, 0}, - {.name = "ESTREAM-SALSA20-256", - .id = GNUTLS_CIPHER_ESTREAM_SALSA20_256, - .blocksize = 64, - .keysize = 32, - .type = CIPHER_STREAM, 0, 0, 8, 0}, - {.name = "SALSA20-256", - .id = GNUTLS_CIPHER_SALSA20_256, - .blocksize = 64, - .keysize = 32, - .type = CIPHER_STREAM, - .explicit_iv = 0, - .cipher_iv = 8}, - {.name = "CHACHA20-32", - .id = GNUTLS_CIPHER_CHACHA20_32, - .blocksize = 64, - .keysize = 32, - .type = CIPHER_STREAM, - .explicit_iv = 0, - /* IV includes counter */ - .cipher_iv = 16}, - {.name = "CHACHA20-64", - .id = GNUTLS_CIPHER_CHACHA20_64, - .blocksize = 64, - .keysize = 32, - .type = CIPHER_STREAM, - .explicit_iv = 0, - /* IV includes counter */ - .cipher_iv = 16}, - {.name = "CAMELLIA-256-CBC", - .id = GNUTLS_CIPHER_CAMELLIA_256_CBC, - .blocksize = 16, - .keysize = 32, - .type = CIPHER_BLOCK, - .explicit_iv = 16, - .cipher_iv = 16}, - {.name = "CAMELLIA-192-CBC", - .id = GNUTLS_CIPHER_CAMELLIA_192_CBC, - .blocksize = 16, - .keysize = 24, - .type = CIPHER_BLOCK, - .explicit_iv = 16, - .cipher_iv = 16}, - {.name = "CAMELLIA-128-CBC", - .id = GNUTLS_CIPHER_CAMELLIA_128_CBC, - .blocksize = 16, - .keysize = 16, - .type = CIPHER_BLOCK, - .explicit_iv = 16, - .cipher_iv = 16}, - {.name = "CHACHA20-POLY1305", - .id = GNUTLS_CIPHER_CHACHA20_POLY1305, - .blocksize = 64, - .keysize = 32, - .type = CIPHER_AEAD, - .implicit_iv = 12, - .explicit_iv = 0, - /* in chacha20 we don't need a rekey after 2^24 messages */ - .flags = GNUTLS_CIPHER_FLAG_XOR_NONCE | GNUTLS_CIPHER_FLAG_NO_REKEY, - .cipher_iv = 12, - .tagsize = 16}, - {.name = "CAMELLIA-128-GCM", - .id = GNUTLS_CIPHER_CAMELLIA_128_GCM, - .blocksize = 16, - .keysize = 16, - .type = CIPHER_AEAD, 4, 8, 12, 16}, - {.name = 
"CAMELLIA-256-GCM", - .id = GNUTLS_CIPHER_CAMELLIA_256_GCM, - .blocksize = 16, - .keysize = 32, - .type = CIPHER_AEAD, - .implicit_iv = 4, - .explicit_iv = 8, - .cipher_iv = 12, - .tagsize = 16}, - {.name = "GOST28147-TC26Z-CFB", - .id = GNUTLS_CIPHER_GOST28147_TC26Z_CFB, - .blocksize = 8, - .keysize = 32, - .type = CIPHER_STREAM, - .implicit_iv = 8, - .cipher_iv = 8}, - {.name = "GOST28147-CPA-CFB", - .id = GNUTLS_CIPHER_GOST28147_CPA_CFB, - .blocksize = 8, - .keysize = 32, - .type = CIPHER_STREAM, - .implicit_iv = 8, - .cipher_iv = 8}, - {.name = "GOST28147-CPB-CFB", - .id = GNUTLS_CIPHER_GOST28147_CPB_CFB, - .blocksize = 8, - .keysize = 32, - .type = CIPHER_STREAM, - .implicit_iv = 8, - .cipher_iv = 8}, - {.name = "GOST28147-CPC-CFB", - .id = GNUTLS_CIPHER_GOST28147_CPC_CFB, - .blocksize = 8, - .keysize = 32, - .type = CIPHER_STREAM, - .implicit_iv = 8, - .cipher_iv = 8}, - {.name = "GOST28147-CPD-CFB", - .id = GNUTLS_CIPHER_GOST28147_CPD_CFB, - .blocksize = 8, - .keysize = 32, - .type = CIPHER_STREAM, - .implicit_iv = 8, - .cipher_iv = 8}, + { .name = "AES-256-CBC", + .id = GNUTLS_CIPHER_AES_256_CBC, + .blocksize = 16, + .keysize = 32, + .type = CIPHER_BLOCK, + .explicit_iv = 16, + .cipher_iv = 16 }, + { .name = "AES-192-CBC", + .id = GNUTLS_CIPHER_AES_192_CBC, + .blocksize = 16, + .keysize = 24, + .type = CIPHER_BLOCK, + .explicit_iv = 16, + .cipher_iv = 16 }, + { .name = "AES-128-CBC", + .id = GNUTLS_CIPHER_AES_128_CBC, + .blocksize = 16, + .keysize = 16, + .type = CIPHER_BLOCK, + .explicit_iv = 16, + .cipher_iv = 16 }, + { .name = "AES-128-GCM", + .id = GNUTLS_CIPHER_AES_128_GCM, + .blocksize = 16, + .keysize = 16, + .type = CIPHER_AEAD, + .implicit_iv = 4, + .explicit_iv = 8, + .cipher_iv = 12, + .tagsize = 16 }, + { .name = "AES-192-GCM", + .id = GNUTLS_CIPHER_AES_192_GCM, + .blocksize = 16, + .keysize = 24, + .type = CIPHER_AEAD, + .implicit_iv = 4, + .explicit_iv = 8, + .cipher_iv = 12, + .tagsize = 16 }, + { .name = "AES-256-GCM", + .id = 
GNUTLS_CIPHER_AES_256_GCM, + .blocksize = 16, + .keysize = 32, + .type = CIPHER_AEAD, + .implicit_iv = 4, + .explicit_iv = 8, + .cipher_iv = 12, + .tagsize = 16 }, + { .name = "AES-128-CCM", + .id = GNUTLS_CIPHER_AES_128_CCM, + .blocksize = 16, + .keysize = 16, + .type = CIPHER_AEAD, + .implicit_iv = 4, + .explicit_iv = 8, + .cipher_iv = 12, + .flags = GNUTLS_CIPHER_FLAG_ONLY_AEAD, + .tagsize = 16 }, + { .name = "AES-256-CCM", + .id = GNUTLS_CIPHER_AES_256_CCM, + .blocksize = 16, + .keysize = 32, + .type = CIPHER_AEAD, + .implicit_iv = 4, + .explicit_iv = 8, + .cipher_iv = 12, + .flags = GNUTLS_CIPHER_FLAG_ONLY_AEAD, + .tagsize = 16 }, + { .name = "AES-128-CCM-8", + .id = GNUTLS_CIPHER_AES_128_CCM_8, + .blocksize = 16, + .keysize = 16, + .type = CIPHER_AEAD, + .implicit_iv = 4, + .explicit_iv = 8, + .cipher_iv = 12, + .flags = GNUTLS_CIPHER_FLAG_ONLY_AEAD, + .tagsize = 8 }, + { .name = "AES-256-CCM-8", + .id = GNUTLS_CIPHER_AES_256_CCM_8, + .blocksize = 16, + .keysize = 32, + .type = CIPHER_AEAD, + .implicit_iv = 4, + .explicit_iv = 8, + .cipher_iv = 12, + .flags = GNUTLS_CIPHER_FLAG_ONLY_AEAD, + .tagsize = 8 }, + { .name = "ARCFOUR-128", + .id = GNUTLS_CIPHER_ARCFOUR_128, + .blocksize = 1, + .keysize = 16, + .type = CIPHER_STREAM, + 0, + 0, + 0, + 0 }, + { .name = "ESTREAM-SALSA20-256", + .id = GNUTLS_CIPHER_ESTREAM_SALSA20_256, + .blocksize = 64, + .keysize = 32, + .type = CIPHER_STREAM, + 0, + 0, + 8, + 0 }, + { .name = "SALSA20-256", + .id = GNUTLS_CIPHER_SALSA20_256, + .blocksize = 64, + .keysize = 32, + .type = CIPHER_STREAM, + .explicit_iv = 0, + .cipher_iv = 8 }, + { .name = "CHACHA20-32", + .id = GNUTLS_CIPHER_CHACHA20_32, + .blocksize = 64, + .keysize = 32, + .type = CIPHER_STREAM, + .explicit_iv = 0, + /* IV includes counter */ + .cipher_iv = 16 }, + { .name = "CHACHA20-64", + .id = GNUTLS_CIPHER_CHACHA20_64, + .blocksize = 64, + .keysize = 32, + .type = CIPHER_STREAM, + .explicit_iv = 0, + /* IV includes counter */ + .cipher_iv = 16 }, + { .name = 
"CAMELLIA-256-CBC", + .id = GNUTLS_CIPHER_CAMELLIA_256_CBC, + .blocksize = 16, + .keysize = 32, + .type = CIPHER_BLOCK, + .explicit_iv = 16, + .cipher_iv = 16 }, + { .name = "CAMELLIA-192-CBC", + .id = GNUTLS_CIPHER_CAMELLIA_192_CBC, + .blocksize = 16, + .keysize = 24, + .type = CIPHER_BLOCK, + .explicit_iv = 16, + .cipher_iv = 16 }, + { .name = "CAMELLIA-128-CBC", + .id = GNUTLS_CIPHER_CAMELLIA_128_CBC, + .blocksize = 16, + .keysize = 16, + .type = CIPHER_BLOCK, + .explicit_iv = 16, + .cipher_iv = 16 }, + { .name = "CHACHA20-POLY1305", + .id = GNUTLS_CIPHER_CHACHA20_POLY1305, + .blocksize = 64, + .keysize = 32, + .type = CIPHER_AEAD, + .implicit_iv = 12, + .explicit_iv = 0, + /* in chacha20 we don't need a rekey after 2^24 messages */ + .flags = GNUTLS_CIPHER_FLAG_XOR_NONCE | GNUTLS_CIPHER_FLAG_NO_REKEY, + .cipher_iv = 12, + .tagsize = 16 }, + { .name = "CAMELLIA-128-GCM", + .id = GNUTLS_CIPHER_CAMELLIA_128_GCM, + .blocksize = 16, + .keysize = 16, + .type = CIPHER_AEAD, + 4, + 8, + 12, + 16 }, + { .name = "CAMELLIA-256-GCM", + .id = GNUTLS_CIPHER_CAMELLIA_256_GCM, + .blocksize = 16, + .keysize = 32, + .type = CIPHER_AEAD, + .implicit_iv = 4, + .explicit_iv = 8, + .cipher_iv = 12, + .tagsize = 16 }, + { .name = "GOST28147-TC26Z-CFB", + .id = GNUTLS_CIPHER_GOST28147_TC26Z_CFB, + .blocksize = 8, + .keysize = 32, + .type = CIPHER_STREAM, + .implicit_iv = 8, + .cipher_iv = 8 }, + { .name = "GOST28147-CPA-CFB", + .id = GNUTLS_CIPHER_GOST28147_CPA_CFB, + .blocksize = 8, + .keysize = 32, + .type = CIPHER_STREAM, + .implicit_iv = 8, + .cipher_iv = 8 }, + { .name = "GOST28147-CPB-CFB", + .id = GNUTLS_CIPHER_GOST28147_CPB_CFB, + .blocksize = 8, + .keysize = 32, + .type = CIPHER_STREAM, + .implicit_iv = 8, + .cipher_iv = 8 }, + { .name = "GOST28147-CPC-CFB", + .id = GNUTLS_CIPHER_GOST28147_CPC_CFB, + .blocksize = 8, + .keysize = 32, + .type = CIPHER_STREAM, + .implicit_iv = 8, + .cipher_iv = 8 }, + { .name = "GOST28147-CPD-CFB", + .id = GNUTLS_CIPHER_GOST28147_CPD_CFB, + 
.blocksize = 8, + .keysize = 32, + .type = CIPHER_STREAM, + .implicit_iv = 8, + .cipher_iv = 8 }, - {.name = "AES-128-CFB8", - .id = GNUTLS_CIPHER_AES_128_CFB8, - .blocksize = 16, - .keysize = 16, - .type = CIPHER_BLOCK, - .explicit_iv = 16, - .cipher_iv = 16}, - {.name = "AES-192-CFB8", - .id = GNUTLS_CIPHER_AES_192_CFB8, - .blocksize = 16, - .keysize = 24, - .type = CIPHER_BLOCK, - .explicit_iv = 16, - .cipher_iv = 16}, - {.name = "AES-256-CFB8", - .id = GNUTLS_CIPHER_AES_256_CFB8, - .blocksize = 16, - .keysize = 32, - .type = CIPHER_BLOCK, - .explicit_iv = 16, - .cipher_iv = 16}, - {.name = "AES-128-XTS", - .id = GNUTLS_CIPHER_AES_128_XTS, - .blocksize = 16, - .keysize = 32, - .type = CIPHER_BLOCK, - .explicit_iv = 16, - .cipher_iv = 16}, - {.name = "AES-256-XTS", - .id = GNUTLS_CIPHER_AES_256_XTS, - .blocksize = 16, - .keysize = 64, - .type = CIPHER_BLOCK, - .explicit_iv = 16, - .cipher_iv = 16}, - {.name = "AES-128-SIV", - .id = GNUTLS_CIPHER_AES_128_SIV, - .blocksize = 16, - .keysize = 32, - .type = CIPHER_AEAD, - .explicit_iv = 16, - .cipher_iv = 16, - .flags = GNUTLS_CIPHER_FLAG_ONLY_AEAD | - GNUTLS_CIPHER_FLAG_TAG_PREFIXED, - .tagsize = 16}, - {.name = "AES-256-SIV", - .id = GNUTLS_CIPHER_AES_256_SIV, - .blocksize = 16, - .keysize = 64, - .type = CIPHER_AEAD, - .explicit_iv = 16, - .cipher_iv = 16, - .flags = GNUTLS_CIPHER_FLAG_ONLY_AEAD | - GNUTLS_CIPHER_FLAG_TAG_PREFIXED, - .tagsize = 16}, - {.name = "GOST28147-TC26Z-CNT", - .id = GNUTLS_CIPHER_GOST28147_TC26Z_CNT, - .blocksize = 8, - .keysize = 32, - .type = CIPHER_STREAM, - .implicit_iv = 8, - .cipher_iv = 8}, - {.name = "MAGMA-CTR-ACPKM", - .id = GNUTLS_CIPHER_MAGMA_CTR_ACPKM, - .blocksize = 8, - .keysize = 32, - .type = CIPHER_STREAM, - .implicit_iv = 4, - .cipher_iv = 8}, - {.name = "KUZNYECHIK-CTR-ACPKM", - .id = GNUTLS_CIPHER_KUZNYECHIK_CTR_ACPKM, - .blocksize = 16, - .keysize = 32, - .type = CIPHER_STREAM, - .implicit_iv = 8, - .cipher_iv = 16}, - {.name = "3DES-CBC", - .id = 
GNUTLS_CIPHER_3DES_CBC, - .blocksize = 8, - .keysize = 24, - .type = CIPHER_BLOCK, - .explicit_iv = 8, - .cipher_iv = 8}, - {.name = "DES-CBC", - .id = GNUTLS_CIPHER_DES_CBC, - .blocksize = 8, - .keysize = 8, - .type = CIPHER_BLOCK, - .explicit_iv = 8, - .cipher_iv = 8}, - {.name = "ARCFOUR-40", - .id = GNUTLS_CIPHER_ARCFOUR_40, - .blocksize = 1, - .keysize = 5, - .type = CIPHER_STREAM}, - {.name = "RC2-40", - .id = GNUTLS_CIPHER_RC2_40_CBC, - .blocksize = 8, - .keysize = 5, - .type = CIPHER_BLOCK, - .explicit_iv = 8, - .cipher_iv = 8}, - {.name = "NULL", - .id = GNUTLS_CIPHER_NULL, - .blocksize = 1, - .keysize = 0, - .type = CIPHER_STREAM}, - {0, 0, 0, 0, 0, 0, 0} + { .name = "AES-128-CFB8", + .id = GNUTLS_CIPHER_AES_128_CFB8, + .blocksize = 16, + .keysize = 16, + .type = CIPHER_BLOCK, + .explicit_iv = 16, + .cipher_iv = 16 }, + { .name = "AES-192-CFB8", + .id = GNUTLS_CIPHER_AES_192_CFB8, + .blocksize = 16, + .keysize = 24, + .type = CIPHER_BLOCK, + .explicit_iv = 16, + .cipher_iv = 16 }, + { .name = "AES-256-CFB8", + .id = GNUTLS_CIPHER_AES_256_CFB8, + .blocksize = 16, + .keysize = 32, + .type = CIPHER_BLOCK, + .explicit_iv = 16, + .cipher_iv = 16 }, + { .name = "AES-128-XTS", + .id = GNUTLS_CIPHER_AES_128_XTS, + .blocksize = 16, + .keysize = 32, + .type = CIPHER_BLOCK, + .explicit_iv = 16, + .cipher_iv = 16 }, + { .name = "AES-256-XTS", + .id = GNUTLS_CIPHER_AES_256_XTS, + .blocksize = 16, + .keysize = 64, + .type = CIPHER_BLOCK, + .explicit_iv = 16, + .cipher_iv = 16 }, + { .name = "AES-128-SIV", + .id = GNUTLS_CIPHER_AES_128_SIV, + .blocksize = 16, + .keysize = 32, + .type = CIPHER_AEAD, + .explicit_iv = 16, + .cipher_iv = 16, + .flags = GNUTLS_CIPHER_FLAG_ONLY_AEAD | + GNUTLS_CIPHER_FLAG_TAG_PREFIXED, + .tagsize = 16 }, + { .name = "AES-256-SIV", + .id = GNUTLS_CIPHER_AES_256_SIV, + .blocksize = 16, + .keysize = 64, + .type = CIPHER_AEAD, + .explicit_iv = 16, + .cipher_iv = 16, + .flags = GNUTLS_CIPHER_FLAG_ONLY_AEAD | + GNUTLS_CIPHER_FLAG_TAG_PREFIXED, + 
.tagsize = 16 }, + { .name = "GOST28147-TC26Z-CNT", + .id = GNUTLS_CIPHER_GOST28147_TC26Z_CNT, + .blocksize = 8, + .keysize = 32, + .type = CIPHER_STREAM, + .implicit_iv = 8, + .cipher_iv = 8 }, + { .name = "MAGMA-CTR-ACPKM", + .id = GNUTLS_CIPHER_MAGMA_CTR_ACPKM, + .blocksize = 8, + .keysize = 32, + .type = CIPHER_STREAM, + .implicit_iv = 4, + .cipher_iv = 8 }, + { .name = "KUZNYECHIK-CTR-ACPKM", + .id = GNUTLS_CIPHER_KUZNYECHIK_CTR_ACPKM, + .blocksize = 16, + .keysize = 32, + .type = CIPHER_STREAM, + .implicit_iv = 8, + .cipher_iv = 16 }, + { .name = "3DES-CBC", + .id = GNUTLS_CIPHER_3DES_CBC, + .blocksize = 8, + .keysize = 24, + .type = CIPHER_BLOCK, + .explicit_iv = 8, + .cipher_iv = 8 }, + { .name = "DES-CBC", + .id = GNUTLS_CIPHER_DES_CBC, + .blocksize = 8, + .keysize = 8, + .type = CIPHER_BLOCK, + .explicit_iv = 8, + .cipher_iv = 8 }, + { .name = "ARCFOUR-40", + .id = GNUTLS_CIPHER_ARCFOUR_40, + .blocksize = 1, + .keysize = 5, + .type = CIPHER_STREAM }, + { .name = "RC2-40", + .id = GNUTLS_CIPHER_RC2_40_CBC, + .blocksize = 8, + .keysize = 5, + .type = CIPHER_BLOCK, + .explicit_iv = 8, + .cipher_iv = 8 }, + { .name = "NULL", + .id = GNUTLS_CIPHER_NULL, + .blocksize = 1, + .keysize = 0, + .type = CIPHER_STREAM }, + { 0, 0, 0, 0, 0, 0, 0 } }; -#define GNUTLS_CIPHER_LOOP(b) \ - const cipher_entry_st *p; \ - for(p = algorithms; p->name != NULL; p++) { b ; } +#define GNUTLS_CIPHER_LOOP(b) \ + const cipher_entry_st *p; \ + for (p = algorithms; p->name != NULL; p++) { \ + b; \ + } -#define GNUTLS_ALG_LOOP(a) \ - GNUTLS_CIPHER_LOOP( if(p->id == algorithm) { a; break; } ) +#define GNUTLS_ALG_LOOP(a) \ + GNUTLS_CIPHER_LOOP(if (p->id == algorithm) { \ + a; \ + break; \ + }) /* CIPHER functions */ const cipher_entry_st *_gnutls_cipher_to_entry(gnutls_cipher_algorithm_t c) { - GNUTLS_CIPHER_LOOP(if (c == p->id) return p) ; + GNUTLS_CIPHER_LOOP(if (c == p->id) return p); return NULL; } 
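Review bot: Three entries in `algorithms[]` still follow `.type` with positional initializers (`ARCFOUR-128` with `0, 0, 0, 0`, `ESTREAM-SALSA20-256` with `0, 0, 8, 0`, `CAMELLIA-128-GCM` with `4, 8, 12, 16`), and the new one-value-per-line layout makes them read like named fields while their meaning still depends on the member order of `cipher_entry_st`, which is not visible on this page. If a member were ever reordered or inserted, an IV or tag size for those ciphers would shift silently, with no compiler diagnostic. Naming them as the sibling entries do removes that dependency, e.g. for CAMELLIA-128-GCM `.implicit_iv = 4, .explicit_iv = 8, .cipher_iv = 12, .tagsize = 16`; this mapping is inferred from the CAMELLIA-256-GCM entry and should be confirmed against the struct declaration. The ARCFOUR-128 zeros can simply be dropped, as the ARCFOUR-40 entry already does.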
@@ -373,9 +389,7 @@ const cipher_entry_st *_gnutls_cipher_to_entry(gnutls_cipher_algorithm_t c) */ const cipher_entry_st *cipher_name_to_entry(const char *name) { - GNUTLS_CIPHER_LOOP(if (c_strcasecmp(p->name, name) == 0) { - return p;} - ) ; + GNUTLS_CIPHER_LOOP(if (c_strcasecmp(p->name, name) == 0) { return p; }); return NULL; } @@ -393,7 +407,6 @@ unsigned gnutls_cipher_get_block_size(gnutls_cipher_algorithm_t algorithm) size_t ret = 0; GNUTLS_ALG_LOOP(ret = p->blocksize); return ret; - } /** @@ -441,11 +454,10 @@ unsigned gnutls_cipher_get_iv_size(gnutls_cipher_algorithm_t algorithm) * the given cipher is invalid. **/ size_t gnutls_cipher_get_key_size(gnutls_cipher_algorithm_t algorithm) -{ /* In bytes */ +{ /* In bytes */ size_t ret = 0; GNUTLS_ALG_LOOP(ret = p->keysize); return ret; - } /** @@ -481,10 +493,10 @@ gnutls_cipher_algorithm_t gnutls_cipher_get_id(const char *name) gnutls_cipher_algorithm_t ret = GNUTLS_CIPHER_UNKNOWN; GNUTLS_CIPHER_LOOP(if (c_strcasecmp(p->name, name) == 0) { - if (p->id == GNUTLS_CIPHER_NULL - || _gnutls_cipher_exists(p->id)) - ret = p->id; break;} - ) ; + if (p->id == GNUTLS_CIPHER_NULL || _gnutls_cipher_exists(p->id)) + ret = p->id; + break; + }); return ret; } @@ -510,10 +522,9 @@ const gnutls_cipher_algorithm_t *gnutls_cipher_list(void) if (supported_ciphers[0] == 0) { int i = 0; - GNUTLS_CIPHER_LOOP(if - (p->id == GNUTLS_CIPHER_NULL - || _gnutls_cipher_exists(p->id)) - supported_ciphers[i++] = p->id;) ; + GNUTLS_CIPHER_LOOP(if (p->id == GNUTLS_CIPHER_NULL || + _gnutls_cipher_exists(p->id)) + supported_ciphers[i++] = p->id;); supported_ciphers[i++] = 0; } diff --git a/lib/algorithms/ciphersuites.c b/lib/algorithms/ciphersuites.c index 7df945bf83..8e702ce6d9 100644 --- a/lib/algorithms/ciphersuites.c +++ b/lib/algorithms/ciphersuites.c 
@@ -33,1097 +33,1535 @@ #include <ext/safe_renegotiation.h> #ifndef ENABLE_SSL3 -# define GNUTLS_SSL3 GNUTLS_TLS1 +#define GNUTLS_SSL3 GNUTLS_TLS1 #endif /* Cipher SUITES */ -#define ENTRY( name, canonical_name, block_algorithm, kx_algorithm, mac_algorithm, min_version, dtls_version ) \ - { #name, name, canonical_name, block_algorithm, kx_algorithm, mac_algorithm, min_version, GNUTLS_TLS1_2, dtls_version, GNUTLS_DTLS1_2, GNUTLS_MAC_SHA256} -#define ENTRY_PRF( name, canonical_name, block_algorithm, kx_algorithm, mac_algorithm, min_version, dtls_version, prf ) \ - { #name, name, canonical_name, block_algorithm, kx_algorithm, mac_algorithm, min_version, GNUTLS_TLS1_2, dtls_version, GNUTLS_DTLS1_2, prf} -#define ENTRY_TLS13( name, canonical_name, block_algorithm, min_version, prf ) \ - { #name, name, canonical_name, block_algorithm, 0, GNUTLS_MAC_AEAD, min_version, GNUTLS_TLS1_3, GNUTLS_VERSION_UNKNOWN, GNUTLS_VERSION_UNKNOWN, prf} +#define ENTRY(name, canonical_name, block_algorithm, kx_algorithm, \ + mac_algorithm, min_version, dtls_version) \ + { \ +#name, name, canonical_name, block_algorithm, kx_algorithm, \ + mac_algorithm, min_version, GNUTLS_TLS1_2, \ + dtls_version, GNUTLS_DTLS1_2, GNUTLS_MAC_SHA256 \ + } +#define ENTRY_PRF(name, canonical_name, block_algorithm, kx_algorithm, \ + mac_algorithm, min_version, dtls_version, prf) \ + { \ +#name, name, canonical_name, block_algorithm, kx_algorithm, \ + mac_algorithm, min_version, GNUTLS_TLS1_2, \ + dtls_version, GNUTLS_DTLS1_2, prf \ + } +#define ENTRY_TLS13(name, canonical_name, block_algorithm, min_version, prf) \ + { \ +#name, name, canonical_name, block_algorithm, 0, \ + GNUTLS_MAC_AEAD, min_version, GNUTLS_TLS1_3, \ + GNUTLS_VERSION_UNKNOWN, GNUTLS_VERSION_UNKNOWN, prf \ + } /* TLS 1.3 ciphersuites */ -#define GNUTLS_AES_128_GCM_SHA256 { 0x13, 0x01 } -#define GNUTLS_AES_256_GCM_SHA384 { 0x13, 0x02 } -#define GNUTLS_CHACHA20_POLY1305_SHA256 { 0x13, 0x03 } -#define GNUTLS_AES_128_CCM_SHA256 { 0x13, 0x04 } 
-#define GNUTLS_AES_128_CCM_8_SHA256 { 0x13,0x05 } +#define GNUTLS_AES_128_GCM_SHA256 \ + { \ + 0x13, 0x01 \ + } +#define GNUTLS_AES_256_GCM_SHA384 \ + { \ + 0x13, 0x02 \ + } +#define GNUTLS_CHACHA20_POLY1305_SHA256 \ + { \ + 0x13, 0x03 \ + } +#define GNUTLS_AES_128_CCM_SHA256 \ + { \ + 0x13, 0x04 \ + } +#define GNUTLS_AES_128_CCM_8_SHA256 \ + { \ + 0x13, 0x05 \ + } /* RSA with NULL cipher and MD5 MAC * for test purposes. */ -#define GNUTLS_RSA_NULL_MD5 { 0x00, 0x01 } -#define GNUTLS_RSA_NULL_SHA1 { 0x00, 0x02 } -#define GNUTLS_RSA_NULL_SHA256 { 0x00, 0x3B } +#define GNUTLS_RSA_NULL_MD5 \ + { \ + 0x00, 0x01 \ + } +#define GNUTLS_RSA_NULL_SHA1 \ + { \ + 0x00, 0x02 \ + } +#define GNUTLS_RSA_NULL_SHA256 \ + { \ + 0x00, 0x3B \ + } /* ANONymous cipher suites. */ -#define GNUTLS_DH_ANON_3DES_EDE_CBC_SHA1 { 0x00, 0x1B } -#define GNUTLS_DH_ANON_ARCFOUR_128_MD5 { 0x00, 0x18 } +#define GNUTLS_DH_ANON_3DES_EDE_CBC_SHA1 \ + { \ + 0x00, 0x1B \ + } +#define GNUTLS_DH_ANON_ARCFOUR_128_MD5 \ + { \ + 0x00, 0x18 \ + } - /* rfc3268: */ -#define GNUTLS_DH_ANON_AES_128_CBC_SHA1 { 0x00, 0x34 } -#define GNUTLS_DH_ANON_AES_256_CBC_SHA1 { 0x00, 0x3A } +/* rfc3268: */ +#define GNUTLS_DH_ANON_AES_128_CBC_SHA1 \ + { \ + 0x00, 0x34 \ + } +#define GNUTLS_DH_ANON_AES_256_CBC_SHA1 \ + { \ + 0x00, 0x3A \ + } /* rfc4132 */ -#define GNUTLS_DH_ANON_CAMELLIA_128_CBC_SHA1 { 0x00,0x46 } -#define GNUTLS_DH_ANON_CAMELLIA_256_CBC_SHA1 { 0x00,0x89 } +#define GNUTLS_DH_ANON_CAMELLIA_128_CBC_SHA1 \ + { \ + 0x00, 0x46 \ + } +#define GNUTLS_DH_ANON_CAMELLIA_256_CBC_SHA1 \ + { \ + 0x00, 0x89 \ + } /* rfc5932 */ -#define GNUTLS_RSA_CAMELLIA_128_CBC_SHA256 { 0x00,0xBA } -#define GNUTLS_DHE_DSS_CAMELLIA_128_CBC_SHA256 { 0x00,0xBD } -#define GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA256 { 0x00,0xBE } -#define GNUTLS_DH_ANON_CAMELLIA_128_CBC_SHA256 { 0x00,0xBF } -#define GNUTLS_RSA_CAMELLIA_256_CBC_SHA256 { 0x00,0xC0 } -#define GNUTLS_DHE_DSS_CAMELLIA_256_CBC_SHA256 { 0x00,0xC3 } -#define 
GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA256 { 0x00,0xC4 } -#define GNUTLS_DH_ANON_CAMELLIA_256_CBC_SHA256 { 0x00,0xC5 } +#define GNUTLS_RSA_CAMELLIA_128_CBC_SHA256 \ + { \ + 0x00, 0xBA \ + } +#define GNUTLS_DHE_DSS_CAMELLIA_128_CBC_SHA256 \ + { \ + 0x00, 0xBD \ + } +#define GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA256 \ + { \ + 0x00, 0xBE \ + } +#define GNUTLS_DH_ANON_CAMELLIA_128_CBC_SHA256 \ + { \ + 0x00, 0xBF \ + } +#define GNUTLS_RSA_CAMELLIA_256_CBC_SHA256 \ + { \ + 0x00, 0xC0 \ + } +#define GNUTLS_DHE_DSS_CAMELLIA_256_CBC_SHA256 \ + { \ + 0x00, 0xC3 \ + } +#define GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA256 \ + { \ + 0x00, 0xC4 \ + } +#define GNUTLS_DH_ANON_CAMELLIA_256_CBC_SHA256 \ + { \ + 0x00, 0xC5 \ + } /* rfc6367 */ -#define GNUTLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 { 0xC0,0x72 } -#define GNUTLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384 { 0xC0,0x73 } -#define GNUTLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256 { 0xC0,0x76 } -#define GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 { 0xC0,0x77 } -#define GNUTLS_PSK_CAMELLIA_128_CBC_SHA256 { 0xC0,0x94 } -#define GNUTLS_PSK_CAMELLIA_256_CBC_SHA384 { 0xC0,0x95 } -#define GNUTLS_DHE_PSK_CAMELLIA_128_CBC_SHA256 { 0xC0,0x96 } -#define GNUTLS_DHE_PSK_CAMELLIA_256_CBC_SHA384 { 0xC0,0x97 } -#define GNUTLS_RSA_PSK_CAMELLIA_128_CBC_SHA256 { 0xC0,0x98 } -#define GNUTLS_RSA_PSK_CAMELLIA_256_CBC_SHA384 { 0xC0,0x99 } -#define GNUTLS_ECDHE_PSK_CAMELLIA_128_CBC_SHA256 { 0xC0,0x9A } -#define GNUTLS_ECDHE_PSK_CAMELLIA_256_CBC_SHA384 { 0xC0,0x9B } - -#define GNUTLS_RSA_CAMELLIA_128_GCM_SHA256 { 0xC0, 0x7A } -#define GNUTLS_RSA_CAMELLIA_256_GCM_SHA384 { 0xC0,0x7B } -#define GNUTLS_DHE_RSA_CAMELLIA_128_GCM_SHA256 { 0xC0,0x7C } -#define GNUTLS_DHE_RSA_CAMELLIA_256_GCM_SHA384 { 0xC0,0x7D } -#define GNUTLS_DHE_DSS_CAMELLIA_128_GCM_SHA256 { 0xC0,0x80 } -#define GNUTLS_DHE_DSS_CAMELLIA_256_GCM_SHA384 { 0xC0,0x81 } -#define GNUTLS_DH_ANON_CAMELLIA_128_GCM_SHA256 { 0xC0,0x84 } -#define GNUTLS_DH_ANON_CAMELLIA_256_GCM_SHA384 { 0xC0,0x85 } -#define 
GNUTLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 { 0xC0,0x86 } -#define GNUTLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 { 0xC0,0x87 } -#define GNUTLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256 { 0xC0,0x8A } -#define GNUTLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384 { 0xC0,0x8B } -#define GNUTLS_PSK_CAMELLIA_128_GCM_SHA256 { 0xC0,0x8E } -#define GNUTLS_PSK_CAMELLIA_256_GCM_SHA384 { 0xC0,0x8F } -#define GNUTLS_DHE_PSK_CAMELLIA_128_GCM_SHA256 { 0xC0,0x90 } -#define GNUTLS_DHE_PSK_CAMELLIA_256_GCM_SHA384 { 0xC0,0x91 } -#define GNUTLS_RSA_PSK_CAMELLIA_128_GCM_SHA256 { 0xC0,0x92 } -#define GNUTLS_RSA_PSK_CAMELLIA_256_GCM_SHA384 { 0xC0,0x93 } - -#define GNUTLS_DH_ANON_AES_128_CBC_SHA256 { 0x00, 0x6C } -#define GNUTLS_DH_ANON_AES_256_CBC_SHA256 { 0x00, 0x6D } +#define GNUTLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 \ + { \ + 0xC0, 0x72 \ + } +#define GNUTLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384 \ + { \ + 0xC0, 0x73 \ + } +#define GNUTLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256 \ + { \ + 0xC0, 0x76 \ + } +#define GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 \ + { \ + 0xC0, 0x77 \ + } +#define GNUTLS_PSK_CAMELLIA_128_CBC_SHA256 \ + { \ + 0xC0, 0x94 \ + } +#define GNUTLS_PSK_CAMELLIA_256_CBC_SHA384 \ + { \ + 0xC0, 0x95 \ + } +#define GNUTLS_DHE_PSK_CAMELLIA_128_CBC_SHA256 \ + { \ + 0xC0, 0x96 \ + } +#define GNUTLS_DHE_PSK_CAMELLIA_256_CBC_SHA384 \ + { \ + 0xC0, 0x97 \ + } +#define GNUTLS_RSA_PSK_CAMELLIA_128_CBC_SHA256 \ + { \ + 0xC0, 0x98 \ + } +#define GNUTLS_RSA_PSK_CAMELLIA_256_CBC_SHA384 \ + { \ + 0xC0, 0x99 \ + } +#define GNUTLS_ECDHE_PSK_CAMELLIA_128_CBC_SHA256 \ + { \ + 0xC0, 0x9A \ + } +#define GNUTLS_ECDHE_PSK_CAMELLIA_256_CBC_SHA384 \ + { \ + 0xC0, 0x9B \ + } + +#define GNUTLS_RSA_CAMELLIA_128_GCM_SHA256 \ + { \ + 0xC0, 0x7A \ + } +#define GNUTLS_RSA_CAMELLIA_256_GCM_SHA384 \ + { \ + 0xC0, 0x7B \ + } +#define GNUTLS_DHE_RSA_CAMELLIA_128_GCM_SHA256 \ + { \ + 0xC0, 0x7C \ + } +#define GNUTLS_DHE_RSA_CAMELLIA_256_GCM_SHA384 \ + { \ + 0xC0, 0x7D \ + } +#define GNUTLS_DHE_DSS_CAMELLIA_128_GCM_SHA256 \ + { \ + 0xC0, 
0x80 \ + } +#define GNUTLS_DHE_DSS_CAMELLIA_256_GCM_SHA384 \ + { \ + 0xC0, 0x81 \ + } +#define GNUTLS_DH_ANON_CAMELLIA_128_GCM_SHA256 \ + { \ + 0xC0, 0x84 \ + } +#define GNUTLS_DH_ANON_CAMELLIA_256_GCM_SHA384 \ + { \ + 0xC0, 0x85 \ + } +#define GNUTLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 \ + { \ + 0xC0, 0x86 \ + } +#define GNUTLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 \ + { \ + 0xC0, 0x87 \ + } +#define GNUTLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256 \ + { \ + 0xC0, 0x8A \ + } +#define GNUTLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384 \ + { \ + 0xC0, 0x8B \ + } +#define GNUTLS_PSK_CAMELLIA_128_GCM_SHA256 \ + { \ + 0xC0, 0x8E \ + } +#define GNUTLS_PSK_CAMELLIA_256_GCM_SHA384 \ + { \ + 0xC0, 0x8F \ + } +#define GNUTLS_DHE_PSK_CAMELLIA_128_GCM_SHA256 \ + { \ + 0xC0, 0x90 \ + } +#define GNUTLS_DHE_PSK_CAMELLIA_256_GCM_SHA384 \ + { \ + 0xC0, 0x91 \ + } +#define GNUTLS_RSA_PSK_CAMELLIA_128_GCM_SHA256 \ + { \ + 0xC0, 0x92 \ + } +#define GNUTLS_RSA_PSK_CAMELLIA_256_GCM_SHA384 \ + { \ + 0xC0, 0x93 \ + } + +#define GNUTLS_DH_ANON_AES_128_CBC_SHA256 \ + { \ + 0x00, 0x6C \ + } +#define GNUTLS_DH_ANON_AES_256_CBC_SHA256 \ + { \ + 0x00, 0x6D \ + } /* draft-ietf-tls-chacha20-poly1305-02 */ -#define GNUTLS_ECDHE_RSA_CHACHA20_POLY1305 { 0xCC, 0xA8 } -#define GNUTLS_ECDHE_ECDSA_CHACHA20_POLY1305 { 0xCC, 0xA9 } -#define GNUTLS_DHE_RSA_CHACHA20_POLY1305 { 0xCC, 0xAA } +#define GNUTLS_ECDHE_RSA_CHACHA20_POLY1305 \ + { \ + 0xCC, 0xA8 \ + } +#define GNUTLS_ECDHE_ECDSA_CHACHA20_POLY1305 \ + { \ + 0xCC, 0xA9 \ + } +#define GNUTLS_DHE_RSA_CHACHA20_POLY1305 \ + { \ + 0xCC, 0xAA \ + } -#define GNUTLS_PSK_CHACHA20_POLY1305 { 0xCC, 0xAB } -#define GNUTLS_ECDHE_PSK_CHACHA20_POLY1305 { 0xCC, 0xAC } -#define GNUTLS_DHE_PSK_CHACHA20_POLY1305 { 0xCC, 0xAD } -#define GNUTLS_RSA_PSK_CHACHA20_POLY1305 { 0xCC, 0xAE } +#define GNUTLS_PSK_CHACHA20_POLY1305 \ + { \ + 0xCC, 0xAB \ + } +#define GNUTLS_ECDHE_PSK_CHACHA20_POLY1305 \ + { \ + 0xCC, 0xAC \ + } +#define GNUTLS_DHE_PSK_CHACHA20_POLY1305 \ + { \ + 0xCC, 0xAD \ + } 
+#define GNUTLS_RSA_PSK_CHACHA20_POLY1305 \ + { \ + 0xCC, 0xAE \ + } /* PSK (not in TLS 1.0) * draft-ietf-tls-psk: */ -#define GNUTLS_PSK_ARCFOUR_128_SHA1 { 0x00, 0x8A } -#define GNUTLS_PSK_3DES_EDE_CBC_SHA1 { 0x00, 0x8B } -#define GNUTLS_PSK_AES_128_CBC_SHA1 { 0x00, 0x8C } -#define GNUTLS_PSK_AES_256_CBC_SHA1 { 0x00, 0x8D } +#define GNUTLS_PSK_ARCFOUR_128_SHA1 \ + { \ + 0x00, 0x8A \ + } +#define GNUTLS_PSK_3DES_EDE_CBC_SHA1 \ + { \ + 0x00, 0x8B \ + } +#define GNUTLS_PSK_AES_128_CBC_SHA1 \ + { \ + 0x00, 0x8C \ + } +#define GNUTLS_PSK_AES_256_CBC_SHA1 \ + { \ + 0x00, 0x8D \ + } -#define GNUTLS_DHE_PSK_ARCFOUR_128_SHA1 { 0x00, 0x8E } -#define GNUTLS_DHE_PSK_3DES_EDE_CBC_SHA1 { 0x00, 0x8F } -#define GNUTLS_DHE_PSK_AES_128_CBC_SHA1 { 0x00, 0x90 } -#define GNUTLS_DHE_PSK_AES_256_CBC_SHA1 { 0x00, 0x91 } +#define GNUTLS_DHE_PSK_ARCFOUR_128_SHA1 \ + { \ + 0x00, 0x8E \ + } +#define GNUTLS_DHE_PSK_3DES_EDE_CBC_SHA1 \ + { \ + 0x00, 0x8F \ + } +#define GNUTLS_DHE_PSK_AES_128_CBC_SHA1 \ + { \ + 0x00, 0x90 \ + } +#define GNUTLS_DHE_PSK_AES_256_CBC_SHA1 \ + { \ + 0x00, 0x91 \ + } -#define GNUTLS_RSA_PSK_ARCFOUR_128_SHA1 { 0x00, 0x92 } -#define GNUTLS_RSA_PSK_3DES_EDE_CBC_SHA1 { 0x00, 0x93 } -#define GNUTLS_RSA_PSK_AES_128_CBC_SHA1 { 0x00, 0x94 } -#define GNUTLS_RSA_PSK_AES_256_CBC_SHA1 { 0x00, 0x95 } +#define GNUTLS_RSA_PSK_ARCFOUR_128_SHA1 \ + { \ + 0x00, 0x92 \ + } +#define GNUTLS_RSA_PSK_3DES_EDE_CBC_SHA1 \ + { \ + 0x00, 0x93 \ + } +#define GNUTLS_RSA_PSK_AES_128_CBC_SHA1 \ + { \ + 0x00, 0x94 \ + } +#define GNUTLS_RSA_PSK_AES_256_CBC_SHA1 \ + { \ + 0x00, 0x95 \ + } #ifdef ENABLE_SRP /* SRP (rfc5054) */ -# define GNUTLS_SRP_SHA_3DES_EDE_CBC_SHA1 { 0xC0, 0x1A } -# define GNUTLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1 { 0xC0, 0x1B } -# define GNUTLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1 { 0xC0, 0x1C } +#define GNUTLS_SRP_SHA_3DES_EDE_CBC_SHA1 \ + { \ + 0xC0, 0x1A \ + } +#define GNUTLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1 \ + { \ + 0xC0, 0x1B \ + } +#define GNUTLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1 \ + { \ + 
0xC0, 0x1C \ + } -# define GNUTLS_SRP_SHA_AES_128_CBC_SHA1 { 0xC0, 0x1D } -# define GNUTLS_SRP_SHA_RSA_AES_128_CBC_SHA1 { 0xC0, 0x1E } -# define GNUTLS_SRP_SHA_DSS_AES_128_CBC_SHA1 { 0xC0, 0x1F } +#define GNUTLS_SRP_SHA_AES_128_CBC_SHA1 \ + { \ + 0xC0, 0x1D \ + } +#define GNUTLS_SRP_SHA_RSA_AES_128_CBC_SHA1 \ + { \ + 0xC0, 0x1E \ + } +#define GNUTLS_SRP_SHA_DSS_AES_128_CBC_SHA1 \ + { \ + 0xC0, 0x1F \ + } -# define GNUTLS_SRP_SHA_AES_256_CBC_SHA1 { 0xC0, 0x20 } -# define GNUTLS_SRP_SHA_RSA_AES_256_CBC_SHA1 { 0xC0, 0x21 } -# define GNUTLS_SRP_SHA_DSS_AES_256_CBC_SHA1 { 0xC0, 0x22 } +#define GNUTLS_SRP_SHA_AES_256_CBC_SHA1 \ + { \ + 0xC0, 0x20 \ + } +#define GNUTLS_SRP_SHA_RSA_AES_256_CBC_SHA1 \ + { \ + 0xC0, 0x21 \ + } +#define GNUTLS_SRP_SHA_DSS_AES_256_CBC_SHA1 \ + { \ + 0xC0, 0x22 \ + } #endif /* RSA */ -#define GNUTLS_RSA_ARCFOUR_128_SHA1 { 0x00, 0x05 } -#define GNUTLS_RSA_ARCFOUR_128_MD5 { 0x00, 0x04 } -#define GNUTLS_RSA_3DES_EDE_CBC_SHA1 { 0x00, 0x0A } +#define GNUTLS_RSA_ARCFOUR_128_SHA1 \ + { \ + 0x00, 0x05 \ + } +#define GNUTLS_RSA_ARCFOUR_128_MD5 \ + { \ + 0x00, 0x04 \ + } +#define GNUTLS_RSA_3DES_EDE_CBC_SHA1 \ + { \ + 0x00, 0x0A \ + } /* rfc3268: */ -#define GNUTLS_RSA_AES_128_CBC_SHA1 { 0x00, 0x2F } -#define GNUTLS_RSA_AES_256_CBC_SHA1 { 0x00, 0x35 } +#define GNUTLS_RSA_AES_128_CBC_SHA1 \ + { \ + 0x00, 0x2F \ + } +#define GNUTLS_RSA_AES_256_CBC_SHA1 \ + { \ + 0x00, 0x35 \ + } /* rfc4132 */ -#define GNUTLS_RSA_CAMELLIA_128_CBC_SHA1 { 0x00,0x41 } -#define GNUTLS_RSA_CAMELLIA_256_CBC_SHA1 { 0x00,0x84 } +#define GNUTLS_RSA_CAMELLIA_128_CBC_SHA1 \ + { \ + 0x00, 0x41 \ + } +#define GNUTLS_RSA_CAMELLIA_256_CBC_SHA1 \ + { \ + 0x00, 0x84 \ + } -#define GNUTLS_RSA_AES_128_CBC_SHA256 { 0x00, 0x3C } -#define GNUTLS_RSA_AES_256_CBC_SHA256 { 0x00, 0x3D } +#define GNUTLS_RSA_AES_128_CBC_SHA256 \ + { \ + 0x00, 0x3C \ + } +#define GNUTLS_RSA_AES_256_CBC_SHA256 \ + { \ + 0x00, 0x3D \ + } /* DHE DSS */ -#define GNUTLS_DHE_DSS_3DES_EDE_CBC_SHA1 { 0x00, 0x13 } +#define 
GNUTLS_DHE_DSS_3DES_EDE_CBC_SHA1 \ + { \ + 0x00, 0x13 \ + } /* draft-ietf-tls-56-bit-ciphersuites-01: */ -#define GNUTLS_DHE_DSS_ARCFOUR_128_SHA1 { 0x00, 0x66 } +#define GNUTLS_DHE_DSS_ARCFOUR_128_SHA1 \ + { \ + 0x00, 0x66 \ + } /* rfc3268: */ -#define GNUTLS_DHE_DSS_AES_256_CBC_SHA1 { 0x00, 0x38 } -#define GNUTLS_DHE_DSS_AES_128_CBC_SHA1 { 0x00, 0x32 } +#define GNUTLS_DHE_DSS_AES_256_CBC_SHA1 \ + { \ + 0x00, 0x38 \ + } +#define GNUTLS_DHE_DSS_AES_128_CBC_SHA1 \ + { \ + 0x00, 0x32 \ + } /* rfc4132 */ -#define GNUTLS_DHE_DSS_CAMELLIA_128_CBC_SHA1 { 0x00,0x44 } -#define GNUTLS_DHE_DSS_CAMELLIA_256_CBC_SHA1 { 0x00,0x87 } +#define GNUTLS_DHE_DSS_CAMELLIA_128_CBC_SHA1 \ + { \ + 0x00, 0x44 \ + } +#define GNUTLS_DHE_DSS_CAMELLIA_256_CBC_SHA1 \ + { \ + 0x00, 0x87 \ + } -#define GNUTLS_DHE_DSS_AES_128_CBC_SHA256 { 0x00, 0x40 } -#define GNUTLS_DHE_DSS_AES_256_CBC_SHA256 { 0x00, 0x6A } +#define GNUTLS_DHE_DSS_AES_128_CBC_SHA256 \ + { \ + 0x00, 0x40 \ + } +#define GNUTLS_DHE_DSS_AES_256_CBC_SHA256 \ + { \ + 0x00, 0x6A \ + } /* DHE RSA */ -#define GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1 { 0x00, 0x16 } +#define GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1 \ + { \ + 0x00, 0x16 \ + } /* rfc3268: */ -#define GNUTLS_DHE_RSA_AES_128_CBC_SHA1 { 0x00, 0x33 } -#define GNUTLS_DHE_RSA_AES_256_CBC_SHA1 { 0x00, 0x39 } +#define GNUTLS_DHE_RSA_AES_128_CBC_SHA1 \ + { \ + 0x00, 0x33 \ + } +#define GNUTLS_DHE_RSA_AES_256_CBC_SHA1 \ + { \ + 0x00, 0x39 \ + } /* rfc4132 */ -#define GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 { 0x00,0x45 } -#define GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 { 0x00,0x88 } +#define GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 \ + { \ + 0x00, 0x45 \ + } +#define GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 \ + { \ + 0x00, 0x88 \ + } -#define GNUTLS_DHE_RSA_AES_128_CBC_SHA256 { 0x00, 0x67 } -#define GNUTLS_DHE_RSA_AES_256_CBC_SHA256 { 0x00, 0x6B } +#define GNUTLS_DHE_RSA_AES_128_CBC_SHA256 \ + { \ + 0x00, 0x67 \ + } +#define GNUTLS_DHE_RSA_AES_256_CBC_SHA256 \ + { \ + 0x00, 0x6B \ + } /* GCM: RFC5288 */ -#define 
GNUTLS_RSA_AES_128_GCM_SHA256 { 0x00, 0x9C } -#define GNUTLS_DHE_RSA_AES_128_GCM_SHA256 {0x00,0x9E} -#define GNUTLS_DHE_DSS_AES_128_GCM_SHA256 {0x00,0xA2} -#define GNUTLS_DH_ANON_AES_128_GCM_SHA256 {0x00,0xA6} -#define GNUTLS_RSA_AES_256_GCM_SHA384 { 0x00, 0x9D } -#define GNUTLS_DHE_RSA_AES_256_GCM_SHA384 {0x00,0x9F} -#define GNUTLS_DHE_DSS_AES_256_GCM_SHA384 {0x00,0xA3} -#define GNUTLS_DH_ANON_AES_256_GCM_SHA384 {0x00,0xA7} +#define GNUTLS_RSA_AES_128_GCM_SHA256 \ + { \ + 0x00, 0x9C \ + } +#define GNUTLS_DHE_RSA_AES_128_GCM_SHA256 \ + { \ + 0x00, 0x9E \ + } +#define GNUTLS_DHE_DSS_AES_128_GCM_SHA256 \ + { \ + 0x00, 0xA2 \ + } +#define GNUTLS_DH_ANON_AES_128_GCM_SHA256 \ + { \ + 0x00, 0xA6 \ + } +#define GNUTLS_RSA_AES_256_GCM_SHA384 \ + { \ + 0x00, 0x9D \ + } +#define GNUTLS_DHE_RSA_AES_256_GCM_SHA384 \ + { \ + 0x00, 0x9F \ + } +#define GNUTLS_DHE_DSS_AES_256_GCM_SHA384 \ + { \ + 0x00, 0xA3 \ + } +#define GNUTLS_DH_ANON_AES_256_GCM_SHA384 \ + { \ + 0x00, 0xA7 \ + } /* CCM: RFC6655/7251 */ -#define GNUTLS_RSA_AES_128_CCM { 0xC0, 0x9C } -#define GNUTLS_RSA_AES_256_CCM { 0xC0, 0x9D } -#define GNUTLS_DHE_RSA_AES_128_CCM {0xC0,0x9E} -#define GNUTLS_DHE_RSA_AES_256_CCM {0xC0,0x9F} +#define GNUTLS_RSA_AES_128_CCM \ + { \ + 0xC0, 0x9C \ + } +#define GNUTLS_RSA_AES_256_CCM \ + { \ + 0xC0, 0x9D \ + } +#define GNUTLS_DHE_RSA_AES_128_CCM \ + { \ + 0xC0, 0x9E \ + } +#define GNUTLS_DHE_RSA_AES_256_CCM \ + { \ + 0xC0, 0x9F \ + } -#define GNUTLS_ECDHE_ECDSA_AES_128_CCM {0xC0,0xAC} -#define GNUTLS_ECDHE_ECDSA_AES_256_CCM {0xC0,0xAD} +#define GNUTLS_ECDHE_ECDSA_AES_128_CCM \ + { \ + 0xC0, 0xAC \ + } +#define GNUTLS_ECDHE_ECDSA_AES_256_CCM \ + { \ + 0xC0, 0xAD \ + } -#define GNUTLS_PSK_AES_128_CCM { 0xC0, 0xA4 } -#define GNUTLS_PSK_AES_256_CCM { 0xC0, 0xA5 } -#define GNUTLS_DHE_PSK_AES_128_CCM {0xC0,0xA6} -#define GNUTLS_DHE_PSK_AES_256_CCM {0xC0,0xA7} +#define GNUTLS_PSK_AES_128_CCM \ + { \ + 0xC0, 0xA4 \ + } +#define GNUTLS_PSK_AES_256_CCM \ + { \ + 0xC0, 0xA5 \ + } +#define 
GNUTLS_DHE_PSK_AES_128_CCM \ + { \ + 0xC0, 0xA6 \ + } +#define GNUTLS_DHE_PSK_AES_256_CCM \ + { \ + 0xC0, 0xA7 \ + } /* CCM-8: RFC6655/7251 */ -#define GNUTLS_RSA_AES_128_CCM_8 { 0xC0, 0xA0 } -#define GNUTLS_RSA_AES_256_CCM_8 { 0xC0, 0xA1 } -#define GNUTLS_DHE_RSA_AES_128_CCM_8 {0xC0,0xA2} -#define GNUTLS_DHE_RSA_AES_256_CCM_8 {0xC0,0xA3} +#define GNUTLS_RSA_AES_128_CCM_8 \ + { \ + 0xC0, 0xA0 \ + } +#define GNUTLS_RSA_AES_256_CCM_8 \ + { \ + 0xC0, 0xA1 \ + } +#define GNUTLS_DHE_RSA_AES_128_CCM_8 \ + { \ + 0xC0, 0xA2 \ + } +#define GNUTLS_DHE_RSA_AES_256_CCM_8 \ + { \ + 0xC0, 0xA3 \ + } -#define GNUTLS_ECDHE_ECDSA_AES_128_CCM_8 {0xC0,0xAE} -#define GNUTLS_ECDHE_ECDSA_AES_256_CCM_8 {0xC0,0xAF} +#define GNUTLS_ECDHE_ECDSA_AES_128_CCM_8 \ + { \ + 0xC0, 0xAE \ + } +#define GNUTLS_ECDHE_ECDSA_AES_256_CCM_8 \ + { \ + 0xC0, 0xAF \ + } -#define GNUTLS_PSK_AES_128_CCM_8 { 0xC0, 0xA8 } -#define GNUTLS_PSK_AES_256_CCM_8 { 0xC0, 0xA9 } -#define GNUTLS_DHE_PSK_AES_128_CCM_8 {0xC0,0xAA} -#define GNUTLS_DHE_PSK_AES_256_CCM_8 {0xC0,0xAB} +#define GNUTLS_PSK_AES_128_CCM_8 \ + { \ + 0xC0, 0xA8 \ + } +#define GNUTLS_PSK_AES_256_CCM_8 \ + { \ + 0xC0, 0xA9 \ + } +#define GNUTLS_DHE_PSK_AES_128_CCM_8 \ + { \ + 0xC0, 0xAA \ + } +#define GNUTLS_DHE_PSK_AES_256_CCM_8 \ + { \ + 0xC0, 0xAB \ + } /* RFC 5487 */ /* GCM-PSK */ -#define GNUTLS_PSK_AES_128_GCM_SHA256 { 0x00, 0xA8 } -#define GNUTLS_DHE_PSK_AES_128_GCM_SHA256 { 0x00, 0xAA } -#define GNUTLS_PSK_AES_256_GCM_SHA384 { 0x00, 0xA9 } -#define GNUTLS_DHE_PSK_AES_256_GCM_SHA384 { 0x00, 0xAB } - -#define GNUTLS_PSK_AES_256_CBC_SHA384 { 0x00,0xAF } -#define GNUTLS_PSK_NULL_SHA384 { 0x00,0xB1 } -#define GNUTLS_DHE_PSK_AES_256_CBC_SHA384 { 0x00,0xB3 } -#define GNUTLS_DHE_PSK_NULL_SHA384 { 0x00,0xB5 } - -#define GNUTLS_PSK_NULL_SHA1 { 0x00,0x2C } -#define GNUTLS_DHE_PSK_NULL_SHA1 { 0x00,0x2D } -#define GNUTLS_RSA_PSK_NULL_SHA1 { 0x00,0x2E } -#define GNUTLS_ECDHE_PSK_NULL_SHA1 { 0xC0,0x39 } - -#define GNUTLS_RSA_PSK_AES_128_GCM_SHA256 { 0x00,0xAC 
} -#define GNUTLS_RSA_PSK_AES_256_GCM_SHA384 { 0x00,0xAD } -#define GNUTLS_RSA_PSK_AES_128_CBC_SHA256 { 0x00,0xB6 } -#define GNUTLS_RSA_PSK_AES_256_CBC_SHA384 { 0x00,0xB7 } -#define GNUTLS_RSA_PSK_NULL_SHA256 { 0x00,0xB8 } -#define GNUTLS_RSA_PSK_NULL_SHA384 { 0x00,0xB9 } +#define GNUTLS_PSK_AES_128_GCM_SHA256 \ + { \ + 0x00, 0xA8 \ + } +#define GNUTLS_DHE_PSK_AES_128_GCM_SHA256 \ + { \ + 0x00, 0xAA \ + } +#define GNUTLS_PSK_AES_256_GCM_SHA384 \ + { \ + 0x00, 0xA9 \ + } +#define GNUTLS_DHE_PSK_AES_256_GCM_SHA384 \ + { \ + 0x00, 0xAB \ + } + +#define GNUTLS_PSK_AES_256_CBC_SHA384 \ + { \ + 0x00, 0xAF \ + } +#define GNUTLS_PSK_NULL_SHA384 \ + { \ + 0x00, 0xB1 \ + } +#define GNUTLS_DHE_PSK_AES_256_CBC_SHA384 \ + { \ + 0x00, 0xB3 \ + } +#define GNUTLS_DHE_PSK_NULL_SHA384 \ + { \ + 0x00, 0xB5 \ + } + +#define GNUTLS_PSK_NULL_SHA1 \ + { \ + 0x00, 0x2C \ + } +#define GNUTLS_DHE_PSK_NULL_SHA1 \ + { \ + 0x00, 0x2D \ + } +#define GNUTLS_RSA_PSK_NULL_SHA1 \ + { \ + 0x00, 0x2E \ + } +#define GNUTLS_ECDHE_PSK_NULL_SHA1 \ + { \ + 0xC0, 0x39 \ + } + +#define GNUTLS_RSA_PSK_AES_128_GCM_SHA256 \ + { \ + 0x00, 0xAC \ + } +#define GNUTLS_RSA_PSK_AES_256_GCM_SHA384 \ + { \ + 0x00, 0xAD \ + } +#define GNUTLS_RSA_PSK_AES_128_CBC_SHA256 \ + { \ + 0x00, 0xB6 \ + } +#define GNUTLS_RSA_PSK_AES_256_CBC_SHA384 \ + { \ + 0x00, 0xB7 \ + } +#define GNUTLS_RSA_PSK_NULL_SHA256 \ + { \ + 0x00, 0xB8 \ + } +#define GNUTLS_RSA_PSK_NULL_SHA384 \ + { \ + 0x00, 0xB9 \ + } /* PSK - SHA256 HMAC */ -#define GNUTLS_PSK_AES_128_CBC_SHA256 { 0x00, 0xAE } -#define GNUTLS_DHE_PSK_AES_128_CBC_SHA256 { 0x00, 0xB2 } +#define GNUTLS_PSK_AES_128_CBC_SHA256 \ + { \ + 0x00, 0xAE \ + } +#define GNUTLS_DHE_PSK_AES_128_CBC_SHA256 \ + { \ + 0x00, 0xB2 \ + } -#define GNUTLS_PSK_NULL_SHA256 { 0x00, 0xB0 } -#define GNUTLS_DHE_PSK_NULL_SHA256 { 0x00, 0xB4 } +#define GNUTLS_PSK_NULL_SHA256 \ + { \ + 0x00, 0xB0 \ + } +#define GNUTLS_DHE_PSK_NULL_SHA256 \ + { \ + 0x00, 0xB4 \ + } /* ECC */ -#define GNUTLS_ECDH_ANON_NULL_SHA1 { 
0xC0, 0x15 } -#define GNUTLS_ECDH_ANON_3DES_EDE_CBC_SHA1 { 0xC0, 0x17 } -#define GNUTLS_ECDH_ANON_AES_128_CBC_SHA1 { 0xC0, 0x18 } -#define GNUTLS_ECDH_ANON_AES_256_CBC_SHA1 { 0xC0, 0x19 } -#define GNUTLS_ECDH_ANON_ARCFOUR_128_SHA1 { 0xC0, 0x16 } +#define GNUTLS_ECDH_ANON_NULL_SHA1 \ + { \ + 0xC0, 0x15 \ + } +#define GNUTLS_ECDH_ANON_3DES_EDE_CBC_SHA1 \ + { \ + 0xC0, 0x17 \ + } +#define GNUTLS_ECDH_ANON_AES_128_CBC_SHA1 \ + { \ + 0xC0, 0x18 \ + } +#define GNUTLS_ECDH_ANON_AES_256_CBC_SHA1 \ + { \ + 0xC0, 0x19 \ + } +#define GNUTLS_ECDH_ANON_ARCFOUR_128_SHA1 \ + { \ + 0xC0, 0x16 \ + } /* ECC-RSA */ -#define GNUTLS_ECDHE_RSA_NULL_SHA1 { 0xC0, 0x10 } -#define GNUTLS_ECDHE_RSA_3DES_EDE_CBC_SHA1 { 0xC0, 0x12 } -#define GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1 { 0xC0, 0x13 } -#define GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1 { 0xC0, 0x14 } -#define GNUTLS_ECDHE_RSA_ARCFOUR_128_SHA1 { 0xC0, 0x11 } +#define GNUTLS_ECDHE_RSA_NULL_SHA1 \ + { \ + 0xC0, 0x10 \ + } +#define GNUTLS_ECDHE_RSA_3DES_EDE_CBC_SHA1 \ + { \ + 0xC0, 0x12 \ + } +#define GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1 \ + { \ + 0xC0, 0x13 \ + } +#define GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1 \ + { \ + 0xC0, 0x14 \ + } +#define GNUTLS_ECDHE_RSA_ARCFOUR_128_SHA1 \ + { \ + 0xC0, 0x11 \ + } /* ECC-ECDSA */ -#define GNUTLS_ECDHE_ECDSA_NULL_SHA1 { 0xC0, 0x06 } -#define GNUTLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1 { 0xC0, 0x08 } -#define GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1 { 0xC0, 0x09 } -#define GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1 { 0xC0, 0x0A } -#define GNUTLS_ECDHE_ECDSA_ARCFOUR_128_SHA1 { 0xC0, 0x07 } +#define GNUTLS_ECDHE_ECDSA_NULL_SHA1 \ + { \ + 0xC0, 0x06 \ + } +#define GNUTLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1 \ + { \ + 0xC0, 0x08 \ + } +#define GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1 \ + { \ + 0xC0, 0x09 \ + } +#define GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1 \ + { \ + 0xC0, 0x0A \ + } +#define GNUTLS_ECDHE_ECDSA_ARCFOUR_128_SHA1 \ + { \ + 0xC0, 0x07 \ + } /* RFC5289 */ /* ECC with SHA2 */ -#define GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA256 {0xC0,0x23} -#define 
GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256 {0xC0,0x27} -#define GNUTLS_ECDHE_RSA_AES_256_CBC_SHA384 { 0xC0,0x28 } +#define GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA256 \ + { \ + 0xC0, 0x23 \ + } +#define GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256 \ + { \ + 0xC0, 0x27 \ + } +#define GNUTLS_ECDHE_RSA_AES_256_CBC_SHA384 \ + { \ + 0xC0, 0x28 \ + } /* ECC with AES-GCM */ -#define GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256 {0xC0,0x2B} -#define GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256 {0xC0,0x2F} -#define GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384 {0xC0,0x30} +#define GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256 \ + { \ + 0xC0, 0x2B \ + } +#define GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256 \ + { \ + 0xC0, 0x2F \ + } +#define GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384 \ + { \ + 0xC0, 0x30 \ + } /* SuiteB */ -#define GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384 {0xC0,0x2C} -#define GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA384 {0xC0,0x24} +#define GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384 \ + { \ + 0xC0, 0x2C \ + } +#define GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA384 \ + { \ + 0xC0, 0x24 \ + } /* ECC with PSK */ -#define GNUTLS_ECDHE_PSK_3DES_EDE_CBC_SHA1 { 0xC0, 0x34 } -#define GNUTLS_ECDHE_PSK_AES_128_CBC_SHA1 { 0xC0, 0x35 } -#define GNUTLS_ECDHE_PSK_AES_256_CBC_SHA1 { 0xC0, 0x36 } -#define GNUTLS_ECDHE_PSK_AES_128_CBC_SHA256 { 0xC0, 0x37 } -#define GNUTLS_ECDHE_PSK_AES_256_CBC_SHA384 { 0xC0, 0x38 } -#define GNUTLS_ECDHE_PSK_ARCFOUR_128_SHA1 { 0xC0, 0x33 } -#define GNUTLS_ECDHE_PSK_NULL_SHA256 { 0xC0, 0x3A } -#define GNUTLS_ECDHE_PSK_NULL_SHA384 { 0xC0, 0x3B } +#define GNUTLS_ECDHE_PSK_3DES_EDE_CBC_SHA1 \ + { \ + 0xC0, 0x34 \ + } +#define GNUTLS_ECDHE_PSK_AES_128_CBC_SHA1 \ + { \ + 0xC0, 0x35 \ + } +#define GNUTLS_ECDHE_PSK_AES_256_CBC_SHA1 \ + { \ + 0xC0, 0x36 \ + } +#define GNUTLS_ECDHE_PSK_AES_128_CBC_SHA256 \ + { \ + 0xC0, 0x37 \ + } +#define GNUTLS_ECDHE_PSK_AES_256_CBC_SHA384 \ + { \ + 0xC0, 0x38 \ + } +#define GNUTLS_ECDHE_PSK_ARCFOUR_128_SHA1 \ + { \ + 0xC0, 0x33 \ + } +#define GNUTLS_ECDHE_PSK_NULL_SHA256 \ + { \ + 0xC0, 0x3A \ + } +#define 
GNUTLS_ECDHE_PSK_NULL_SHA384 \ + { \ + 0xC0, 0x3B \ + } /* draft-smyshlyaev-tls12-gost-suites */ #ifdef ENABLE_GOST -# define GNUTLS_GOSTR341112_256_28147_CNT_IMIT { 0xc1, 0x02 } +#define GNUTLS_GOSTR341112_256_28147_CNT_IMIT \ + { \ + 0xc1, 0x02 \ + } #endif -#define CIPHER_SUITES_COUNT (sizeof(cs_algorithms)/sizeof(gnutls_cipher_suite_entry_st)-1) +#define CIPHER_SUITES_COUNT \ + (sizeof(cs_algorithms) / sizeof(gnutls_cipher_suite_entry_st) - 1) /* The following is a potential list of ciphersuites. For the options to be * available, the ciphers and MACs must be available to gnutls as well. */ static const gnutls_cipher_suite_entry_st cs_algorithms[] = { -/* TLS 1.3 */ + /* TLS 1.3 */ ENTRY_TLS13(GNUTLS_AES_128_GCM_SHA256, "TLS_AES_128_GCM_SHA256", - GNUTLS_CIPHER_AES_128_GCM, - GNUTLS_TLS1_3, + GNUTLS_CIPHER_AES_128_GCM, GNUTLS_TLS1_3, GNUTLS_MAC_SHA256), ENTRY_TLS13(GNUTLS_AES_256_GCM_SHA384, "TLS_AES_256_GCM_SHA384", - GNUTLS_CIPHER_AES_256_GCM, - GNUTLS_TLS1_3, + GNUTLS_CIPHER_AES_256_GCM, GNUTLS_TLS1_3, GNUTLS_MAC_SHA384), ENTRY_TLS13(GNUTLS_CHACHA20_POLY1305_SHA256, "TLS_CHACHA20_POLY1305_SHA256", - GNUTLS_CIPHER_CHACHA20_POLY1305, - GNUTLS_TLS1_3, + GNUTLS_CIPHER_CHACHA20_POLY1305, GNUTLS_TLS1_3, GNUTLS_MAC_SHA256), ENTRY_TLS13(GNUTLS_AES_128_CCM_SHA256, "TLS_AES_128_CCM_SHA256", - GNUTLS_CIPHER_AES_128_CCM, - GNUTLS_TLS1_3, + GNUTLS_CIPHER_AES_128_CCM, GNUTLS_TLS1_3, GNUTLS_MAC_SHA256), ENTRY_TLS13(GNUTLS_AES_128_CCM_8_SHA256, "TLS_AES_128_CCM_8_SHA256", - GNUTLS_CIPHER_AES_128_CCM_8, - GNUTLS_TLS1_3, + GNUTLS_CIPHER_AES_128_CCM_8, GNUTLS_TLS1_3, GNUTLS_MAC_SHA256), /* RSA-NULL */ - ENTRY(GNUTLS_RSA_NULL_MD5, "TLS_RSA_WITH_NULL_MD5", - GNUTLS_CIPHER_NULL, + ENTRY(GNUTLS_RSA_NULL_MD5, "TLS_RSA_WITH_NULL_MD5", GNUTLS_CIPHER_NULL, GNUTLS_KX_RSA, GNUTLS_MAC_MD5, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), - ENTRY(GNUTLS_RSA_NULL_SHA1, "TLS_RSA_WITH_NULL_SHA", - GNUTLS_CIPHER_NULL, + ENTRY(GNUTLS_RSA_NULL_SHA1, "TLS_RSA_WITH_NULL_SHA", GNUTLS_CIPHER_NULL, 
GNUTLS_KX_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_RSA_NULL_SHA256, "TLS_RSA_WITH_NULL_SHA256", - GNUTLS_CIPHER_NULL, - GNUTLS_KX_RSA, GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_NULL, GNUTLS_KX_RSA, GNUTLS_MAC_SHA256, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), /* RSA */ ENTRY(GNUTLS_RSA_ARCFOUR_128_SHA1, "TLS_RSA_WITH_RC4_128_SHA", - GNUTLS_CIPHER_ARCFOUR_128, - GNUTLS_KX_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3, - GNUTLS_VERSION_UNKNOWN), + GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_KX_RSA, GNUTLS_MAC_SHA1, + GNUTLS_SSL3, GNUTLS_VERSION_UNKNOWN), ENTRY(GNUTLS_RSA_ARCFOUR_128_MD5, "TLS_RSA_WITH_RC4_128_MD5", - GNUTLS_CIPHER_ARCFOUR_128, - GNUTLS_KX_RSA, GNUTLS_MAC_MD5, GNUTLS_SSL3, - GNUTLS_VERSION_UNKNOWN), + GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_KX_RSA, GNUTLS_MAC_MD5, + GNUTLS_SSL3, GNUTLS_VERSION_UNKNOWN), ENTRY(GNUTLS_RSA_3DES_EDE_CBC_SHA1, "TLS_RSA_WITH_3DES_EDE_CBC_SHA", - GNUTLS_CIPHER_3DES_CBC, - GNUTLS_KX_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3, - GNUTLS_DTLS_VERSION_MIN), + GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_RSA, GNUTLS_MAC_SHA1, + GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_RSA_AES_128_CBC_SHA1, "TLS_RSA_WITH_AES_128_CBC_SHA", - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_RSA, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, - GNUTLS_DTLS_VERSION_MIN), + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_RSA, GNUTLS_MAC_SHA1, + GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_RSA_AES_256_CBC_SHA1, "TLS_RSA_WITH_AES_256_CBC_SHA", - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, - GNUTLS_DTLS_VERSION_MIN), + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA, GNUTLS_MAC_SHA1, + GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_RSA_CAMELLIA_128_CBC_SHA256, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256", - GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_RSA, - GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_RSA, GNUTLS_MAC_SHA256, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_RSA_CAMELLIA_256_CBC_SHA256, 
"TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256", - GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_RSA, - GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_RSA, GNUTLS_MAC_SHA256, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_RSA_CAMELLIA_128_CBC_SHA1, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", - GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_RSA, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, - GNUTLS_DTLS_VERSION_MIN), + GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_RSA, GNUTLS_MAC_SHA1, + GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_RSA_CAMELLIA_256_CBC_SHA1, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", - GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_RSA, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, - GNUTLS_DTLS_VERSION_MIN), + GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_RSA, GNUTLS_MAC_SHA1, + GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_RSA_AES_128_CBC_SHA256, "TLS_RSA_WITH_AES_128_CBC_SHA256", - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_RSA, - GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_RSA, GNUTLS_MAC_SHA256, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_RSA_AES_256_CBC_SHA256, "TLS_RSA_WITH_AES_256_CBC_SHA256", - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA, - GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA, GNUTLS_MAC_SHA256, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), -/* GCM */ + /* GCM */ ENTRY(GNUTLS_RSA_AES_128_GCM_SHA256, "TLS_RSA_WITH_AES_128_GCM_SHA256", - GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_RSA, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_RSA, GNUTLS_MAC_AEAD, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY_PRF(GNUTLS_RSA_AES_256_GCM_SHA384, - "TLS_RSA_WITH_AES_256_GCM_SHA384", - GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_RSA, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), + "TLS_RSA_WITH_AES_256_GCM_SHA384", GNUTLS_CIPHER_AES_256_GCM, + GNUTLS_KX_RSA, GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2, + GNUTLS_MAC_SHA384), 
ENTRY(GNUTLS_RSA_CAMELLIA_128_GCM_SHA256, "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256", - GNUTLS_CIPHER_CAMELLIA_128_GCM, GNUTLS_KX_RSA, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_CAMELLIA_128_GCM, GNUTLS_KX_RSA, GNUTLS_MAC_AEAD, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY_PRF(GNUTLS_RSA_CAMELLIA_256_GCM_SHA384, "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384", GNUTLS_CIPHER_CAMELLIA_256_GCM, GNUTLS_KX_RSA, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), + GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2, + GNUTLS_MAC_SHA384), -/* CCM */ + /* CCM */ ENTRY(GNUTLS_RSA_AES_128_CCM, "TLS_RSA_WITH_AES_128_CCM", - GNUTLS_CIPHER_AES_128_CCM, GNUTLS_KX_RSA, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_AES_128_CCM, GNUTLS_KX_RSA, GNUTLS_MAC_AEAD, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_RSA_AES_256_CCM, "TLS_RSA_WITH_AES_256_CCM", - GNUTLS_CIPHER_AES_256_CCM, GNUTLS_KX_RSA, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_AES_256_CCM, GNUTLS_KX_RSA, GNUTLS_MAC_AEAD, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), -/* CCM_8 */ + /* CCM_8 */ ENTRY(GNUTLS_RSA_AES_128_CCM_8, "TLS_RSA_WITH_AES_128_CCM_8", - GNUTLS_CIPHER_AES_128_CCM_8, GNUTLS_KX_RSA, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_AES_128_CCM_8, GNUTLS_KX_RSA, GNUTLS_MAC_AEAD, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_RSA_AES_256_CCM_8, "TLS_RSA_WITH_AES_256_CCM_8", - GNUTLS_CIPHER_AES_256_CCM_8, GNUTLS_KX_RSA, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_AES_256_CCM_8, GNUTLS_KX_RSA, GNUTLS_MAC_AEAD, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), - /* DHE_DSS */ +/* DHE_DSS */ #ifdef ENABLE_DHE ENTRY(GNUTLS_DHE_DSS_ARCFOUR_128_SHA1, "TLS_DHE_DSS_RC4_128_SHA", - GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, - GNUTLS_VERSION_UNKNOWN), + GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_KX_DHE_DSS, GNUTLS_MAC_SHA1, + GNUTLS_SSL3, GNUTLS_VERSION_UNKNOWN), ENTRY(GNUTLS_DHE_DSS_3DES_EDE_CBC_SHA1, - 
"TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", GNUTLS_CIPHER_3DES_CBC, + GNUTLS_KX_DHE_DSS, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_DHE_DSS_AES_128_CBC_SHA1, - "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", GNUTLS_CIPHER_AES_128_CBC, + GNUTLS_KX_DHE_DSS, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_DHE_DSS_AES_256_CBC_SHA1, - "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", GNUTLS_CIPHER_AES_256_CBC, + GNUTLS_KX_DHE_DSS, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_DHE_DSS_CAMELLIA_128_CBC_SHA256, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256", - GNUTLS_CIPHER_CAMELLIA_128_CBC, - GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_DHE_DSS, + GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_DHE_DSS_CAMELLIA_256_CBC_SHA256, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256", - GNUTLS_CIPHER_CAMELLIA_256_CBC, - GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_DHE_DSS, + GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_DHE_DSS_CAMELLIA_128_CBC_SHA1, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA", - GNUTLS_CIPHER_CAMELLIA_128_CBC, - GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, - GNUTLS_DTLS_VERSION_MIN), + GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_DHE_DSS, + GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_DHE_DSS_CAMELLIA_256_CBC_SHA1, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA", - GNUTLS_CIPHER_CAMELLIA_256_CBC, - GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, - GNUTLS_DTLS_VERSION_MIN), + 
GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_DHE_DSS, + GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_DHE_DSS_AES_128_CBC_SHA256, - "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", GNUTLS_CIPHER_AES_128_CBC, + GNUTLS_KX_DHE_DSS, GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_DHE_DSS_AES_256_CBC_SHA256, - "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, + "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", GNUTLS_CIPHER_AES_256_CBC, + GNUTLS_KX_DHE_DSS, GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), -/* GCM */ + /* GCM */ ENTRY(GNUTLS_DHE_DSS_AES_128_GCM_SHA256, - "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", - GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, + "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", GNUTLS_CIPHER_AES_128_GCM, + GNUTLS_KX_DHE_DSS, GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY_PRF(GNUTLS_DHE_DSS_AES_256_GCM_SHA384, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", - GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), + GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_DHE_DSS, GNUTLS_MAC_AEAD, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), ENTRY(GNUTLS_DHE_DSS_CAMELLIA_128_GCM_SHA256, "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256", GNUTLS_CIPHER_CAMELLIA_128_GCM, GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY_PRF(GNUTLS_DHE_DSS_CAMELLIA_256_GCM_SHA384, "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384", GNUTLS_CIPHER_CAMELLIA_256_GCM, GNUTLS_KX_DHE_DSS, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), + GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2, + GNUTLS_MAC_SHA384), /* DHE_RSA */ ENTRY(GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1, - "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", - 
GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", GNUTLS_CIPHER_3DES_CBC, + GNUTLS_KX_DHE_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_DHE_RSA_AES_128_CBC_SHA1, - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", GNUTLS_CIPHER_AES_128_CBC, + GNUTLS_KX_DHE_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_DHE_RSA_AES_256_CBC_SHA1, - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", GNUTLS_CIPHER_AES_256_CBC, + GNUTLS_KX_DHE_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA256, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", - GNUTLS_CIPHER_CAMELLIA_128_CBC, - GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_DHE_RSA, + GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA256, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256", - GNUTLS_CIPHER_CAMELLIA_256_CBC, - GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_DHE_RSA, + GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", - GNUTLS_CIPHER_CAMELLIA_128_CBC, - GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, - GNUTLS_DTLS_VERSION_MIN), + GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_DHE_RSA, + GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", - GNUTLS_CIPHER_CAMELLIA_256_CBC, - GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, - GNUTLS_DTLS_VERSION_MIN), + GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_DHE_RSA, + 
GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_DHE_RSA_AES_128_CBC_SHA256, - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", GNUTLS_CIPHER_AES_128_CBC, + GNUTLS_KX_DHE_RSA, GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_DHE_RSA_AES_256_CBC_SHA256, - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, + "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", GNUTLS_CIPHER_AES_256_CBC, + GNUTLS_KX_DHE_RSA, GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), -/* GCM */ + /* GCM */ ENTRY(GNUTLS_DHE_RSA_AES_128_GCM_SHA256, - "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", - GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, + "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", GNUTLS_CIPHER_AES_128_GCM, + GNUTLS_KX_DHE_RSA, GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY_PRF(GNUTLS_DHE_RSA_AES_256_GCM_SHA384, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", - GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), + GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_DHE_RSA, GNUTLS_MAC_AEAD, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), ENTRY(GNUTLS_DHE_RSA_CAMELLIA_128_GCM_SHA256, "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256", GNUTLS_CIPHER_CAMELLIA_128_GCM, GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY_PRF(GNUTLS_DHE_RSA_CAMELLIA_256_GCM_SHA384, "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384", GNUTLS_CIPHER_CAMELLIA_256_GCM, GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), + GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2, + GNUTLS_MAC_SHA384), ENTRY(GNUTLS_DHE_RSA_CHACHA20_POLY1305, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", GNUTLS_CIPHER_CHACHA20_POLY1305, GNUTLS_KX_DHE_RSA, 
GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), -/* CCM */ + /* CCM */ ENTRY(GNUTLS_DHE_RSA_AES_128_CCM, "TLS_DHE_RSA_WITH_AES_128_CCM", - GNUTLS_CIPHER_AES_128_CCM, GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_AES_128_CCM, GNUTLS_KX_DHE_RSA, GNUTLS_MAC_AEAD, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_DHE_RSA_AES_256_CCM, "TLS_DHE_RSA_WITH_AES_256_CCM", - GNUTLS_CIPHER_AES_256_CCM, GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_AES_256_CCM, GNUTLS_KX_DHE_RSA, GNUTLS_MAC_AEAD, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_DHE_RSA_AES_128_CCM_8, "TLS_DHE_RSA_WITH_AES_128_CCM_8", - GNUTLS_CIPHER_AES_128_CCM_8, GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_AES_128_CCM_8, GNUTLS_KX_DHE_RSA, GNUTLS_MAC_AEAD, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_DHE_RSA_AES_256_CCM_8, "TLS_DHE_RSA_WITH_AES_256_CCM_8", - GNUTLS_CIPHER_AES_256_CCM_8, GNUTLS_KX_DHE_RSA, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_AES_256_CCM_8, GNUTLS_KX_DHE_RSA, GNUTLS_MAC_AEAD, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), -#endif /* DHE */ +#endif /* DHE */ #ifdef ENABLE_ECDHE -/* ECC-RSA */ + /* ECC-RSA */ ENTRY(GNUTLS_ECDHE_RSA_NULL_SHA1, "TLS_ECDHE_RSA_WITH_NULL_SHA", - GNUTLS_CIPHER_NULL, GNUTLS_KX_ECDHE_RSA, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, - GNUTLS_DTLS_VERSION_MIN), + GNUTLS_CIPHER_NULL, GNUTLS_KX_ECDHE_RSA, GNUTLS_MAC_SHA1, + GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_ECDHE_RSA_3DES_EDE_CBC_SHA1, - "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_ECDHE_RSA, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", GNUTLS_CIPHER_3DES_CBC, + GNUTLS_KX_ECDHE_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1, - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ECDHE_RSA, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + 
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", GNUTLS_CIPHER_AES_128_CBC, + GNUTLS_KX_ECDHE_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1, - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ECDHE_RSA, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", GNUTLS_CIPHER_AES_256_CBC, + GNUTLS_KX_ECDHE_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY_PRF(GNUTLS_ECDHE_RSA_AES_256_CBC_SHA384, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ECDHE_RSA, - GNUTLS_MAC_SHA384, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), + GNUTLS_MAC_SHA384, GNUTLS_TLS1_2, GNUTLS_DTLS1_2, + GNUTLS_MAC_SHA384), ENTRY(GNUTLS_ECDHE_RSA_ARCFOUR_128_SHA1, - "TLS_ECDHE_RSA_WITH_RC4_128_SHA", - GNUTLS_CIPHER_ARCFOUR, GNUTLS_KX_ECDHE_RSA, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_ECDHE_RSA_WITH_RC4_128_SHA", GNUTLS_CIPHER_ARCFOUR, + GNUTLS_KX_ECDHE_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_VERSION_UNKNOWN), ENTRY(GNUTLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_ECDHE_RSA, - GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY_PRF(GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384", GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_ECDHE_RSA, - GNUTLS_MAC_SHA384, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), + GNUTLS_MAC_SHA384, GNUTLS_TLS1_2, GNUTLS_DTLS1_2, + GNUTLS_MAC_SHA384), /* ECDHE-ECDSA */ ENTRY(GNUTLS_ECDHE_ECDSA_NULL_SHA1, "TLS_ECDHE_ECDSA_WITH_NULL_SHA", - GNUTLS_CIPHER_NULL, GNUTLS_KX_ECDHE_ECDSA, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, - GNUTLS_DTLS_VERSION_MIN), + GNUTLS_CIPHER_NULL, GNUTLS_KX_ECDHE_ECDSA, GNUTLS_MAC_SHA1, + GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1, - "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", - GNUTLS_CIPHER_3DES_CBC, 
GNUTLS_KX_ECDHE_ECDSA, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", GNUTLS_CIPHER_3DES_CBC, + GNUTLS_KX_ECDHE_ECDSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1, - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ECDHE_ECDSA, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", GNUTLS_CIPHER_AES_128_CBC, + GNUTLS_KX_ECDHE_ECDSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1, - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ECDHE_ECDSA, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", GNUTLS_CIPHER_AES_256_CBC, + GNUTLS_KX_ECDHE_ECDSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_ECDHE_ECDSA_ARCFOUR_128_SHA1, - "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", - GNUTLS_CIPHER_ARCFOUR, GNUTLS_KX_ECDHE_ECDSA, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", GNUTLS_CIPHER_ARCFOUR, + GNUTLS_KX_ECDHE_ECDSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_VERSION_UNKNOWN), ENTRY(GNUTLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256", GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_ECDHE_ECDSA, - GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY_PRF(GNUTLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384", GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_ECDHE_ECDSA, - GNUTLS_MAC_SHA384, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), + GNUTLS_MAC_SHA384, GNUTLS_TLS1_2, GNUTLS_DTLS1_2, + GNUTLS_MAC_SHA384), /* More ECC */ ENTRY(GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ECDHE_ECDSA, - GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), 
ENTRY(GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ECDHE_RSA, - GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ECDHE_RSA, GNUTLS_MAC_SHA256, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256", GNUTLS_CIPHER_CAMELLIA_128_GCM, GNUTLS_KX_ECDHE_ECDSA, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY_PRF(GNUTLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384", GNUTLS_CIPHER_CAMELLIA_256_GCM, GNUTLS_KX_ECDHE_ECDSA, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), + GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2, + GNUTLS_MAC_SHA384), ENTRY(GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_ECDHE_ECDSA, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_ECDHE_ECDSA, GNUTLS_MAC_AEAD, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY_PRF(GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_ECDHE_ECDSA, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), + GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2, + GNUTLS_MAC_SHA384), ENTRY(GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_ECDHE_RSA, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_ECDHE_RSA, GNUTLS_MAC_AEAD, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY_PRF(GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_ECDHE_RSA, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), + GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2, + GNUTLS_MAC_SHA384), 
ENTRY_PRF(GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA384, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ECDHE_ECDSA, - GNUTLS_MAC_SHA384, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), + GNUTLS_MAC_SHA384, GNUTLS_TLS1_2, GNUTLS_DTLS1_2, + GNUTLS_MAC_SHA384), ENTRY(GNUTLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256", GNUTLS_CIPHER_CAMELLIA_128_GCM, GNUTLS_KX_ECDHE_RSA, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY_PRF(GNUTLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384", GNUTLS_CIPHER_CAMELLIA_256_GCM, GNUTLS_KX_ECDHE_RSA, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), + GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2, + GNUTLS_MAC_SHA384), ENTRY(GNUTLS_ECDHE_RSA_CHACHA20_POLY1305, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", GNUTLS_CIPHER_CHACHA20_POLY1305, GNUTLS_KX_ECDHE_RSA, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_ECDHE_ECDSA_CHACHA20_POLY1305, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", GNUTLS_CIPHER_CHACHA20_POLY1305, GNUTLS_KX_ECDHE_ECDSA, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_ECDHE_ECDSA_AES_128_CCM, - "TLS_ECDHE_ECDSA_WITH_AES_128_CCM", - GNUTLS_CIPHER_AES_128_CCM, GNUTLS_KX_ECDHE_ECDSA, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, + "TLS_ECDHE_ECDSA_WITH_AES_128_CCM", GNUTLS_CIPHER_AES_128_CCM, + GNUTLS_KX_ECDHE_ECDSA, GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_ECDHE_ECDSA_AES_256_CCM, - "TLS_ECDHE_ECDSA_WITH_AES_256_CCM", - GNUTLS_CIPHER_AES_256_CCM, GNUTLS_KX_ECDHE_ECDSA, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, + "TLS_ECDHE_ECDSA_WITH_AES_256_CCM", GNUTLS_CIPHER_AES_256_CCM, + GNUTLS_KX_ECDHE_ECDSA, GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_ECDHE_ECDSA_AES_128_CCM_8, - 
"TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8", - GNUTLS_CIPHER_AES_128_CCM_8, GNUTLS_KX_ECDHE_ECDSA, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, + "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8", GNUTLS_CIPHER_AES_128_CCM_8, + GNUTLS_KX_ECDHE_ECDSA, GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_ECDHE_ECDSA_AES_256_CCM_8, - "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8", - GNUTLS_CIPHER_AES_256_CCM_8, GNUTLS_KX_ECDHE_ECDSA, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, + "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8", GNUTLS_CIPHER_AES_256_CCM_8, + GNUTLS_KX_ECDHE_ECDSA, GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), #endif #ifdef ENABLE_PSK /* ECC - PSK */ ENTRY(GNUTLS_ECDHE_PSK_3DES_EDE_CBC_SHA1, - "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA", - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_ECDHE_PSK, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA", GNUTLS_CIPHER_3DES_CBC, + GNUTLS_KX_ECDHE_PSK, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_ECDHE_PSK_AES_128_CBC_SHA1, - "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA", - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ECDHE_PSK, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA", GNUTLS_CIPHER_AES_128_CBC, + GNUTLS_KX_ECDHE_PSK, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_ECDHE_PSK_AES_256_CBC_SHA1, - "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA", - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ECDHE_PSK, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA", GNUTLS_CIPHER_AES_256_CBC, + GNUTLS_KX_ECDHE_PSK, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_ECDHE_PSK_AES_128_CBC_SHA256, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256", - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ECDHE_PSK, - GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ECDHE_PSK, GNUTLS_MAC_SHA256, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY_PRF(GNUTLS_ECDHE_PSK_AES_256_CBC_SHA384, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384", GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ECDHE_PSK, - GNUTLS_MAC_SHA384, 
GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), + GNUTLS_MAC_SHA384, GNUTLS_TLS1_2, GNUTLS_DTLS1_2, + GNUTLS_MAC_SHA384), ENTRY(GNUTLS_ECDHE_PSK_ARCFOUR_128_SHA1, - "TLS_ECDHE_PSK_WITH_RC4_128_SHA", - GNUTLS_CIPHER_ARCFOUR, GNUTLS_KX_ECDHE_PSK, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_ECDHE_PSK_WITH_RC4_128_SHA", GNUTLS_CIPHER_ARCFOUR, + GNUTLS_KX_ECDHE_PSK, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_VERSION_UNKNOWN), ENTRY(GNUTLS_ECDHE_PSK_NULL_SHA1, "TLS_ECDHE_PSK_WITH_NULL_SHA", - GNUTLS_CIPHER_NULL, GNUTLS_KX_ECDHE_PSK, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, - GNUTLS_DTLS_VERSION_MIN), + GNUTLS_CIPHER_NULL, GNUTLS_KX_ECDHE_PSK, GNUTLS_MAC_SHA1, + GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_ECDHE_PSK_NULL_SHA256, "TLS_ECDHE_PSK_WITH_NULL_SHA256", - GNUTLS_CIPHER_NULL, GNUTLS_KX_ECDHE_PSK, - GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_NULL, GNUTLS_KX_ECDHE_PSK, GNUTLS_MAC_SHA256, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY_PRF(GNUTLS_ECDHE_PSK_NULL_SHA384, - "TLS_ECDHE_PSK_WITH_NULL_SHA384", - GNUTLS_CIPHER_NULL, GNUTLS_KX_ECDHE_PSK, - GNUTLS_MAC_SHA384, GNUTLS_TLS1, + "TLS_ECDHE_PSK_WITH_NULL_SHA384", GNUTLS_CIPHER_NULL, + GNUTLS_KX_ECDHE_PSK, GNUTLS_MAC_SHA384, GNUTLS_TLS1, GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), ENTRY(GNUTLS_ECDHE_PSK_CAMELLIA_128_CBC_SHA256, "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256", GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_ECDHE_PSK, - GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY_PRF(GNUTLS_ECDHE_PSK_CAMELLIA_256_CBC_SHA384, "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384", GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_ECDHE_PSK, - GNUTLS_MAC_SHA384, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), + GNUTLS_MAC_SHA384, GNUTLS_TLS1_2, GNUTLS_DTLS1_2, + GNUTLS_MAC_SHA384), /* PSK */ ENTRY(GNUTLS_PSK_ARCFOUR_128_SHA1, "TLS_PSK_WITH_RC4_128_SHA", - GNUTLS_CIPHER_ARCFOUR, GNUTLS_KX_PSK, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, - GNUTLS_VERSION_UNKNOWN), + 
GNUTLS_CIPHER_ARCFOUR, GNUTLS_KX_PSK, GNUTLS_MAC_SHA1, + GNUTLS_SSL3, GNUTLS_VERSION_UNKNOWN), ENTRY(GNUTLS_PSK_3DES_EDE_CBC_SHA1, "TLS_PSK_WITH_3DES_EDE_CBC_SHA", - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_PSK, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, - GNUTLS_DTLS_VERSION_MIN), + GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_PSK, GNUTLS_MAC_SHA1, + GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_PSK_AES_128_CBC_SHA1, "TLS_PSK_WITH_AES_128_CBC_SHA", - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_PSK, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, - GNUTLS_DTLS_VERSION_MIN), + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_PSK, GNUTLS_MAC_SHA1, + GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_PSK_AES_256_CBC_SHA1, "TLS_PSK_WITH_AES_256_CBC_SHA", - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_PSK, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, - GNUTLS_DTLS_VERSION_MIN), + GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_PSK, GNUTLS_MAC_SHA1, + GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_PSK_AES_128_CBC_SHA256, "TLS_PSK_WITH_AES_128_CBC_SHA256", - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_PSK, - GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_PSK, GNUTLS_MAC_SHA256, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY_PRF(GNUTLS_PSK_AES_256_GCM_SHA384, - "TLS_PSK_WITH_AES_256_GCM_SHA384", - GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_PSK, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), + "TLS_PSK_WITH_AES_256_GCM_SHA384", GNUTLS_CIPHER_AES_256_GCM, + GNUTLS_KX_PSK, GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2, + GNUTLS_MAC_SHA384), ENTRY(GNUTLS_PSK_CAMELLIA_128_GCM_SHA256, "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256", - GNUTLS_CIPHER_CAMELLIA_128_GCM, GNUTLS_KX_PSK, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_CAMELLIA_128_GCM, GNUTLS_KX_PSK, GNUTLS_MAC_AEAD, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY_PRF(GNUTLS_PSK_CAMELLIA_256_GCM_SHA384, "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384", GNUTLS_CIPHER_CAMELLIA_256_GCM, GNUTLS_KX_PSK, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, 
GNUTLS_MAC_SHA384), + GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2, + GNUTLS_MAC_SHA384), ENTRY(GNUTLS_PSK_AES_128_GCM_SHA256, "TLS_PSK_WITH_AES_128_GCM_SHA256", - GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_PSK, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), - ENTRY(GNUTLS_PSK_NULL_SHA1, "TLS_PSK_WITH_NULL_SHA", - GNUTLS_CIPHER_NULL, GNUTLS_KX_PSK, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_PSK, GNUTLS_MAC_AEAD, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), + ENTRY(GNUTLS_PSK_NULL_SHA1, "TLS_PSK_WITH_NULL_SHA", GNUTLS_CIPHER_NULL, + GNUTLS_KX_PSK, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_PSK_NULL_SHA256, "TLS_PSK_WITH_NULL_SHA256", - GNUTLS_CIPHER_NULL, GNUTLS_KX_PSK, - GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_NULL, GNUTLS_KX_PSK, GNUTLS_MAC_SHA256, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_PSK_CAMELLIA_128_CBC_SHA256, "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256", - GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_PSK, - GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_PSK, GNUTLS_MAC_SHA256, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY_PRF(GNUTLS_PSK_CAMELLIA_256_CBC_SHA384, "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384", GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_PSK, - GNUTLS_MAC_SHA384, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), + GNUTLS_MAC_SHA384, GNUTLS_TLS1_2, GNUTLS_DTLS1_2, + GNUTLS_MAC_SHA384), ENTRY_PRF(GNUTLS_PSK_AES_256_CBC_SHA384, - "TLS_PSK_WITH_AES_256_CBC_SHA384", - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_PSK, - GNUTLS_MAC_SHA384, GNUTLS_TLS1_2, + "TLS_PSK_WITH_AES_256_CBC_SHA384", GNUTLS_CIPHER_AES_256_CBC, + GNUTLS_KX_PSK, GNUTLS_MAC_SHA384, GNUTLS_TLS1_2, GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), ENTRY_PRF(GNUTLS_PSK_NULL_SHA384, "TLS_PSK_WITH_NULL_SHA384", - GNUTLS_CIPHER_NULL, GNUTLS_KX_PSK, - GNUTLS_MAC_SHA384, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), + GNUTLS_CIPHER_NULL, GNUTLS_KX_PSK, GNUTLS_MAC_SHA384, + GNUTLS_TLS1_2, 
GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), /* RSA-PSK */ ENTRY(GNUTLS_RSA_PSK_ARCFOUR_128_SHA1, "TLS_RSA_PSK_WITH_RC4_128_SHA", - GNUTLS_CIPHER_ARCFOUR, GNUTLS_KX_RSA_PSK, - GNUTLS_MAC_SHA1, GNUTLS_TLS1, - GNUTLS_VERSION_UNKNOWN), + GNUTLS_CIPHER_ARCFOUR, GNUTLS_KX_RSA_PSK, GNUTLS_MAC_SHA1, + GNUTLS_TLS1, GNUTLS_VERSION_UNKNOWN), ENTRY(GNUTLS_RSA_PSK_3DES_EDE_CBC_SHA1, - "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA", - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_RSA_PSK, - GNUTLS_MAC_SHA1, GNUTLS_TLS1, + "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA", GNUTLS_CIPHER_3DES_CBC, + GNUTLS_KX_RSA_PSK, GNUTLS_MAC_SHA1, GNUTLS_TLS1, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_RSA_PSK_AES_128_CBC_SHA1, - "TLS_RSA_PSK_WITH_AES_128_CBC_SHA", - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_RSA_PSK, - GNUTLS_MAC_SHA1, GNUTLS_TLS1, + "TLS_RSA_PSK_WITH_AES_128_CBC_SHA", GNUTLS_CIPHER_AES_128_CBC, + GNUTLS_KX_RSA_PSK, GNUTLS_MAC_SHA1, GNUTLS_TLS1, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_RSA_PSK_AES_256_CBC_SHA1, - "TLS_RSA_PSK_WITH_AES_256_CBC_SHA", - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA_PSK, - GNUTLS_MAC_SHA1, GNUTLS_TLS1, + "TLS_RSA_PSK_WITH_AES_256_CBC_SHA", GNUTLS_CIPHER_AES_256_CBC, + GNUTLS_KX_RSA_PSK, GNUTLS_MAC_SHA1, GNUTLS_TLS1, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_RSA_PSK_CAMELLIA_128_GCM_SHA256, "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256", GNUTLS_CIPHER_CAMELLIA_128_GCM, GNUTLS_KX_RSA_PSK, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY_PRF(GNUTLS_RSA_PSK_CAMELLIA_256_GCM_SHA384, "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384", GNUTLS_CIPHER_CAMELLIA_256_GCM, GNUTLS_KX_RSA_PSK, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), + GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2, + GNUTLS_MAC_SHA384), ENTRY(GNUTLS_RSA_PSK_AES_128_GCM_SHA256, - "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256", - GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_RSA_PSK, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, + "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256", GNUTLS_CIPHER_AES_128_GCM, + 
GNUTLS_KX_RSA_PSK, GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_RSA_PSK_AES_128_CBC_SHA256, - "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256", - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_RSA_PSK, - GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, + "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256", GNUTLS_CIPHER_AES_128_CBC, + GNUTLS_KX_RSA_PSK, GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_RSA_PSK_NULL_SHA1, "TLS_RSA_PSK_WITH_NULL_SHA", - GNUTLS_CIPHER_NULL, GNUTLS_KX_RSA_PSK, - GNUTLS_MAC_SHA1, GNUTLS_TLS1, - GNUTLS_DTLS_VERSION_MIN), + GNUTLS_CIPHER_NULL, GNUTLS_KX_RSA_PSK, GNUTLS_MAC_SHA1, + GNUTLS_TLS1, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_RSA_PSK_NULL_SHA256, "TLS_RSA_PSK_WITH_NULL_SHA256", - GNUTLS_CIPHER_NULL, GNUTLS_KX_RSA_PSK, - GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_NULL, GNUTLS_KX_RSA_PSK, GNUTLS_MAC_SHA256, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY_PRF(GNUTLS_RSA_PSK_AES_256_GCM_SHA384, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384", - GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_RSA_PSK, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), + GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_RSA_PSK, GNUTLS_MAC_AEAD, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), ENTRY_PRF(GNUTLS_RSA_PSK_AES_256_CBC_SHA384, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384", GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA_PSK, - GNUTLS_MAC_SHA384, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), + GNUTLS_MAC_SHA384, GNUTLS_TLS1_2, GNUTLS_DTLS1_2, + GNUTLS_MAC_SHA384), ENTRY_PRF(GNUTLS_RSA_PSK_NULL_SHA384, "TLS_RSA_PSK_WITH_NULL_SHA384", - GNUTLS_CIPHER_NULL, GNUTLS_KX_RSA_PSK, - GNUTLS_MAC_SHA384, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), + GNUTLS_CIPHER_NULL, GNUTLS_KX_RSA_PSK, GNUTLS_MAC_SHA384, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), ENTRY(GNUTLS_RSA_PSK_CAMELLIA_128_CBC_SHA256, "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256", GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_RSA_PSK, - GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + 
GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY_PRF(GNUTLS_RSA_PSK_CAMELLIA_256_CBC_SHA384, "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384", GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_RSA_PSK, - GNUTLS_MAC_SHA384, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), + GNUTLS_MAC_SHA384, GNUTLS_TLS1_2, GNUTLS_DTLS1_2, + GNUTLS_MAC_SHA384), /* DHE-PSK */ ENTRY(GNUTLS_DHE_PSK_ARCFOUR_128_SHA1, "TLS_DHE_PSK_WITH_RC4_128_SHA", - GNUTLS_CIPHER_ARCFOUR, GNUTLS_KX_DHE_PSK, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, - GNUTLS_VERSION_UNKNOWN), + GNUTLS_CIPHER_ARCFOUR, GNUTLS_KX_DHE_PSK, GNUTLS_MAC_SHA1, + GNUTLS_SSL3, GNUTLS_VERSION_UNKNOWN), ENTRY(GNUTLS_DHE_PSK_3DES_EDE_CBC_SHA1, - "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA", - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_PSK, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA", GNUTLS_CIPHER_3DES_CBC, + GNUTLS_KX_DHE_PSK, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_DHE_PSK_AES_128_CBC_SHA1, - "TLS_DHE_PSK_WITH_AES_128_CBC_SHA", - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_PSK, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_DHE_PSK_WITH_AES_128_CBC_SHA", GNUTLS_CIPHER_AES_128_CBC, + GNUTLS_KX_DHE_PSK, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_DHE_PSK_AES_256_CBC_SHA1, - "TLS_DHE_PSK_WITH_AES_256_CBC_SHA", - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_PSK, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_DHE_PSK_WITH_AES_256_CBC_SHA", GNUTLS_CIPHER_AES_256_CBC, + GNUTLS_KX_DHE_PSK, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_DHE_PSK_AES_128_CBC_SHA256, - "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256", - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_PSK, - GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, + "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256", GNUTLS_CIPHER_AES_128_CBC, + GNUTLS_KX_DHE_PSK, GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_DHE_PSK_AES_128_GCM_SHA256, - "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256", - GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_DHE_PSK, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, + 
"TLS_DHE_PSK_WITH_AES_128_GCM_SHA256", GNUTLS_CIPHER_AES_128_GCM, + GNUTLS_KX_DHE_PSK, GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_DHE_PSK_NULL_SHA1, "TLS_DHE_PSK_WITH_NULL_SHA", - GNUTLS_CIPHER_NULL, GNUTLS_KX_DHE_PSK, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, - GNUTLS_DTLS_VERSION_MIN), + GNUTLS_CIPHER_NULL, GNUTLS_KX_DHE_PSK, GNUTLS_MAC_SHA1, + GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_DHE_PSK_NULL_SHA256, "TLS_DHE_PSK_WITH_NULL_SHA256", - GNUTLS_CIPHER_NULL, GNUTLS_KX_DHE_PSK, - GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_NULL, GNUTLS_KX_DHE_PSK, GNUTLS_MAC_SHA256, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY_PRF(GNUTLS_DHE_PSK_NULL_SHA384, "TLS_DHE_PSK_WITH_NULL_SHA384", - GNUTLS_CIPHER_NULL, GNUTLS_KX_DHE_PSK, - GNUTLS_MAC_SHA384, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), + GNUTLS_CIPHER_NULL, GNUTLS_KX_DHE_PSK, GNUTLS_MAC_SHA384, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), ENTRY_PRF(GNUTLS_DHE_PSK_AES_256_CBC_SHA384, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384", GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_PSK, - GNUTLS_MAC_SHA384, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), + GNUTLS_MAC_SHA384, GNUTLS_TLS1_2, GNUTLS_DTLS1_2, + GNUTLS_MAC_SHA384), ENTRY_PRF(GNUTLS_DHE_PSK_AES_256_GCM_SHA384, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384", - GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_DHE_PSK, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), + GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_DHE_PSK, GNUTLS_MAC_AEAD, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), ENTRY(GNUTLS_DHE_PSK_CAMELLIA_128_CBC_SHA256, "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256", GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_DHE_PSK, - GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY_PRF(GNUTLS_DHE_PSK_CAMELLIA_256_CBC_SHA384, "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384", GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_DHE_PSK, - GNUTLS_MAC_SHA384, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, 
GNUTLS_MAC_SHA384), + GNUTLS_MAC_SHA384, GNUTLS_TLS1_2, GNUTLS_DTLS1_2, + GNUTLS_MAC_SHA384), ENTRY(GNUTLS_DHE_PSK_CAMELLIA_128_GCM_SHA256, "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256", GNUTLS_CIPHER_CAMELLIA_128_GCM, GNUTLS_KX_DHE_PSK, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY_PRF(GNUTLS_DHE_PSK_CAMELLIA_256_GCM_SHA384, "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384", GNUTLS_CIPHER_CAMELLIA_256_GCM, GNUTLS_KX_DHE_PSK, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), + GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2, + GNUTLS_MAC_SHA384), ENTRY(GNUTLS_PSK_AES_128_CCM, "TLS_PSK_WITH_AES_128_CCM", - GNUTLS_CIPHER_AES_128_CCM, GNUTLS_KX_PSK, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_AES_128_CCM, GNUTLS_KX_PSK, GNUTLS_MAC_AEAD, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_PSK_AES_256_CCM, "TLS_PSK_WITH_AES_256_CCM", - GNUTLS_CIPHER_AES_256_CCM, GNUTLS_KX_PSK, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_AES_256_CCM, GNUTLS_KX_PSK, GNUTLS_MAC_AEAD, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_DHE_PSK_AES_128_CCM, "TLS_DHE_PSK_WITH_AES_128_CCM", - GNUTLS_CIPHER_AES_128_CCM, GNUTLS_KX_DHE_PSK, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_AES_128_CCM, GNUTLS_KX_DHE_PSK, GNUTLS_MAC_AEAD, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_DHE_PSK_AES_256_CCM, "TLS_DHE_PSK_WITH_AES_256_CCM", - GNUTLS_CIPHER_AES_256_CCM, GNUTLS_KX_DHE_PSK, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_AES_256_CCM, GNUTLS_KX_DHE_PSK, GNUTLS_MAC_AEAD, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_PSK_AES_128_CCM_8, "TLS_PSK_WITH_AES_128_CCM_8", - GNUTLS_CIPHER_AES_128_CCM_8, GNUTLS_KX_PSK, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_AES_128_CCM_8, GNUTLS_KX_PSK, GNUTLS_MAC_AEAD, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_PSK_AES_256_CCM_8, "TLS_PSK_WITH_AES_256_CCM_8", - 
GNUTLS_CIPHER_AES_256_CCM_8, GNUTLS_KX_PSK, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_AES_256_CCM_8, GNUTLS_KX_PSK, GNUTLS_MAC_AEAD, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_DHE_PSK_AES_128_CCM_8, "TLS_PSK_DHE_WITH_AES_128_CCM_8", - GNUTLS_CIPHER_AES_128_CCM_8, GNUTLS_KX_DHE_PSK, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_AES_128_CCM_8, GNUTLS_KX_DHE_PSK, GNUTLS_MAC_AEAD, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_DHE_PSK_AES_256_CCM_8, "TLS_PSK_DHE_WITH_AES_256_CCM_8", - GNUTLS_CIPHER_AES_256_CCM_8, GNUTLS_KX_DHE_PSK, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_AES_256_CCM_8, GNUTLS_KX_DHE_PSK, GNUTLS_MAC_AEAD, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_DHE_PSK_CHACHA20_POLY1305, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256", GNUTLS_CIPHER_CHACHA20_POLY1305, GNUTLS_KX_DHE_PSK, 
@@ -1140,164 +1578,133 @@ static const gnutls_cipher_suite_entry_st cs_algorithms[] = { ENTRY(GNUTLS_PSK_CHACHA20_POLY1305, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256", - GNUTLS_CIPHER_CHACHA20_POLY1305, GNUTLS_KX_PSK, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), + GNUTLS_CIPHER_CHACHA20_POLY1305, GNUTLS_KX_PSK, GNUTLS_MAC_AEAD, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2), #endif #ifdef ENABLE_ANON /* DH_ANON */ ENTRY(GNUTLS_DH_ANON_ARCFOUR_128_MD5, "TLS_DH_anon_WITH_RC4_128_MD5", - GNUTLS_CIPHER_ARCFOUR_128, - GNUTLS_KX_ANON_DH, GNUTLS_MAC_MD5, + GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_KX_ANON_DH, GNUTLS_MAC_MD5, GNUTLS_SSL3, GNUTLS_VERSION_UNKNOWN), ENTRY(GNUTLS_DH_ANON_3DES_EDE_CBC_SHA1, - "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA", - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_ANON_DH, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA", GNUTLS_CIPHER_3DES_CBC, + GNUTLS_KX_ANON_DH, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_DH_ANON_AES_128_CBC_SHA1, - "TLS_DH_anon_WITH_AES_128_CBC_SHA", - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ANON_DH, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_DH_anon_WITH_AES_128_CBC_SHA", GNUTLS_CIPHER_AES_128_CBC, + GNUTLS_KX_ANON_DH, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_DH_ANON_AES_256_CBC_SHA1, - "TLS_DH_anon_WITH_AES_256_CBC_SHA", - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ANON_DH, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_DH_anon_WITH_AES_256_CBC_SHA", GNUTLS_CIPHER_AES_256_CBC, + GNUTLS_KX_ANON_DH, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_DH_ANON_CAMELLIA_128_CBC_SHA256, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256", - GNUTLS_CIPHER_CAMELLIA_128_CBC, - GNUTLS_KX_ANON_DH, - GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_ANON_DH, + GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_DH_ANON_CAMELLIA_256_CBC_SHA256, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256", - GNUTLS_CIPHER_CAMELLIA_256_CBC, - GNUTLS_KX_ANON_DH, - 
GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_ANON_DH, + GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_DH_ANON_CAMELLIA_128_CBC_SHA1, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA", - GNUTLS_CIPHER_CAMELLIA_128_CBC, - GNUTLS_KX_ANON_DH, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, - GNUTLS_DTLS_VERSION_MIN), + GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_ANON_DH, + GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_DH_ANON_CAMELLIA_256_CBC_SHA1, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA", - GNUTLS_CIPHER_CAMELLIA_256_CBC, - GNUTLS_KX_ANON_DH, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, - GNUTLS_DTLS_VERSION_MIN), + GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_ANON_DH, + GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_DH_ANON_AES_128_CBC_SHA256, - "TLS_DH_anon_WITH_AES_128_CBC_SHA256", - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ANON_DH, - GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, + "TLS_DH_anon_WITH_AES_128_CBC_SHA256", GNUTLS_CIPHER_AES_128_CBC, + GNUTLS_KX_ANON_DH, GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_DH_ANON_AES_256_CBC_SHA256, - "TLS_DH_anon_WITH_AES_256_CBC_SHA256", - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ANON_DH, - GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, + "TLS_DH_anon_WITH_AES_256_CBC_SHA256", GNUTLS_CIPHER_AES_256_CBC, + GNUTLS_KX_ANON_DH, GNUTLS_MAC_SHA256, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY(GNUTLS_DH_ANON_AES_128_GCM_SHA256, - "TLS_DH_anon_WITH_AES_128_GCM_SHA256", - GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_ANON_DH, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, + "TLS_DH_anon_WITH_AES_128_GCM_SHA256", GNUTLS_CIPHER_AES_128_GCM, + GNUTLS_KX_ANON_DH, GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY_PRF(GNUTLS_DH_ANON_AES_256_GCM_SHA384, "TLS_DH_anon_WITH_AES_256_GCM_SHA384", - GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_ANON_DH, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), + GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_ANON_DH, GNUTLS_MAC_AEAD, + GNUTLS_TLS1_2, GNUTLS_DTLS1_2, 
GNUTLS_MAC_SHA384), ENTRY(GNUTLS_DH_ANON_CAMELLIA_128_GCM_SHA256, "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256", GNUTLS_CIPHER_CAMELLIA_128_GCM, GNUTLS_KX_ANON_DH, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2), + GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2), ENTRY_PRF(GNUTLS_DH_ANON_CAMELLIA_256_GCM_SHA384, "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384", GNUTLS_CIPHER_CAMELLIA_256_GCM, GNUTLS_KX_ANON_DH, - GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, - GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384), + GNUTLS_MAC_AEAD, GNUTLS_TLS1_2, GNUTLS_DTLS1_2, + GNUTLS_MAC_SHA384), -/* ECC-ANON */ + /* ECC-ANON */ ENTRY(GNUTLS_ECDH_ANON_NULL_SHA1, "TLS_ECDH_anon_WITH_NULL_SHA", - GNUTLS_CIPHER_NULL, GNUTLS_KX_ANON_ECDH, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, - GNUTLS_DTLS_VERSION_MIN), + GNUTLS_CIPHER_NULL, GNUTLS_KX_ANON_ECDH, GNUTLS_MAC_SHA1, + GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_ECDH_ANON_3DES_EDE_CBC_SHA1, - "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_ANON_ECDH, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", GNUTLS_CIPHER_3DES_CBC, + GNUTLS_KX_ANON_ECDH, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_ECDH_ANON_AES_128_CBC_SHA1, - "TLS_ECDH_anon_WITH_AES_128_CBC_SHA", - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ANON_ECDH, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_ECDH_anon_WITH_AES_128_CBC_SHA", GNUTLS_CIPHER_AES_128_CBC, + GNUTLS_KX_ANON_ECDH, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_ECDH_ANON_AES_256_CBC_SHA1, - "TLS_ECDH_anon_WITH_AES_256_CBC_SHA", - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ANON_ECDH, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_ECDH_anon_WITH_AES_256_CBC_SHA", GNUTLS_CIPHER_AES_256_CBC, + GNUTLS_KX_ANON_ECDH, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_ECDH_ANON_ARCFOUR_128_SHA1, - "TLS_ECDH_anon_WITH_RC4_128_SHA", - GNUTLS_CIPHER_ARCFOUR, GNUTLS_KX_ANON_ECDH, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_ECDH_anon_WITH_RC4_128_SHA", GNUTLS_CIPHER_ARCFOUR, + 
GNUTLS_KX_ANON_ECDH, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_VERSION_UNKNOWN), #endif #ifdef ENABLE_SRP /* SRP */ ENTRY(GNUTLS_SRP_SHA_3DES_EDE_CBC_SHA1, - "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA", - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA", GNUTLS_CIPHER_3DES_CBC, + GNUTLS_KX_SRP, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_SRP_SHA_AES_128_CBC_SHA1, - "TLS_SRP_SHA_WITH_AES_128_CBC_SHA", - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_SRP_SHA_WITH_AES_128_CBC_SHA", GNUTLS_CIPHER_AES_128_CBC, + GNUTLS_KX_SRP, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_SRP_SHA_AES_256_CBC_SHA1, - "TLS_SRP_SHA_WITH_AES_256_CBC_SHA", - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_SRP_SHA_WITH_AES_256_CBC_SHA", GNUTLS_CIPHER_AES_256_CBC, + GNUTLS_KX_SRP, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1, - "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA", - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP_DSS, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA", GNUTLS_CIPHER_3DES_CBC, + GNUTLS_KX_SRP_DSS, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1, - "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA", - GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP_RSA, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA", GNUTLS_CIPHER_3DES_CBC, + GNUTLS_KX_SRP_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_SRP_SHA_DSS_AES_128_CBC_SHA1, - "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA", - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP_DSS, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA", GNUTLS_CIPHER_AES_128_CBC, + GNUTLS_KX_SRP_DSS, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_SRP_SHA_RSA_AES_128_CBC_SHA1, - "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA", - 
GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP_RSA, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA", GNUTLS_CIPHER_AES_128_CBC, + GNUTLS_KX_SRP_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_SRP_SHA_DSS_AES_256_CBC_SHA1, - "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA", - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP_DSS, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA", GNUTLS_CIPHER_AES_256_CBC, + GNUTLS_KX_SRP_DSS, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), ENTRY(GNUTLS_SRP_SHA_RSA_AES_256_CBC_SHA1, - "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA", - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP_RSA, - GNUTLS_MAC_SHA1, GNUTLS_SSL3, + "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA", GNUTLS_CIPHER_AES_256_CBC, + GNUTLS_KX_SRP_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3, GNUTLS_DTLS_VERSION_MIN), #endif @@ -1309,15 +1716,23 @@ static const gnutls_cipher_suite_entry_st cs_algorithms[] = { GNUTLS_VERSION_UNKNOWN, GNUTLS_MAC_STREEBOG_256), #endif - {0, {0, 0}, 0, 0, 0, 0, 0, 0} + { 0, { 0, 0 }, 0, 0, 0, 0, 0, 0 } }; -#define CIPHER_SUITE_LOOP(b) { \ - const gnutls_cipher_suite_entry_st *p; \ - for(p = cs_algorithms; p->name != NULL; p++) { b ; } } +#define CIPHER_SUITE_LOOP(b) \ + { \ + const gnutls_cipher_suite_entry_st *p; \ + for (p = cs_algorithms; p->name != NULL; p++) { \ + b; \ + } \ + } -#define CIPHER_SUITE_ALG_LOOP(a, suite) \ - CIPHER_SUITE_LOOP( if( (p->id[0] == suite[0]) && (p->id[1] == suite[1])) { a; break; } ) +#define CIPHER_SUITE_ALG_LOOP(a, suite) \ + CIPHER_SUITE_LOOP( \ + if ((p->id[0] == suite[0]) && (p->id[1] == suite[1])) { \ + a; \ + break; \ + }) /* Cipher Suite's functions */ const gnutls_cipher_suite_entry_st *ciphersuite_to_entry(const uint8_t suite[2]) @@ -1332,7 +1747,6 @@ gnutls_kx_algorithm_t _gnutls_cipher_suite_get_kx_algo(const uint8_t suite[2]) CIPHER_SUITE_ALG_LOOP(ret = p->kx_algorithm, suite); return ret; - } const char *_gnutls_cipher_suite_get_name(const uint8_t suite[2]) 
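Review bot: The reformatted `CIPHER_SUITE_LOOP` still expands to a bare `{ ... }` block, so a call such as `CIPHER_SUITE_ALG_LOOP(ret = p->kx_algorithm, suite);` leaves a stray empty statement and would not compose with an unbraced `if`/`else`. Wrapping the expansion as `do { ... } while (0)` is the usual form for a statement macro and keeps the inner `break` bound to the `for` loop. The macro also declares `p` for its argument to use and substitutes `suite` unparenthesised, and neither is documented. A comment above the definition would record that contract, for example `/* b runs once per table entry with p pointing at it; iteration stops at the entry whose name is NULL */`. `cipher_suite_get` in the following hunk passes a whole braced `if` as the argument, so the same point applies there.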
@@ -1345,18 +1759,19 @@ const char *_gnutls_cipher_suite_get_name(const uint8_t suite[2])
 return ret;
 }
-const gnutls_cipher_suite_entry_st
- * cipher_suite_get(gnutls_kx_algorithm_t kx_algorithm,
- gnutls_cipher_algorithm_t cipher_algorithm,
- gnutls_mac_algorithm_t mac_algorithm)
+const gnutls_cipher_suite_entry_st *
+cipher_suite_get(gnutls_kx_algorithm_t kx_algorithm,
+ gnutls_cipher_algorithm_t cipher_algorithm,
+ gnutls_mac_algorithm_t mac_algorithm)
 {
 const gnutls_cipher_suite_entry_st *ret = NULL;
 CIPHER_SUITE_LOOP(if (kx_algorithm == p->kx_algorithm &&
- cipher_algorithm == p->block_algorithm
- && mac_algorithm == p->mac_algorithm) {
- ret = p; break;}
- ) ;
+ cipher_algorithm == p->block_algorithm &&
+ mac_algorithm == p->mac_algorithm) {
+ ret = p;
+ break;
+ });
 return ret;
 }
@@ -1364,9 +1779,9 @@ const gnutls_cipher_suite_entry_st
 /* Returns 0 if the given KX has not the corresponding parameters
 * (DH or RSA) set up. Otherwise returns 1. */
-static unsigned
-check_server_dh_params(gnutls_session_t session,
- unsigned cred_type, gnutls_kx_algorithm_t kx)
+static unsigned check_server_dh_params(gnutls_session_t session,
+ unsigned cred_type,
+ gnutls_kx_algorithm_t kx)
 {
 unsigned have_dh_params = 0;
@@ -1385,41 +1800,41 @@ check_server_dh_params(gnutls_session_t session,
 */
 if (cred_type == GNUTLS_CRD_CERTIFICATE) {
 gnutls_certificate_credentials_t x509_cred =
- (gnutls_certificate_credentials_t)
- _gnutls_get_cred(session, cred_type);
+ (gnutls_certificate_credentials_t)_gnutls_get_cred(
+ session, cred_type);
- if (x509_cred != NULL
- && (x509_cred->dh_params || x509_cred->params_func
- || x509_cred->dh_sec_param)) {
+ if (x509_cred != NULL &&
+ (x509_cred->dh_params || x509_cred->params_func ||
+ x509_cred->dh_sec_param)) {
 have_dh_params = 1;
 }
 #ifdef ENABLE_ANON
 } else if (cred_type == GNUTLS_CRD_ANON) {
 gnutls_anon_server_credentials_t anon_cred =
- (gnutls_anon_server_credentials_t)
- _gnutls_get_cred(session, cred_type);
+ (gnutls_anon_server_credentials_t)_gnutls_get_cred(
+ session, cred_type);
- if (anon_cred != NULL
- && (anon_cred->dh_params || anon_cred->params_func
- || anon_cred->dh_sec_param)) {
+ if (anon_cred != NULL &&
+ (anon_cred->dh_params || anon_cred->params_func ||
+ anon_cred->dh_sec_param)) {
 have_dh_params = 1;
 }
 #endif
 #ifdef ENABLE_PSK
 } else if (cred_type == GNUTLS_CRD_PSK) {
 gnutls_psk_server_credentials_t psk_cred =
- (gnutls_psk_server_credentials_t)
- _gnutls_get_cred(session, cred_type);
+ (gnutls_psk_server_credentials_t)_gnutls_get_cred(
+ session, cred_type);
- if (psk_cred != NULL
- && (psk_cred->dh_params || psk_cred->params_func
- || psk_cred->dh_sec_param)) {
+ if (psk_cred != NULL &&
+ (psk_cred->dh_params || psk_cred->params_func ||
+ psk_cred->dh_sec_param)) {
 have_dh_params = 1;
 }
 #endif
 } else {
- return 1; /* no need for params */
+ return 1; /* no need for params */
 }
 return have_dh_params;
@@ -1441,11 +1856,10 @@ check_server_dh_params(gnutls_session_t session,
 * Returns: a string that contains the name of a TLS cipher suite,
 * specified by the given algorithms, or %NULL.
 **/
-const char *gnutls_cipher_suite_get_name(gnutls_kx_algorithm_t
- kx_algorithm,
- gnutls_cipher_algorithm_t
- cipher_algorithm,
- gnutls_mac_algorithm_t mac_algorithm)
+const char *
+gnutls_cipher_suite_get_name(gnutls_kx_algorithm_t kx_algorithm,
+ gnutls_cipher_algorithm_t cipher_algorithm,
+ gnutls_mac_algorithm_t mac_algorithm)
 {
 const gnutls_cipher_suite_entry_st *ce;
@@ -1468,11 +1882,10 @@ const char *gnutls_cipher_suite_get_name(gnutls_kx_algorithm_t
 *
 * Returns: 0 on success or a negative error code otherwise.
 -*/
-int
-_gnutls_cipher_suite_get_id(gnutls_kx_algorithm_t kx_algorithm,
- gnutls_cipher_algorithm_t cipher_algorithm,
- gnutls_mac_algorithm_t mac_algorithm,
- uint8_t suite[2])
+int _gnutls_cipher_suite_get_id(gnutls_kx_algorithm_t kx_algorithm,
+ gnutls_cipher_algorithm_t cipher_algorithm,
+ gnutls_mac_algorithm_t mac_algorithm,
+ uint8_t suite[2])
 {
 const gnutls_cipher_suite_entry_st *ce;
@@ -1504,12 +1917,11 @@ _gnutls_cipher_suite_get_id(gnutls_kx_algorithm_t kx_algorithm,
 * about the cipher suite in the output variables. If @idx is out of
 * bounds, %NULL is returned.
 **/
-const char *gnutls_cipher_suite_info(size_t idx,
- unsigned char *cs_id,
- gnutls_kx_algorithm_t * kx,
- gnutls_cipher_algorithm_t * cipher,
- gnutls_mac_algorithm_t * mac,
- gnutls_protocol_t * min_version)
+const char *gnutls_cipher_suite_info(size_t idx, unsigned char *cs_id,
+ gnutls_kx_algorithm_t *kx,
+ gnutls_cipher_algorithm_t *cipher,
+ gnutls_mac_algorithm_t *mac,
+ gnutls_protocol_t *min_version)
 {
 if (idx >= CIPHER_SUITES_COUNT)
 return NULL;
@@ -1528,37 +1940,38 @@ const char *gnutls_cipher_suite_info(size_t idx,
 return cs_algorithms[idx].name + sizeof("GNU") - 1;
 }
-#define VERSION_CHECK(entry) \
- if (is_dtls) { \
- if (entry->min_dtls_version == GNUTLS_VERSION_UNKNOWN || \
- version->id < entry->min_dtls_version || \
- version->id > entry->max_dtls_version) \
- continue; \
- } else { \
- if (entry->min_version == GNUTLS_VERSION_UNKNOWN || \
- version->id < entry->min_version || \
- version->id > entry->max_version) \
- continue; \
- }
+#define VERSION_CHECK(entry) \
+ if (is_dtls) { \
+ if (entry->min_dtls_version == GNUTLS_VERSION_UNKNOWN || \
+ version->id < entry->min_dtls_version || \
+ version->id > entry->max_dtls_version) \
+ continue; \
+ } else { \
+ if (entry->min_version == GNUTLS_VERSION_UNKNOWN || \
+ version->id < entry->min_version || \
+ version->id > entry->max_version) \
+ continue; \
+ }
-#define CIPHER_CHECK(algo) \
- if (session->internals.priorities->force_etm && !have_etm) { \
- const cipher_entry_st *_cipher; \
- _cipher = cipher_to_entry(algo); \
- if (_cipher == NULL || _gnutls_cipher_type(_cipher) == CIPHER_BLOCK) \
- continue; \
- }
+#define CIPHER_CHECK(algo) \
+ if (session->internals.priorities->force_etm && !have_etm) { \
+ const cipher_entry_st *_cipher; \
+ _cipher = cipher_to_entry(algo); \
+ if (_cipher == NULL || \
+ _gnutls_cipher_type(_cipher) == CIPHER_BLOCK) \
+ continue; \
+ }
-#define KX_SRP_CHECKS(kx, action) \
+#define KX_SRP_CHECKS(kx, action) \
 if (kx == GNUTLS_KX_SRP_RSA || kx == GNUTLS_KX_SRP_DSS) { \
 if (!_gnutls_get_cred(session, GNUTLS_CRD_SRP)) { \
- action; \
- } \
+ action; \
+ } \
 }
 static unsigned kx_is_ok(gnutls_session_t session, gnutls_kx_algorithm_t kx,
 unsigned cred_type,
- const gnutls_group_entry_st ** sgroup)
+ const gnutls_group_entry_st **sgroup)
 {
 if (_gnutls_kx_is_ecc(kx)) {
 if (session->internals.cand_ec_group == NULL) {
@@ -1581,18 +1994,17 @@ static unsigned kx_is_ok(gnutls_session_t session, gnutls_kx_algorithm_t kx,
 }
 /* Called on server-side only */
-int
-_gnutls_figure_common_ciphersuite(gnutls_session_t session,
- const ciphersuite_list_st * peer_clist,
- const gnutls_cipher_suite_entry_st ** ce)
+int _gnutls_figure_common_ciphersuite(gnutls_session_t session,
+ const ciphersuite_list_st *peer_clist,
+ const gnutls_cipher_suite_entry_st **ce)
 {
-
 unsigned int i, j;
 int ret;
 const version_entry_st *version = get_version(session);
 unsigned int is_dtls = IS_DTLS(session);
 gnutls_kx_algorithm_t kx;
- gnutls_credentials_type_t cred_type = GNUTLS_CRD_CERTIFICATE; /* default for TLS1.3 */
+ gnutls_credentials_type_t cred_type =
+ GNUTLS_CRD_CERTIFICATE; /* default for TLS1.3 */
 const gnutls_group_entry_st *sgroup = NULL;
 gnutls_ext_priv_data_t epriv;
 unsigned have_etm = 0;
@@ -1605,7 +2017,7 @@ _gnutls_figure_common_ciphersuite(gnutls_session_t session,
 * because we only set (security_params) EtM to true only after the ciphersuite is
 * negotiated. */
 ret = _gnutls_hello_ext_get_priv(session, GNUTLS_EXTENSION_ETM, &epriv);
- if (ret >= 0 && ((intptr_t) epriv) != 0)
+ if (ret >= 0 && ((intptr_t)epriv) != 0)
 have_etm = 1;
 /* If we didn't receive the supported_groups extension, then
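Review bot: The trailing comment on the `cred_type` declaration now forces an awkward wrap, leaving `GNUTLS_CRD_CERTIFICATE; /* default for TLS1.3 */` alone on a continuation line. Putting the comment on its own line above keeps the declaration whole: `/* default for TLS1.3 */` followed by `gnutls_credentials_type_t cred_type = GNUTLS_CRD_CERTIFICATE;`. The same thing happens in the `_gnutls_get_client_ciphersuites` hunk at -1777, where `if (kx !=` is split from `GNUTLS_KX_UNKNOWN) { /* In TLS 1.3 ciphersuites don't map to credentials */` in the middle of the comparison; moving that comment above the `if` lets the condition stay on one line. The function body continues outside this hunk.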
@@ -1616,16 +2028,16 @@ _gnutls_figure_common_ciphersuite(gnutls_session_t session,
 !_gnutls_hello_ext_is_present(session, GNUTLS_EXTENSION_SUPPORTED_GROUPS)) {
 session->internals.cand_ec_group =
- _gnutls_id_to_group(DEFAULT_EC_GROUP);
+ _gnutls_id_to_group(DEFAULT_EC_GROUP);
 }
 if (session->internals.priorities->server_precedence == 0) {
 for (i = 0; i < peer_clist->size; i++) {
- _gnutls_debug_log
- ("checking %.2x.%.2x (%s) for compatibility\n",
- (unsigned)peer_clist->entry[i]->id[0],
- (unsigned)peer_clist->entry[i]->id[1],
- peer_clist->entry[i]->name);
+ _gnutls_debug_log(
+ "checking %.2x.%.2x (%s) for compatibility\n",
+ (unsigned)peer_clist->entry[i]->id[0],
+ (unsigned)peer_clist->entry[i]->id[1],
+ peer_clist->entry[i]->name);
 VERSION_CHECK(peer_clist->entry[i]);
 kx = peer_clist->entry[i]->kx_algorithm;
@@ -1637,29 +2049,29 @@ _gnutls_figure_common_ciphersuite(gnutls_session_t session,
 for (j = 0; j < session->internals.priorities->cs.size; j++) {
- if (session->internals.priorities->
- cs.entry[j] == peer_clist->entry[i]) {
+ if (session->internals.priorities->cs.entry[j] ==
+ peer_clist->entry[i]) {
 sgroup = NULL;
- if (!kx_is_ok
- (session, kx, cred_type, &sgroup))
+ if (!kx_is_ok(session, kx, cred_type,
+ &sgroup))
 continue;
 /* if we have selected PSK, we need a ciphersuites which matches
 * the selected binder */
 if (session->internals.hsk_flags & HSK_PSK_SELECTED) {
- if (session->key.
- binders[0].prf->id !=
- session->
- internals.priorities->cs.
- entry[j]->prf)
+ if (session->key.binders[0]
+ .prf->id !=
+ session->internals
+ .priorities->cs
+ .entry[j]
+ ->prf)
 continue;
 } else if (cred_type == GNUTLS_CRD_CERTIFICATE) {
- ret =
- _gnutls_select_server_cert
- (session,
- peer_clist->entry[i]);
+ ret = _gnutls_select_server_cert(
+ session,
+ peer_clist->entry[i]);
 if (ret < 0) {
 /* couldn't select cert with this ciphersuite */
 gnutls_assert();
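Review bot: The PSK binder comparison in the `HSK_PSK_SELECTED` branch is now spread over six lines of member-access fragments (`.prf->id !=`, `.priorities->cs`, `.entry[j]`, `->prf`), which makes the check that ties the negotiated suite to the selected binder hard to read and easy to misedit. A local pointer to the candidate suite, assigned at the top of the `j` loop body as `cs = session->internals.priorities->cs.entry[j];`, would reduce it to `if (session->key.binders[0].prf->id != cs->prf)` and also shorten the `== peer_clist->entry[i]` test above it. The same expression appears in the server-precedence loop in the hunk at -1678, where it is followed by `break` instead of `continue`. The element type of `cs.entry` is declared outside these hunks, and the function itself starts and ends outside them.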
@@ -1669,8 +2081,8 @@ _gnutls_figure_common_ciphersuite(gnutls_session_t session,
 /* select the group based on the selected ciphersuite */
 if (sgroup)
- _gnutls_session_group_set
- (session, sgroup);
+ _gnutls_session_group_set(
+ session, sgroup);
 *ce = peer_clist->entry[i];
 return 0;
 }
@@ -1678,49 +2090,49 @@ _gnutls_figure_common_ciphersuite(gnutls_session_t session,
 }
 }
 } else {
 for (j = 0; j < session->internals.priorities->cs.size; j++) {
- VERSION_CHECK(session->internals.priorities->
- cs.entry[j]);
+ VERSION_CHECK(
+ session->internals.priorities->cs.entry[j]);
- CIPHER_CHECK(session->internals.priorities->
- cs.entry[j]->block_algorithm);
+ CIPHER_CHECK(session->internals.priorities->cs.entry[j]
+ ->block_algorithm);
 for (i = 0; i < peer_clist->size; i++) {
- _gnutls_debug_log
- ("checking %.2x.%.2x (%s) for compatibility\n",
- (unsigned)peer_clist->entry[i]->id[0],
- (unsigned)peer_clist->entry[i]->id[1],
- peer_clist->entry[i]->name);
-
- if (session->internals.priorities->
- cs.entry[j] == peer_clist->entry[i]) {
+ _gnutls_debug_log(
+ "checking %.2x.%.2x (%s) for compatibility\n",
+ (unsigned)peer_clist->entry[i]->id[0],
+ (unsigned)peer_clist->entry[i]->id[1],
+ peer_clist->entry[i]->name);
+
+ if (session->internals.priorities->cs.entry[j] ==
+ peer_clist->entry[i]) {
 sgroup = NULL;
 kx = peer_clist->entry[i]->kx_algorithm;
 if (!version->tls13_sem)
 cred_type =
- _gnutls_map_kx_get_cred(kx,
- 1);
+ _gnutls_map_kx_get_cred(
+ kx, 1);
- if (!kx_is_ok
- (session, kx, cred_type, &sgroup))
+ if (!kx_is_ok(session, kx, cred_type,
+ &sgroup))
 break;
 /* if we have selected PSK, we need a ciphersuites which matches
 * the selected binder */
 if (session->internals.hsk_flags & HSK_PSK_SELECTED) {
- if (session->key.
- binders[0].prf->id !=
- session->
- internals.priorities->cs.
- entry[j]->prf)
+ if (session->key.binders[0]
+ .prf->id !=
+ session->internals
+ .priorities->cs
+ .entry[j]
+ ->prf)
 break;
 } else if (cred_type == GNUTLS_CRD_CERTIFICATE) {
- ret =
- _gnutls_select_server_cert
- (session,
- peer_clist->entry[i]);
+ ret = _gnutls_select_server_cert(
+ session,
+ peer_clist->entry[i]);
 if (ret < 0) {
 /* couldn't select cert with this ciphersuite */
 gnutls_assert();
@@ -1730,14 +2142,13 @@ _gnutls_figure_common_ciphersuite(gnutls_session_t session,
 /* select the group based on the selected ciphersuite */
 if (sgroup)
- _gnutls_session_group_set
- (session, sgroup);
+ _gnutls_session_group_set(
+ session, sgroup);
 *ce = peer_clist->entry[i];
 return 0;
 }
 }
 }
-
 }
 /* nothing in common */
@@ -1745,23 +2156,21 @@ _gnutls_figure_common_ciphersuite(gnutls_session_t session,
 return gnutls_assert_val(GNUTLS_E_NO_CIPHER_SUITES);
 }
-#define CLIENT_VERSION_CHECK(minver, maxver, e) \
- if (is_dtls) { \
- if (e->min_dtls_version > maxver->id) \
- continue; \
- } else { \
- if (e->min_version > maxver->id) \
- continue; \
- }
+#define CLIENT_VERSION_CHECK(minver, maxver, e) \
+ if (is_dtls) { \
+ if (e->min_dtls_version > maxver->id) \
+ continue; \
+ } else { \
+ if (e->min_version > maxver->id) \
+ continue; \
+ }
 #define RESERVED_CIPHERSUITES 4
-int
-_gnutls_get_client_ciphersuites(gnutls_session_t session,
- gnutls_buffer_st * cdata,
- const version_entry_st * vmin,
- unsigned add_scsv)
+int _gnutls_get_client_ciphersuites(gnutls_session_t session,
+ gnutls_buffer_st *cdata,
+ const version_entry_st *vmin,
+ unsigned add_scsv)
 {
-
 unsigned int j;
 int ret;
 unsigned int is_dtls = IS_DTLS(session);
@@ -1777,32 +2186,32 @@ _gnutls_get_client_ciphersuites(gnutls_session_t session,
 return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);
 for (j = 0; j < session->internals.priorities->cs.size; j++) {
- CLIENT_VERSION_CHECK(vmin, vmax,
- session->internals.priorities->
- cs.entry[j]);
+ CLIENT_VERSION_CHECK(
+ vmin, vmax, session->internals.priorities->cs.entry[j]);
 kx = session->internals.priorities->cs.entry[j]->kx_algorithm;
- if (kx != GNUTLS_KX_UNKNOWN) { /* In TLS 1.3 ciphersuites don't map to credentials */
+ if (kx !=
+ GNUTLS_KX_UNKNOWN) { /* In TLS 1.3 ciphersuites don't map to credentials */
 cred_type = _gnutls_map_kx_get_cred(kx, 0);
- if (!session->internals.premaster_set
- && _gnutls_get_cred(session, cred_type) == NULL)
+ if (!session->internals.premaster_set &&
+ _gnutls_get_cred(session, cred_type) == NULL)
 continue;
 KX_SRP_CHECKS(kx, continue);
 }
- _gnutls_debug_log("Keeping ciphersuite %.2x.%.2x (%s)\n",
- (unsigned)session->internals.priorities->
- cs.entry[j]->id[0],
- (unsigned)session->internals.priorities->
- cs.entry[j]->id[1],
- session->internals.priorities->cs.
- entry[j]->name);
+ _gnutls_debug_log(
+ "Keeping ciphersuite %.2x.%.2x (%s)\n",
+ (unsigned)session->internals.priorities->cs.entry[j]
+ ->id[0],
+ (unsigned)session->internals.priorities->cs.entry[j]
+ ->id[1],
+ session->internals.priorities->cs.entry[j]->name);
 cipher_suites[cipher_suites_size] =
- session->internals.priorities->cs.entry[j]->id[0];
+ session->internals.priorities->cs.entry[j]->id[0];
 cipher_suites[cipher_suites_size + 1] =
- session->internals.priorities->cs.entry[j]->id[1];
+ session->internals.priorities->cs.entry[j]->id[1];
 cipher_suites_size += 2;
 if (cipher_suites_size >= MAX_CIPHERSUITE_SIZE * 2)
@@ -1825,13 +2234,12 @@ _gnutls_get_client_ciphersuites(gnutls_session_t session,
 if (session->internals.priorities->fallback) {
 cipher_suites[cipher_suites_size] = GNUTLS_FALLBACK_SCSV_MAJOR;
 cipher_suites[cipher_suites_size + 1] =
- GNUTLS_FALLBACK_SCSV_MINOR;
+ GNUTLS_FALLBACK_SCSV_MINOR;
 cipher_suites_size += 2;
 }
- ret =
- _gnutls_buffer_append_data_prefix(cdata, 16, cipher_suites,
- cipher_suites_size);
+ ret = _gnutls_buffer_append_data_prefix(cdata, 16, cipher_suites,
+ cipher_suites_size);
 if (ret < 0)
 return gnutls_assert_val(ret);
@@ -1856,9 +2264,8 @@ _gnutls_get_client_ciphersuites(gnutls_session_t session,
 *
 * Since: 3.0.9
 **/
-int
-gnutls_priority_get_cipher_suite_index(gnutls_priority_t pcache,
- unsigned int idx, unsigned int *sidx)
+int gnutls_priority_get_cipher_suite_index(gnutls_priority_t pcache,
+ unsigned int idx, unsigned int *sidx)
 {
 unsigned int i, j;
 unsigned max_tls = 0;
@@ -1873,8 +2280,8 @@ gnutls_priority_get_cipher_suite_index(gnutls_priority_t pcache,
 pcache->protocol.priorities[j] >= max_tls) {
 max_tls = pcache->protocol.priorities[j];
 } else if (pcache->protocol.priorities[j] <=
- GNUTLS_DTLS_VERSION_MAX
- && pcache->protocol.priorities[j] >= max_dtls) {
+ GNUTLS_DTLS_VERSION_MAX &&
+ pcache->protocol.priorities[j] >= max_dtls) {
 max_dtls = pcache->protocol.priorities[j];
 }
 }
diff --git a/lib/algorithms/ecc.c b/lib/algorithms/ecc.c
index f5eadd1dbd..fe60543f84 100644
--- a/lib/algorithms/ecc.c
+++ b/lib/algorithms/ecc.c
@@ -33,86 +33,86 @@ static SYSTEM_CONFIG_OR_CONST gnutls_ecc_curve_entry_st ecc_curves[] = { #ifdef ENABLE_NON_SUITEB_CURVES { - .name = "SECP192R1", - .oid = "1.2.840.10045.3.1.1", - .id = GNUTLS_ECC_CURVE_SECP192R1, - .group = GNUTLS_GROUP_SECP192R1, - .pk = GNUTLS_PK_ECDSA, - .size = 24, - .supported = 1, - }, + .name = "SECP192R1", + .oid = "1.2.840.10045.3.1.1", + .id = GNUTLS_ECC_CURVE_SECP192R1, + .group = GNUTLS_GROUP_SECP192R1, + .pk = GNUTLS_PK_ECDSA, + .size = 24, + .supported = 1, + }, { - .name = "SECP224R1", - .oid = "1.3.132.0.33", - .id = GNUTLS_ECC_CURVE_SECP224R1, - .group = GNUTLS_GROUP_SECP224R1, - .pk = GNUTLS_PK_ECDSA, - .size = 28, - .supported = 1, - }, + .name = "SECP224R1", + .oid = "1.3.132.0.33", + .id = GNUTLS_ECC_CURVE_SECP224R1, + .group = GNUTLS_GROUP_SECP224R1, + .pk = GNUTLS_PK_ECDSA, + .size = 28, + .supported = 1, + }, #endif { - .name = "SECP256R1", - .oid = "1.2.840.10045.3.1.7", - .id = GNUTLS_ECC_CURVE_SECP256R1, - .group = GNUTLS_GROUP_SECP256R1, - .pk = GNUTLS_PK_ECDSA, - .size = 32, - .supported = 1, - }, + .name = "SECP256R1", + .oid = "1.2.840.10045.3.1.7", + .id = GNUTLS_ECC_CURVE_SECP256R1, + .group = GNUTLS_GROUP_SECP256R1, + .pk = GNUTLS_PK_ECDSA, + .size = 32, + .supported = 1, + }, { - .name = "SECP384R1", - .oid = "1.3.132.0.34", - .id = GNUTLS_ECC_CURVE_SECP384R1, - .group = GNUTLS_GROUP_SECP384R1, - .pk = GNUTLS_PK_ECDSA, - .size = 48, - .supported = 1, - }, + .name = "SECP384R1", + .oid = "1.3.132.0.34", + .id = GNUTLS_ECC_CURVE_SECP384R1, + .group = GNUTLS_GROUP_SECP384R1, + .pk = GNUTLS_PK_ECDSA, + .size = 48, + .supported = 1, + }, { - .name = "SECP521R1", - .oid = "1.3.132.0.35", - .id = GNUTLS_ECC_CURVE_SECP521R1, - .group = GNUTLS_GROUP_SECP521R1, - .pk = GNUTLS_PK_ECDSA, - .size = 66, - .supported = 1, - }, + .name = "SECP521R1", + .oid = "1.3.132.0.35", + .id = GNUTLS_ECC_CURVE_SECP521R1, + .group = GNUTLS_GROUP_SECP521R1, + .pk = GNUTLS_PK_ECDSA, + .size = 66, + .supported = 1, + }, { - .name = 
"X25519", - .oid = ECDH_X25519_OID, - .id = GNUTLS_ECC_CURVE_X25519, - .group = GNUTLS_GROUP_X25519, - .pk = GNUTLS_PK_ECDH_X25519, - .size = 32, - .supported = 1, - }, + .name = "X25519", + .oid = ECDH_X25519_OID, + .id = GNUTLS_ECC_CURVE_X25519, + .group = GNUTLS_GROUP_X25519, + .pk = GNUTLS_PK_ECDH_X25519, + .size = 32, + .supported = 1, + }, { - .name = "Ed25519", - .oid = SIG_EDDSA_SHA512_OID, - .id = GNUTLS_ECC_CURVE_ED25519, - .pk = GNUTLS_PK_EDDSA_ED25519, - .size = 32, - .sig_size = 64, - .supported = 1, - }, + .name = "Ed25519", + .oid = SIG_EDDSA_SHA512_OID, + .id = GNUTLS_ECC_CURVE_ED25519, + .pk = GNUTLS_PK_EDDSA_ED25519, + .size = 32, + .sig_size = 64, + .supported = 1, + }, { - .name = "X448", - .oid = ECDH_X448_OID, - .id = GNUTLS_ECC_CURVE_X448, - .pk = GNUTLS_PK_ECDH_X448, - .size = 56, - .supported = 1, - }, + .name = "X448", + .oid = ECDH_X448_OID, + .id = GNUTLS_ECC_CURVE_X448, + .pk = GNUTLS_PK_ECDH_X448, + .size = 56, + .supported = 1, + }, { - .name = "Ed448", - .oid = SIG_ED448_OID, - .id = GNUTLS_ECC_CURVE_ED448, - .pk = GNUTLS_PK_EDDSA_ED448, - .size = 57, - .sig_size = 114, - .supported = 1, - }, + .name = "Ed448", + .oid = SIG_ED448_OID, + .id = GNUTLS_ECC_CURVE_ED448, + .pk = GNUTLS_PK_EDDSA_ED448, + .size = 57, + .sig_size = 114, + .supported = 1, + }, #if ENABLE_GOST /* Curves for usage in GOST digital signature algorithm (GOST R * 34.10-2001/-2012) and key agreement (VKO GOST R 34.10-2001/-2012). 
@@ -138,132 +138,136 @@ static SYSTEM_CONFIG_OR_CONST gnutls_ecc_curve_entry_st ecc_curves[] = { * TC26 OIDs are usable only for GOST R 34.10-2012 keys. */ { - .name = "CryptoPro-A", - .oid = "1.2.643.2.2.35.1", - .id = GNUTLS_ECC_CURVE_GOST256CPA, - .group = GNUTLS_GROUP_GC256B, - .pk = GNUTLS_PK_UNKNOWN, - .size = 32, - .gost_curve = 1, - .supported = 1, - }, + .name = "CryptoPro-A", + .oid = "1.2.643.2.2.35.1", + .id = GNUTLS_ECC_CURVE_GOST256CPA, + .group = GNUTLS_GROUP_GC256B, + .pk = GNUTLS_PK_UNKNOWN, + .size = 32, + .gost_curve = 1, + .supported = 1, + }, { - .name = "CryptoPro-B", - .oid = "1.2.643.2.2.35.2", - .id = GNUTLS_ECC_CURVE_GOST256CPB, - .group = GNUTLS_GROUP_GC256C, - .pk = GNUTLS_PK_UNKNOWN, - .size = 32, - .gost_curve = 1, - .supported = 1, - }, + .name = "CryptoPro-B", + .oid = "1.2.643.2.2.35.2", + .id = GNUTLS_ECC_CURVE_GOST256CPB, + .group = GNUTLS_GROUP_GC256C, + .pk = GNUTLS_PK_UNKNOWN, + .size = 32, + .gost_curve = 1, + .supported = 1, + }, { - .name = "CryptoPro-C", - .oid = "1.2.643.2.2.35.3", - .id = GNUTLS_ECC_CURVE_GOST256CPC, - .group = GNUTLS_GROUP_GC256D, - .pk = GNUTLS_PK_UNKNOWN, - .size = 32, - .gost_curve = 1, - .supported = 1, - }, + .name = "CryptoPro-C", + .oid = "1.2.643.2.2.35.3", + .id = GNUTLS_ECC_CURVE_GOST256CPC, + .group = GNUTLS_GROUP_GC256D, + .pk = GNUTLS_PK_UNKNOWN, + .size = 32, + .gost_curve = 1, + .supported = 1, + }, { - .name = "CryptoPro-XchA", - .oid = "1.2.643.2.2.36.0", - .id = GNUTLS_ECC_CURVE_GOST256CPXA, - .group = GNUTLS_GROUP_GC256B, - .pk = GNUTLS_PK_UNKNOWN, - .size = 32, - .gost_curve = 1, - .supported = 1, - }, + .name = "CryptoPro-XchA", + .oid = "1.2.643.2.2.36.0", + .id = GNUTLS_ECC_CURVE_GOST256CPXA, + .group = GNUTLS_GROUP_GC256B, + .pk = GNUTLS_PK_UNKNOWN, + .size = 32, + .gost_curve = 1, + .supported = 1, + }, { - .name = "CryptoPro-XchB", - .oid = "1.2.643.2.2.36.1", - .id = GNUTLS_ECC_CURVE_GOST256CPXB, - .group = GNUTLS_GROUP_GC256D, - .pk = GNUTLS_PK_UNKNOWN, - .size = 32, - 
.gost_curve = 1, - .supported = 1, - }, + .name = "CryptoPro-XchB", + .oid = "1.2.643.2.2.36.1", + .id = GNUTLS_ECC_CURVE_GOST256CPXB, + .group = GNUTLS_GROUP_GC256D, + .pk = GNUTLS_PK_UNKNOWN, + .size = 32, + .gost_curve = 1, + .supported = 1, + }, { - .name = "TC26-256-A", - .oid = "1.2.643.7.1.2.1.1.1", - .id = GNUTLS_ECC_CURVE_GOST256A, - .group = GNUTLS_GROUP_GC256A, - .pk = GNUTLS_PK_GOST_12_256, - .size = 32, - .gost_curve = 1, - .supported = 1, - }, + .name = "TC26-256-A", + .oid = "1.2.643.7.1.2.1.1.1", + .id = GNUTLS_ECC_CURVE_GOST256A, + .group = GNUTLS_GROUP_GC256A, + .pk = GNUTLS_PK_GOST_12_256, + .size = 32, + .gost_curve = 1, + .supported = 1, + }, { - .name = "TC26-256-B", - .oid = "1.2.643.7.1.2.1.1.2", - .id = GNUTLS_ECC_CURVE_GOST256B, - .group = GNUTLS_GROUP_GC256B, - .pk = GNUTLS_PK_GOST_12_256, - .size = 32, - .gost_curve = 1, - .supported = 1, - }, + .name = "TC26-256-B", + .oid = "1.2.643.7.1.2.1.1.2", + .id = GNUTLS_ECC_CURVE_GOST256B, + .group = GNUTLS_GROUP_GC256B, + .pk = GNUTLS_PK_GOST_12_256, + .size = 32, + .gost_curve = 1, + .supported = 1, + }, { - .name = "TC26-256-C", - .oid = "1.2.643.7.1.2.1.1.3", - .id = GNUTLS_ECC_CURVE_GOST256C, - .group = GNUTLS_GROUP_GC256C, - .pk = GNUTLS_PK_GOST_12_256, - .size = 32, - .gost_curve = 1, - .supported = 1, - }, + .name = "TC26-256-C", + .oid = "1.2.643.7.1.2.1.1.3", + .id = GNUTLS_ECC_CURVE_GOST256C, + .group = GNUTLS_GROUP_GC256C, + .pk = GNUTLS_PK_GOST_12_256, + .size = 32, + .gost_curve = 1, + .supported = 1, + }, { - .name = "TC26-256-D", - .oid = "1.2.643.7.1.2.1.1.4", - .id = GNUTLS_ECC_CURVE_GOST256D, - .group = GNUTLS_GROUP_GC256D, - .pk = GNUTLS_PK_GOST_12_256, - .size = 32, - .gost_curve = 1, - .supported = 1, - }, + .name = "TC26-256-D", + .oid = "1.2.643.7.1.2.1.1.4", + .id = GNUTLS_ECC_CURVE_GOST256D, + .group = GNUTLS_GROUP_GC256D, + .pk = GNUTLS_PK_GOST_12_256, + .size = 32, + .gost_curve = 1, + .supported = 1, + }, { - .name = "TC26-512-A", - .oid = "1.2.643.7.1.2.1.2.1", - 
.id = GNUTLS_ECC_CURVE_GOST512A, - .group = GNUTLS_GROUP_GC512A, - .pk = GNUTLS_PK_GOST_12_512, - .size = 64, - .gost_curve = 1, - .supported = 1, - }, + .name = "TC26-512-A", + .oid = "1.2.643.7.1.2.1.2.1", + .id = GNUTLS_ECC_CURVE_GOST512A, + .group = GNUTLS_GROUP_GC512A, + .pk = GNUTLS_PK_GOST_12_512, + .size = 64, + .gost_curve = 1, + .supported = 1, + }, { - .name = "TC26-512-B", - .oid = "1.2.643.7.1.2.1.2.2", - .id = GNUTLS_ECC_CURVE_GOST512B, - .group = GNUTLS_GROUP_GC512B, - .pk = GNUTLS_PK_GOST_12_512, - .size = 64, - .gost_curve = 1, - .supported = 1, - }, + .name = "TC26-512-B", + .oid = "1.2.643.7.1.2.1.2.2", + .id = GNUTLS_ECC_CURVE_GOST512B, + .group = GNUTLS_GROUP_GC512B, + .pk = GNUTLS_PK_GOST_12_512, + .size = 64, + .gost_curve = 1, + .supported = 1, + }, { - .name = "TC26-512-C", - .oid = "1.2.643.7.1.2.1.2.3", - .id = GNUTLS_ECC_CURVE_GOST512C, - .group = GNUTLS_GROUP_GC512C, - .pk = GNUTLS_PK_GOST_12_512, - .size = 64, - .gost_curve = 1, - .supported = 1, - }, + .name = "TC26-512-C", + .oid = "1.2.643.7.1.2.1.2.3", + .id = GNUTLS_ECC_CURVE_GOST512C, + .group = GNUTLS_GROUP_GC512C, + .pk = GNUTLS_PK_GOST_12_512, + .size = 64, + .gost_curve = 1, + .supported = 1, + }, #endif - {0, 0, 0} + { 0, 0, 0 } }; -#define GNUTLS_ECC_CURVE_LOOP(b) \ - { const gnutls_ecc_curve_entry_st *p; \ - for(p = ecc_curves; p->name != NULL; p++) { b ; } } +#define GNUTLS_ECC_CURVE_LOOP(b) \ + { \ + const gnutls_ecc_curve_entry_st *p; \ + for (p = ecc_curves; p->name != NULL; p++) { \ + b; \ + } \ + } /** * gnutls_ecc_curve_list: @@ -282,10 +286,9 @@ const gnutls_ecc_curve_t *gnutls_ecc_curve_list(void) if (supported_curves[0] == 0) { int i = 0; - GNUTLS_ECC_CURVE_LOOP(if - (p->supported - && _gnutls_pk_curve_exists(p->id)) - supported_curves[i++] = p->id;) ; + GNUTLS_ECC_CURVE_LOOP( + if (p->supported && _gnutls_pk_curve_exists(p->id)) + supported_curves[i++] = p->id;); supported_curves[i++] = 0; } 
@@ -294,10 +297,8 @@ const gnutls_ecc_curve_t *gnutls_ecc_curve_list(void)
 unsigned _gnutls_ecc_curve_is_supported(gnutls_ecc_curve_t curve)
 {
- GNUTLS_ECC_CURVE_LOOP(if
- (p->id == curve && p->supported
- && _gnutls_pk_curve_exists(p->id))
- return 1;) ;
+ GNUTLS_ECC_CURVE_LOOP(if (p->id == curve && p->supported &&
+ _gnutls_pk_curve_exists(p->id)) return 1;);
 return 0;
 }
@@ -314,12 +315,12 @@ gnutls_ecc_curve_t gnutls_oid_to_ecc_curve(const char *oid)
 {
 gnutls_ecc_curve_t ret = GNUTLS_ECC_CURVE_INVALID;
- GNUTLS_ECC_CURVE_LOOP(if
- (p->oid != NULL && c_strcasecmp(p->oid, oid) == 0
- && p->supported
- && _gnutls_pk_curve_exists(p->id)) {
- ret = p->id; break;}
- ) ;
+ GNUTLS_ECC_CURVE_LOOP(
+ if (p->oid != NULL && c_strcasecmp(p->oid, oid) == 0 &&
+ p->supported && _gnutls_pk_curve_exists(p->id)) {
+ ret = p->id;
+ break;
+ });
 return ret;
 }
@@ -339,11 +340,12 @@ gnutls_ecc_curve_t gnutls_ecc_curve_get_id(const char *name)
 {
 gnutls_ecc_curve_t ret = GNUTLS_ECC_CURVE_INVALID;
- GNUTLS_ECC_CURVE_LOOP(if
- (c_strcasecmp(p->name, name) == 0 && p->supported
- && _gnutls_pk_curve_exists(p->id)) {
- ret = p->id; break;}
- ) ;
+ GNUTLS_ECC_CURVE_LOOP(if (c_strcasecmp(p->name, name) == 0 &&
+ p->supported &&
+ _gnutls_pk_curve_exists(p->id)) {
+ ret = p->id;
+ break;
+ });
 return ret;
 }
@@ -374,16 +376,16 @@ void _gnutls_ecc_curve_mark_disabled_all(void)
 }
 }
-int
-_gnutls_ecc_curve_set_enabled(gnutls_ecc_curve_t curve, unsigned int enabled)
+int _gnutls_ecc_curve_set_enabled(gnutls_ecc_curve_t curve,
+ unsigned int enabled)
 {
 gnutls_ecc_curve_entry_st *p;
 for (p = ecc_curves; p->name != NULL; p++) {
 if (p->id == curve) {
 if (!p->supported_revertible) {
- return
- gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ return gnutls_assert_val(
+ GNUTLS_E_INVALID_REQUEST);
 }
 p->supported = enabled;
 return 0;
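Review bot: `_gnutls_ecc_curve_is_supported` now ends in `_gnutls_pk_curve_exists(p->id)) return 1;);`, so the `if` and an early `return` are passed as a macro argument and both the control flow and the loop variable `p` are hidden inside `GNUTLS_ECC_CURVE_LOOP`. `_gnutls_ecc_curve_set_enabled` in the hunk at -374 already walks `ecc_curves` with a plain `for` loop, and this lookup would read more clearly written the same way. The other `GNUTLS_ECC_CURVE_LOOP` call sites reformatted in this file (`gnutls_oid_to_ecc_curve`, `gnutls_ecc_curve_get_id` and the getters in the later hunks) have the same shape.

```c
unsigned _gnutls_ecc_curve_is_supported(gnutls_ecc_curve_t curve)
{
	const gnutls_ecc_curve_entry_st *p;

	for (p = ecc_curves; p->name != NULL; p++) {
		if (p->id == curve && p->supported &&
		    _gnutls_pk_curve_exists(p->id))
			return 1;
	}
	/* … unchanged: return 0 and the closing brace … */
```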
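Review bot: `gnutls_oid_to_ecc_curve` checks `p->oid != NULL` before `c_strcasecmp(p->oid, oid)` but passes the caller's `oid` through unchecked, and `gnutls_ecc_curve_get_id` in the hunk at -339 does the same with `name`. Both bodies are fully visible here (the signatures are in the hunk headers) and neither tests its argument, so a NULL reaching either lookup would be dereferenced by the comparison. A guard at the top of each, `if (oid == NULL) return GNUTLS_ECC_CURVE_INVALID;` and the equivalent for `name`, would turn that into an ordinary "not found" result. Whether callers are already required to pass a non-NULL string is not shown on this page, so this is a hardening suggestion.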
@@ -393,7 +395,7 @@ _gnutls_ecc_curve_set_enabled(gnutls_ecc_curve_t curve, unsigned int enabled)
 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 }
-static int _gnutls_ecc_pk_compatible(const gnutls_ecc_curve_entry_st * p,
+static int _gnutls_ecc_pk_compatible(const gnutls_ecc_curve_entry_st *p,
 gnutls_pk_algorithm_t pk)
 {
 if (!p->supported || !_gnutls_pk_curve_exists(p->id))
@@ -425,10 +427,11 @@ gnutls_ecc_curve_t _gnutls_ecc_bits_to_curve(gnutls_pk_algorithm_t pk, int bits)
 else
 ret = GNUTLS_ECC_CURVE_ED25519;
- GNUTLS_ECC_CURVE_LOOP(if (_gnutls_ecc_pk_compatible(p, pk)
- && 8 * p->size >= (unsigned)bits) {
- ret = p->id; break;}
- ) ;
+ GNUTLS_ECC_CURVE_LOOP(if (_gnutls_ecc_pk_compatible(p, pk) &&
+ 8 * p->size >= (unsigned)bits) {
+ ret = p->id;
+ break;
+ });
 return ret;
 }
@@ -449,8 +452,9 @@ const char *gnutls_ecc_curve_get_name(gnutls_ecc_curve_t curve)
 const char *ret = NULL;
 GNUTLS_ECC_CURVE_LOOP(if (p->id == curve) {
- ret = p->name; break;}
- ) ;
+ ret = p->name;
+ break;
+ });
 return ret;
 }
@@ -471,8 +475,9 @@ const char *gnutls_ecc_curve_get_oid(gnutls_ecc_curve_t curve)
 const char *ret = NULL;
 GNUTLS_ECC_CURVE_LOOP(if (p->id == curve) {
- ret = p->oid; break;}
- ) ;
+ ret = p->oid;
+ break;
+ });
 return ret;
 }
@@ -485,14 +490,15 @@ const char *gnutls_ecc_curve_get_oid(gnutls_ecc_curve_t curve)
 *
 * Returns: a pointer to #gnutls_ecc_curve_entry_st or %NULL.
 -*/
-const gnutls_ecc_curve_entry_st
- * _gnutls_ecc_curve_get_params(gnutls_ecc_curve_t curve)
+const gnutls_ecc_curve_entry_st *
+_gnutls_ecc_curve_get_params(gnutls_ecc_curve_t curve)
 {
 const gnutls_ecc_curve_entry_st *ret = NULL;
 GNUTLS_ECC_CURVE_LOOP(if (p->id == curve) {
- ret = p; break;}
- ) ;
+ ret = p;
+ break;
+ });
 return ret;
 }
@@ -510,8 +516,9 @@ int gnutls_ecc_curve_get_size(gnutls_ecc_curve_t curve)
 int ret = 0;
 GNUTLS_ECC_CURVE_LOOP(if (p->id == curve) {
- ret = p->size; break;}
- ) ;
+ ret = p->size;
+ break;
+ });
 return ret;
 }
@@ -529,8 +536,9 @@ gnutls_pk_algorithm_t gnutls_ecc_curve_get_pk(gnutls_ecc_curve_t curve)
 int ret = GNUTLS_PK_UNKNOWN;
 GNUTLS_ECC_CURVE_LOOP(if (p->id == curve && p->supported) {
- ret = p->pk; break;}
- ) ;
+ ret = p->pk;
+ break;
+ });
 return ret;
 }
@@ -547,11 +555,11 @@ gnutls_group_t _gnutls_ecc_curve_get_group(gnutls_ecc_curve_t curve)
 {
 gnutls_group_t ret = GNUTLS_GROUP_INVALID;
- GNUTLS_ECC_CURVE_LOOP(if
- (p->id == curve && p->supported
- && _gnutls_pk_curve_exists(p->id)) {
- ret = p->group; break;}
- ) ;
+ GNUTLS_ECC_CURVE_LOOP(if (p->id == curve && p->supported &&
+ _gnutls_pk_curve_exists(p->id)) {
+ ret = p->group;
+ break;
+ });
 return ret;
 }
diff --git a/lib/algorithms/groups.c b/lib/algorithms/groups.c
index dba091cbc6..ed8a3aa284 100644
--- a/lib/algorithms/groups.c
+++ b/lib/algorithms/groups.c
@@ -32,167 +32,163 @@
 static const gnutls_group_entry_st supported_groups[] = {
 {
- .name = "SECP192R1",
- .id = GNUTLS_GROUP_SECP192R1,
- .curve = GNUTLS_ECC_CURVE_SECP192R1,
- .tls_id = 19,
- .pk = GNUTLS_PK_ECDSA,
- },
+ .name = "SECP192R1",
+ .id = GNUTLS_GROUP_SECP192R1,
+ .curve = GNUTLS_ECC_CURVE_SECP192R1,
+ .tls_id = 19,
+ .pk = GNUTLS_PK_ECDSA,
+ },
 {
- .name = "SECP224R1",
- .id = GNUTLS_GROUP_SECP224R1,
- .curve = GNUTLS_ECC_CURVE_SECP224R1,
- .tls_id = 21,
- .pk = GNUTLS_PK_ECDSA,
- },
+ .name = "SECP224R1",
+ .id = GNUTLS_GROUP_SECP224R1,
+ .curve = GNUTLS_ECC_CURVE_SECP224R1,
+ .tls_id = 21,
+ .pk = GNUTLS_PK_ECDSA,
+ },
 {
- .name = "SECP256R1",
- .id = GNUTLS_GROUP_SECP256R1,
- .curve = GNUTLS_ECC_CURVE_SECP256R1,
- .tls_id = 23,
- .pk = GNUTLS_PK_ECDSA,
- },
+ .name = "SECP256R1",
+ .id = GNUTLS_GROUP_SECP256R1,
+ .curve = GNUTLS_ECC_CURVE_SECP256R1,
+ .tls_id = 23,
+ .pk = GNUTLS_PK_ECDSA,
+ },
 {
- .name = "SECP384R1",
- .id = GNUTLS_GROUP_SECP384R1,
- .curve = GNUTLS_ECC_CURVE_SECP384R1,
- .tls_id = 24,
- .pk = GNUTLS_PK_ECDSA,
- },
+ .name = "SECP384R1",
+ .id = GNUTLS_GROUP_SECP384R1,
+ .curve = GNUTLS_ECC_CURVE_SECP384R1,
+ .tls_id = 24,
+ .pk = GNUTLS_PK_ECDSA,
+ },
 {
- .name = "SECP521R1",
- .id = GNUTLS_GROUP_SECP521R1,
- .curve = GNUTLS_ECC_CURVE_SECP521R1,
- .tls_id = 25,
- .pk = GNUTLS_PK_ECDSA,
- },
- {
- .name = "X25519",
- .id = GNUTLS_GROUP_X25519,
- .curve = GNUTLS_ECC_CURVE_X25519,
- .tls_id = 29,
- .pk = GNUTLS_PK_ECDH_X25519},
+ .name = "SECP521R1",
+ .id = GNUTLS_GROUP_SECP521R1,
+ .curve = GNUTLS_ECC_CURVE_SECP521R1,
+ .tls_id = 25,
+ .pk = GNUTLS_PK_ECDSA,
+ },
+ { .name = "X25519",
+ .id = GNUTLS_GROUP_X25519,
+ .curve = GNUTLS_ECC_CURVE_X25519,
+ .tls_id = 29,
+ .pk = GNUTLS_PK_ECDH_X25519 },
 #ifdef ENABLE_GOST
 /* draft-smyshlyaev-tls12-gost-suites-06, Section 6 */
 {
- .name = "GC256A",
- .id = GNUTLS_GROUP_GC256A,
- .curve = GNUTLS_ECC_CURVE_GOST256A,
- .pk = GNUTLS_PK_GOST_12_256,
- .tls_id = 34,
- },
+ .name = "GC256A",
+ .id = GNUTLS_GROUP_GC256A,
+ .curve = GNUTLS_ECC_CURVE_GOST256A,
+ .pk = GNUTLS_PK_GOST_12_256,
+ .tls_id = 34,
+ },
 {
- .name = "GC256B",
- .id = GNUTLS_GROUP_GC256B,
- .curve = GNUTLS_ECC_CURVE_GOST256B,
- .pk = GNUTLS_PK_GOST_12_256,
- .tls_id = 35,
- },
+ .name = "GC256B",
+ .id = GNUTLS_GROUP_GC256B,
+ .curve = GNUTLS_ECC_CURVE_GOST256B,
+ .pk = GNUTLS_PK_GOST_12_256,
+ .tls_id = 35,
+ },
 {
- .name = "GC256C",
- .id = GNUTLS_GROUP_GC256C,
- .curve = GNUTLS_ECC_CURVE_GOST256C,
- .pk = GNUTLS_PK_GOST_12_256,
- .tls_id = 36,
- },
+ .name = "GC256C",
+ .id = GNUTLS_GROUP_GC256C,
+ .curve = GNUTLS_ECC_CURVE_GOST256C,
+ .pk = GNUTLS_PK_GOST_12_256,
+ .tls_id = 36,
+ },
 {
- .name = "GC256D",
- .id = GNUTLS_GROUP_GC256D,
- .curve = GNUTLS_ECC_CURVE_GOST256D,
- .pk = GNUTLS_PK_GOST_12_256,
- .tls_id = 37,
- },
+ .name = "GC256D",
+ .id = GNUTLS_GROUP_GC256D,
+ .curve = GNUTLS_ECC_CURVE_GOST256D,
+ .pk = GNUTLS_PK_GOST_12_256,
+ .tls_id = 37,
+ },
 {
- .name = "GC512A",
- .id = GNUTLS_GROUP_GC512A,
- .curve = GNUTLS_ECC_CURVE_GOST512A,
- .pk = GNUTLS_PK_GOST_12_512,
- .tls_id = 38,
- },
+ .name = "GC512A",
+ .id = GNUTLS_GROUP_GC512A,
+ .curve = GNUTLS_ECC_CURVE_GOST512A,
+ .pk = GNUTLS_PK_GOST_12_512,
+ .tls_id = 38,
+ },
 {
- .name = "GC512B",
- .id = GNUTLS_GROUP_GC512B,
- .curve = GNUTLS_ECC_CURVE_GOST512B,
- .pk = GNUTLS_PK_GOST_12_512,
- .tls_id = 39,
- },
+ .name = "GC512B",
+ .id = GNUTLS_GROUP_GC512B,
+ .curve = GNUTLS_ECC_CURVE_GOST512B,
+ .pk = GNUTLS_PK_GOST_12_512,
+ .tls_id = 39,
+ },
 {
- .name = "GC512C",
- .id = GNUTLS_GROUP_GC512C,
- .curve = GNUTLS_ECC_CURVE_GOST512C,
- .pk = GNUTLS_PK_GOST_12_512,
- .tls_id = 40,
- },
+ .name = "GC512C",
+ .id = GNUTLS_GROUP_GC512C,
+ .curve = GNUTLS_ECC_CURVE_GOST512C,
+ .pk = GNUTLS_PK_GOST_12_512,
+ .tls_id = 40,
+ },
 #endif
- {
- .name = "X448",
- .id = GNUTLS_GROUP_X448,
- .curve = GNUTLS_ECC_CURVE_X448,
- .tls_id = 30,
- .pk = GNUTLS_PK_ECDH_X448},
+ { .name = "X448",
+ .id = GNUTLS_GROUP_X448,
+ .curve = GNUTLS_ECC_CURVE_X448,
+ .tls_id = 30,
+ .pk = GNUTLS_PK_ECDH_X448 },
 #ifdef ENABLE_DHE
- {
- .name = "FFDHE2048",
- .id = GNUTLS_GROUP_FFDHE2048,
- .generator = &gnutls_ffdhe_2048_group_generator,
- .prime = &gnutls_ffdhe_2048_group_prime,
- .q = &gnutls_ffdhe_2048_group_q,
- .q_bits = &gnutls_ffdhe_2048_key_bits,
- .pk = GNUTLS_PK_DH,
- .tls_id = 0x100},
- {
- .name = "FFDHE3072",
- .id = GNUTLS_GROUP_FFDHE3072,
- .generator = &gnutls_ffdhe_3072_group_generator,
- .prime = &gnutls_ffdhe_3072_group_prime,
- .q = &gnutls_ffdhe_3072_group_q,
- .q_bits = &gnutls_ffdhe_3072_key_bits,
- .pk = GNUTLS_PK_DH,
- .tls_id = 0x101},
- {
- .name = "FFDHE4096",
- .id = GNUTLS_GROUP_FFDHE4096,
- .generator = &gnutls_ffdhe_4096_group_generator,
- .prime = &gnutls_ffdhe_4096_group_prime,
- .q = &gnutls_ffdhe_4096_group_q,
- .q_bits = &gnutls_ffdhe_4096_key_bits,
- .pk = GNUTLS_PK_DH,
- .tls_id = 0x102},
- {
- .name = "FFDHE6144",
- .id = GNUTLS_GROUP_FFDHE6144,
- .generator = &gnutls_ffdhe_6144_group_generator,
- .prime = &gnutls_ffdhe_6144_group_prime,
- .q = &gnutls_ffdhe_6144_group_q,
- .q_bits = &gnutls_ffdhe_6144_key_bits,
- .pk = GNUTLS_PK_DH,
- .tls_id = 0x103},
- {
- .name = "FFDHE8192",
- .id = GNUTLS_GROUP_FFDHE8192,
- .generator = &gnutls_ffdhe_8192_group_generator,
- .prime = &gnutls_ffdhe_8192_group_prime,
- .q = &gnutls_ffdhe_8192_group_q,
- .q_bits = &gnutls_ffdhe_8192_key_bits,
- .pk = GNUTLS_PK_DH,
- .tls_id = 0x104},
+ { .name = "FFDHE2048",
+ .id = GNUTLS_GROUP_FFDHE2048,
+ .generator = &gnutls_ffdhe_2048_group_generator,
+ .prime = &gnutls_ffdhe_2048_group_prime,
+ .q = &gnutls_ffdhe_2048_group_q,
+ .q_bits = &gnutls_ffdhe_2048_key_bits,
+ .pk = GNUTLS_PK_DH,
+ .tls_id = 0x100 },
+ { .name = "FFDHE3072",
+ .id = GNUTLS_GROUP_FFDHE3072,
+ .generator = &gnutls_ffdhe_3072_group_generator,
+ .prime = &gnutls_ffdhe_3072_group_prime,
+ .q = &gnutls_ffdhe_3072_group_q,
+ .q_bits = &gnutls_ffdhe_3072_key_bits,
+ .pk = GNUTLS_PK_DH,
+ .tls_id = 0x101 },
+ { .name = "FFDHE4096",
+ .id = GNUTLS_GROUP_FFDHE4096,
+ .generator = &gnutls_ffdhe_4096_group_generator,
+ .prime = &gnutls_ffdhe_4096_group_prime,
+ .q = &gnutls_ffdhe_4096_group_q,
+ .q_bits = &gnutls_ffdhe_4096_key_bits,
+ .pk = GNUTLS_PK_DH,
+ .tls_id = 0x102 },
+ { .name = "FFDHE6144",
+ .id = GNUTLS_GROUP_FFDHE6144,
+ .generator = &gnutls_ffdhe_6144_group_generator,
+ .prime = &gnutls_ffdhe_6144_group_prime,
+ .q = &gnutls_ffdhe_6144_group_q,
+ .q_bits = &gnutls_ffdhe_6144_key_bits,
+ .pk = GNUTLS_PK_DH,
+ .tls_id = 0x103 },
+ { .name = "FFDHE8192",
+ .id = GNUTLS_GROUP_FFDHE8192,
+ .generator = &gnutls_ffdhe_8192_group_generator,
+ .prime = &gnutls_ffdhe_8192_group_prime,
+ .q = &gnutls_ffdhe_8192_group_q,
+ .q_bits = &gnutls_ffdhe_8192_key_bits,
+ .pk = GNUTLS_PK_DH,
+ .tls_id = 0x104 },
 #endif
- {0, 0, 0}
+ { 0, 0, 0 }
 };
-#define GNUTLS_GROUP_LOOP(b) \
- { const gnutls_group_entry_st *p; \
- for(p = supported_groups; p->name != NULL; p++) { b ; } }
+#define GNUTLS_GROUP_LOOP(b) \
+ { \
+ const gnutls_group_entry_st *p; \
+ for (p = supported_groups; p->name != NULL; p++) { \
+ b; \
+ } \
+ }
 /* Returns the TLS id of the given curve */
 const gnutls_group_entry_st *_gnutls_tls_id_to_group(unsigned num)
 {
- GNUTLS_GROUP_LOOP(if (p->tls_id == num &&
- (p->curve == 0
- || _gnutls_ecc_curve_is_supported(p->curve))) {
- return p;}
- ) ;
+ GNUTLS_GROUP_LOOP(
+ if (p->tls_id == num &&
+ (p->curve == 0 ||
+ _gnutls_ecc_curve_is_supported(p->curve))) { return p; });
 return NULL;
 }
@@ -202,11 +198,11 @@ const gnutls_group_entry_st *_gnutls_id_to_group(unsigned id)
 if (id == 0) return NULL;
- GNUTLS_GROUP_LOOP(if (p->id == id &&
- (p->curve == 0
- || _gnutls_ecc_curve_is_supported(p->curve))) {
- return p;}
- ) ;
+ GNUTLS_GROUP_LOOP(
+ if (p->id == id && (p->curve == 0 ||
+ _gnutls_ecc_curve_is_supported(p->curve))) {
+ return p;
+ });
 return NULL;
 }
@@ -230,10 +226,9 @@ const gnutls_group_t *gnutls_group_list(void)
 if (groups[0] == 0) {
 int i = 0;
- GNUTLS_GROUP_LOOP(if
- (p->curve == 0
- || _gnutls_ecc_curve_is_supported(p->curve))
- groups[i++] = p->id;) ;
+ GNUTLS_GROUP_LOOP(if (p->curve == 0 ||
+ _gnutls_ecc_curve_is_supported(p->curve))
+ groups[i++] = p->id;);
 groups[i++] = 0;
 }
@@ -255,12 +250,12 @@ gnutls_group_t gnutls_group_get_id(const char *name)
 {
 gnutls_group_t ret = GNUTLS_GROUP_INVALID;
- GNUTLS_GROUP_LOOP(if
- (c_strcasecmp(p->name, name) == 0
- && (p->curve == 0
- || _gnutls_ecc_curve_is_supported(p->curve))) {
- ret = p->id; break;}
- ) ;
+ GNUTLS_GROUP_LOOP(if (c_strcasecmp(p->name, name) == 0 &&
+ (p->curve == 0 ||
+ _gnutls_ecc_curve_is_supported(p->curve))) {
+ ret = p->id;
+ break;
+ });
 return ret;
 }
@@ -273,8 +268,9 @@ gnutls_group_t _gnutls_group_get_id(const char *name)
 gnutls_group_t ret = GNUTLS_GROUP_INVALID;
 GNUTLS_GROUP_LOOP(if (c_strcasecmp(p->name, name) == 0) {
- ret = p->id; break;}
- ) ;
+ ret = p->id;
+ break;
+ });
 return ret;
 }
@@ -292,9 +288,7 @@ gnutls_group_t _gnutls_group_get_id(const char *name)
 **/
 const char *gnutls_group_get_name(gnutls_group_t group)
 {
- GNUTLS_GROUP_LOOP(if (p->id == group) {
- return p->name;}
- ) ;
+ GNUTLS_GROUP_LOOP(if (p->id == group) { return p->name; });
 return NULL;
 }
diff --git a/lib/algorithms/kx.c b/lib/algorithms/kx.c
index df020d8a3f..41b65b5cd7 100644
--- a/lib/algorithms/kx.c
+++ b/lib/algorithms/kx.c
@@ -50,36 +50,36 @@ extern mod_auth_st vko_gost_auth_struct;
 typedef struct {
 gnutls_kx_algorithm_t algorithm;
 gnutls_credentials_type_t client_type;
- gnutls_credentials_type_t server_type; /* The type of credentials a server
+ gnutls_credentials_type_t server_type; /* The type of credentials a server
 * needs to set */
 } gnutls_cred_map;
 static const gnutls_cred_map cred_mappings[] = {
- {GNUTLS_KX_ECDHE_RSA, GNUTLS_CRD_CERTIFICATE,
- GNUTLS_CRD_CERTIFICATE},
- {GNUTLS_KX_ECDHE_ECDSA, GNUTLS_CRD_CERTIFICATE,
- GNUTLS_CRD_CERTIFICATE},
- {GNUTLS_KX_RSA, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE},
- {GNUTLS_KX_DHE_DSS, GNUTLS_CRD_CERTIFICATE,
- GNUTLS_CRD_CERTIFICATE},
- {GNUTLS_KX_DHE_RSA, GNUTLS_CRD_CERTIFICATE,
- GNUTLS_CRD_CERTIFICATE},
- {GNUTLS_KX_ECDHE_PSK, GNUTLS_CRD_PSK, GNUTLS_CRD_PSK},
- {GNUTLS_KX_PSK, GNUTLS_CRD_PSK, GNUTLS_CRD_PSK},
- {GNUTLS_KX_DHE_PSK, GNUTLS_CRD_PSK, GNUTLS_CRD_PSK},
- {GNUTLS_KX_RSA_PSK, GNUTLS_CRD_PSK, GNUTLS_CRD_CERTIFICATE},
- {GNUTLS_KX_SRP, GNUTLS_CRD_SRP, GNUTLS_CRD_SRP},
- {GNUTLS_KX_SRP_RSA, GNUTLS_CRD_SRP, GNUTLS_CRD_CERTIFICATE},
- {GNUTLS_KX_SRP_DSS, GNUTLS_CRD_SRP, GNUTLS_CRD_CERTIFICATE},
- {GNUTLS_KX_ANON_DH, GNUTLS_CRD_ANON, GNUTLS_CRD_ANON},
- {GNUTLS_KX_ANON_ECDH, GNUTLS_CRD_ANON, GNUTLS_CRD_ANON},
- {GNUTLS_KX_VKO_GOST_12, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE},
- {0, 0, 0}
+ { GNUTLS_KX_ECDHE_RSA, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE },
+ { GNUTLS_KX_ECDHE_ECDSA, GNUTLS_CRD_CERTIFICATE,
+ GNUTLS_CRD_CERTIFICATE },
+ { GNUTLS_KX_RSA, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE },
+ { GNUTLS_KX_DHE_DSS, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE },
+ { GNUTLS_KX_DHE_RSA, GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE },
+ { GNUTLS_KX_ECDHE_PSK, GNUTLS_CRD_PSK, GNUTLS_CRD_PSK },
+ { GNUTLS_KX_PSK, GNUTLS_CRD_PSK, GNUTLS_CRD_PSK },
+ { GNUTLS_KX_DHE_PSK, GNUTLS_CRD_PSK, GNUTLS_CRD_PSK },
+ { GNUTLS_KX_RSA_PSK, GNUTLS_CRD_PSK, GNUTLS_CRD_CERTIFICATE },
+ { GNUTLS_KX_SRP, GNUTLS_CRD_SRP, GNUTLS_CRD_SRP },
+ { GNUTLS_KX_SRP_RSA, GNUTLS_CRD_SRP, GNUTLS_CRD_CERTIFICATE },
+ { GNUTLS_KX_SRP_DSS, GNUTLS_CRD_SRP, GNUTLS_CRD_CERTIFICATE },
+ { GNUTLS_KX_ANON_DH, GNUTLS_CRD_ANON, GNUTLS_CRD_ANON },
+ { GNUTLS_KX_ANON_ECDH, GNUTLS_CRD_ANON, GNUTLS_CRD_ANON },
+ { GNUTLS_KX_VKO_GOST_12, GNUTLS_CRD_CERTIFICATE,
+ GNUTLS_CRD_CERTIFICATE },
+ { 0, 0, 0 }
 };
-#define GNUTLS_KX_MAP_LOOP(b) \
- const gnutls_cred_map *p; \
- for(p = cred_mappings; p->algorithm != 0; p++) { b ; }
+#define GNUTLS_KX_MAP_LOOP(b) \
+ const gnutls_cred_map *p; \
+ for (p = cred_mappings; p->algorithm != 0; p++) { \
+ b; \
+ }
 struct gnutls_kx_algo_entry {
 const char *name;
@@ -92,54 +92,59 @@ typedef struct gnutls_kx_algo_entry gnutls_kx_algo_entry;
 static const gnutls_kx_algo_entry _gnutls_kx_algorithms[] = {
 #ifdef ENABLE_ECDHE
- {"ECDHE-RSA", GNUTLS_KX_ECDHE_RSA, &ecdhe_rsa_auth_struct, 0, 1},
- {"ECDHE-ECDSA", GNUTLS_KX_ECDHE_ECDSA, &ecdhe_ecdsa_auth_struct,
- 0, 1},
+ { "ECDHE-RSA", GNUTLS_KX_ECDHE_RSA, &ecdhe_rsa_auth_struct, 0, 1 },
+ { "ECDHE-ECDSA", GNUTLS_KX_ECDHE_ECDSA, &ecdhe_ecdsa_auth_struct, 0,
+ 1 },
 #endif
- {"RSA", GNUTLS_KX_RSA, &rsa_auth_struct, 0, 0},
+ { "RSA", GNUTLS_KX_RSA, &rsa_auth_struct, 0, 0 },
 #ifdef ENABLE_DHE
- {"DHE-RSA", GNUTLS_KX_DHE_RSA, &dhe_rsa_auth_struct, 1, 1},
- {"DHE-DSS", GNUTLS_KX_DHE_DSS, &dhe_dss_auth_struct, 1, 1},
+ { "DHE-RSA", GNUTLS_KX_DHE_RSA, &dhe_rsa_auth_struct, 1, 1 },
+ { "DHE-DSS", GNUTLS_KX_DHE_DSS, &dhe_dss_auth_struct, 1, 1 },
 #endif
 #ifdef ENABLE_PSK
- {"PSK", GNUTLS_KX_PSK, &psk_auth_struct, 0, 0},
- {"RSA-PSK", GNUTLS_KX_RSA_PSK, &rsa_psk_auth_struct, 0, 0},
-# ifdef ENABLE_DHE
- {"DHE-PSK", GNUTLS_KX_DHE_PSK, &dhe_psk_auth_struct,
- 1 /* needs DHE params */ , 0},
-# endif
-# ifdef ENABLE_ECDHE
- {"ECDHE-PSK", GNUTLS_KX_ECDHE_PSK, &ecdhe_psk_auth_struct, 0, 0},
-# endif
+ { "PSK", GNUTLS_KX_PSK, &psk_auth_struct, 0, 0 },
+ { "RSA-PSK", GNUTLS_KX_RSA_PSK, &rsa_psk_auth_struct, 0, 0 },
+#ifdef ENABLE_DHE
+ { "DHE-PSK", GNUTLS_KX_DHE_PSK, &dhe_psk_auth_struct,
+ 1 /* needs DHE params */, 0 },
+#endif
+#ifdef ENABLE_ECDHE
+ { "ECDHE-PSK", GNUTLS_KX_ECDHE_PSK, &ecdhe_psk_auth_struct, 0, 0 },
+#endif
 #endif
 #ifdef ENABLE_SRP
- {"SRP-DSS", GNUTLS_KX_SRP_DSS, &srp_dss_auth_struct, 0, 0},
- {"SRP-RSA", GNUTLS_KX_SRP_RSA, &srp_rsa_auth_struct, 0, 0},
- {"SRP", GNUTLS_KX_SRP, &srp_auth_struct, 0, 0},
+ { "SRP-DSS", GNUTLS_KX_SRP_DSS, &srp_dss_auth_struct, 0, 0 },
+ { "SRP-RSA", GNUTLS_KX_SRP_RSA, &srp_rsa_auth_struct, 0, 0 },
+ { "SRP", GNUTLS_KX_SRP, &srp_auth_struct, 0, 0 },
 #endif
 #if defined(ENABLE_ANON) && defined(ENABLE_DHE)
- {"ANON-DH", GNUTLS_KX_ANON_DH, &anon_auth_struct, 1, 0},
+ { "ANON-DH", GNUTLS_KX_ANON_DH, &anon_auth_struct, 1, 0 },
 #endif
 #if defined(ENABLE_ANON) && defined(ENABLE_ECDHE)
- {"ANON-ECDH", GNUTLS_KX_ANON_ECDH, &anon_ecdh_auth_struct, 0, 0},
+ { "ANON-ECDH", GNUTLS_KX_ANON_ECDH, &anon_ecdh_auth_struct, 0, 0 },
 #endif
 #ifdef ENABLE_GOST
- {"VKO-GOST-12", GNUTLS_KX_VKO_GOST_12, &vko_gost_auth_struct, 0, 0},
+ { "VKO-GOST-12", GNUTLS_KX_VKO_GOST_12, &vko_gost_auth_struct, 0, 0 },
 #endif
 /* for deprecated and legacy algorithms no longer supported, use * GNUTLS_KX_INVALID as an entry. This will make them available * as priority strings, but they will be a no-op. */
- {"RSA-EXPORT", GNUTLS_KX_INVALID, NULL, 0, 0},
- {0, 0, 0, 0, 0}
+ { "RSA-EXPORT", GNUTLS_KX_INVALID, NULL, 0, 0 },
+ { 0, 0, 0, 0, 0 }
 };
-#define GNUTLS_KX_LOOP(b) \
- const gnutls_kx_algo_entry *p; \
- for(p = _gnutls_kx_algorithms; p->name != NULL; p++) { b ; }
+#define GNUTLS_KX_LOOP(b) \
+ const gnutls_kx_algo_entry *p; \
+ for (p = _gnutls_kx_algorithms; p->name != NULL; p++) { \
+ b; \
+ }
-#define GNUTLS_KX_ALG_LOOP(a) \
- GNUTLS_KX_LOOP( if(p->algorithm == algorithm) { a; break; } )
+#define GNUTLS_KX_ALG_LOOP(a) \
+ GNUTLS_KX_LOOP(if (p->algorithm == algorithm) { \
+ a; \
+ break; \
+ })
 /* Key EXCHANGE functions */
 mod_auth_st *_gnutls_kx_auth_struct(gnutls_kx_algorithm_t algorithm)
@@ -147,7 +152,6 @@ mod_auth_st *_gnutls_kx_auth_struct(gnutls_kx_algorithm_t algorithm)
 mod_auth_st *ret = NULL;
 GNUTLS_KX_ALG_LOOP(ret = p->auth_struct);
 return ret;
-
 }
 /**
@@ -183,11 +187,11 @@ gnutls_kx_algorithm_t gnutls_kx_get_id(const char *name)
 {
 gnutls_kx_algorithm_t ret = GNUTLS_KX_UNKNOWN;
- GNUTLS_KX_LOOP(if
- (c_strcasecmp(p->name, name) == 0
- && (int)p->algorithm != GNUTLS_KX_INVALID) {
- ret = p->algorithm; break;}
- ) ;
+ GNUTLS_KX_LOOP(if (c_strcasecmp(p->name, name) == 0 &&
+ (int)p->algorithm != GNUTLS_KX_INVALID) {
+ ret = p->algorithm;
+ break;
+ });
 return ret;
 }
@@ -201,8 +205,9 @@ int _gnutls_kx_get_id(const char *name)
 gnutls_kx_algorithm_t ret = GNUTLS_KX_UNKNOWN;
 GNUTLS_KX_LOOP(if (c_strcasecmp(p->name, name) == 0) {
- ret = p->algorithm; break;}
- ) ;
+ ret = p->algorithm;
+ break;
+ });
 return ret;
 }
@@ -258,9 +263,8 @@ bool _gnutls_kx_allows_false_start(gnutls_session_t session)
 #if defined(ENABLE_DHE) || defined(ENABLE_ANON)
 if (needs_dh != 0) {
- bits =
- gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH,
- GNUTLS_SEC_PARAM_HIGH);
+ bits = gnutls_sec_param_to_pk_bits(
+ GNUTLS_PK_DH, GNUTLS_SEC_PARAM_HIGH);
 /* check whether sizes are sufficient */
 if (e && e->prime) {
 if (e->prime->size * 8 < (unsigned)bits)
@@ -269,14 +273,13 @@ bool _gnutls_kx_allows_false_start(gnutls_session_t session)
 ret = 0;
 } else
 #endif
- if (algorithm == GNUTLS_KX_ECDHE_RSA
- || algorithm == GNUTLS_KX_ECDHE_ECDSA) {
- bits =
- gnutls_sec_param_to_pk_bits(GNUTLS_PK_EC,
- GNUTLS_SEC_PARAM_HIGH);
-
- if (e != NULL
- && gnutls_ecc_curve_get_size(e->curve) * 8 < bits)
+ if (algorithm == GNUTLS_KX_ECDHE_RSA ||
+ algorithm == GNUTLS_KX_ECDHE_ECDSA) {
+ bits = gnutls_sec_param_to_pk_bits(
+ GNUTLS_PK_EC, GNUTLS_SEC_PARAM_HIGH);
+
+ if (e != NULL &&
+ gnutls_ecc_curve_get_size(e->curve) * 8 < bits)
 ret = 0;
 }
 }
@@ -299,12 +302,14 @@ _gnutls_map_kx_get_cred(gnutls_kx_algorithm_t algorithm, int server)
 gnutls_credentials_type_t ret = -1;
 if (server) {
 GNUTLS_KX_MAP_LOOP(if (p->algorithm == algorithm) {
- ret = p->server_type; break;}
- ) ;
+ ret = p->server_type;
+ break;
+ });
 } else {
 GNUTLS_KX_MAP_LOOP(if (p->algorithm == algorithm) {
- ret = p->client_type; break;}
- ) ;
+ ret = p->client_type;
+ break;
+ });
 }
 return ret;
diff --git a/lib/algorithms/mac.c b/lib/algorithms/mac.c
index 50ad49a3ba..9d1c9b8f3b 100644
--- a/lib/algorithms/mac.c
+++ b/lib/algorithms/mac.c
@@ -37,185 +37,189 @@
 #define MAC_OID_STREEBOG_512 "1.2.643.7.1.1.4.2"
 static SYSTEM_CONFIG_OR_CONST mac_entry_st hash_algorithms[] = {
- {.name = "SHA1",
- .oid = HASH_OID_SHA1,
- .mac_oid = MAC_OID_SHA1,
- .id = GNUTLS_MAC_SHA1,
- .output_size = 20,
- .key_size = 20,
- .block_size = 64},
- {.name = "MD5+SHA1",
- .id = GNUTLS_MAC_MD5_SHA1,
- .output_size = 36,
- .key_size = 36,
- .flags = GNUTLS_MAC_FLAG_PREIMAGE_INSECURE,
- .block_size = 64},
- {.name = "SHA256",
- .oid = HASH_OID_SHA256,
- .mac_oid = MAC_OID_SHA256,
- .id = GNUTLS_MAC_SHA256,
- .output_size = 32,
- .key_size = 32,
- .block_size = 64},
- {.name = "SHA384",
- .oid = HASH_OID_SHA384,
- .mac_oid = MAC_OID_SHA384,
- .id = GNUTLS_MAC_SHA384,
- .output_size = 48,
- .key_size = 48,
- .block_size = 128},
- {.name = "SHA512",
- .oid = HASH_OID_SHA512,
- .mac_oid = MAC_OID_SHA512,
- .id = GNUTLS_MAC_SHA512,
- .output_size = 64,
- .key_size = 64,
- .block_size = 128},
- {.name = "SHA224",
- .oid = HASH_OID_SHA224,
- .mac_oid = MAC_OID_SHA224,
- .id = GNUTLS_MAC_SHA224,
- .output_size = 28,
- .key_size = 28,
- .block_size = 64},
- {.name = "SHA3-256",
- .oid = HASH_OID_SHA3_256,
- .id = GNUTLS_MAC_SHA3_256,
- .output_size = 32,
- .key_size = 32,
- .block_size = 136},
- {.name = "SHA3-384",
- .oid = HASH_OID_SHA3_384,
- .id = GNUTLS_MAC_SHA3_384,
- .output_size = 48,
- .key_size = 48,
- .block_size = 104},
- {.name = "SHA3-512",
- .oid = HASH_OID_SHA3_512,
- .id = GNUTLS_MAC_SHA3_512,
- .output_size = 64,
- .key_size = 64,
- .block_size = 72},
- {.name = "SHA3-224",
- .oid = HASH_OID_SHA3_224,
- .id = GNUTLS_MAC_SHA3_224,
- .output_size = 28,
- .key_size = 28,
- .block_size = 144},
- {.name = "UMAC-96",
- .id = GNUTLS_MAC_UMAC_96,
- .output_size = 12,
- .key_size = 16,
- .nonce_size = 8},
- {.name = "UMAC-128",
- .id = GNUTLS_MAC_UMAC_128,
- .output_size = 16,
- .key_size = 16,
- .nonce_size = 8},
- {.name = "AEAD",
- .id = GNUTLS_MAC_AEAD,
- .placeholder = 1},
- {.name = "MD5",
- .oid = HASH_OID_MD5,
- .id = GNUTLS_MAC_MD5,
- .output_size = 16,
- .key_size = 16,
- .flags = GNUTLS_MAC_FLAG_PREIMAGE_INSECURE,
- .block_size = 64},
- {.name = "MD2",
- .oid = HASH_OID_MD2,
- .flags = GNUTLS_MAC_FLAG_PREIMAGE_INSECURE,
- .id = GNUTLS_MAC_MD2},
- {.name = "RIPEMD160",
- .oid = HASH_OID_RMD160,
- .id = GNUTLS_MAC_RMD160,
- .output_size = 20,
- .key_size = 20,
- .block_size = 64},
- {.name = "GOSTR341194",
- .oid = HASH_OID_GOST_R_3411_94,
- .mac_oid = MAC_OID_GOST_R_3411_94,
- .id = GNUTLS_MAC_GOSTR_94,
- .output_size = 32,
- .key_size = 32,
- .block_size = 32,
- .flags = GNUTLS_MAC_FLAG_PREIMAGE_INSECURE},
- {.name = "STREEBOG-256",
- .oid = HASH_OID_STREEBOG_256,
- .mac_oid = MAC_OID_STREEBOG_256,
- .id = GNUTLS_MAC_STREEBOG_256,
- .output_size = 32,
- .key_size = 32,
- .block_size = 64},
- {.name = "STREEBOG-512",
- .oid = HASH_OID_STREEBOG_512,
- .mac_oid = MAC_OID_STREEBOG_512,
- .id = GNUTLS_MAC_STREEBOG_512,
- .output_size = 64,
- .key_size = 64,
- .block_size = 64},
- {.name = "AES-CMAC-128",
- .id = GNUTLS_MAC_AES_CMAC_128,
- .output_size = 16,
- .key_size = 16,},
- {.name = "AES-CMAC-256",
- .id = GNUTLS_MAC_AES_CMAC_256,
- .output_size = 16,
- .key_size = 32},
- {.name = "AES-GMAC-128",
- .id = GNUTLS_MAC_AES_GMAC_128,
- .output_size = 16,
- .key_size = 16,
- .nonce_size = 12},
- {.name = "AES-GMAC-192",
- .id = GNUTLS_MAC_AES_GMAC_192,
- .output_size = 16,
- .key_size = 24,
- .nonce_size = 12},
- {.name = "AES-GMAC-256",
- .id = GNUTLS_MAC_AES_GMAC_256,
- .output_size = 16,
- .key_size = 32,
- .nonce_size = 12},
- {.name = "GOST28147-TC26Z-IMIT",
- .id = GNUTLS_MAC_GOST28147_TC26Z_IMIT,
- .output_size = 4,
- .key_size = 32,
- .block_size = 8,
- .flags = GNUTLS_MAC_FLAG_CONTINUOUS_MAC},
- {.name = "SHAKE-128",
- .oid = HASH_OID_SHAKE_128,
- .id = GNUTLS_MAC_SHAKE_128,
- .block_size = 168},
- {.name = "SHAKE-256",
- .oid = HASH_OID_SHAKE_256,
- .id = GNUTLS_MAC_SHAKE_256,
- .block_size = 136},
- {.name = "OMAC-MAGMA",
- .id = GNUTLS_MAC_MAGMA_OMAC,
- .output_size = 8,
- .key_size = 32,
- .block_size = 8},
- {.name = "OMAC-KUZNYECHIK",
- .id = GNUTLS_MAC_KUZNYECHIK_OMAC,
- .output_size = 16,
- .key_size = 32,
- .block_size = 16},
- {.name = "MAC-NULL",
- .id = GNUTLS_MAC_NULL},
- {0, 0, 0, 0, 0, 0, 0, 0, 0}
+ { .name = "SHA1",
+ .oid = HASH_OID_SHA1,
+ .mac_oid = MAC_OID_SHA1,
+ .id = GNUTLS_MAC_SHA1,
+ .output_size = 20,
+ .key_size = 20,
+ .block_size = 64 },
+ { .name = "MD5+SHA1",
+ .id = GNUTLS_MAC_MD5_SHA1,
+ .output_size = 36,
+ .key_size = 36,
+ .flags = GNUTLS_MAC_FLAG_PREIMAGE_INSECURE,
+ .block_size = 64 },
+ { .name = "SHA256",
+ .oid = HASH_OID_SHA256,
+ .mac_oid = MAC_OID_SHA256,
+ .id = GNUTLS_MAC_SHA256,
+ .output_size = 32,
+ .key_size = 32,
+ .block_size = 64 },
+ { .name = "SHA384",
+ .oid = HASH_OID_SHA384,
+ .mac_oid = MAC_OID_SHA384,
+ .id = GNUTLS_MAC_SHA384,
+ .output_size = 48,
+ .key_size = 48,
+ .block_size = 128 },
+ { .name = "SHA512",
+ .oid = HASH_OID_SHA512,
+ .mac_oid = MAC_OID_SHA512,
+ .id = GNUTLS_MAC_SHA512,
+ .output_size = 64,
+ .key_size = 64,
+ .block_size = 128 },
+ { .name = "SHA224",
+ .oid = HASH_OID_SHA224,
+ .mac_oid = MAC_OID_SHA224,
+ .id = GNUTLS_MAC_SHA224,
+ .output_size = 28,
+ .key_size = 28,
+ .block_size = 64 },
+ { .name = "SHA3-256",
+ .oid = HASH_OID_SHA3_256,
+ .id = GNUTLS_MAC_SHA3_256,
+ .output_size = 32,
+ .key_size = 32,
+ .block_size = 136 },
+ { .name = "SHA3-384",
+ .oid = HASH_OID_SHA3_384,
+ .id = GNUTLS_MAC_SHA3_384,
+ .output_size = 48,
+ .key_size = 48,
+ .block_size = 104 },
+ { .name = "SHA3-512",
+ .oid = HASH_OID_SHA3_512,
+ .id = GNUTLS_MAC_SHA3_512,
+ .output_size = 64,
+ .key_size = 64,
+ .block_size = 72 },
+ { .name = "SHA3-224",
+ .oid = HASH_OID_SHA3_224,
+ .id = GNUTLS_MAC_SHA3_224,
+ .output_size = 28,
+ .key_size = 28,
+ .block_size = 144 },
+ { .name = "UMAC-96",
+ .id = GNUTLS_MAC_UMAC_96,
+ .output_size = 12,
+ .key_size = 16,
+ .nonce_size = 8 },
+ { .name = "UMAC-128",
+ .id = GNUTLS_MAC_UMAC_128,
+ .output_size = 16,
+ .key_size = 16,
+ .nonce_size = 8 },
+ { .name = "AEAD", .id = GNUTLS_MAC_AEAD, .placeholder = 1 },
+ { .name = "MD5",
+ .oid = HASH_OID_MD5,
+ .id = GNUTLS_MAC_MD5,
+ .output_size = 16,
+ .key_size = 16,
+ .flags = GNUTLS_MAC_FLAG_PREIMAGE_INSECURE,
+ .block_size = 64 },
+ { .name = "MD2",
+ .oid = HASH_OID_MD2,
+ .flags = GNUTLS_MAC_FLAG_PREIMAGE_INSECURE,
+ .id = GNUTLS_MAC_MD2 },
+ { .name = "RIPEMD160",
+ .oid = HASH_OID_RMD160,
+ .id = GNUTLS_MAC_RMD160,
+ .output_size = 20,
+ .key_size = 20,
+ .block_size = 64 },
+ { .name = "GOSTR341194",
+ .oid = HASH_OID_GOST_R_3411_94,
+ .mac_oid = MAC_OID_GOST_R_3411_94,
+ .id = GNUTLS_MAC_GOSTR_94,
+ .output_size = 32,
+ .key_size = 32,
+ .block_size = 32,
+ .flags = GNUTLS_MAC_FLAG_PREIMAGE_INSECURE },
+ { .name = "STREEBOG-256",
+ .oid = HASH_OID_STREEBOG_256,
+ .mac_oid = MAC_OID_STREEBOG_256,
+ .id = GNUTLS_MAC_STREEBOG_256,
+ .output_size = 32,
+ .key_size = 32,
+ .block_size = 64 },
+ { .name = "STREEBOG-512",
+ .oid = HASH_OID_STREEBOG_512,
+ .mac_oid = MAC_OID_STREEBOG_512,
+ .id = GNUTLS_MAC_STREEBOG_512,
+ .output_size = 64,
+ .key_size = 64,
+ .block_size = 64 },
+ {
+ .name = "AES-CMAC-128",
+ .id = GNUTLS_MAC_AES_CMAC_128,
+ .output_size = 16,
+ .key_size = 16,
+ },
+ { .name = "AES-CMAC-256",
+ .id = GNUTLS_MAC_AES_CMAC_256,
+ .output_size = 16,
+ .key_size = 32 },
+ { .name = "AES-GMAC-128",
+ .id = GNUTLS_MAC_AES_GMAC_128,
+ .output_size = 16,
+ .key_size = 16,
+ .nonce_size = 12 },
+ { .name = "AES-GMAC-192",
+ .id = GNUTLS_MAC_AES_GMAC_192,
+ .output_size = 16,
+ .key_size = 24,
+ .nonce_size = 12 },
+ { .name = "AES-GMAC-256",
+ .id = GNUTLS_MAC_AES_GMAC_256,
+ .output_size = 16,
+ .key_size = 32,
+ .nonce_size = 12 },
+ { .name = "GOST28147-TC26Z-IMIT",
+ .id = GNUTLS_MAC_GOST28147_TC26Z_IMIT,
+ .output_size = 4,
+ .key_size = 32,
+ .block_size = 8,
+ .flags = GNUTLS_MAC_FLAG_CONTINUOUS_MAC },
+ { .name = "SHAKE-128",
+ .oid = HASH_OID_SHAKE_128,
+ .id = GNUTLS_MAC_SHAKE_128,
+ .block_size = 168 },
+ { .name = "SHAKE-256",
+ .oid = HASH_OID_SHAKE_256,
+ .id = GNUTLS_MAC_SHAKE_256,
+ .block_size = 136 },
+ { .name = "OMAC-MAGMA",
+ .id = GNUTLS_MAC_MAGMA_OMAC,
+ .output_size = 8,
+ .key_size = 32,
+ .block_size = 8 },
+ { .name = "OMAC-KUZNYECHIK",
+ .id = GNUTLS_MAC_KUZNYECHIK_OMAC,
+ .output_size = 16,
+ .key_size = 32,
+ .block_size = 16 },
+ { .name = "MAC-NULL", .id = GNUTLS_MAC_NULL },
+ { 0, 0, 0, 0, 0, 0, 0, 0, 0 }
 };
-#define GNUTLS_HASH_LOOP(b) \
- const mac_entry_st *p; \
- for(p = hash_algorithms; p->name != NULL; p++) { b ; }
+#define GNUTLS_HASH_LOOP(b) \
+ const mac_entry_st *p; \
+ for (p = hash_algorithms; p->name != NULL; p++) { \
+ b; \
+ }
-#define GNUTLS_HASH_ALG_LOOP(a) \
- GNUTLS_HASH_LOOP( if(p->id == algorithm) { a; break; } )
+#define GNUTLS_HASH_ALG_LOOP(a) \
+ GNUTLS_HASH_LOOP(if (p->id == algorithm) { \
+ a; \
+ break; \
+ })
 const mac_entry_st *_gnutls_mac_to_entry(gnutls_mac_algorithm_t c)
 {
- GNUTLS_HASH_LOOP(if (c == p->id) return p) ;
+ GNUTLS_HASH_LOOP(if (c == p->id) return p);
 return NULL;
 }
@@ -253,8 +257,9 @@ const char *gnutls_digest_get_name(gnutls_digest_algorithm_t algorithm)
 const char *ret = NULL;
 GNUTLS_HASH_LOOP(if (algorithm == (unsigned)p->id && p->oid != NULL) {
- ret = p->name; break;}
- ) ;
+ ret = p->name;
+ break;
+ });
 return ret;
 }
@@ -273,11 +278,12 @@ gnutls_digest_algorithm_t gnutls_digest_get_id(const char *name)
 {
 gnutls_digest_algorithm_t ret = GNUTLS_DIG_UNKNOWN;
- GNUTLS_HASH_LOOP(if (p->oid != NULL && c_strcasecmp(p->name, name) == 0) {
- if (_gnutls_digest_exists
- ((gnutls_digest_algorithm_t) p->id))
- ret = (gnutls_digest_algorithm_t) p->id; break;}
- ) ;
+ GNUTLS_HASH_LOOP(if (p->oid != NULL &&
+ c_strcasecmp(p->name, name) == 0) {
+ if (_gnutls_digest_exists((gnutls_digest_algorithm_t)p->id))
+ ret = (gnutls_digest_algorithm_t)p->id;
+ break;
+ });
 return ret;
 }
@@ -289,7 +295,7 @@ int _gnutls_digest_mark_insecure(gnutls_digest_algorithm_t dig)
 mac_entry_st *p;
 for (p = hash_algorithms; p->name != NULL; p++) {
- if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t) dig) {
+ if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t)dig) {
 p->flags |= GNUTLS_MAC_FLAG_PREIMAGE_INSECURE;
 return 0;
 }
@@ -307,25 +313,24 @@ void _gnutls_digest_mark_insecure_all(void)
 for (p = hash_algorithms; p->name != NULL; p++) {
 p->flags |= GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE |
- GNUTLS_MAC_FLAG_PREIMAGE_INSECURE;
+ GNUTLS_MAC_FLAG_PREIMAGE_INSECURE;
 }
 #endif
 }
-int
-_gnutls_digest_set_secure(gnutls_digest_algorithm_t dig, unsigned int secure)
+int _gnutls_digest_set_secure(gnutls_digest_algorithm_t dig,
+ unsigned int secure)
 {
 #ifndef DISABLE_SYSTEM_CONFIG
 mac_entry_st *p;
 for (p = hash_algorithms; p->name != NULL; p++) {
- if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t) dig) {
- if (!
- (p->flags &
- GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE)) {
- return
- gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t)dig) {
+ if (!(p->flags &
+ GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE)) {
+ return gnutls_assert_val(
+ GNUTLS_E_INVALID_REQUEST);
 }
 if (secure) {
 p->flags &= ~GNUTLS_MAC_FLAG_PREIMAGE_INSECURE;
@@ -345,7 +350,7 @@ unsigned _gnutls_digest_is_insecure(gnutls_digest_algorithm_t dig)
 const mac_entry_st *p;
 for (p = hash_algorithms; p->name != NULL; p++) {
- if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t) dig) {
+ if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t)dig) {
 return p->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE;
 }
 }
@@ -358,12 +363,11 @@ bool _gnutls_digest_is_insecure2(gnutls_digest_algorithm_t dig, unsigned flags)
 const mac_entry_st *p;
 for (p = hash_algorithms; p->name != NULL; p++) {
- if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t) dig) {
+ if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t)dig) {
 return (p->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE &&
- !(flags &
- GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE
- && p->flags &
- GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE));
+ !(flags & GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE &&
+ p->flags &
+ GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE));
 }
 }
@@ -385,9 +389,10 @@ gnutls_mac_algorithm_t gnutls_mac_get_id(const char *name)
 gnutls_mac_algorithm_t ret = GNUTLS_MAC_UNKNOWN;
 GNUTLS_HASH_LOOP(if (c_strcasecmp(p->name, name) == 0) {
- if (p->placeholder != 0 || _gnutls_mac_exists(p->id))
- ret = p->id; break;}
- ) ;
+ if (p->placeholder != 0 || _gnutls_mac_exists(p->id))
+ ret = p->id;
+ break;
+ });
 return ret;
 }
@@ -448,10 +453,9 @@ const gnutls_mac_algorithm_t *gnutls_mac_list(void)
 if (supported_macs[0] == 0) {
 int i = 0;
- GNUTLS_HASH_LOOP(if
- (p->placeholder != 0
- || _gnutls_mac_exists(p->id))
- supported_macs[i++] = p->id;) ;
+ GNUTLS_HASH_LOOP(
+ if (p->placeholder != 0 || _gnutls_mac_exists(p->id))
+ supported_macs[i++] = p->id;);
 supported_macs[i++] = 0;
 }
@@ -475,13 +479,12 @@ const gnutls_digest_algorithm_t *gnutls_digest_list(void)
 if (supported_digests[0] == 0) {
 int i = 0;
- GNUTLS_HASH_LOOP(if (p->oid != NULL && (p->placeholder != 0 ||
- _gnutls_mac_exists
- (p->id))) {
-
- supported_digests[i++] =
- (gnutls_digest_algorithm_t) p->id;}
- ) ;
+ GNUTLS_HASH_LOOP(
+ if (p->oid != NULL && (p->placeholder != 0 ||
+ _gnutls_mac_exists(p->id))) {
+ supported_digests[i++] =
+ (gnutls_digest_algorithm_t)p->id;
+ });
 supported_digests[i++] = 0;
 }
@@ -502,11 +505,11 @@ const gnutls_digest_algorithm_t *gnutls_digest_list(void)
 gnutls_digest_algorithm_t gnutls_oid_to_digest(const char *oid)
 {
 GNUTLS_HASH_LOOP(if (p->oid && strcmp(oid, p->oid) == 0) {
- if (_gnutls_digest_exists
- ((gnutls_digest_algorithm_t) p->id)) {
- return (gnutls_digest_algorithm_t) p->id;}
- break;}
- ) ;
+ if (_gnutls_digest_exists((gnutls_digest_algorithm_t)p->id)) {
+ return (gnutls_digest_algorithm_t)p->id;
+ }
+ break;
+ });
 return GNUTLS_DIG_UNKNOWN;
 }
@@ -525,10 +528,11 @@ gnutls_digest_algorithm_t gnutls_oid_to_digest(const char *oid)
 gnutls_mac_algorithm_t gnutls_oid_to_mac(const char *oid)
 {
 GNUTLS_HASH_LOOP(if (p->mac_oid && strcmp(oid, p->mac_oid) == 0) {
- if (_gnutls_mac_exists(p->id)) {
- return p->id;}
- break;}
- ) ;
+ if (_gnutls_mac_exists(p->id)) {
+ return p->id;
+ }
+ break;
+ });
 return GNUTLS_MAC_UNKNOWN;
 }
@@ -547,8 +551,8 @@ gnutls_mac_algorithm_t gnutls_oid_to_mac(const char *oid)
 const char *gnutls_digest_get_oid(gnutls_digest_algorithm_t algorithm)
 {
 GNUTLS_HASH_LOOP(if (algorithm == (unsigned)p->id && p->oid != NULL) {
- return p->oid;}
- ) ;
+ return p->oid;
+ });
 return NULL;
 }
diff --git a/lib/algorithms/protocols.c b/lib/algorithms/protocols.c
index d3f5398857..947cf09473 100644
--- a/lib/algorithms/protocols.c
+++ b/lib/algorithms/protocols.c
@@ -29,133 +29,133 @@ /* TLS Versions */ static SYSTEM_CONFIG_OR_CONST version_entry_st sup_versions[] = { - {.name = "SSL3.0", - .id = GNUTLS_SSL3, - .age = 0, - .major = 3, - .minor = 0, - .transport = GNUTLS_STREAM, + { .name = "SSL3.0", + .id = GNUTLS_SSL3, + .age = 0, + .major = 3, + .minor = 0, + .transport = GNUTLS_STREAM, #ifdef ENABLE_SSL3 - .supported = 1, + .supported = 1, #endif - .explicit_iv = 0, - .extensions = 0, - .selectable_sighash = 0, - .selectable_prf = 0, - .obsolete = 1, - .only_extension = 0, - .tls_sig_sem = SIG_SEM_PRE_TLS12, - .false_start = 0}, - {.name = "TLS1.0", - .id = GNUTLS_TLS1, - .age = 1, - .major = 3, - .minor = 1, - .transport = GNUTLS_STREAM, - .supported = 1, - .explicit_iv = 0, - .extensions = 1, - .selectable_sighash = 0, - .selectable_prf = 0, - .obsolete = 0, - .only_extension = 0, - .tls_sig_sem = SIG_SEM_PRE_TLS12, - .false_start = 0}, - {.name = "TLS1.1", - .id = GNUTLS_TLS1_1, - .age = 2, - .major = 3, - .minor = 2, - .transport = GNUTLS_STREAM, - .supported = 1, - .explicit_iv = 1, - .extensions = 1, - .selectable_sighash = 0, - .selectable_prf = 0, - .obsolete = 0, - .only_extension = 0, - .tls_sig_sem = SIG_SEM_PRE_TLS12, - .false_start = 0}, - {.name = "TLS1.2", - .id = GNUTLS_TLS1_2, - .age = 3, - .major = 3, - .minor = 3, - .transport = GNUTLS_STREAM, - .supported = 1, - .explicit_iv = 1, - .extensions = 1, - .selectable_sighash = 1, - .selectable_prf = 1, - .obsolete = 0, - .only_extension = 0, - .tls_sig_sem = SIG_SEM_PRE_TLS12, - .false_start = 1}, - {.name = "TLS1.3", - .id = GNUTLS_TLS1_3, - .age = 5, - .major = 3, - .minor = 4, - .transport = GNUTLS_STREAM, - .supported = 1, - .explicit_iv = 0, - .extensions = 1, - .selectable_sighash = 1, - .selectable_prf = 1, - .tls13_sem = 1, - .obsolete = 0, - .only_extension = 1, - .post_handshake_auth = 1, - .multi_ocsp = 1, - .key_shares = 1, - .false_start = 0, /* doesn't make sense */ - .tls_sig_sem = SIG_SEM_TLS13}, - {.name = "DTLS0.9", /* Cisco AnyConnect 
(based on about OpenSSL 0.9.8e) */ - .id = GNUTLS_DTLS0_9, - .age = 200, - .major = 1, - .minor = 0, - .transport = GNUTLS_DGRAM, - .supported = 1, - .explicit_iv = 1, - .extensions = 1, - .selectable_sighash = 0, - .selectable_prf = 0, - .obsolete = 0, - .only_extension = 0, - .tls_sig_sem = SIG_SEM_PRE_TLS12, - .false_start = 0}, - {.name = "DTLS1.0", - .id = GNUTLS_DTLS1_0, - .age = 201, - .major = 254, - .minor = 255, - .transport = GNUTLS_DGRAM, - .supported = 1, - .explicit_iv = 1, - .extensions = 1, - .selectable_sighash = 0, - .selectable_prf = 0, - .obsolete = 0, - .only_extension = 0, - .tls_sig_sem = SIG_SEM_PRE_TLS12, - .false_start = 0}, - {.name = "DTLS1.2", - .id = GNUTLS_DTLS1_2, - .age = 202, - .major = 254, - .minor = 253, - .transport = GNUTLS_DGRAM, - .supported = 1, - .explicit_iv = 1, - .extensions = 1, - .selectable_sighash = 1, - .selectable_prf = 1, - .obsolete = 0, - .only_extension = 0, - .tls_sig_sem = SIG_SEM_PRE_TLS12, - .false_start = 1}, - {0, 0, 0, 0, 0} + .explicit_iv = 0, + .extensions = 0, + .selectable_sighash = 0, + .selectable_prf = 0, + .obsolete = 1, + .only_extension = 0, + .tls_sig_sem = SIG_SEM_PRE_TLS12, + .false_start = 0 }, + { .name = "TLS1.0", + .id = GNUTLS_TLS1, + .age = 1, + .major = 3, + .minor = 1, + .transport = GNUTLS_STREAM, + .supported = 1, + .explicit_iv = 0, + .extensions = 1, + .selectable_sighash = 0, + .selectable_prf = 0, + .obsolete = 0, + .only_extension = 0, + .tls_sig_sem = SIG_SEM_PRE_TLS12, + .false_start = 0 }, + { .name = "TLS1.1", + .id = GNUTLS_TLS1_1, + .age = 2, + .major = 3, + .minor = 2, + .transport = GNUTLS_STREAM, + .supported = 1, + .explicit_iv = 1, + .extensions = 1, + .selectable_sighash = 0, + .selectable_prf = 0, + .obsolete = 0, + .only_extension = 0, + .tls_sig_sem = SIG_SEM_PRE_TLS12, + .false_start = 0 }, + { .name = "TLS1.2", + .id = GNUTLS_TLS1_2, + .age = 3, + .major = 3, + .minor = 3, + .transport = GNUTLS_STREAM, + .supported = 1, + .explicit_iv = 1, + .extensions = 1, 
+ .selectable_sighash = 1, + .selectable_prf = 1, + .obsolete = 0, + .only_extension = 0, + .tls_sig_sem = SIG_SEM_PRE_TLS12, + .false_start = 1 }, + { .name = "TLS1.3", + .id = GNUTLS_TLS1_3, + .age = 5, + .major = 3, + .minor = 4, + .transport = GNUTLS_STREAM, + .supported = 1, + .explicit_iv = 0, + .extensions = 1, + .selectable_sighash = 1, + .selectable_prf = 1, + .tls13_sem = 1, + .obsolete = 0, + .only_extension = 1, + .post_handshake_auth = 1, + .multi_ocsp = 1, + .key_shares = 1, + .false_start = 0, /* doesn't make sense */ + .tls_sig_sem = SIG_SEM_TLS13 }, + { .name = "DTLS0.9", /* Cisco AnyConnect (based on about OpenSSL 0.9.8e) */ + .id = GNUTLS_DTLS0_9, + .age = 200, + .major = 1, + .minor = 0, + .transport = GNUTLS_DGRAM, + .supported = 1, + .explicit_iv = 1, + .extensions = 1, + .selectable_sighash = 0, + .selectable_prf = 0, + .obsolete = 0, + .only_extension = 0, + .tls_sig_sem = SIG_SEM_PRE_TLS12, + .false_start = 0 }, + { .name = "DTLS1.0", + .id = GNUTLS_DTLS1_0, + .age = 201, + .major = 254, + .minor = 255, + .transport = GNUTLS_DGRAM, + .supported = 1, + .explicit_iv = 1, + .extensions = 1, + .selectable_sighash = 0, + .selectable_prf = 0, + .obsolete = 0, + .only_extension = 0, + .tls_sig_sem = SIG_SEM_PRE_TLS12, + .false_start = 0 }, + { .name = "DTLS1.2", + .id = GNUTLS_DTLS1_2, + .age = 202, + .major = 254, + .minor = 253, + .transport = GNUTLS_DGRAM, + .supported = 1, + .explicit_iv = 1, + .extensions = 1, + .selectable_sighash = 1, + .selectable_prf = 1, + .obsolete = 0, + .only_extension = 0, + .tls_sig_sem = SIG_SEM_PRE_TLS12, + .false_start = 1 }, + { 0, 0, 0, 0, 0 } }; const version_entry_st *version_to_entry(gnutls_protocol_t version) 
@@ -179,12 +179,11 @@ const version_entry_st *nversion_to_entry(uint8_t major, uint8_t minor)
 return NULL;
 }
-static int
-version_is_valid_for_session(gnutls_session_t session,
- const version_entry_st * v)
+static int version_is_valid_for_session(gnutls_session_t session,
+ const version_entry_st *v)
 {
- if (!v->supported
- && !(v->supported_revertible && _gnutls_allowlisting_mode()))
+ if (!v->supported &&
+ !(v->supported_revertible && _gnutls_allowlisting_mode()))
 return 0;
 if (v->transport != session->internals.transport)
 return 0;
@@ -219,8 +218,8 @@ void _gnutls_version_mark_disabled_all(void)
 #endif
 }
-int
-_gnutls_protocol_set_enabled(gnutls_protocol_t version, unsigned int enabled)
+int _gnutls_protocol_set_enabled(gnutls_protocol_t version,
+ unsigned int enabled)
 {
 #ifndef DISABLE_SYSTEM_CONFIG
 version_entry_st *p;
@@ -228,8 +227,8 @@ _gnutls_protocol_set_enabled(gnutls_protocol_t version, unsigned int enabled)
 for (p = sup_versions; p->name != NULL; p++)
 if (p->id == version) {
 if (!p->supported_revertible) {
- return
- gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ return gnutls_assert_val(
+ GNUTLS_E_INVALID_REQUEST);
 }
 p->supported = enabled;
 return 0;
@@ -239,8 +238,8 @@ _gnutls_protocol_set_enabled(gnutls_protocol_t version, unsigned int enabled)
 }
 /* Return the priority of the provided version number */
-int
-_gnutls_version_priority(gnutls_session_t session, gnutls_protocol_t version)
+int _gnutls_version_priority(gnutls_session_t session,
+ gnutls_protocol_t version)
 {
 unsigned int i;
@@ -265,7 +264,7 @@ const version_entry_st *_gnutls_version_lowest(gnutls_session_t session)
 for (i = 0; i < session->internals.priorities->protocol.num_priorities;
 i++) {
 cur_prot =
- session->internals.priorities->protocol.priorities[i];
+ session->internals.priorities->protocol.priorities[i];
 v = version_to_entry(cur_prot);
 if (v != NULL && version_is_valid_for_session(session, v)) {
@@ -302,7 +301,7 @@ const version_entry_st *_gnutls_version_max(gnutls_session_t session)
 for (i = 0; i < session->internals.priorities->protocol.num_priorities;
 i++) {
 cur_prot =
- session->internals.priorities->protocol.priorities[i];
+ session->internals.priorities->protocol.priorities[i];
 for (p = sup_versions; p->name != NULL; p++) {
 if (p->id == cur_prot) {
@@ -310,18 +309,17 @@ const version_entry_st *_gnutls_version_max(gnutls_session_t session)
 if (p->obsolete != 0)
 break;
 #endif
- if (!p->supported
- && !(p->supported_revertible
- && _gnutls_allowlisting_mode()))
+ if (!p->supported &&
+ !(p->supported_revertible &&
+ _gnutls_allowlisting_mode()))
 break;
 if (p->transport !=
 session->internals.transport)
 break;
- if (p->tls13_sem
- && (session->
- internals.flags & INT_FLAG_NO_TLS13))
+ if (p->tls13_sem && (session->internals.flags &
+ INT_FLAG_NO_TLS13))
 break;
 if (max == NULL || cur_prot > max->id) {
@@ -356,7 +354,7 @@ const version_entry_st *_gnutls_legacy_version_max(gnutls_session_t session)
 * error code. It will return GNUTLS_E_UNSUPPORTED_VERSION_PACKET
 * if there is no version >= TLS 1.3.
 */
-int _gnutls_write_supported_versions(gnutls_session_t session, uint8_t * buffer,
+int _gnutls_write_supported_versions(gnutls_session_t session, uint8_t *buffer,
 ssize_t buffer_size)
 {
 gnutls_protocol_t cur_prot;
@@ -368,16 +366,16 @@ int _gnutls_write_supported_versions(gnutls_session_t session, uint8_t * buffer,
 for (i = 0; i < session->internals.priorities->protocol.num_priorities;
 i++) {
 cur_prot =
- session->internals.priorities->protocol.priorities[i];
+ session->internals.priorities->protocol.priorities[i];
 for (p = sup_versions; p->name != NULL; p++) {
 if (p->id == cur_prot) {
 if (p->obsolete != 0)
 break;
- if (!p->supported
- && !(p->supported_revertible
- && _gnutls_allowlisting_mode()))
+ if (!p->supported &&
+ !(p->supported_revertible &&
+ _gnutls_allowlisting_mode()))
 break;
 if (p->transport !=
@@ -388,9 +386,9 @@ int _gnutls_write_supported_versions(gnutls_session_t session, uint8_t * buffer,
 at_least_one_new = 1;
 if (buffer_size > 2) {
- _gnutls_debug_log
- ("Advertizing version %d.%d\n",
- (int)p->major, (int)p->minor);
+ _gnutls_debug_log(
+ "Advertizing version %d.%d\n",
+ (int)p->major, (int)p->minor);
 buffer[0] = p->major;
 buffer[1] = p->minor;
 written_bytes += 2;
@@ -407,7 +405,7 @@ int _gnutls_write_supported_versions(gnutls_session_t session, uint8_t * buffer,
 }
 }
- finish:
+finish:
 if (written_bytes == 0)
 return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);
@@ -425,7 +423,8 @@ unsigned _gnutls_version_is_too_high(gnutls_session_t session, uint8_t major,
 const version_entry_st *e;
 e = _gnutls_legacy_version_max(session);
- if (e == NULL) /* we don't know; but that means something is unconfigured */
+ if (e ==
+ NULL) /* we don't know; but that means something is unconfigured */
 return 1;
 if (e->transport == GNUTLS_DGRAM) {
@@ -552,9 +551,8 @@ gnutls_protocol_t _gnutls_version_get(uint8_t major, uint8_t minor)
 /* Version Functions */
-int
-_gnutls_nversion_is_supported(gnutls_session_t session,
- unsigned char major, unsigned char minor)
+int _gnutls_nversion_is_supported(gnutls_session_t session, unsigned char major,
+ unsigned char minor)
 {
 const version_entry_st *p;
 int version = 0;
@@ -565,13 +563,12 @@ _gnutls_nversion_is_supported(gnutls_session_t session,
 if (p->obsolete != 0)
 return 0;
 #endif
- if (p->tls13_sem
- && (session->internals.flags & INT_FLAG_NO_TLS13))
+ if (p->tls13_sem &&
+ (session->internals.flags & INT_FLAG_NO_TLS13))
 return 0;
- if (!p->supported
- && !(p->supported_revertible
- && _gnutls_allowlisting_mode()))
+ if (!p->supported && !(p->supported_revertible &&
+ _gnutls_allowlisting_mode()))
 return 0;
 if (p->transport != session->internals.transport)
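Review bot: In _gnutls_version_is_too_high() the trailing comment pushes the formatter into splitting the NULL test across two lines, `if (e ==` followed by `NULL) /* ... */`, which hides a fail-closed check (`return 1` when no maximum version is known). Putting the comment on its own line above the statement keeps the condition intact: `/* we don't know; but that means something is unconfigured */` and then `if (e == NULL)`. The function body continues outside the hunk.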
@@ -586,7 +583,7 @@ _gnutls_nversion_is_supported(gnutls_session_t session, return 0; if (_gnutls_version_priority(session, version) < 0) - return 0; /* disabled by the user */ + return 0; /* disabled by the user */ else return 1; } diff --git a/lib/algorithms/publickey.c b/lib/algorithms/publickey.c index 010fabd7d5..77c947510f 100644 --- a/lib/algorithms/publickey.c +++ b/lib/algorithms/publickey.c @@ -30,7 +30,8 @@ typedef struct { gnutls_kx_algorithm_t kx_algorithm; gnutls_pk_algorithm_t pk_algorithm; - enum encipher_type encipher_type; /* CIPHER_ENCRYPT if this algorithm is to be used + enum encipher_type + encipher_type; /* CIPHER_ENCRYPT if this algorithm is to be used * for encryption, CIPHER_SIGN if signature only, * CIPHER_IGN if this does not apply at all. * 
@@ -45,60 +46,60 @@ typedef struct { * use GNUTLS_KX_RSA or GNUTLS_KX_DHE_RSA. */ static const gnutls_pk_map pk_mappings[] = { - {GNUTLS_KX_RSA, GNUTLS_PK_RSA, CIPHER_ENCRYPT}, - {GNUTLS_KX_DHE_RSA, GNUTLS_PK_RSA, CIPHER_SIGN}, - {GNUTLS_KX_SRP_RSA, GNUTLS_PK_RSA, CIPHER_SIGN}, - {GNUTLS_KX_ECDHE_RSA, GNUTLS_PK_RSA, CIPHER_SIGN}, - {GNUTLS_KX_ECDHE_ECDSA, GNUTLS_PK_EC, CIPHER_SIGN}, - {GNUTLS_KX_ECDHE_ECDSA, GNUTLS_PK_EDDSA_ED25519, CIPHER_SIGN}, - {GNUTLS_KX_ECDHE_ECDSA, GNUTLS_PK_EDDSA_ED448, CIPHER_SIGN}, - {GNUTLS_KX_DHE_DSS, GNUTLS_PK_DSA, CIPHER_SIGN}, - {GNUTLS_KX_DHE_RSA, GNUTLS_PK_RSA_PSS, CIPHER_SIGN}, - {GNUTLS_KX_ECDHE_RSA, GNUTLS_PK_RSA_PSS, CIPHER_SIGN}, - {GNUTLS_KX_SRP_DSS, GNUTLS_PK_DSA, CIPHER_SIGN}, - {GNUTLS_KX_RSA_PSK, GNUTLS_PK_RSA, CIPHER_ENCRYPT}, - {GNUTLS_KX_VKO_GOST_12, GNUTLS_PK_GOST_01, CIPHER_SIGN}, - {GNUTLS_KX_VKO_GOST_12, GNUTLS_PK_GOST_12_256, CIPHER_SIGN}, - {GNUTLS_KX_VKO_GOST_12, GNUTLS_PK_GOST_12_512, CIPHER_SIGN}, - {0, 0, 0} + { GNUTLS_KX_RSA, GNUTLS_PK_RSA, CIPHER_ENCRYPT }, + { GNUTLS_KX_DHE_RSA, GNUTLS_PK_RSA, CIPHER_SIGN }, + { GNUTLS_KX_SRP_RSA, GNUTLS_PK_RSA, CIPHER_SIGN }, + { GNUTLS_KX_ECDHE_RSA, GNUTLS_PK_RSA, CIPHER_SIGN }, + { GNUTLS_KX_ECDHE_ECDSA, GNUTLS_PK_EC, CIPHER_SIGN }, + { GNUTLS_KX_ECDHE_ECDSA, GNUTLS_PK_EDDSA_ED25519, CIPHER_SIGN }, + { GNUTLS_KX_ECDHE_ECDSA, GNUTLS_PK_EDDSA_ED448, CIPHER_SIGN }, + { GNUTLS_KX_DHE_DSS, GNUTLS_PK_DSA, CIPHER_SIGN }, + { GNUTLS_KX_DHE_RSA, GNUTLS_PK_RSA_PSS, CIPHER_SIGN }, + { GNUTLS_KX_ECDHE_RSA, GNUTLS_PK_RSA_PSS, CIPHER_SIGN }, + { GNUTLS_KX_SRP_DSS, GNUTLS_PK_DSA, CIPHER_SIGN }, + { GNUTLS_KX_RSA_PSK, GNUTLS_PK_RSA, CIPHER_ENCRYPT }, + { GNUTLS_KX_VKO_GOST_12, GNUTLS_PK_GOST_01, CIPHER_SIGN }, + { GNUTLS_KX_VKO_GOST_12, GNUTLS_PK_GOST_12_256, CIPHER_SIGN }, + { GNUTLS_KX_VKO_GOST_12, GNUTLS_PK_GOST_12_512, CIPHER_SIGN }, + { 0, 0, 0 } }; -#define GNUTLS_PK_MAP_LOOP(b) \ - const gnutls_pk_map *p; \ - for(p = pk_mappings; p->kx_algorithm != 0; p++) { b } +#define 
GNUTLS_PK_MAP_LOOP(b) \ + const gnutls_pk_map *p; \ + for (p = pk_mappings; p->kx_algorithm != 0; p++) { \ + b \ + } -#define GNUTLS_PK_MAP_ALG_LOOP(a) \ - GNUTLS_PK_MAP_LOOP( if(p->kx_algorithm == kx_algorithm) { a; break; }) +#define GNUTLS_PK_MAP_ALG_LOOP(a) \ + GNUTLS_PK_MAP_LOOP(if (p->kx_algorithm == kx_algorithm) { \ + a; \ + break; \ + }) -unsigned -_gnutls_kx_supports_pk(gnutls_kx_algorithm_t kx_algorithm, - gnutls_pk_algorithm_t pk_algorithm) +unsigned _gnutls_kx_supports_pk(gnutls_kx_algorithm_t kx_algorithm, + gnutls_pk_algorithm_t pk_algorithm) { - GNUTLS_PK_MAP_LOOP(if - (p->kx_algorithm == kx_algorithm - && p->pk_algorithm == pk_algorithm) { - return 1;} - ) - return 0; + GNUTLS_PK_MAP_LOOP(if (p->kx_algorithm == kx_algorithm && + p->pk_algorithm == pk_algorithm) { return 1; }) + return 0; } -unsigned -_gnutls_kx_supports_pk_usage(gnutls_kx_algorithm_t kx_algorithm, - gnutls_pk_algorithm_t pk_algorithm, - unsigned int key_usage) +unsigned _gnutls_kx_supports_pk_usage(gnutls_kx_algorithm_t kx_algorithm, + gnutls_pk_algorithm_t pk_algorithm, + unsigned int key_usage) { const gnutls_pk_map *p; for (p = pk_mappings; p->kx_algorithm != 0; p++) { - if (p->kx_algorithm == kx_algorithm - && p->pk_algorithm == pk_algorithm) { + if (p->kx_algorithm == kx_algorithm && + p->pk_algorithm == pk_algorithm) { if (key_usage == 0) return 1; - else if (p->encipher_type == CIPHER_SIGN - && (key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE)) + else if (p->encipher_type == CIPHER_SIGN && + (key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE)) return 1; - else if (p->encipher_type == CIPHER_ENCRYPT - && (key_usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) + else if (p->encipher_type == CIPHER_ENCRYPT && + (key_usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) return 1; else return 0; 
@@ -114,63 +115,103 @@ struct gnutls_pk_entry { const char *name; const char *oid; gnutls_pk_algorithm_t id; - gnutls_ecc_curve_t curve; /* to map PK to specific OID, we need to know the curve for EdDSA */ - bool no_prehashed; /* non-zero if the algorithm cannot sign pre-hashed data */ + gnutls_ecc_curve_t + curve; /* to map PK to specific OID, we need to know the curve for EdDSA */ + bool no_prehashed; /* non-zero if the algorithm cannot sign pre-hashed data */ }; typedef struct gnutls_pk_entry gnutls_pk_entry; static const gnutls_pk_entry pk_algorithms[] = { /* having duplicate entries is ok, as long as the one * we want to return OID from is first */ - {.name = "RSA",.oid = PK_PKIX1_RSA_OID,.id = GNUTLS_PK_RSA, - .curve = GNUTLS_ECC_CURVE_INVALID}, - {.name = "RSA-PSS",.oid = PK_PKIX1_RSA_PSS_OID,.id = GNUTLS_PK_RSA_PSS, - .curve = GNUTLS_ECC_CURVE_INVALID}, - {.name = "RSA (X.509)",.oid = PK_X509_RSA_OID,.id = GNUTLS_PK_RSA, - .curve = GNUTLS_ECC_CURVE_INVALID}, /* some certificates use this OID for RSA */ - {.name = "RSA-MD5",.oid = SIG_RSA_MD5_OID,.id = GNUTLS_PK_RSA, - .curve = GNUTLS_ECC_CURVE_INVALID}, /* some other broken certificates set RSA with MD5 as an indicator of RSA */ - {.name = "RSA-SHA1",.oid = SIG_RSA_SHA1_OID,.id = GNUTLS_PK_RSA, - .curve = GNUTLS_ECC_CURVE_INVALID}, /* some other broken certificates set RSA with SHA1 as an indicator of RSA */ - {.name = "RSA-SHA1",.oid = ISO_SIG_RSA_SHA1_OID,.id = GNUTLS_PK_RSA, - .curve = GNUTLS_ECC_CURVE_INVALID}, /* some other broken certificates set RSA with SHA1 as an indicator of RSA */ - {.name = "DSA",.oid = PK_DSA_OID,.id = GNUTLS_PK_DSA, - .curve = GNUTLS_ECC_CURVE_INVALID}, - {.name = "GOST R 34.10-2012-512",.oid = PK_GOST_R3410_2012_512_OID,.id = - GNUTLS_PK_GOST_12_512, - .curve = GNUTLS_ECC_CURVE_INVALID}, - {.name = "GOST R 34.10-2012-256",.oid = PK_GOST_R3410_2012_256_OID,.id = - GNUTLS_PK_GOST_12_256, - .curve = GNUTLS_ECC_CURVE_INVALID}, - {.name = "GOST R 34.10-2001",.oid = 
PK_GOST_R3410_2001_OID,.id = - GNUTLS_PK_GOST_01, - .curve = GNUTLS_ECC_CURVE_INVALID}, - {.name = "GOST R 34.10-94",.oid = PK_GOST_R3410_94_OID,.id = - GNUTLS_PK_UNKNOWN, - .curve = GNUTLS_ECC_CURVE_INVALID}, - {.name = "EC/ECDSA",.oid = "1.2.840.10045.2.1",.id = GNUTLS_PK_ECDSA, - .curve = GNUTLS_ECC_CURVE_INVALID}, - {.name = "EdDSA (Ed25519)",.oid = SIG_EDDSA_SHA512_OID,.id = - GNUTLS_PK_EDDSA_ED25519, - .curve = GNUTLS_ECC_CURVE_ED25519,.no_prehashed = 1}, - {.name = "EdDSA (Ed448)",.oid = SIG_ED448_OID,.id = - GNUTLS_PK_EDDSA_ED448, - .curve = GNUTLS_ECC_CURVE_ED448,.no_prehashed = 1}, - {.name = "DH",.oid = NULL,.id = GNUTLS_PK_DH, - .curve = GNUTLS_ECC_CURVE_INVALID}, - {.name = "ECDH (X25519)",.oid = ECDH_X25519_OID,.id = - GNUTLS_PK_ECDH_X25519, - .curve = GNUTLS_ECC_CURVE_X25519}, - {.name = "ECDH (X448)",.oid = ECDH_X448_OID,.id = GNUTLS_PK_ECDH_X448, - .curve = GNUTLS_ECC_CURVE_X448}, - {.name = "UNKNOWN",.oid = NULL,.id = GNUTLS_PK_UNKNOWN, - .curve = GNUTLS_ECC_CURVE_INVALID}, - {0, 0, 0, 0} + { .name = "RSA", + .oid = PK_PKIX1_RSA_OID, + .id = GNUTLS_PK_RSA, + .curve = GNUTLS_ECC_CURVE_INVALID }, + { .name = "RSA-PSS", + .oid = PK_PKIX1_RSA_PSS_OID, + .id = GNUTLS_PK_RSA_PSS, + .curve = GNUTLS_ECC_CURVE_INVALID }, + { .name = "RSA (X.509)", + .oid = PK_X509_RSA_OID, + .id = GNUTLS_PK_RSA, + .curve = + GNUTLS_ECC_CURVE_INVALID }, /* some certificates use this OID for RSA */ + { .name = "RSA-MD5", + .oid = SIG_RSA_MD5_OID, + .id = GNUTLS_PK_RSA, + .curve = + GNUTLS_ECC_CURVE_INVALID }, /* some other broken certificates set RSA with MD5 as an indicator of RSA */ + { .name = "RSA-SHA1", + .oid = SIG_RSA_SHA1_OID, + .id = GNUTLS_PK_RSA, + .curve = + GNUTLS_ECC_CURVE_INVALID }, /* some other broken certificates set RSA with SHA1 as an indicator of RSA */ + { .name = "RSA-SHA1", + .oid = ISO_SIG_RSA_SHA1_OID, + .id = GNUTLS_PK_RSA, + .curve = + GNUTLS_ECC_CURVE_INVALID }, /* some other broken certificates set RSA with SHA1 as an indicator of RSA */ + { 
.name = "DSA", + .oid = PK_DSA_OID, + .id = GNUTLS_PK_DSA, + .curve = GNUTLS_ECC_CURVE_INVALID }, + { .name = "GOST R 34.10-2012-512", + .oid = PK_GOST_R3410_2012_512_OID, + .id = GNUTLS_PK_GOST_12_512, + .curve = GNUTLS_ECC_CURVE_INVALID }, + { .name = "GOST R 34.10-2012-256", + .oid = PK_GOST_R3410_2012_256_OID, + .id = GNUTLS_PK_GOST_12_256, + .curve = GNUTLS_ECC_CURVE_INVALID }, + { .name = "GOST R 34.10-2001", + .oid = PK_GOST_R3410_2001_OID, + .id = GNUTLS_PK_GOST_01, + .curve = GNUTLS_ECC_CURVE_INVALID }, + { .name = "GOST R 34.10-94", + .oid = PK_GOST_R3410_94_OID, + .id = GNUTLS_PK_UNKNOWN, + .curve = GNUTLS_ECC_CURVE_INVALID }, + { .name = "EC/ECDSA", + .oid = "1.2.840.10045.2.1", + .id = GNUTLS_PK_ECDSA, + .curve = GNUTLS_ECC_CURVE_INVALID }, + { .name = "EdDSA (Ed25519)", + .oid = SIG_EDDSA_SHA512_OID, + .id = GNUTLS_PK_EDDSA_ED25519, + .curve = GNUTLS_ECC_CURVE_ED25519, + .no_prehashed = 1 }, + { .name = "EdDSA (Ed448)", + .oid = SIG_ED448_OID, + .id = GNUTLS_PK_EDDSA_ED448, + .curve = GNUTLS_ECC_CURVE_ED448, + .no_prehashed = 1 }, + { .name = "DH", + .oid = NULL, + .id = GNUTLS_PK_DH, + .curve = GNUTLS_ECC_CURVE_INVALID }, + { .name = "ECDH (X25519)", + .oid = ECDH_X25519_OID, + .id = GNUTLS_PK_ECDH_X25519, + .curve = GNUTLS_ECC_CURVE_X25519 }, + { .name = "ECDH (X448)", + .oid = ECDH_X448_OID, + .id = GNUTLS_PK_ECDH_X448, + .curve = GNUTLS_ECC_CURVE_X448 }, + { .name = "UNKNOWN", + .oid = NULL, + .id = GNUTLS_PK_UNKNOWN, + .curve = GNUTLS_ECC_CURVE_INVALID }, + { 0, 0, 0, 0 } }; -#define GNUTLS_PK_LOOP(b) \ - { const gnutls_pk_entry *p; \ - for(p = pk_algorithms; p->name != NULL; p++) { b ; } } +#define GNUTLS_PK_LOOP(b) \ + { \ + const gnutls_pk_entry *p; \ + for (p = pk_algorithms; p->name != NULL; p++) { \ + b; \ + } \ + } /** * gnutls_pk_algorithm_get_name: 
@@ -186,8 +227,9 @@ const char *gnutls_pk_algorithm_get_name(gnutls_pk_algorithm_t algorithm)
 const char *ret = NULL;
 GNUTLS_PK_LOOP(if (p->id == algorithm) {
- ret = p->name; break;}
- ) ;
+ ret = p->name;
+ break;
+ });
 return ret;
 }
@@ -211,11 +253,12 @@ const gnutls_pk_algorithm_t *gnutls_pk_list(void)
 if (supported_pks[0] == 0) {
 int i = 0;
- GNUTLS_PK_LOOP(if (p->id != GNUTLS_PK_UNKNOWN &&
- supported_pks[i > 0 ? (i - 1) : 0] != p->id
- && _gnutls_pk_exists(p->id)) {
- supported_pks[i++] = p->id;}
- ) ;
+ GNUTLS_PK_LOOP(
+ if (p->id != GNUTLS_PK_UNKNOWN &&
+ supported_pks[i > 0 ? (i - 1) : 0] != p->id &&
+ _gnutls_pk_exists(p->id)) {
+ supported_pks[i++] = p->id;
+ });
 supported_pks[i++] = 0;
 }
@@ -361,7 +404,7 @@ const char *gnutls_pk_get_oid(gnutls_pk_algorithm_t algorithm)
 * Since: 3.6.0
 -*/
 gnutls_pk_algorithm_t _gnutls_oid_to_pk_and_curve(const char *oid,
- gnutls_ecc_curve_t * curve)
+ gnutls_ecc_curve_t *curve)
 {
 gnutls_pk_algorithm_t ret = GNUTLS_PK_UNKNOWN;
 const gnutls_pk_entry *p;
@@ -389,8 +432,7 @@ enum encipher_type _gnutls_kx_encipher_type(gnutls_kx_algorithm_t kx_algorithm)
 {
 int ret = CIPHER_IGN;
 GNUTLS_PK_MAP_ALG_LOOP(ret = p->encipher_type)
- return ret;
-
+ return ret;
 }
 bool _gnutls_pk_are_compat(gnutls_pk_algorithm_t pk1, gnutls_pk_algorithm_t pk2)
diff --git a/lib/algorithms/secparams.c b/lib/algorithms/secparams.c
index 60fa9d38f5..a1268bbc78 100644
--- a/lib/algorithms/secparams.c
+++ b/lib/algorithms/secparams.c
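Review bot: The duplicate filter in gnutls_pk_list(), `supported_pks[i > 0 ? (i - 1) : 0] != p->id`, compares only with the entry written last, so an id that recurs after a different id is listed twice. With the pk_algorithms order in this file (RSA, RSA-PSS, then RSA (X.509)) the list would carry GNUTLS_PK_RSA on both sides of GNUTLS_PK_RSA_PSS, assuming _gnutls_pk_exists() accepts both. Scanning the prefix already written, as sketched below, removes that dependence on table order; the extra entries also count against the capacity of supported_pks, whose declaration is outside the hunk.

```c
		int i = 0;

		GNUTLS_PK_LOOP(
			if (p->id != GNUTLS_PK_UNKNOWN &&
			    _gnutls_pk_exists(p->id)) {
				int j;

				/* skip any id already listed, not only the previous one */
				for (j = 0; j < i; j++)
					if (supported_pks[j] == p->id)
						break;
				if (j == i)
					supported_pks[i++] = p->id;
			});
		/* ... unchanged: terminating supported_pks[i++] = 0 ... */
```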
@@ -28,34 +28,35 @@ typedef struct { const char *name; gnutls_sec_param_t sec_param; - unsigned int bits; /* security level */ - unsigned int pk_bits; /* DH, RSA, SRP */ - unsigned int dsa_bits; /* bits for DSA. Handled differently since + unsigned int bits; /* security level */ + unsigned int pk_bits; /* DH, RSA, SRP */ + unsigned int dsa_bits; /* bits for DSA. Handled differently since * choice of key size in DSA is political. */ - unsigned int subgroup_bits; /* subgroup bits */ - unsigned int ecc_bits; /* bits for ECC keys */ + unsigned int subgroup_bits; /* subgroup bits */ + unsigned int ecc_bits; /* bits for ECC keys */ } gnutls_sec_params_entry; static const gnutls_sec_params_entry sec_params[] = { - {"Insecure", GNUTLS_SEC_PARAM_INSECURE, 0, 0, 0, 0, 0}, - {"Export", GNUTLS_SEC_PARAM_EXPORT, 42, 512, 0, 84, 0}, - {"Very weak", GNUTLS_SEC_PARAM_VERY_WEAK, 64, 767, 0, 128, 0}, - {"Weak", GNUTLS_SEC_PARAM_WEAK, 72, 1008, 1008, 160, 160}, + { "Insecure", GNUTLS_SEC_PARAM_INSECURE, 0, 0, 0, 0, 0 }, + { "Export", GNUTLS_SEC_PARAM_EXPORT, 42, 512, 0, 84, 0 }, + { "Very weak", GNUTLS_SEC_PARAM_VERY_WEAK, 64, 767, 0, 128, 0 }, + { "Weak", GNUTLS_SEC_PARAM_WEAK, 72, 1008, 1008, 160, 160 }, #ifdef ENABLE_FIPS140 - {"Low", GNUTLS_SEC_PARAM_LOW, 80, 1024, 1024, 160, 160}, - {"Legacy", GNUTLS_SEC_PARAM_LEGACY, 96, 1024, 1024, 192, 192}, - {"Medium", GNUTLS_SEC_PARAM_MEDIUM, 112, 2048, 2048, 224, 224}, - {"High", GNUTLS_SEC_PARAM_HIGH, 128, 3072, 3072, 256, 256}, + { "Low", GNUTLS_SEC_PARAM_LOW, 80, 1024, 1024, 160, 160 }, + { "Legacy", GNUTLS_SEC_PARAM_LEGACY, 96, 1024, 1024, 192, 192 }, + { "Medium", GNUTLS_SEC_PARAM_MEDIUM, 112, 2048, 2048, 224, 224 }, + { "High", GNUTLS_SEC_PARAM_HIGH, 128, 3072, 3072, 256, 256 }, #else - {"Low", GNUTLS_SEC_PARAM_LOW, 80, 1024, 1024, 160, 160}, /* ENISA-LEGACY */ - {"Legacy", GNUTLS_SEC_PARAM_LEGACY, 96, 1776, 2048, 192, 192}, - {"Medium", GNUTLS_SEC_PARAM_MEDIUM, 112, 2048, 2048, 256, 224}, - {"High", GNUTLS_SEC_PARAM_HIGH, 128, 
3072, 3072, 256, 256}, + { "Low", GNUTLS_SEC_PARAM_LOW, 80, 1024, 1024, 160, + 160 }, /* ENISA-LEGACY */ + { "Legacy", GNUTLS_SEC_PARAM_LEGACY, 96, 1776, 2048, 192, 192 }, + { "Medium", GNUTLS_SEC_PARAM_MEDIUM, 112, 2048, 2048, 256, 224 }, + { "High", GNUTLS_SEC_PARAM_HIGH, 128, 3072, 3072, 256, 256 }, #endif - {"Ultra", GNUTLS_SEC_PARAM_ULTRA, 192, 8192, 8192, 384, 384}, - {"Future", GNUTLS_SEC_PARAM_FUTURE, 256, 15360, 15360, 512, 512}, - {NULL, 0, 0, 0, 0, 0} + { "Ultra", GNUTLS_SEC_PARAM_ULTRA, 192, 8192, 8192, 384, 384 }, + { "Future", GNUTLS_SEC_PARAM_FUTURE, 256, 15360, 15360, 512, 512 }, + { NULL, 0, 0, 0, 0, 0 } }; /** @@ -73,9 +74,8 @@ static const gnutls_sec_params_entry sec_params[] = { * * Since: 2.12.0 **/ -unsigned int -gnutls_sec_param_to_pk_bits(gnutls_pk_algorithm_t algo, - gnutls_sec_param_t param) +unsigned int gnutls_sec_param_to_pk_bits(gnutls_pk_algorithm_t algo, + gnutls_sec_param_t param) { unsigned int ret = 0; const gnutls_sec_params_entry *p; @@ -201,8 +201,8 @@ const char *gnutls_sec_param_get_name(gnutls_sec_param_t param) * * Since: 2.12.0 **/ -gnutls_sec_param_t -gnutls_pk_bits_to_sec_param(gnutls_pk_algorithm_t algo, unsigned int bits) +gnutls_sec_param_t gnutls_pk_bits_to_sec_param(gnutls_pk_algorithm_t algo, + unsigned int bits) { gnutls_sec_param_t ret = GNUTLS_SEC_PARAM_INSECURE; const gnutls_sec_params_entry *p; diff --git a/lib/algorithms/sign.c b/lib/algorithms/sign.c index 7f0e6ae934..9e1356dfd7 100644 --- a/lib/algorithms/sign.c +++ b/lib/algorithms/sign.c 
@@ -33,109 +33,110 @@ */ #ifdef ALLOW_SHA1 -# define SHA1_SECURE_VAL _SECURE +#define SHA1_SECURE_VAL _SECURE #else -# define SHA1_SECURE_VAL _INSECURE_FOR_CERTS +#define SHA1_SECURE_VAL _INSECURE_FOR_CERTS #endif static SYSTEM_CONFIG_OR_CONST gnutls_sign_entry_st sign_algorithms[] = { /* RSA-PKCS#1 1.5: must be before PSS, * so that gnutls_pk_to_sign() will return * these first for backwards compatibility. */ - {.name = "RSA-SHA256", - .oid = SIG_RSA_SHA256_OID, - .id = GNUTLS_SIGN_RSA_SHA256, - .pk = GNUTLS_PK_RSA, - .hash = GNUTLS_DIG_SHA256, - .aid = {{4, 1}, SIG_SEM_DEFAULT}}, - {.name = "RSA-SHA384", - .oid = SIG_RSA_SHA384_OID, - .id = GNUTLS_SIGN_RSA_SHA384, - .pk = GNUTLS_PK_RSA, - .hash = GNUTLS_DIG_SHA384, - .aid = {{5, 1}, SIG_SEM_DEFAULT}}, - {.name = "RSA-SHA512", - .oid = SIG_RSA_SHA512_OID, - .id = GNUTLS_SIGN_RSA_SHA512, - .pk = GNUTLS_PK_RSA, - .hash = GNUTLS_DIG_SHA512, - .aid = {{6, 1}, SIG_SEM_DEFAULT}}, + { .name = "RSA-SHA256", + .oid = SIG_RSA_SHA256_OID, + .id = GNUTLS_SIGN_RSA_SHA256, + .pk = GNUTLS_PK_RSA, + .hash = GNUTLS_DIG_SHA256, + .aid = { { 4, 1 }, SIG_SEM_DEFAULT } }, + { .name = "RSA-SHA384", + .oid = SIG_RSA_SHA384_OID, + .id = GNUTLS_SIGN_RSA_SHA384, + .pk = GNUTLS_PK_RSA, + .hash = GNUTLS_DIG_SHA384, + .aid = { { 5, 1 }, SIG_SEM_DEFAULT } }, + { .name = "RSA-SHA512", + .oid = SIG_RSA_SHA512_OID, + .id = GNUTLS_SIGN_RSA_SHA512, + .pk = GNUTLS_PK_RSA, + .hash = GNUTLS_DIG_SHA512, + .aid = { { 6, 1 }, SIG_SEM_DEFAULT } }, /* RSA-PSS */ - {.name = "RSA-PSS-SHA256", - .oid = PK_PKIX1_RSA_PSS_OID, - .id = GNUTLS_SIGN_RSA_PSS_SHA256, - .pk = GNUTLS_PK_RSA_PSS, - .priv_pk = GNUTLS_PK_RSA, /* PKCS#11 doesn't separate RSA from RSA-PSS privkeys */ - .hash = GNUTLS_DIG_SHA256, - .flags = GNUTLS_SIGN_FLAG_TLS13_OK, - .aid = {{8, 9}, SIG_SEM_DEFAULT}}, - {.name = "RSA-PSS-RSAE-SHA256", - .oid = PK_PKIX1_RSA_PSS_OID, - .id = GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, - .pk = GNUTLS_PK_RSA_PSS, - .cert_pk = GNUTLS_PK_RSA, - .priv_pk = GNUTLS_PK_RSA, - 
.hash = GNUTLS_DIG_SHA256, - .flags = GNUTLS_SIGN_FLAG_TLS13_OK, - .aid = {{8, 4}, SIG_SEM_DEFAULT}}, - {.name = "RSA-PSS-SHA384", - .oid = PK_PKIX1_RSA_PSS_OID, - .id = GNUTLS_SIGN_RSA_PSS_SHA384, - .pk = GNUTLS_PK_RSA_PSS, - .priv_pk = GNUTLS_PK_RSA, - .hash = GNUTLS_DIG_SHA384, - .flags = GNUTLS_SIGN_FLAG_TLS13_OK, - .aid = {{8, 0x0A}, SIG_SEM_DEFAULT}}, - {.name = "RSA-PSS-RSAE-SHA384", - .oid = PK_PKIX1_RSA_PSS_OID, - .id = GNUTLS_SIGN_RSA_PSS_RSAE_SHA384, - .pk = GNUTLS_PK_RSA_PSS, - .cert_pk = GNUTLS_PK_RSA, - .priv_pk = GNUTLS_PK_RSA, - .hash = GNUTLS_DIG_SHA384, - .flags = GNUTLS_SIGN_FLAG_TLS13_OK, - .aid = {{8, 5}, SIG_SEM_DEFAULT}}, - {.name = "RSA-PSS-SHA512", - .oid = PK_PKIX1_RSA_PSS_OID, - .id = GNUTLS_SIGN_RSA_PSS_SHA512, - .pk = GNUTLS_PK_RSA_PSS, - .priv_pk = GNUTLS_PK_RSA, - .hash = GNUTLS_DIG_SHA512, - .flags = GNUTLS_SIGN_FLAG_TLS13_OK, - .aid = {{8, 0x0B}, SIG_SEM_DEFAULT}}, - {.name = "RSA-PSS-RSAE-SHA512", - .oid = PK_PKIX1_RSA_PSS_OID, - .id = GNUTLS_SIGN_RSA_PSS_RSAE_SHA512, - .pk = GNUTLS_PK_RSA_PSS, - .cert_pk = GNUTLS_PK_RSA, - .priv_pk = GNUTLS_PK_RSA, - .hash = GNUTLS_DIG_SHA512, - .flags = GNUTLS_SIGN_FLAG_TLS13_OK, - .aid = {{8, 6}, SIG_SEM_DEFAULT}}, + { .name = "RSA-PSS-SHA256", + .oid = PK_PKIX1_RSA_PSS_OID, + .id = GNUTLS_SIGN_RSA_PSS_SHA256, + .pk = GNUTLS_PK_RSA_PSS, + .priv_pk = + GNUTLS_PK_RSA, /* PKCS#11 doesn't separate RSA from RSA-PSS privkeys */ + .hash = GNUTLS_DIG_SHA256, + .flags = GNUTLS_SIGN_FLAG_TLS13_OK, + .aid = { { 8, 9 }, SIG_SEM_DEFAULT } }, + { .name = "RSA-PSS-RSAE-SHA256", + .oid = PK_PKIX1_RSA_PSS_OID, + .id = GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, + .pk = GNUTLS_PK_RSA_PSS, + .cert_pk = GNUTLS_PK_RSA, + .priv_pk = GNUTLS_PK_RSA, + .hash = GNUTLS_DIG_SHA256, + .flags = GNUTLS_SIGN_FLAG_TLS13_OK, + .aid = { { 8, 4 }, SIG_SEM_DEFAULT } }, + { .name = "RSA-PSS-SHA384", + .oid = PK_PKIX1_RSA_PSS_OID, + .id = GNUTLS_SIGN_RSA_PSS_SHA384, + .pk = GNUTLS_PK_RSA_PSS, + .priv_pk = GNUTLS_PK_RSA, + .hash = 
GNUTLS_DIG_SHA384, + .flags = GNUTLS_SIGN_FLAG_TLS13_OK, + .aid = { { 8, 0x0A }, SIG_SEM_DEFAULT } }, + { .name = "RSA-PSS-RSAE-SHA384", + .oid = PK_PKIX1_RSA_PSS_OID, + .id = GNUTLS_SIGN_RSA_PSS_RSAE_SHA384, + .pk = GNUTLS_PK_RSA_PSS, + .cert_pk = GNUTLS_PK_RSA, + .priv_pk = GNUTLS_PK_RSA, + .hash = GNUTLS_DIG_SHA384, + .flags = GNUTLS_SIGN_FLAG_TLS13_OK, + .aid = { { 8, 5 }, SIG_SEM_DEFAULT } }, + { .name = "RSA-PSS-SHA512", + .oid = PK_PKIX1_RSA_PSS_OID, + .id = GNUTLS_SIGN_RSA_PSS_SHA512, + .pk = GNUTLS_PK_RSA_PSS, + .priv_pk = GNUTLS_PK_RSA, + .hash = GNUTLS_DIG_SHA512, + .flags = GNUTLS_SIGN_FLAG_TLS13_OK, + .aid = { { 8, 0x0B }, SIG_SEM_DEFAULT } }, + { .name = "RSA-PSS-RSAE-SHA512", + .oid = PK_PKIX1_RSA_PSS_OID, + .id = GNUTLS_SIGN_RSA_PSS_RSAE_SHA512, + .pk = GNUTLS_PK_RSA_PSS, + .cert_pk = GNUTLS_PK_RSA, + .priv_pk = GNUTLS_PK_RSA, + .hash = GNUTLS_DIG_SHA512, + .flags = GNUTLS_SIGN_FLAG_TLS13_OK, + .aid = { { 8, 6 }, SIG_SEM_DEFAULT } }, /* Ed25519: The hash algorithm here is set to be SHA512, although that is * an internal detail of Ed25519; we set it, because CMS/PKCS#7 requires * that mapping. */ - {.name = "EdDSA-Ed25519", - .oid = SIG_EDDSA_SHA512_OID, - .id = GNUTLS_SIGN_EDDSA_ED25519, - .pk = GNUTLS_PK_EDDSA_ED25519, - .hash = GNUTLS_DIG_SHA512, - .flags = GNUTLS_SIGN_FLAG_TLS13_OK, - .aid = {{8, 7}, SIG_SEM_DEFAULT}}, + { .name = "EdDSA-Ed25519", + .oid = SIG_EDDSA_SHA512_OID, + .id = GNUTLS_SIGN_EDDSA_ED25519, + .pk = GNUTLS_PK_EDDSA_ED25519, + .hash = GNUTLS_DIG_SHA512, + .flags = GNUTLS_SIGN_FLAG_TLS13_OK, + .aid = { { 8, 7 }, SIG_SEM_DEFAULT } }, /* Ed448: The hash algorithm here is set to be SHAKE256, although that is * an internal detail of Ed448; we set it, because CMS/PKCS#7 requires * that mapping. 
*/ - {.name = "EdDSA-Ed448", - .oid = SIG_ED448_OID, - .id = GNUTLS_SIGN_EDDSA_ED448, - .pk = GNUTLS_PK_EDDSA_ED448, - .hash = GNUTLS_DIG_SHAKE_256, - .flags = GNUTLS_SIGN_FLAG_TLS13_OK, - .aid = {{8, 8}, SIG_SEM_DEFAULT}, - .hash_output_size = 114}, + { .name = "EdDSA-Ed448", + .oid = SIG_ED448_OID, + .id = GNUTLS_SIGN_EDDSA_ED448, + .pk = GNUTLS_PK_EDDSA_ED448, + .hash = GNUTLS_DIG_SHAKE_256, + .flags = GNUTLS_SIGN_FLAG_TLS13_OK, + .aid = { { 8, 8 }, SIG_SEM_DEFAULT }, + .hash_output_size = 114 }, /* ECDSA */ /* The following three signature algorithms 
@@ -147,277 +148,282 @@ static SYSTEM_CONFIG_OR_CONST gnutls_sign_entry_st sign_algorithms[] = { * as an alias to them. */ /* we have intentionally the ECDSA-SHAXXX algorithms first * so that gnutls_pk_to_sign() will return these. */ - {.name = "ECDSA-SHA256", - .oid = "1.2.840.10045.4.3.2", - .id = GNUTLS_SIGN_ECDSA_SHA256, - .pk = GNUTLS_PK_ECDSA, - .hash = GNUTLS_DIG_SHA256, - .aid = {{4, 3}, SIG_SEM_PRE_TLS12}}, - {.name = "ECDSA-SHA384", - .oid = "1.2.840.10045.4.3.3", - .id = GNUTLS_SIGN_ECDSA_SHA384, - .pk = GNUTLS_PK_ECDSA, - .hash = GNUTLS_DIG_SHA384, - .aid = {{5, 3}, SIG_SEM_PRE_TLS12}}, - {.name = "ECDSA-SHA512", - .oid = "1.2.840.10045.4.3.4", - .id = GNUTLS_SIGN_ECDSA_SHA512, - .pk = GNUTLS_PK_ECDSA, - .hash = GNUTLS_DIG_SHA512, - .aid = {{6, 3}, SIG_SEM_PRE_TLS12}}, - - {.name = "ECDSA-SECP256R1-SHA256", - .id = GNUTLS_SIGN_ECDSA_SECP256R1_SHA256, - .pk = GNUTLS_PK_ECDSA, - .curve = GNUTLS_ECC_CURVE_SECP256R1, - .hash = GNUTLS_DIG_SHA256, - .flags = GNUTLS_SIGN_FLAG_TLS13_OK, - .aid = {{4, 3}, SIG_SEM_TLS13}}, - {.name = "ECDSA-SECP384R1-SHA384", - .id = GNUTLS_SIGN_ECDSA_SECP384R1_SHA384, - .pk = GNUTLS_PK_ECDSA, - .curve = GNUTLS_ECC_CURVE_SECP384R1, - .hash = GNUTLS_DIG_SHA384, - .flags = GNUTLS_SIGN_FLAG_TLS13_OK, - .aid = {{5, 3}, SIG_SEM_TLS13}}, - {.name = "ECDSA-SECP521R1-SHA512", - .id = GNUTLS_SIGN_ECDSA_SECP521R1_SHA512, - .pk = GNUTLS_PK_ECDSA, - .curve = GNUTLS_ECC_CURVE_SECP521R1, - .hash = GNUTLS_DIG_SHA512, - .flags = GNUTLS_SIGN_FLAG_TLS13_OK, - .aid = {{6, 3}, SIG_SEM_TLS13}}, + { .name = "ECDSA-SHA256", + .oid = "1.2.840.10045.4.3.2", + .id = GNUTLS_SIGN_ECDSA_SHA256, + .pk = GNUTLS_PK_ECDSA, + .hash = GNUTLS_DIG_SHA256, + .aid = { { 4, 3 }, SIG_SEM_PRE_TLS12 } }, + { .name = "ECDSA-SHA384", + .oid = "1.2.840.10045.4.3.3", + .id = GNUTLS_SIGN_ECDSA_SHA384, + .pk = GNUTLS_PK_ECDSA, + .hash = GNUTLS_DIG_SHA384, + .aid = { { 5, 3 }, SIG_SEM_PRE_TLS12 } }, + { .name = "ECDSA-SHA512", + .oid = "1.2.840.10045.4.3.4", + .id = 
GNUTLS_SIGN_ECDSA_SHA512, + .pk = GNUTLS_PK_ECDSA, + .hash = GNUTLS_DIG_SHA512, + .aid = { { 6, 3 }, SIG_SEM_PRE_TLS12 } }, + + { .name = "ECDSA-SECP256R1-SHA256", + .id = GNUTLS_SIGN_ECDSA_SECP256R1_SHA256, + .pk = GNUTLS_PK_ECDSA, + .curve = GNUTLS_ECC_CURVE_SECP256R1, + .hash = GNUTLS_DIG_SHA256, + .flags = GNUTLS_SIGN_FLAG_TLS13_OK, + .aid = { { 4, 3 }, SIG_SEM_TLS13 } }, + { .name = "ECDSA-SECP384R1-SHA384", + .id = GNUTLS_SIGN_ECDSA_SECP384R1_SHA384, + .pk = GNUTLS_PK_ECDSA, + .curve = GNUTLS_ECC_CURVE_SECP384R1, + .hash = GNUTLS_DIG_SHA384, + .flags = GNUTLS_SIGN_FLAG_TLS13_OK, + .aid = { { 5, 3 }, SIG_SEM_TLS13 } }, + { .name = "ECDSA-SECP521R1-SHA512", + .id = GNUTLS_SIGN_ECDSA_SECP521R1_SHA512, + .pk = GNUTLS_PK_ECDSA, + .curve = GNUTLS_ECC_CURVE_SECP521R1, + .hash = GNUTLS_DIG_SHA512, + .flags = GNUTLS_SIGN_FLAG_TLS13_OK, + .aid = { { 6, 3 }, SIG_SEM_TLS13 } }, /* ECDSA-SHA3 */ - {.name = "ECDSA-SHA3-224", - .oid = SIG_ECDSA_SHA3_224_OID, - .id = GNUTLS_SIGN_ECDSA_SHA3_224, - .pk = GNUTLS_PK_EC, - .hash = GNUTLS_DIG_SHA3_224, - .aid = TLS_SIGN_AID_UNKNOWN}, - {.name = "ECDSA-SHA3-256", - .oid = SIG_ECDSA_SHA3_256_OID, - .id = GNUTLS_SIGN_ECDSA_SHA3_256, - .pk = GNUTLS_PK_EC, - .hash = GNUTLS_DIG_SHA3_256, - .aid = TLS_SIGN_AID_UNKNOWN}, - {.name = "ECDSA-SHA3-384", - .oid = SIG_ECDSA_SHA3_384_OID, - .id = GNUTLS_SIGN_ECDSA_SHA3_384, - .pk = GNUTLS_PK_EC, - .hash = GNUTLS_DIG_SHA3_384, - .aid = TLS_SIGN_AID_UNKNOWN}, - {.name = "ECDSA-SHA3-512", - .oid = SIG_ECDSA_SHA3_512_OID, - .id = GNUTLS_SIGN_ECDSA_SHA3_512, - .pk = GNUTLS_PK_EC, - .hash = GNUTLS_DIG_SHA3_512, - .aid = TLS_SIGN_AID_UNKNOWN}, - {.name = "RSA-SHA3-224", - .oid = SIG_RSA_SHA3_224_OID, - .id = GNUTLS_SIGN_RSA_SHA3_224, - .pk = GNUTLS_PK_RSA, - .hash = GNUTLS_DIG_SHA3_224, - .aid = TLS_SIGN_AID_UNKNOWN}, - {.name = "RSA-SHA3-256", - .oid = SIG_RSA_SHA3_256_OID, - .id = GNUTLS_SIGN_RSA_SHA3_256, - .pk = GNUTLS_PK_RSA, - .hash = GNUTLS_DIG_SHA3_256, - .aid = TLS_SIGN_AID_UNKNOWN}, - {.name 
= "RSA-SHA3-384", - .oid = SIG_RSA_SHA3_384_OID, - .id = GNUTLS_SIGN_RSA_SHA3_384, - .pk = GNUTLS_PK_RSA, - .hash = GNUTLS_DIG_SHA3_384, - .aid = TLS_SIGN_AID_UNKNOWN}, - {.name = "RSA-SHA3-512", - .oid = SIG_RSA_SHA3_512_OID, - .id = GNUTLS_SIGN_RSA_SHA3_512, - .pk = GNUTLS_PK_RSA, - .hash = GNUTLS_DIG_SHA3_512, - .aid = TLS_SIGN_AID_UNKNOWN}, + { .name = "ECDSA-SHA3-224", + .oid = SIG_ECDSA_SHA3_224_OID, + .id = GNUTLS_SIGN_ECDSA_SHA3_224, + .pk = GNUTLS_PK_EC, + .hash = GNUTLS_DIG_SHA3_224, + .aid = TLS_SIGN_AID_UNKNOWN }, + { .name = "ECDSA-SHA3-256", + .oid = SIG_ECDSA_SHA3_256_OID, + .id = GNUTLS_SIGN_ECDSA_SHA3_256, + .pk = GNUTLS_PK_EC, + .hash = GNUTLS_DIG_SHA3_256, + .aid = TLS_SIGN_AID_UNKNOWN }, + { .name = "ECDSA-SHA3-384", + .oid = SIG_ECDSA_SHA3_384_OID, + .id = GNUTLS_SIGN_ECDSA_SHA3_384, + .pk = GNUTLS_PK_EC, + .hash = GNUTLS_DIG_SHA3_384, + .aid = TLS_SIGN_AID_UNKNOWN }, + { .name = "ECDSA-SHA3-512", + .oid = SIG_ECDSA_SHA3_512_OID, + .id = GNUTLS_SIGN_ECDSA_SHA3_512, + .pk = GNUTLS_PK_EC, + .hash = GNUTLS_DIG_SHA3_512, + .aid = TLS_SIGN_AID_UNKNOWN }, + { .name = "RSA-SHA3-224", + .oid = SIG_RSA_SHA3_224_OID, + .id = GNUTLS_SIGN_RSA_SHA3_224, + .pk = GNUTLS_PK_RSA, + .hash = GNUTLS_DIG_SHA3_224, + .aid = TLS_SIGN_AID_UNKNOWN }, + { .name = "RSA-SHA3-256", + .oid = SIG_RSA_SHA3_256_OID, + .id = GNUTLS_SIGN_RSA_SHA3_256, + .pk = GNUTLS_PK_RSA, + .hash = GNUTLS_DIG_SHA3_256, + .aid = TLS_SIGN_AID_UNKNOWN }, + { .name = "RSA-SHA3-384", + .oid = SIG_RSA_SHA3_384_OID, + .id = GNUTLS_SIGN_RSA_SHA3_384, + .pk = GNUTLS_PK_RSA, + .hash = GNUTLS_DIG_SHA3_384, + .aid = TLS_SIGN_AID_UNKNOWN }, + { .name = "RSA-SHA3-512", + .oid = SIG_RSA_SHA3_512_OID, + .id = GNUTLS_SIGN_RSA_SHA3_512, + .pk = GNUTLS_PK_RSA, + .hash = GNUTLS_DIG_SHA3_512, + .aid = TLS_SIGN_AID_UNKNOWN }, /* DSA-SHA3 */ - {.name = "DSA-SHA3-224", - .oid = SIG_DSA_SHA3_224_OID, - .id = GNUTLS_SIGN_DSA_SHA3_224, - .pk = GNUTLS_PK_DSA, - .hash = GNUTLS_DIG_SHA3_224, - .aid = TLS_SIGN_AID_UNKNOWN}, 
- {.name = "DSA-SHA3-256", - .oid = SIG_DSA_SHA3_256_OID, - .id = GNUTLS_SIGN_DSA_SHA3_256, - .pk = GNUTLS_PK_DSA, - .hash = GNUTLS_DIG_SHA3_256, - .aid = TLS_SIGN_AID_UNKNOWN}, - {.name = "DSA-SHA3-384", - .oid = SIG_DSA_SHA3_384_OID, - .id = GNUTLS_SIGN_DSA_SHA3_384, - .pk = GNUTLS_PK_DSA, - .hash = GNUTLS_DIG_SHA3_384, - .aid = TLS_SIGN_AID_UNKNOWN}, - {.name = "DSA-SHA3-512", - .oid = SIG_DSA_SHA3_512_OID, - .id = GNUTLS_SIGN_DSA_SHA3_512, - .pk = GNUTLS_PK_DSA, - .hash = GNUTLS_DIG_SHA3_512, - .aid = TLS_SIGN_AID_UNKNOWN}, + { .name = "DSA-SHA3-224", + .oid = SIG_DSA_SHA3_224_OID, + .id = GNUTLS_SIGN_DSA_SHA3_224, + .pk = GNUTLS_PK_DSA, + .hash = GNUTLS_DIG_SHA3_224, + .aid = TLS_SIGN_AID_UNKNOWN }, + { .name = "DSA-SHA3-256", + .oid = SIG_DSA_SHA3_256_OID, + .id = GNUTLS_SIGN_DSA_SHA3_256, + .pk = GNUTLS_PK_DSA, + .hash = GNUTLS_DIG_SHA3_256, + .aid = TLS_SIGN_AID_UNKNOWN }, + { .name = "DSA-SHA3-384", + .oid = SIG_DSA_SHA3_384_OID, + .id = GNUTLS_SIGN_DSA_SHA3_384, + .pk = GNUTLS_PK_DSA, + .hash = GNUTLS_DIG_SHA3_384, + .aid = TLS_SIGN_AID_UNKNOWN }, + { .name = "DSA-SHA3-512", + .oid = SIG_DSA_SHA3_512_OID, + .id = GNUTLS_SIGN_DSA_SHA3_512, + .pk = GNUTLS_PK_DSA, + .hash = GNUTLS_DIG_SHA3_512, + .aid = TLS_SIGN_AID_UNKNOWN }, /* legacy */ - {.name = "RSA-RAW", - .oid = NULL, - .id = GNUTLS_SIGN_RSA_RAW, - .pk = GNUTLS_PK_RSA, - .hash = GNUTLS_DIG_UNKNOWN, - .aid = TLS_SIGN_AID_UNKNOWN}, - {.name = "RSA-SHA1", - .oid = SIG_RSA_SHA1_OID, - .id = GNUTLS_SIGN_RSA_SHA1, - .pk = GNUTLS_PK_RSA, - .hash = GNUTLS_DIG_SHA1, - .slevel = SHA1_SECURE_VAL, - .aid = {{2, 1}, SIG_SEM_DEFAULT}}, - {.name = "RSA-SHA1", - .oid = ISO_SIG_RSA_SHA1_OID, - .id = GNUTLS_SIGN_RSA_SHA1, - .pk = GNUTLS_PK_RSA, - .slevel = SHA1_SECURE_VAL, - .hash = GNUTLS_DIG_SHA1, - .aid = {{2, 1}, SIG_SEM_DEFAULT}}, - {.name = "RSA-SHA224", - .oid = SIG_RSA_SHA224_OID, - .id = GNUTLS_SIGN_RSA_SHA224, - .pk = GNUTLS_PK_RSA, - .hash = GNUTLS_DIG_SHA224, - .aid = TLS_SIGN_AID_UNKNOWN}, - {.name = 
"RSA-RMD160", - .oid = SIG_RSA_RMD160_OID, - .id = GNUTLS_SIGN_RSA_RMD160, - .pk = GNUTLS_PK_RSA, - .hash = GNUTLS_DIG_RMD160, - .slevel = _INSECURE_FOR_CERTS, - .aid = TLS_SIGN_AID_UNKNOWN}, - {.name = "DSA-SHA1", - .oid = SIG_DSA_SHA1_OID, - .id = GNUTLS_SIGN_DSA_SHA1, - .pk = GNUTLS_PK_DSA, - .slevel = SHA1_SECURE_VAL, - .hash = GNUTLS_DIG_SHA1, - .aid = {{2, 2}, SIG_SEM_PRE_TLS12}}, - {.name = "DSA-SHA1", - .oid = "1.3.14.3.2.27", - .id = GNUTLS_SIGN_DSA_SHA1, - .pk = GNUTLS_PK_DSA, - .hash = GNUTLS_DIG_SHA1, - .slevel = SHA1_SECURE_VAL, - .aid = {{2, 2}, SIG_SEM_PRE_TLS12}}, - {.name = "DSA-SHA224", - .oid = SIG_DSA_SHA224_OID, - .id = GNUTLS_SIGN_DSA_SHA224, - .pk = GNUTLS_PK_DSA, - .hash = GNUTLS_DIG_SHA224, - .aid = TLS_SIGN_AID_UNKNOWN}, - {.name = "DSA-SHA256", - .oid = SIG_DSA_SHA256_OID, - .id = GNUTLS_SIGN_DSA_SHA256, - .pk = GNUTLS_PK_DSA, - .hash = GNUTLS_DIG_SHA256, - .aid = TLS_SIGN_AID_UNKNOWN}, - {.name = "RSA-MD5", - .oid = SIG_RSA_MD5_OID, - .id = GNUTLS_SIGN_RSA_MD5, - .pk = GNUTLS_PK_RSA, - .hash = GNUTLS_DIG_MD5, - .slevel = _INSECURE, - .aid = TLS_SIGN_AID_UNKNOWN}, - {.name = "RSA-MD5", - .oid = "1.3.14.3.2.25", - .id = GNUTLS_SIGN_RSA_MD5, - .pk = GNUTLS_PK_RSA, - .hash = GNUTLS_DIG_MD5, - .slevel = _INSECURE, - .aid = TLS_SIGN_AID_UNKNOWN}, - {.name = "RSA-MD2", - .oid = SIG_RSA_MD2_OID, - .id = GNUTLS_SIGN_RSA_MD2, - .pk = GNUTLS_PK_RSA, - .hash = GNUTLS_DIG_MD2, - .slevel = _INSECURE, - .aid = TLS_SIGN_AID_UNKNOWN}, - {.name = "ECDSA-SHA1", - .oid = "1.2.840.10045.4.1", - .id = GNUTLS_SIGN_ECDSA_SHA1, - .pk = GNUTLS_PK_EC, - .slevel = SHA1_SECURE_VAL, - .hash = GNUTLS_DIG_SHA1, - .aid = {{2, 3}, SIG_SEM_DEFAULT}}, - {.name = "ECDSA-SHA224", - .oid = "1.2.840.10045.4.3.1", - .id = GNUTLS_SIGN_ECDSA_SHA224, - .pk = GNUTLS_PK_EC, - .hash = GNUTLS_DIG_SHA224, - .aid = TLS_SIGN_AID_UNKNOWN}, + { .name = "RSA-RAW", + .oid = NULL, + .id = GNUTLS_SIGN_RSA_RAW, + .pk = GNUTLS_PK_RSA, + .hash = GNUTLS_DIG_UNKNOWN, + .aid = TLS_SIGN_AID_UNKNOWN 
}, + { .name = "RSA-SHA1", + .oid = SIG_RSA_SHA1_OID, + .id = GNUTLS_SIGN_RSA_SHA1, + .pk = GNUTLS_PK_RSA, + .hash = GNUTLS_DIG_SHA1, + .slevel = SHA1_SECURE_VAL, + .aid = { { 2, 1 }, SIG_SEM_DEFAULT } }, + { .name = "RSA-SHA1", + .oid = ISO_SIG_RSA_SHA1_OID, + .id = GNUTLS_SIGN_RSA_SHA1, + .pk = GNUTLS_PK_RSA, + .slevel = SHA1_SECURE_VAL, + .hash = GNUTLS_DIG_SHA1, + .aid = { { 2, 1 }, SIG_SEM_DEFAULT } }, + { .name = "RSA-SHA224", + .oid = SIG_RSA_SHA224_OID, + .id = GNUTLS_SIGN_RSA_SHA224, + .pk = GNUTLS_PK_RSA, + .hash = GNUTLS_DIG_SHA224, + .aid = TLS_SIGN_AID_UNKNOWN }, + { .name = "RSA-RMD160", + .oid = SIG_RSA_RMD160_OID, + .id = GNUTLS_SIGN_RSA_RMD160, + .pk = GNUTLS_PK_RSA, + .hash = GNUTLS_DIG_RMD160, + .slevel = _INSECURE_FOR_CERTS, + .aid = TLS_SIGN_AID_UNKNOWN }, + { .name = "DSA-SHA1", + .oid = SIG_DSA_SHA1_OID, + .id = GNUTLS_SIGN_DSA_SHA1, + .pk = GNUTLS_PK_DSA, + .slevel = SHA1_SECURE_VAL, + .hash = GNUTLS_DIG_SHA1, + .aid = { { 2, 2 }, SIG_SEM_PRE_TLS12 } }, + { .name = "DSA-SHA1", + .oid = "1.3.14.3.2.27", + .id = GNUTLS_SIGN_DSA_SHA1, + .pk = GNUTLS_PK_DSA, + .hash = GNUTLS_DIG_SHA1, + .slevel = SHA1_SECURE_VAL, + .aid = { { 2, 2 }, SIG_SEM_PRE_TLS12 } }, + { .name = "DSA-SHA224", + .oid = SIG_DSA_SHA224_OID, + .id = GNUTLS_SIGN_DSA_SHA224, + .pk = GNUTLS_PK_DSA, + .hash = GNUTLS_DIG_SHA224, + .aid = TLS_SIGN_AID_UNKNOWN }, + { .name = "DSA-SHA256", + .oid = SIG_DSA_SHA256_OID, + .id = GNUTLS_SIGN_DSA_SHA256, + .pk = GNUTLS_PK_DSA, + .hash = GNUTLS_DIG_SHA256, + .aid = TLS_SIGN_AID_UNKNOWN }, + { .name = "RSA-MD5", + .oid = SIG_RSA_MD5_OID, + .id = GNUTLS_SIGN_RSA_MD5, + .pk = GNUTLS_PK_RSA, + .hash = GNUTLS_DIG_MD5, + .slevel = _INSECURE, + .aid = TLS_SIGN_AID_UNKNOWN }, + { .name = "RSA-MD5", + .oid = "1.3.14.3.2.25", + .id = GNUTLS_SIGN_RSA_MD5, + .pk = GNUTLS_PK_RSA, + .hash = GNUTLS_DIG_MD5, + .slevel = _INSECURE, + .aid = TLS_SIGN_AID_UNKNOWN }, + { .name = "RSA-MD2", + .oid = SIG_RSA_MD2_OID, + .id = GNUTLS_SIGN_RSA_MD2, + .pk = 
GNUTLS_PK_RSA, + .hash = GNUTLS_DIG_MD2, + .slevel = _INSECURE, + .aid = TLS_SIGN_AID_UNKNOWN }, + { .name = "ECDSA-SHA1", + .oid = "1.2.840.10045.4.1", + .id = GNUTLS_SIGN_ECDSA_SHA1, + .pk = GNUTLS_PK_EC, + .slevel = SHA1_SECURE_VAL, + .hash = GNUTLS_DIG_SHA1, + .aid = { { 2, 3 }, SIG_SEM_DEFAULT } }, + { .name = "ECDSA-SHA224", + .oid = "1.2.840.10045.4.3.1", + .id = GNUTLS_SIGN_ECDSA_SHA224, + .pk = GNUTLS_PK_EC, + .hash = GNUTLS_DIG_SHA224, + .aid = TLS_SIGN_AID_UNKNOWN }, /* GOST R 34.10-2012-512 */ - {.name = "GOSTR341012-512", - .oid = SIG_GOST_R3410_2012_512_OID, - .id = GNUTLS_SIGN_GOST_512, - .pk = GNUTLS_PK_GOST_12_512, - .hash = GNUTLS_DIG_STREEBOG_512, - .flags = GNUTLS_SIGN_FLAG_CRT_VRFY_REVERSE, - .aid = {{8, 65}, SIG_SEM_PRE_TLS12}}, + { .name = "GOSTR341012-512", + .oid = SIG_GOST_R3410_2012_512_OID, + .id = GNUTLS_SIGN_GOST_512, + .pk = GNUTLS_PK_GOST_12_512, + .hash = GNUTLS_DIG_STREEBOG_512, + .flags = GNUTLS_SIGN_FLAG_CRT_VRFY_REVERSE, + .aid = { { 8, 65 }, SIG_SEM_PRE_TLS12 } }, /* GOST R 34.10-2012-256 */ - {.name = "GOSTR341012-256", - .oid = SIG_GOST_R3410_2012_256_OID, - .id = GNUTLS_SIGN_GOST_256, - .pk = GNUTLS_PK_GOST_12_256, - .hash = GNUTLS_DIG_STREEBOG_256, - .flags = GNUTLS_SIGN_FLAG_CRT_VRFY_REVERSE, - .aid = {{8, 64}, SIG_SEM_PRE_TLS12}}, + { .name = "GOSTR341012-256", + .oid = SIG_GOST_R3410_2012_256_OID, + .id = GNUTLS_SIGN_GOST_256, + .pk = GNUTLS_PK_GOST_12_256, + .hash = GNUTLS_DIG_STREEBOG_256, + .flags = GNUTLS_SIGN_FLAG_CRT_VRFY_REVERSE, + .aid = { { 8, 64 }, SIG_SEM_PRE_TLS12 } }, /* GOST R 34.10-2001 */ - {.name = "GOSTR341001", - .oid = SIG_GOST_R3410_2001_OID, - .id = GNUTLS_SIGN_GOST_94, - .pk = GNUTLS_PK_GOST_01, - .hash = GNUTLS_DIG_GOSTR_94, - .flags = GNUTLS_SIGN_FLAG_CRT_VRFY_REVERSE, - .aid = TLS_SIGN_AID_UNKNOWN}, + { .name = "GOSTR341001", + .oid = SIG_GOST_R3410_2001_OID, + .id = GNUTLS_SIGN_GOST_94, + .pk = GNUTLS_PK_GOST_01, + .hash = GNUTLS_DIG_GOSTR_94, + .flags = GNUTLS_SIGN_FLAG_CRT_VRFY_REVERSE, + 
.aid = TLS_SIGN_AID_UNKNOWN }, /* GOST R 34.10-94 */ - {.name = "GOSTR341094", - .oid = SIG_GOST_R3410_94_OID, - .id = 0, - .pk = 0, - .hash = 0, - .aid = TLS_SIGN_AID_UNKNOWN}, - {.name = "DSA-SHA384", - .oid = SIG_DSA_SHA384_OID, - .id = GNUTLS_SIGN_DSA_SHA384, - .pk = GNUTLS_PK_DSA, - .hash = GNUTLS_DIG_SHA384, - .aid = TLS_SIGN_AID_UNKNOWN}, - {.name = "DSA-SHA512", - .oid = SIG_DSA_SHA512_OID, - .id = GNUTLS_SIGN_DSA_SHA512, - .pk = GNUTLS_PK_DSA, - .hash = GNUTLS_DIG_SHA512, - .aid = TLS_SIGN_AID_UNKNOWN}, - - {.name = 0, - .oid = 0, - .id = 0, - .pk = 0, - .hash = 0, - .aid = TLS_SIGN_AID_UNKNOWN} + { .name = "GOSTR341094", + .oid = SIG_GOST_R3410_94_OID, + .id = 0, + .pk = 0, + .hash = 0, + .aid = TLS_SIGN_AID_UNKNOWN }, + { .name = "DSA-SHA384", + .oid = SIG_DSA_SHA384_OID, + .id = GNUTLS_SIGN_DSA_SHA384, + .pk = GNUTLS_PK_DSA, + .hash = GNUTLS_DIG_SHA384, + .aid = TLS_SIGN_AID_UNKNOWN }, + { .name = "DSA-SHA512", + .oid = SIG_DSA_SHA512_OID, + .id = GNUTLS_SIGN_DSA_SHA512, + .pk = GNUTLS_PK_DSA, + .hash = GNUTLS_DIG_SHA512, + .aid = TLS_SIGN_AID_UNKNOWN }, + + { .name = 0, + .oid = 0, + .id = 0, + .pk = 0, + .hash = 0, + .aid = TLS_SIGN_AID_UNKNOWN } }; -#define GNUTLS_SIGN_LOOP(b) \ - do { \ - const gnutls_sign_entry_st *p; \ - for(p = sign_algorithms; p->name != NULL; p++) { b ; } \ - } while (0) +#define GNUTLS_SIGN_LOOP(b) \ + do { \ + const gnutls_sign_entry_st *p; \ + for (p = sign_algorithms; p->name != NULL; p++) { \ + b; \ + } \ + } while (0) -#define GNUTLS_SIGN_ALG_LOOP(a) \ - GNUTLS_SIGN_LOOP( if(p->id && p->id == sign) { a; break; } ) +#define GNUTLS_SIGN_ALG_LOOP(a) \ + GNUTLS_SIGN_LOOP(if (p->id && p->id == sign) { \ + a; \ + break; \ + }) /** * gnutls_sign_get_name: 
@@ -450,24 +456,23 @@ unsigned gnutls_sign_is_secure(gnutls_sign_algorithm_t algorithm) return gnutls_sign_is_secure2(algorithm, 0); } -bool _gnutls_sign_is_secure2(const gnutls_sign_entry_st * se, - unsigned int flags) +bool _gnutls_sign_is_secure2(const gnutls_sign_entry_st *se, unsigned int flags) { if (se->hash != GNUTLS_DIG_UNKNOWN && - _gnutls_digest_is_insecure2(se->hash, - flags & - GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE - ? - GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE - : 0)) { + _gnutls_digest_is_insecure2( + se->hash, + flags & GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE ? + GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE : + 0)) { return gnutls_assert_val(false); } return (flags & GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS ? - se->slevel == _SECURE : - (se->slevel == _SECURE || se->slevel == _INSECURE_FOR_CERTS)) || - (flags & GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE && - se->flags & GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE); + se->slevel == _SECURE : + (se->slevel == _SECURE || + se->slevel == _INSECURE_FOR_CERTS)) || + (flags & GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE && + se->flags & GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE); } /* This is only called by cfg_apply in priority.c, in blocklisting mode. */ @@ -505,18 +510,18 @@ void _gnutls_sign_mark_insecure_all(hash_security_level_t level) #endif } -int -_gnutls_sign_set_secure(gnutls_sign_algorithm_t sign, - hash_security_level_t slevel) +int _gnutls_sign_set_secure(gnutls_sign_algorithm_t sign, + hash_security_level_t slevel) { #ifndef DISABLE_SYSTEM_CONFIG gnutls_sign_entry_st *p; for (p = sign_algorithms; p->name != NULL; p++) { if (p->id && p->id == sign) { - if (!(p->flags & GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE)) { - return - gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + if (!(p->flags & + GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE)) { + return gnutls_assert_val( + GNUTLS_E_INVALID_REQUEST); } p->slevel = slevel; return 0; 
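Review bot: In `_gnutls_sign_is_secure2` the flag tests still rely on `&` binding tighter than `?:` and `&&`; after the re-wrap both the ternary condition `flags & GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE ?` and the final `flags & ... && se->flags & ...` clause remain unparenthesised. The evaluation is correct as written, but this predicate decides whether a signature algorithm is accepted, so the grouping is worth spelling out: `(flags & GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS) ? ... : ...` and `((flags & GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE) && (se->flags & GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE))`. A short comment above the `return` would also help, for example `/* a revertible entry is accepted under ALLOW_INSECURE_REVERTIBLE regardless of slevel */`.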
@@ -563,13 +568,13 @@ const gnutls_sign_algorithm_t *gnutls_sign_list(void) int i = 0; GNUTLS_SIGN_LOOP( - /* list all algorithms, but not duplicates */ - if (supported_sign[i] != p->id && - _gnutls_pk_sign_exists(p->id)) { - assert(i + 1 < MAX_ALGOS); - supported_sign[i++] = p->id; - supported_sign[i + 1] = 0;} - ) ; + /* list all algorithms, but not duplicates */ + if (supported_sign[i] != p->id && + _gnutls_pk_sign_exists(p->id)) { + assert(i + 1 < MAX_ALGOS); + supported_sign[i++] = p->id; + supported_sign[i + 1] = 0; + }); } return supported_sign; @@ -589,18 +594,16 @@ gnutls_sign_algorithm_t gnutls_sign_get_id(const char *name) gnutls_sign_algorithm_t ret = GNUTLS_SIGN_UNKNOWN; GNUTLS_SIGN_LOOP(if (c_strcasecmp(p->name, name) == 0) { - ret = p->id; break;} - ) ; + ret = p->id; + break; + }); return ret; - } const gnutls_sign_entry_st *_gnutls_oid_to_sign_entry(const char *oid) { - GNUTLS_SIGN_LOOP(if (p->oid && strcmp(oid, p->oid) == 0) { - return p;} - ) ; + GNUTLS_SIGN_LOOP(if (p->oid && strcmp(oid, p->oid) == 0) { return p; }); return NULL; } @@ -627,13 +630,11 @@ gnutls_sign_algorithm_t gnutls_oid_to_sign(const char *oid) return se->id; } -const gnutls_sign_entry_st *_gnutls_pk_to_sign_entry(gnutls_pk_algorithm_t pk, - gnutls_digest_algorithm_t - hash) +const gnutls_sign_entry_st * +_gnutls_pk_to_sign_entry(gnutls_pk_algorithm_t pk, + gnutls_digest_algorithm_t hash) { - GNUTLS_SIGN_LOOP(if (pk == p->pk && hash == p->hash) { - return p;} - ) ; + GNUTLS_SIGN_LOOP(if (pk == p->pk && hash == p->hash) { return p; }); return NULL; } @@ -648,8 +649,8 @@ const gnutls_sign_entry_st *_gnutls_pk_to_sign_entry(gnutls_pk_algorithm_t pk, * * Returns: return a #gnutls_sign_algorithm_t value, or %GNUTLS_SIGN_UNKNOWN on error. **/ -gnutls_sign_algorithm_t -gnutls_pk_to_sign(gnutls_pk_algorithm_t pk, gnutls_digest_algorithm_t hash) +gnutls_sign_algorithm_t gnutls_pk_to_sign(gnutls_pk_algorithm_t pk, + gnutls_digest_algorithm_t hash) { const gnutls_sign_entry_st *e; 
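Review bot: In the `gnutls_sign_list` hunk the terminator store `supported_sign[i + 1] = 0;` runs after `supported_sign[i++] = p->id;`, so it lands two slots past the entry just written, while `assert(i + 1 < MAX_ALGOS)` was evaluated before the increment and covers only one slot past it (and is compiled out under `NDEBUG`). Whether the highest index reached is still inside the array depends on the declaration of `supported_sign`, which sits with the function's opening lines outside this hunk. The duplicate filter `supported_sign[i] != p->id` also reads the slot that has not been filled yet rather than the previous entry, so adjacent rows sharing an id in the table (for example the two `RSA-SHA1` entries) do not appear to be skipped. Suggested: `if ((i == 0 || supported_sign[i - 1] != p->id) && _gnutls_pk_sign_exists(p->id)) {` for the test and `supported_sign[i] = 0;` for the terminator after the increment.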
@@ -735,9 +736,8 @@ gnutls_pk_algorithm_t gnutls_sign_get_pk_algorithm(gnutls_sign_algorithm_t sign) * * Returns: return non-zero when the provided algorithms are compatible. **/ -unsigned -gnutls_sign_supports_pk_algorithm(gnutls_sign_algorithm_t sign, - gnutls_pk_algorithm_t pk) +unsigned gnutls_sign_supports_pk_algorithm(gnutls_sign_algorithm_t sign, + gnutls_pk_algorithm_t pk) { const gnutls_sign_entry_st *p; unsigned r; @@ -753,20 +753,19 @@ gnutls_sign_supports_pk_algorithm(gnutls_sign_algorithm_t sign, return 0; } -gnutls_sign_algorithm_t -_gnutls_tls_aid_to_sign(uint8_t id0, uint8_t id1, const version_entry_st * ver) +gnutls_sign_algorithm_t _gnutls_tls_aid_to_sign(uint8_t id0, uint8_t id1, + const version_entry_st *ver) { gnutls_sign_algorithm_t ret = GNUTLS_SIGN_UNKNOWN; if (id0 == 255 && id1 == 255) return ret; - GNUTLS_SIGN_LOOP(if (p->aid.id[0] == id0 && - p->aid.id[1] == id1 && + GNUTLS_SIGN_LOOP(if (p->aid.id[0] == id0 && p->aid.id[1] == id1 && ((p->aid.tls_sem & ver->tls_sig_sem) != 0)) { - - ret = p->id; break;} - ) ; + ret = p->id; + break; + }); return ret; } 
@@ -794,32 +793,26 @@ const gnutls_sign_entry_st *_gnutls_sign_to_entry(gnutls_sign_algorithm_t sign) return ret; } -const gnutls_sign_entry_st *_gnutls_tls_aid_to_sign_entry(uint8_t id0, - uint8_t id1, - const version_entry_st - * ver) +const gnutls_sign_entry_st * +_gnutls_tls_aid_to_sign_entry(uint8_t id0, uint8_t id1, + const version_entry_st *ver) { if (id0 == 255 && id1 == 255) return NULL; - GNUTLS_SIGN_LOOP(if (p->aid.id[0] == id0 && - p->aid.id[1] == id1 && - ((p->aid.tls_sem & ver->tls_sig_sem) != 0)) { - - return p;} - ) ; + GNUTLS_SIGN_LOOP( + if (p->aid.id[0] == id0 && p->aid.id[1] == id1 && + ((p->aid.tls_sem & ver->tls_sig_sem) != 0)) { return p; }); return NULL; } -const gnutls_sign_entry_st - * _gnutls13_sign_get_compatible_with_privkey(gnutls_privkey_t privkey) +const gnutls_sign_entry_st * +_gnutls13_sign_get_compatible_with_privkey(gnutls_privkey_t privkey) { GNUTLS_SIGN_LOOP(if ((p->flags & GNUTLS_SIGN_FLAG_TLS13_OK) && - _gnutls_privkey_compatible_with_sig(privkey, - p->id)) { - return p;} - ) ; + _gnutls_privkey_compatible_with_sig( + privkey, p->id)) { return p; }); return NULL; } |