{"AES-256-CBC", GNUTLS_CIPHER_AES_256_CBC, 16, 32, CIPHER_BLOCK, 16, 0, 0},
{"AES-192-CBC", GNUTLS_CIPHER_AES_192_CBC, 16, 24, CIPHER_BLOCK, 16, 0, 0},
{"AES-128-CBC", GNUTLS_CIPHER_AES_128_CBC, 16, 16, CIPHER_BLOCK, 16, 0, 0},
- {"AES-128-GCM", GNUTLS_CIPHER_AES_128_GCM, 16, 16, CIPHER_STREAM, 4, 0, 1},
+ {"AES-128-GCM", GNUTLS_CIPHER_AES_128_GCM, 16, 16, CIPHER_STREAM, AEAD_IMPLICIT_DATA_SIZE, 0, 1},
{"3DES-CBC", GNUTLS_CIPHER_3DES_CBC, 8, 24, CIPHER_BLOCK, 8, 0, 0},
{"DES-CBC", GNUTLS_CIPHER_DES_CBC, 8, 8, CIPHER_BLOCK, 8, 0, 0},
{"ARCFOUR-128", GNUTLS_CIPHER_ARCFOUR_128, 1, 16, CIPHER_STREAM, 0, 0, 0},
/* GCM: RFC5288 */
#define GNUTLS_RSA_AES_128_GCM_SHA256 { 0x00, 0x9C }
+#define GNUTLS_DHE_RSA_WITH_AES_128_GCM_SHA256 {0x00,0x9E}
+#define GNUTLS_DHE_DSS_WITH_AES_128_GCM_SHA256 {0x00,0xA2}
+#define GNUTLS_DH_ANON_WITH_AES_128_GCM_SHA256 {0x00,0xA6}
/* Safe renegotiation */
GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_RSA,
GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
GNUTLS_VERSION_MAX),
+ GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+ GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_DHE_RSA,
+ GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
+ GNUTLS_VERSION_MAX),
+ GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
+ GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_DHE_DSS,
+ GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
+ GNUTLS_VERSION_MAX),
+ GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_DH_ANON_WITH_AES_128_GCM_SHA256,
+ GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_ANON_DH,
+ GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
+ GNUTLS_VERSION_MAX),
/* Renegotiation hack */
GNUTLS_CIPHER_SUITE_ENTRY (GNUTLS_RENEGO_PROTECTION_REQUEST,
GNUTLS_CIPHER_UNKNOWN, GNUTLS_KX_UNKNOWN,
GNUTLS_MAC_UNKNOWN, GNUTLS_SSL3,
GNUTLS_VERSION_MAX),
+
{0, {{0, 0}}, 0, 0, 0, 0, 0}
};
int
_gnutls_version_has_selectable_prf (gnutls_protocol_t version)
{
- return version == GNUTLS_TLS1_2;
+ switch (version)
+ {
+ case GNUTLS_TLS1_1:
+ case GNUTLS_TLS1_0:
+ case GNUTLS_SSL3:
+ return 0;
+ default:
+ return 1;
+ }
}
/* This function determines if the version specified has selectable
int
_gnutls_version_has_selectable_sighash (gnutls_protocol_t version)
{
- return version == GNUTLS_TLS1_2;
+ switch (version)
+ {
+ case GNUTLS_TLS1_1:
+ case GNUTLS_TLS1_0:
+ case GNUTLS_SSL3:
+ return 0;
+ default:
+ return 1;
+ }
}
/* This function determines if the version specified has support for
{
switch (version)
{
- case GNUTLS_TLS1_0:
- case GNUTLS_TLS1_1:
- case GNUTLS_TLS1_2:
- return 1;
- default:
+ case GNUTLS_SSL3:
return 0;
+ default:
+ /* Versions after TLS 1.0 are required to handle extensions.
+ * SSL 3.0 also required extensions to be ignored, but
+ * some earlier draft didn't.
+ */
+ return 1;
}
}
{
switch (version)
{
- case GNUTLS_TLS1_1:
- case GNUTLS_TLS1_2:
- return 1;
- default:
+ case GNUTLS_TLS1_0:
+ case GNUTLS_SSL3:
return 0;
+ default:
+ /* All versions after TLS 1.1 have explicit IV */
+ return 1;
}
}
{
switch (version)
{
- case GNUTLS_TLS1_0:
- case GNUTLS_TLS1_1:
- case GNUTLS_TLS1_2:
- return 1;
- default:
+ case GNUTLS_SSL3:
return 0;
+ default:
+ return 1;
}
}