mod_auth_st *_gnutls_kx_auth_struct(gnutls_kx_algorithm_t algorithm);
int _gnutls_kx_is_ok(gnutls_kx_algorithm_t algorithm);
+int _gnutls_kx_get_id(const char *name);
+
/* Type to KX mappings. */
gnutls_kx_algorithm_t _gnutls_map_kx_get_kx(gnutls_credentials_type_t type,
int server);
* View first: "The order of encryption and authentication for
* protecting communications" by Hugo Krawczyk - CRYPTO 2001
*
- * Make sure to update MAX_CIPHER_BLOCK_SIZE and MAX_CIPHER_KEY_SIZE as well.
+ * On update, make sure to update MAX_CIPHER_BLOCK_SIZE and MAX_CIPHER_KEY_SIZE
+ * as well. If any ciphers are removed, modify the is_legacy() functions
+ * in priority.c.
*/
static const cipher_entry_st algorithms[] = {
{ .name = "AES-256-CBC",
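Review bot: The added sentence "modify the is_legacy() functions in priority.c" names a helper that the priority.c change on this page does not show; the legacy handling visible there goes through `_gnutls_cipher_exists()` and `GNUTLS_KX_INVALID`. If no `is_legacy()` exists in priority.c (not verifiable from this diff), the comment sends the next maintainer to the wrong place. Wording that matches the visible mechanism would be `If any ciphers are removed, make sure priority.c still ignores their names (see the _gnutls_cipher_exists() check there).`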
return NULL;
}
-const cipher_entry_st * cipher_name_to_entry(const char *name)
+/* Returns cipher entry even for ciphers that are not supported,
+ * but are listed (e.g., deprecated ciphers).
+ */
+const cipher_entry_st *cipher_name_to_entry(const char *name)
{
GNUTLS_CIPHER_LOOP(
if (strcasecmp(p->name, name) == 0) {
- if (p->id == GNUTLS_CIPHER_NULL || _gnutls_cipher_exists(p->id))
- return p;
- break;
+ return p;
}
);
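Review bot: With the `_gnutls_cipher_exists(p->id)` filter removed from the `strcasecmp` match, `cipher_name_to_entry()` returns entries for ciphers the backend cannot run, so the availability check becomes every caller's responsibility. The priority.c hunk on this page adds that check, but any other caller (none is visible here) would start accepting unsupported ciphers by name without it. The new comment should state the obligation explicitly, e.g. `Callers must check _gnutls_cipher_exists(entry->id) before using the result.` The function body continues past the end of this hunk.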
{"ECDHE-PSK", GNUTLS_KX_ECDHE_PSK, &ecdhe_psk_auth_struct, 0, GNUTLS_PK_UNKNOWN},
#endif
#endif
+ {"RSA-EXPORT", GNUTLS_KX_INVALID, NULL, 0, GNUTLS_PK_UNKNOWN},
{0, 0, 0, 0, 0}
};
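Review bot: The added `RSA-EXPORT` row carries `GNUTLS_KX_INVALID` as its algorithm and a NULL auth struct, and it sits in the same table that every `GNUTLS_KX_LOOP` user walks. Only the two name lookups later in this diff are shown handling that value. Any other walker that copies `p->algorithm` out of the table, such as a function listing supported key exchanges, would presumably expose the -1 id unless it skips the row, so that should be confirmed. A comment on the row would document the intent: `/* legacy name: recognised by the priority parser, never negotiated */`. The table itself starts outside this hunk.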
{
gnutls_kx_algorithm_t ret = GNUTLS_KX_UNKNOWN;
+ GNUTLS_KX_LOOP(
+ if (strcasecmp(p->name, name) == 0 && p->algorithm != GNUTLS_KX_INVALID) {
+ ret = p->algorithm;
+ break;
+ }
+ );
+
+ return ret;
+}
+
+/* As with gnutls_kx_get_id(), but it returns all known
+ * key exchange algorithms (even legacy), with GNUTLS_KX_INVALID
+ * value.
+ */
+int _gnutls_kx_get_id(const char *name)
+{
+ gnutls_kx_algorithm_t ret = GNUTLS_KX_UNKNOWN;
+
GNUTLS_KX_LOOP(
if (strcasecmp(p->name, name) == 0) {
ret = p->algorithm;
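Review bot: `_gnutls_kx_get_id()` is declared to return `int` but keeps its result in `gnutls_kx_algorithm_t ret`, while `GNUTLS_KX_INVALID` is a `(-1)` macro (added in the header hunk) rather than an enumerator of that type. Whether -1 survives the round trip through the enum, and whether `p->algorithm != GNUTLS_KX_INVALID` in the public lookup compares as intended, depends on the underlying type the compiler chooses for the enum, assuming the table field has that enum type (not shown here). Using `int ret = GNUTLS_KX_UNKNOWN;` in the internal function, and an `int` field or a real enumerator for the sentinel, would remove that dependency. The new doc comment is also ambiguous; `/* Like gnutls_kx_get_id(), but also matches legacy names, for which it returns GNUTLS_KX_INVALID. */` says what the code does. The first function's signature and the end of the second loop lie outside this hunk.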
#define GNUTLS_POINTER_TO_INT(_) ((int) GNUTLS_POINTER_TO_INT_CAST (_))
#define GNUTLS_INT_TO_POINTER(_) ((void*) GNUTLS_POINTER_TO_INT_CAST (_))
+#define GNUTLS_KX_INVALID (-1)
+
typedef struct {
uint8_t pint[3];
} uint24;
continue;
} else if ((algo =
gnutls_mac_get_id(&broken_list[i][1]))
- != GNUTLS_MAC_UNKNOWN)
+ != GNUTLS_MAC_UNKNOWN) {
fn(&(*priority_cache)->mac, algo);
- else if ((centry = cipher_name_to_entry(&broken_list[i][1])) != NULL) {
- fn(&(*priority_cache)->cipher, centry->id);
- if (centry->type == CIPHER_BLOCK)
- (*priority_cache)->have_cbc = 1;
+ } else if ((centry = cipher_name_to_entry(&broken_list[i][1])) != NULL) {
+ if (_gnutls_cipher_exists(centry->id)) {
+ fn(&(*priority_cache)->cipher, centry->id);
+ if (centry->type == CIPHER_BLOCK)
+ (*priority_cache)->have_cbc = 1;
+ }
} else if ((algo =
- gnutls_kx_get_id(&broken_list[i][1])) !=
- GNUTLS_KX_UNKNOWN)
- fn(&(*priority_cache)->kx, algo);
- else if (strncasecmp
+ _gnutls_kx_get_id(&broken_list[i][1])) !=
+ GNUTLS_KX_UNKNOWN) {
+ if (algo != GNUTLS_KX_INVALID)
+ fn(&(*priority_cache)->kx, algo);
+ } else if (strncasecmp
(&broken_list[i][1], "VERS-", 5) == 0) {
if (strncasecmp
(&broken_list[i][1], "VERS-TLS-ALL",
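Review bot: A token naming a known-but-unsupported cipher or a legacy key exchange now matches its branch and is dropped without `fn` being called and without any trace. This keeps old priority strings parsing, but a string that lists only such algorithms gives the administrator no sign that those entries had no effect on the resulting policy. A debug-level message in the two skip paths would make it visible, e.g. `_gnutls_debug_log("priority: ignoring unsupported algorithm %s\n", &broken_list[i][1]);` in an `else` of the `_gnutls_cipher_exists()` and `algo != GNUTLS_KX_INVALID` checks. The if/else chain begins before and continues after this hunk.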