#define CIPHER_SUITES_COUNT (sizeof(cs_algorithms)/sizeof(gnutls_cipher_suite_entry)-1)
static const gnutls_cipher_suite_entry cs_algorithms[] = {
- /* DH_ANON */
- ENTRY (GNUTLS_DH_ANON_ARCFOUR_MD5,
- GNUTLS_CIPHER_ARCFOUR_128,
- GNUTLS_KX_ANON_DH, GNUTLS_MAC_MD5,
- GNUTLS_SSL3, GNUTLS_VERSION_MAX, 0),
- ENTRY (GNUTLS_DH_ANON_3DES_EDE_CBC_SHA1,
- GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_ANON_DH,
- GNUTLS_MAC_SHA1, GNUTLS_SSL3,
- GNUTLS_VERSION_MAX, 1),
- ENTRY (GNUTLS_DH_ANON_AES_128_CBC_SHA1,
- GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ANON_DH,
- GNUTLS_MAC_SHA1, GNUTLS_SSL3,
- GNUTLS_VERSION_MAX, 1),
- ENTRY (GNUTLS_DH_ANON_AES_256_CBC_SHA1,
- GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ANON_DH,
- GNUTLS_MAC_SHA1, GNUTLS_SSL3,
- GNUTLS_VERSION_MAX, 1),
- ENTRY (GNUTLS_DH_ANON_CAMELLIA_128_CBC_SHA1,
- GNUTLS_CIPHER_CAMELLIA_128_CBC,
- GNUTLS_KX_ANON_DH,
- GNUTLS_MAC_SHA1, GNUTLS_TLS1,
- GNUTLS_VERSION_MAX, 1),
- ENTRY (GNUTLS_DH_ANON_CAMELLIA_256_CBC_SHA1,
- GNUTLS_CIPHER_CAMELLIA_256_CBC,
- GNUTLS_KX_ANON_DH,
- GNUTLS_MAC_SHA1, GNUTLS_TLS1,
+ /* RSA-NULL */
+ ENTRY (GNUTLS_RSA_NULL_MD5,
+ GNUTLS_CIPHER_NULL,
+ GNUTLS_KX_RSA, GNUTLS_MAC_MD5, GNUTLS_SSL3,
GNUTLS_VERSION_MAX, 1),
- ENTRY (GNUTLS_DH_ANON_AES_128_CBC_SHA256,
- GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ANON_DH,
- GNUTLS_MAC_SHA256, GNUTLS_TLS1_2,
+ ENTRY (GNUTLS_RSA_NULL_SHA1,
+ GNUTLS_CIPHER_NULL,
+ GNUTLS_KX_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3,
GNUTLS_VERSION_MAX, 1),
- ENTRY (GNUTLS_DH_ANON_AES_256_CBC_SHA256,
- GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ANON_DH,
- GNUTLS_MAC_SHA256, GNUTLS_TLS1_2,
+ ENTRY (GNUTLS_RSA_NULL_SHA256,
+ GNUTLS_CIPHER_NULL,
+ GNUTLS_KX_RSA, GNUTLS_MAC_SHA256, GNUTLS_TLS1_2,
GNUTLS_VERSION_MAX, 1),
- /* PSK */
- ENTRY (GNUTLS_PSK_SHA_ARCFOUR_SHA1,
- GNUTLS_CIPHER_ARCFOUR, GNUTLS_KX_PSK,
- GNUTLS_MAC_SHA1, GNUTLS_TLS1,
+ /* RSA */
+ ENTRY (GNUTLS_RSA_ARCFOUR_SHA1,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ GNUTLS_KX_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3,
GNUTLS_VERSION_MAX, 0),
- ENTRY (GNUTLS_PSK_SHA_3DES_EDE_CBC_SHA1,
- GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_PSK,
- GNUTLS_MAC_SHA1, GNUTLS_TLS1,
- GNUTLS_VERSION_MAX, 1),
- ENTRY (GNUTLS_PSK_SHA_AES_128_CBC_SHA1,
- GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_PSK,
- GNUTLS_MAC_SHA1, GNUTLS_TLS1,
- GNUTLS_VERSION_MAX, 1),
- ENTRY (GNUTLS_PSK_SHA_AES_256_CBC_SHA1,
- GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_PSK,
- GNUTLS_MAC_SHA1, GNUTLS_TLS1,
- GNUTLS_VERSION_MAX, 1),
- ENTRY (GNUTLS_PSK_AES_128_CBC_SHA256,
- GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_PSK,
- GNUTLS_MAC_SHA256, GNUTLS_TLS1,
- GNUTLS_VERSION_MAX, 1),
- ENTRY (GNUTLS_PSK_AES_128_GCM_SHA256,
- GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_PSK,
- GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
- GNUTLS_VERSION_MAX, 1),
- ENTRY (GNUTLS_PSK_NULL_SHA256,
- GNUTLS_CIPHER_NULL, GNUTLS_KX_PSK,
- GNUTLS_MAC_SHA256, GNUTLS_TLS1,
- GNUTLS_VERSION_MAX, 1),
-
- /* DHE-PSK */
- ENTRY (GNUTLS_DHE_PSK_SHA_ARCFOUR_SHA1,
- GNUTLS_CIPHER_ARCFOUR, GNUTLS_KX_DHE_PSK,
- GNUTLS_MAC_SHA1, GNUTLS_TLS1,
+ ENTRY (GNUTLS_RSA_ARCFOUR_MD5,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ GNUTLS_KX_RSA, GNUTLS_MAC_MD5, GNUTLS_SSL3,
GNUTLS_VERSION_MAX, 0),
- ENTRY (GNUTLS_DHE_PSK_SHA_3DES_EDE_CBC_SHA1,
- GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_PSK,
- GNUTLS_MAC_SHA1, GNUTLS_TLS1,
- GNUTLS_VERSION_MAX, 1),
- ENTRY (GNUTLS_DHE_PSK_SHA_AES_128_CBC_SHA1,
- GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_PSK,
- GNUTLS_MAC_SHA1, GNUTLS_TLS1,
- GNUTLS_VERSION_MAX, 1),
- ENTRY (GNUTLS_DHE_PSK_SHA_AES_256_CBC_SHA1,
- GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_PSK,
- GNUTLS_MAC_SHA1, GNUTLS_TLS1,
- GNUTLS_VERSION_MAX, 1),
- ENTRY (GNUTLS_DHE_PSK_AES_128_CBC_SHA256,
- GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_PSK,
- GNUTLS_MAC_SHA256, GNUTLS_TLS1,
- GNUTLS_VERSION_MAX, 1),
- ENTRY (GNUTLS_DHE_PSK_AES_128_GCM_SHA256,
- GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_DHE_PSK,
- GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
- GNUTLS_VERSION_MAX, 1),
- ENTRY (GNUTLS_DHE_PSK_NULL_SHA256,
- GNUTLS_CIPHER_NULL, GNUTLS_KX_DHE_PSK,
- GNUTLS_MAC_SHA256, GNUTLS_TLS1,
- GNUTLS_VERSION_MAX, 1),
-
- /* SRP */
- ENTRY (GNUTLS_SRP_SHA_3DES_EDE_CBC_SHA1,
- GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP,
- GNUTLS_MAC_SHA1, GNUTLS_TLS1,
- GNUTLS_VERSION_MAX, 1),
- ENTRY (GNUTLS_SRP_SHA_AES_128_CBC_SHA1,
- GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP,
- GNUTLS_MAC_SHA1, GNUTLS_TLS1,
+ ENTRY (GNUTLS_RSA_3DES_EDE_CBC_SHA1,
+ GNUTLS_CIPHER_3DES_CBC,
+ GNUTLS_KX_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3,
GNUTLS_VERSION_MAX, 1),
- ENTRY (GNUTLS_SRP_SHA_AES_256_CBC_SHA1,
- GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP,
- GNUTLS_MAC_SHA1, GNUTLS_TLS1,
+ ENTRY (GNUTLS_RSA_AES_128_CBC_SHA1,
+ GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_RSA,
+ GNUTLS_MAC_SHA1, GNUTLS_SSL3,
GNUTLS_VERSION_MAX, 1),
-
- ENTRY (GNUTLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1,
- GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP_DSS,
- GNUTLS_MAC_SHA1, GNUTLS_TLS1,
+ ENTRY (GNUTLS_RSA_AES_256_CBC_SHA1,
+ GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA,
+ GNUTLS_MAC_SHA1, GNUTLS_SSL3,
GNUTLS_VERSION_MAX, 1),
-
- ENTRY (GNUTLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1,
- GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP_RSA,
+ ENTRY (GNUTLS_RSA_CAMELLIA_128_CBC_SHA1,
+ GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_RSA,
GNUTLS_MAC_SHA1, GNUTLS_TLS1,
GNUTLS_VERSION_MAX, 1),
-
- ENTRY (GNUTLS_SRP_SHA_DSS_AES_128_CBC_SHA1,
- GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP_DSS,
+ ENTRY (GNUTLS_RSA_CAMELLIA_256_CBC_SHA1,
+ GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_RSA,
GNUTLS_MAC_SHA1, GNUTLS_TLS1,
GNUTLS_VERSION_MAX, 1),
-
- ENTRY (GNUTLS_SRP_SHA_RSA_AES_128_CBC_SHA1,
- GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP_RSA,
- GNUTLS_MAC_SHA1, GNUTLS_TLS1,
+ ENTRY (GNUTLS_RSA_AES_128_CBC_SHA256,
+ GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_RSA,
+ GNUTLS_MAC_SHA256, GNUTLS_TLS1_2,
GNUTLS_VERSION_MAX, 1),
-
- ENTRY (GNUTLS_SRP_SHA_DSS_AES_256_CBC_SHA1,
- GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP_DSS,
- GNUTLS_MAC_SHA1, GNUTLS_TLS1,
+ ENTRY (GNUTLS_RSA_AES_256_CBC_SHA256,
+ GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA,
+ GNUTLS_MAC_SHA256, GNUTLS_TLS1_2,
GNUTLS_VERSION_MAX, 1),
-
- ENTRY (GNUTLS_SRP_SHA_RSA_AES_256_CBC_SHA1,
- GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP_RSA,
- GNUTLS_MAC_SHA1, GNUTLS_TLS1,
+/* GCM */
+ ENTRY (GNUTLS_RSA_AES_128_GCM_SHA256,
+ GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_RSA,
+ GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
GNUTLS_VERSION_MAX, 1),
/* DHE_DSS */
+#ifdef ENABLE_DHE
ENTRY (GNUTLS_DHE_DSS_ARCFOUR_SHA1,
GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_KX_DHE_DSS,
GNUTLS_MAC_SHA1, GNUTLS_TLS1,
GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_RSA,
GNUTLS_MAC_SHA256, GNUTLS_TLS1_2,
GNUTLS_VERSION_MAX, 1),
- /* RSA-NULL */
- ENTRY (GNUTLS_RSA_NULL_MD5,
- GNUTLS_CIPHER_NULL,
- GNUTLS_KX_RSA, GNUTLS_MAC_MD5, GNUTLS_SSL3,
- GNUTLS_VERSION_MAX, 1),
- ENTRY (GNUTLS_RSA_NULL_SHA1,
- GNUTLS_CIPHER_NULL,
- GNUTLS_KX_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3,
- GNUTLS_VERSION_MAX, 1),
- ENTRY (GNUTLS_RSA_NULL_SHA256,
- GNUTLS_CIPHER_NULL,
- GNUTLS_KX_RSA, GNUTLS_MAC_SHA256, GNUTLS_TLS1_2,
- GNUTLS_VERSION_MAX, 1),
-
- /* RSA-EXPORT */
- ENTRY (GNUTLS_RSA_EXPORT_ARCFOUR_40_MD5,
- GNUTLS_CIPHER_ARCFOUR_40,
- GNUTLS_KX_RSA_EXPORT, GNUTLS_MAC_MD5,
- GNUTLS_SSL3, GNUTLS_TLS1_0, 0),
-
- /* RSA */
- ENTRY (GNUTLS_RSA_ARCFOUR_SHA1,
- GNUTLS_CIPHER_ARCFOUR_128,
- GNUTLS_KX_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3,
- GNUTLS_VERSION_MAX, 0),
- ENTRY (GNUTLS_RSA_ARCFOUR_MD5,
- GNUTLS_CIPHER_ARCFOUR_128,
- GNUTLS_KX_RSA, GNUTLS_MAC_MD5, GNUTLS_SSL3,
- GNUTLS_VERSION_MAX, 0),
- ENTRY (GNUTLS_RSA_3DES_EDE_CBC_SHA1,
- GNUTLS_CIPHER_3DES_CBC,
- GNUTLS_KX_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3,
- GNUTLS_VERSION_MAX, 1),
- ENTRY (GNUTLS_RSA_AES_128_CBC_SHA1,
- GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_RSA,
- GNUTLS_MAC_SHA1, GNUTLS_SSL3,
- GNUTLS_VERSION_MAX, 1),
- ENTRY (GNUTLS_RSA_AES_256_CBC_SHA1,
- GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA,
- GNUTLS_MAC_SHA1, GNUTLS_SSL3,
- GNUTLS_VERSION_MAX, 1),
- ENTRY (GNUTLS_RSA_CAMELLIA_128_CBC_SHA1,
- GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_RSA,
- GNUTLS_MAC_SHA1, GNUTLS_TLS1,
- GNUTLS_VERSION_MAX, 1),
- ENTRY (GNUTLS_RSA_CAMELLIA_256_CBC_SHA1,
- GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_RSA,
- GNUTLS_MAC_SHA1, GNUTLS_TLS1,
- GNUTLS_VERSION_MAX, 1),
- ENTRY (GNUTLS_RSA_AES_128_CBC_SHA256,
- GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_RSA,
- GNUTLS_MAC_SHA256, GNUTLS_TLS1_2,
- GNUTLS_VERSION_MAX, 1),
- ENTRY (GNUTLS_RSA_AES_256_CBC_SHA256,
- GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA,
- GNUTLS_MAC_SHA256, GNUTLS_TLS1_2,
- GNUTLS_VERSION_MAX, 1),
-/* GCM */
- ENTRY (GNUTLS_RSA_AES_128_GCM_SHA256,
- GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_RSA,
- GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
- GNUTLS_VERSION_MAX, 1),
ENTRY (GNUTLS_DHE_RSA_AES_128_GCM_SHA256,
GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_DHE_RSA,
GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_DHE_DSS,
GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
GNUTLS_VERSION_MAX, 1),
- ENTRY (GNUTLS_DH_ANON_AES_128_GCM_SHA256,
- GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_ANON_DH,
- GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
- GNUTLS_VERSION_MAX, 1),
-/* ECC-ANON */
- ENTRY (GNUTLS_ECDH_ANON_NULL_SHA1,
- GNUTLS_CIPHER_NULL, GNUTLS_KX_ANON_ECDH,
- GNUTLS_MAC_SHA1, GNUTLS_TLS1_0,
- GNUTLS_VERSION_MAX, 1),
- ENTRY (GNUTLS_ECDH_ANON_3DES_EDE_CBC_SHA1,
- GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_ANON_ECDH,
- GNUTLS_MAC_SHA1, GNUTLS_TLS1_0,
- GNUTLS_VERSION_MAX, 1),
- ENTRY (GNUTLS_ECDH_ANON_AES_128_CBC_SHA1,
- GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ANON_ECDH,
- GNUTLS_MAC_SHA1, GNUTLS_TLS1_0,
- GNUTLS_VERSION_MAX, 1),
- ENTRY (GNUTLS_ECDH_ANON_AES_256_CBC_SHA1,
- GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ANON_ECDH,
- GNUTLS_MAC_SHA1, GNUTLS_TLS1_0,
- GNUTLS_VERSION_MAX, 1),
+#endif /* DHE */
+#ifdef ENABLE_ECDHE
/* ECC-RSA */
ENTRY (GNUTLS_ECDHE_RSA_NULL_SHA1,
GNUTLS_CIPHER_NULL, GNUTLS_KX_ECDHE_RSA,
GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_ECDHE_RSA,
GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
GNUTLS_VERSION_MAX, 1),
+ ENTRY_PRF(GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384,
+ GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_ECDHE_ECDSA,
+ GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
+ GNUTLS_VERSION_MAX, 1, GNUTLS_DIG_SHA384),
+ ENTRY_PRF(GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384,
+ GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_ECDHE_RSA,
+ GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
+ GNUTLS_VERSION_MAX, 1, GNUTLS_DIG_SHA384),
+ ENTRY_PRF(GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA384,
+ GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ECDHE_ECDSA,
+ GNUTLS_MAC_SHA384, GNUTLS_TLS1_2,
+ GNUTLS_VERSION_MAX, 1, GNUTLS_DIG_SHA384),
+#endif
+#ifdef ENABLE_PSK
/* ECC - PSK */
ENTRY (GNUTLS_ECDHE_PSK_3DES_EDE_CBC_SHA1,
GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_ECDHE_PSK,
GNUTLS_CIPHER_NULL, GNUTLS_KX_ECDHE_PSK,
GNUTLS_MAC_SHA384, GNUTLS_TLS1_0,
GNUTLS_VERSION_MAX, 1, GNUTLS_MAC_SHA384),
- ENTRY_PRF(GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384,
- GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_ECDHE_ECDSA,
- GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
- GNUTLS_VERSION_MAX, 1, GNUTLS_DIG_SHA384),
- ENTRY_PRF(GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384,
- GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_ECDHE_RSA,
- GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
- GNUTLS_VERSION_MAX, 1, GNUTLS_DIG_SHA384),
- ENTRY_PRF(GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA384,
- GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ECDHE_ECDSA,
- GNUTLS_MAC_SHA384, GNUTLS_TLS1_2,
- GNUTLS_VERSION_MAX, 1, GNUTLS_DIG_SHA384),
+
+ /* PSK */
+ ENTRY (GNUTLS_PSK_SHA_ARCFOUR_SHA1,
+ GNUTLS_CIPHER_ARCFOUR, GNUTLS_KX_PSK,
+ GNUTLS_MAC_SHA1, GNUTLS_TLS1,
+ GNUTLS_VERSION_MAX, 0),
+ ENTRY (GNUTLS_PSK_SHA_3DES_EDE_CBC_SHA1,
+ GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_PSK,
+ GNUTLS_MAC_SHA1, GNUTLS_TLS1,
+ GNUTLS_VERSION_MAX, 1),
+ ENTRY (GNUTLS_PSK_SHA_AES_128_CBC_SHA1,
+ GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_PSK,
+ GNUTLS_MAC_SHA1, GNUTLS_TLS1,
+ GNUTLS_VERSION_MAX, 1),
+ ENTRY (GNUTLS_PSK_SHA_AES_256_CBC_SHA1,
+ GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_PSK,
+ GNUTLS_MAC_SHA1, GNUTLS_TLS1,
+ GNUTLS_VERSION_MAX, 1),
+ ENTRY (GNUTLS_PSK_AES_128_CBC_SHA256,
+ GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_PSK,
+ GNUTLS_MAC_SHA256, GNUTLS_TLS1,
+ GNUTLS_VERSION_MAX, 1),
+ ENTRY (GNUTLS_PSK_AES_128_GCM_SHA256,
+ GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_PSK,
+ GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
+ GNUTLS_VERSION_MAX, 1),
+ ENTRY (GNUTLS_PSK_NULL_SHA256,
+ GNUTLS_CIPHER_NULL, GNUTLS_KX_PSK,
+ GNUTLS_MAC_SHA256, GNUTLS_TLS1,
+ GNUTLS_VERSION_MAX, 1),
+
+ /* DHE-PSK */
+ ENTRY (GNUTLS_DHE_PSK_SHA_ARCFOUR_SHA1,
+ GNUTLS_CIPHER_ARCFOUR, GNUTLS_KX_DHE_PSK,
+ GNUTLS_MAC_SHA1, GNUTLS_TLS1,
+ GNUTLS_VERSION_MAX, 0),
+ ENTRY (GNUTLS_DHE_PSK_SHA_3DES_EDE_CBC_SHA1,
+ GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_PSK,
+ GNUTLS_MAC_SHA1, GNUTLS_TLS1,
+ GNUTLS_VERSION_MAX, 1),
+ ENTRY (GNUTLS_DHE_PSK_SHA_AES_128_CBC_SHA1,
+ GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_PSK,
+ GNUTLS_MAC_SHA1, GNUTLS_TLS1,
+ GNUTLS_VERSION_MAX, 1),
+ ENTRY (GNUTLS_DHE_PSK_SHA_AES_256_CBC_SHA1,
+ GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_PSK,
+ GNUTLS_MAC_SHA1, GNUTLS_TLS1,
+ GNUTLS_VERSION_MAX, 1),
+ ENTRY (GNUTLS_DHE_PSK_AES_128_CBC_SHA256,
+ GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_PSK,
+ GNUTLS_MAC_SHA256, GNUTLS_TLS1,
+ GNUTLS_VERSION_MAX, 1),
+ ENTRY (GNUTLS_DHE_PSK_AES_128_GCM_SHA256,
+ GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_DHE_PSK,
+ GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
+ GNUTLS_VERSION_MAX, 1),
+ ENTRY (GNUTLS_DHE_PSK_NULL_SHA256,
+ GNUTLS_CIPHER_NULL, GNUTLS_KX_DHE_PSK,
+ GNUTLS_MAC_SHA256, GNUTLS_TLS1,
+ GNUTLS_VERSION_MAX, 1),
+
ENTRY_PRF(GNUTLS_PSK_WITH_AES_256_GCM_SHA384,
GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_PSK,
GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_DHE_PSK,
GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
GNUTLS_VERSION_MAX, 1, GNUTLS_DIG_SHA384),
+#endif
+#ifdef ENABLE_ANON
+ /* DH_ANON */
+ ENTRY (GNUTLS_DH_ANON_ARCFOUR_MD5,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ GNUTLS_KX_ANON_DH, GNUTLS_MAC_MD5,
+ GNUTLS_SSL3, GNUTLS_VERSION_MAX, 0),
+ ENTRY (GNUTLS_DH_ANON_3DES_EDE_CBC_SHA1,
+ GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_ANON_DH,
+ GNUTLS_MAC_SHA1, GNUTLS_SSL3,
+ GNUTLS_VERSION_MAX, 1),
+ ENTRY (GNUTLS_DH_ANON_AES_128_CBC_SHA1,
+ GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ANON_DH,
+ GNUTLS_MAC_SHA1, GNUTLS_SSL3,
+ GNUTLS_VERSION_MAX, 1),
+ ENTRY (GNUTLS_DH_ANON_AES_256_CBC_SHA1,
+ GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ANON_DH,
+ GNUTLS_MAC_SHA1, GNUTLS_SSL3,
+ GNUTLS_VERSION_MAX, 1),
+ ENTRY (GNUTLS_DH_ANON_CAMELLIA_128_CBC_SHA1,
+ GNUTLS_CIPHER_CAMELLIA_128_CBC,
+ GNUTLS_KX_ANON_DH,
+ GNUTLS_MAC_SHA1, GNUTLS_TLS1,
+ GNUTLS_VERSION_MAX, 1),
+ ENTRY (GNUTLS_DH_ANON_CAMELLIA_256_CBC_SHA1,
+ GNUTLS_CIPHER_CAMELLIA_256_CBC,
+ GNUTLS_KX_ANON_DH,
+ GNUTLS_MAC_SHA1, GNUTLS_TLS1,
+ GNUTLS_VERSION_MAX, 1),
+ ENTRY (GNUTLS_DH_ANON_AES_128_CBC_SHA256,
+ GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ANON_DH,
+ GNUTLS_MAC_SHA256, GNUTLS_TLS1_2,
+ GNUTLS_VERSION_MAX, 1),
+ ENTRY (GNUTLS_DH_ANON_AES_256_CBC_SHA256,
+ GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ANON_DH,
+ GNUTLS_MAC_SHA256, GNUTLS_TLS1_2,
+ GNUTLS_VERSION_MAX, 1),
+ ENTRY (GNUTLS_DH_ANON_AES_128_GCM_SHA256,
+ GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_ANON_DH,
+ GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
+ GNUTLS_VERSION_MAX, 1),
+/* ECC-ANON */
+ ENTRY (GNUTLS_ECDH_ANON_NULL_SHA1,
+ GNUTLS_CIPHER_NULL, GNUTLS_KX_ANON_ECDH,
+ GNUTLS_MAC_SHA1, GNUTLS_TLS1_0,
+ GNUTLS_VERSION_MAX, 1),
+ ENTRY (GNUTLS_ECDH_ANON_3DES_EDE_CBC_SHA1,
+ GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_ANON_ECDH,
+ GNUTLS_MAC_SHA1, GNUTLS_TLS1_0,
+ GNUTLS_VERSION_MAX, 1),
+ ENTRY (GNUTLS_ECDH_ANON_AES_128_CBC_SHA1,
+ GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ANON_ECDH,
+ GNUTLS_MAC_SHA1, GNUTLS_TLS1_0,
+ GNUTLS_VERSION_MAX, 1),
+ ENTRY (GNUTLS_ECDH_ANON_AES_256_CBC_SHA1,
+ GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ANON_ECDH,
+ GNUTLS_MAC_SHA1, GNUTLS_TLS1_0,
+ GNUTLS_VERSION_MAX, 1),
+#endif
+#ifdef ENABLE_SRP
+ /* SRP */
+ ENTRY (GNUTLS_SRP_SHA_3DES_EDE_CBC_SHA1,
+ GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP,
+ GNUTLS_MAC_SHA1, GNUTLS_TLS1,
+ GNUTLS_VERSION_MAX, 1),
+ ENTRY (GNUTLS_SRP_SHA_AES_128_CBC_SHA1,
+ GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP,
+ GNUTLS_MAC_SHA1, GNUTLS_TLS1,
+ GNUTLS_VERSION_MAX, 1),
+ ENTRY (GNUTLS_SRP_SHA_AES_256_CBC_SHA1,
+ GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP,
+ GNUTLS_MAC_SHA1, GNUTLS_TLS1,
+ GNUTLS_VERSION_MAX, 1),
+
+ ENTRY (GNUTLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1,
+ GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP_DSS,
+ GNUTLS_MAC_SHA1, GNUTLS_TLS1,
+ GNUTLS_VERSION_MAX, 1),
+
+ ENTRY (GNUTLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1,
+ GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP_RSA,
+ GNUTLS_MAC_SHA1, GNUTLS_TLS1,
+ GNUTLS_VERSION_MAX, 1),
+
+ ENTRY (GNUTLS_SRP_SHA_DSS_AES_128_CBC_SHA1,
+ GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP_DSS,
+ GNUTLS_MAC_SHA1, GNUTLS_TLS1,
+ GNUTLS_VERSION_MAX, 1),
+
+ ENTRY (GNUTLS_SRP_SHA_RSA_AES_128_CBC_SHA1,
+ GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP_RSA,
+ GNUTLS_MAC_SHA1, GNUTLS_TLS1,
+ GNUTLS_VERSION_MAX, 1),
+
+ ENTRY (GNUTLS_SRP_SHA_DSS_AES_256_CBC_SHA1,
+ GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP_DSS,
+ GNUTLS_MAC_SHA1, GNUTLS_TLS1,
+ GNUTLS_VERSION_MAX, 1),
+
+ ENTRY (GNUTLS_SRP_SHA_RSA_AES_256_CBC_SHA1,
+ GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP_RSA,
+ GNUTLS_MAC_SHA1, GNUTLS_TLS1,
+ GNUTLS_VERSION_MAX, 1),
+#endif
+#ifdef ENABLE_RSA_EXPORT
+ /* RSA-EXPORT */
+ ENTRY (GNUTLS_RSA_EXPORT_ARCFOUR_40_MD5,
+ GNUTLS_CIPHER_ARCFOUR_40,
+ GNUTLS_KX_RSA_EXPORT, GNUTLS_MAC_MD5,
+ GNUTLS_SSL3, GNUTLS_TLS1_0, 0),
+#endif
{0, {0, 0}, 0, 0, 0, 0, 0, 0}
};
#include <gnutls_x509.h>
#include <gnutls_state.h>
#include <auth/dh_common.h>
-#include <auth/ecdh_common.h>
+#include <auth/ecdhe.h>
static int gen_dhe_server_kx (gnutls_session_t, gnutls_buffer_st*);
static int proc_dhe_server_kx (gnutls_session_t, uint8_t *, size_t);
static int proc_dhe_client_kx (gnutls_session_t, uint8_t *, size_t);
-const mod_auth_st ecdhe_ecdsa_auth_struct = {
- "ECDHE_ECDSA",
- _gnutls_gen_cert_server_crt,
- _gnutls_gen_cert_client_crt,
- gen_dhe_server_kx,
- _gnutls_gen_ecdh_common_client_kx, /* This is the only difference */
- _gnutls_gen_cert_client_crt_vrfy,
- _gnutls_gen_cert_server_cert_req,
-
- _gnutls_proc_crt,
- _gnutls_proc_crt,
- proc_dhe_server_kx,
- proc_dhe_client_kx,
- _gnutls_proc_cert_client_crt_vrfy,
- _gnutls_proc_cert_cert_req
-};
-
-const mod_auth_st ecdhe_rsa_auth_struct = {
- "ECDHE_RSA",
- _gnutls_gen_cert_server_crt,
- _gnutls_gen_cert_client_crt,
- gen_dhe_server_kx,
- _gnutls_gen_ecdh_common_client_kx, /* This is the only difference */
- _gnutls_gen_cert_client_crt_vrfy,
- _gnutls_gen_cert_server_cert_req,
-
- _gnutls_proc_crt,
- _gnutls_proc_crt,
- proc_dhe_server_kx,
- proc_dhe_client_kx,
- _gnutls_proc_cert_client_crt_vrfy,
- _gnutls_proc_cert_cert_req
-};
+#ifdef ENABLE_DHE
const mod_auth_st dhe_rsa_auth_struct = {
"DHE_RSA",
_gnutls_proc_cert_cert_req /* proc server cert request */
};
+#endif
static int
gen_dhe_server_kx (gnutls_session_t session, gnutls_buffer_st* data)
{
bigint_t g, p;
const bigint_t *mpis;
- int ret = 0, data_size;
- gnutls_pcert_st *apr_cert_list;
- gnutls_privkey_t apr_pkey;
- int apr_cert_list_length;
- gnutls_datum_t signature = { NULL, 0 }, ddata;
+ int ret = 0;
gnutls_certificate_credentials_t cred;
gnutls_dh_params_t dh_params;
- gnutls_sign_algorithm_t sign_algo;
- gnutls_protocol_t ver = gnutls_protocol_get_version (session);
cred = (gnutls_certificate_credentials_t)
_gnutls_get_cred (session, GNUTLS_CRD_CERTIFICATE, NULL);
return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
}
- /* find the appropriate certificate */
- if ((ret =
- _gnutls_get_selected_cert (session, &apr_cert_list,
- &apr_cert_list_length, &apr_pkey)) < 0)
- {
- gnutls_assert ();
- return ret;
- }
if ((ret = _gnutls_auth_info_set (session, GNUTLS_CRD_CERTIFICATE,
sizeof (cert_auth_info_st), 0)) < 0)
return ret;
}
- if (!_gnutls_session_is_ecc (session))
+ dh_params =
+ _gnutls_get_dh_params (cred->dh_params, cred->params_func, session);
+ mpis = _gnutls_dh_params_to_mpi (dh_params);
+ if (mpis == NULL)
{
- dh_params =
- _gnutls_get_dh_params (cred->dh_params, cred->params_func, session);
- mpis = _gnutls_dh_params_to_mpi (dh_params);
- if (mpis == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_NO_TEMPORARY_DH_PARAMS;
- }
-
- p = mpis[0];
- g = mpis[1];
+ gnutls_assert ();
+ return GNUTLS_E_NO_TEMPORARY_DH_PARAMS;
+ }
- _gnutls_dh_set_group (session, g, p);
+ p = mpis[0];
+ g = mpis[1];
- ret = _gnutls_dh_common_print_server_kx (session, g, p, dh_params->q_bits, data);
- }
- else
- {
- ret = _gnutls_ecdh_common_print_server_kx (session, data, _gnutls_session_ecc_curve_get(session));
- }
+ _gnutls_dh_set_group (session, g, p);
+ ret = _gnutls_dh_common_print_server_kx (session, g, p, dh_params->q_bits, data);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
- data_size = ret;
/* Generate the signature. */
-
- ddata.data = data->data;
- ddata.size = data->length;
-
- if (apr_cert_list_length > 0)
- {
- if ((ret =
- _gnutls_handshake_sign_data (session, &apr_cert_list[0],
- apr_pkey, &ddata, &signature,
- &sign_algo)) < 0)
- {
- gnutls_assert ();
- goto cleanup;
- }
- }
- else
- {
- gnutls_assert ();
- ret = data_size; /* do not put a signature - ILLEGAL! */
- goto cleanup;
- }
-
- if (_gnutls_version_has_selectable_sighash (ver))
- {
- const sign_algorithm_st *aid;
- uint8_t p[2];
-
- if (sign_algo == GNUTLS_SIGN_UNKNOWN)
- {
- ret = GNUTLS_E_UNKNOWN_ALGORITHM;
- goto cleanup;
- }
-
- aid = _gnutls_sign_to_tls_aid (sign_algo);
- if (aid == NULL)
- {
- gnutls_assert();
- ret = GNUTLS_E_UNKNOWN_ALGORITHM;
- goto cleanup;
- }
-
- p[0] = aid->hash_algorithm;
- p[1] = aid->sign_algorithm;
-
- ret = _gnutls_buffer_append_data(data, p, 2);
- if (ret < 0)
- {
- gnutls_assert();
- goto cleanup;
- }
- }
-
- ret = _gnutls_buffer_append_data_prefix(data, 16, signature.data, signature.size);
- if (ret < 0)
- {
- gnutls_assert();
- }
-
- ret = data->length;
-
-cleanup:
- _gnutls_free_datum (&signature);
- return ret;
-
+ return _gnutls_gen_dhe_signature(session, data, data->data, data->length);
}
+
static int
proc_dhe_server_kx (gnutls_session_t session, uint8_t * data,
size_t _data_size)
{
- int sigsize;
- uint8_t *sigdata;
- gnutls_datum_t vparams, signature;
- int ret;
- cert_auth_info_t info = _gnutls_get_auth_info (session);
- ssize_t data_size = _data_size;
- gnutls_pcert_st peer_cert;
- gnutls_sign_algorithm_t sign_algo = GNUTLS_SIGN_UNKNOWN;
- gnutls_protocol_t ver = gnutls_protocol_get_version (session);
-
- if (info == NULL || info->ncerts == 0)
- {
- gnutls_assert ();
- /* we need this in order to get peer's certificate */
- return GNUTLS_E_INTERNAL_ERROR;
- }
-
- if (!_gnutls_session_is_ecc (session))
- ret = _gnutls_proc_dh_common_server_kx (session, data, _data_size);
- else
- ret = _gnutls_proc_ecdh_common_server_kx (session, data, _data_size);
+gnutls_datum_t vdata;
+int ret;
+ ret = _gnutls_proc_dh_common_server_kx(session, data, _data_size);
if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
-
- /* VERIFY SIGNATURE */
-
- vparams.size = ret;
- vparams.data = data;
-
- sigdata = &data[vparams.size];
- if (_gnutls_version_has_selectable_sighash (ver))
- {
- sign_algorithm_st aid;
-
- DECR_LEN (data_size, 1);
- aid.hash_algorithm = *sigdata++;
- DECR_LEN (data_size, 1);
- aid.sign_algorithm = *sigdata++;
- sign_algo = _gnutls_tls_aid_to_sign (&aid);
- if (sign_algo == GNUTLS_SIGN_UNKNOWN)
- {
- _gnutls_debug_log("unknown signature %d.%d\n", aid.sign_algorithm, aid.hash_algorithm);
- gnutls_assert ();
- return GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM;
- }
- }
- DECR_LEN (data_size, 2);
- sigsize = _gnutls_read_uint16 (sigdata);
- sigdata += 2;
-
- DECR_LEN (data_size, sigsize);
- signature.data = sigdata;
- signature.size = sigsize;
-
- if ((ret =
- _gnutls_get_auth_info_pcert (&peer_cert,
- session->security_parameters.cert_type,
- info)) < 0)
- {
- gnutls_assert ();
- return ret;
- }
-
- ret =
- _gnutls_handshake_verify_data (session, &peer_cert, &vparams, &signature,
- sign_algo);
+ return gnutls_assert_val(ret);
- gnutls_pcert_deinit (&peer_cert);
- if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
+ vdata.data = data;
+ vdata.size = ret;
- return ret;
+ return _gnutls_proc_dhe_signature(session, data+ret, _data_size-ret, &vdata);
}
-
static int
proc_dhe_client_kx (gnutls_session_t session, uint8_t * data,
size_t _data_size)
{
gnutls_certificate_credentials_t cred;
- int ret;
bigint_t p, g;
const bigint_t *mpis;
gnutls_dh_params_t dh_params;
return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
}
- if (!_gnutls_session_is_ecc (session))
- {
- dh_params =
- _gnutls_get_dh_params (cred->dh_params, cred->params_func, session);
- mpis = _gnutls_dh_params_to_mpi (dh_params);
- if (mpis == NULL)
- return gnutls_assert_val(GNUTLS_E_NO_TEMPORARY_DH_PARAMS);
-
- p = mpis[0];
- g = mpis[1];
-
- ret = _gnutls_proc_dh_common_client_kx (session, data, _data_size, g, p, NULL);
- }
- else
- ret = _gnutls_proc_ecdh_common_client_kx (session, data, _data_size,
- _gnutls_session_ecc_curve_get(session), NULL);
+ dh_params =
+ _gnutls_get_dh_params (cred->dh_params, cred->params_func, session);
+ mpis = _gnutls_dh_params_to_mpi (dh_params);
+ if (mpis == NULL)
+ return gnutls_assert_val(GNUTLS_E_NO_TEMPORARY_DH_PARAMS);
- return ret;
+ p = mpis[0];
+ g = mpis[1];
+ return _gnutls_proc_dh_common_client_kx (session, data, _data_size, g, p, NULL);
}