priority: add more GOST shortcuts
authorDmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Wed, 8 Jan 2020 19:03:44 +0000 (22:03 +0300)
committerDmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Thu, 9 Jan 2020 18:40:00 +0000 (21:40 +0300)
Add shortcuts for GOST ciphers, MACs and KXes. For now each of them contains
only one item, but the lists will be expanded once support for
GOST-CTR-ACPKM ciphersuites is added.

Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
doc/cha-gtls-app.texi
lib/priority.c
tests/tls12-cert-key-exchange.c
tests/tls12-server-kx-neg.c
tests/tls13-server-kx-neg.c

index f734ca79bc74cc00eef5b9db84647eca6951a3cf..47fd3bca652a18a30510d799d3a801effa0ac6f5 100644 (file)
@@ -1422,18 +1422,21 @@ appended with an algorithm will add this algorithm.
 @item Ciphers @tab
 Examples are AES-128-GCM, AES-256-GCM, AES-256-CBC, GOST28147-TC26Z-CNT; see also
 @ref{tab:ciphers} for more options. Catch all name is CIPHER-ALL which will add
-all the algorithms from NORMAL priority.
+all the algorithms from NORMAL priority. The shortcut for secure GOST
+algorithms is CIPHER-GOST-ALL.
 
 @item Key exchange @tab
 RSA, DHE-RSA, DHE-DSS, SRP, SRP-RSA, SRP-DSS,
 PSK, DHE-PSK, ECDHE-PSK, ECDHE-RSA, ECDHE-ECDSA, VKO-GOST-12, ANON-ECDH, ANON-DH.
 Catch all name is KX-ALL which will add all the algorithms from NORMAL
 priority. Under TLS1.3, the DHE-PSK and ECDHE-PSK strings are equivalent
-and instruct for a Diffie-Hellman key exchange using the enabled groups.
+and instruct for a Diffie-Hellman key exchange using the enabled groups. The
+shortcut for secure GOST algorithms is KX-GOST-ALL.
 
 @item MAC @tab
 MD5, SHA1, SHA256, SHA384, GOST28147-TC26Z-IMIT, AEAD (used with
-GCM ciphers only). All algorithms from NORMAL priority can be accessed with MAC-ALL.
+GCM ciphers only). All algorithms from NORMAL priority can be accessed with
+MAC-ALL. The shortcut for secure GOST algorithms is MAC-GOST-ALL.
 
 @item Compression algorithms @tab
 COMP-NULL, COMP-DEFLATE. Catch all is COMP-ALL.
index 102fc11e6be8e5faf637e01c1a86cd9581dffc87..7b34ae9e525615d5d9029696b5d4ae226086d0db 100644 (file)
@@ -297,6 +297,11 @@ static const int _kx_priority_secure[] = {
 };
 static const int* kx_priority_secure = _kx_priority_secure;
 
+static const int _kx_priority_gost[] = {
+       GNUTLS_KX_VKO_GOST_12,
+};
+static const int* kx_priority_gost = _kx_priority_gost;
+
 static const int _cipher_priority_performance_default[] = {
        GNUTLS_CIPHER_AES_128_GCM,
        GNUTLS_CIPHER_AES_256_GCM,
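Review bot: `_kx_priority_gost` is declared without the trailing `0` that the two sibling tables added by this same commit, `_cipher_priority_gost` and `_mac_priority_gost`, both carry. `bulk_fn` is not visible on this page, but if it walks a list until it meets a zero sentinel, as those tables suggest, then `+KX-GOST-ALL` or `-KX-GOST-ALL` would read past the end of the one-element array and apply whatever integers follow it to the key-exchange priorities. Add the terminator so the initializer reads `GNUTLS_KX_VKO_GOST_12,` followed by `0`. The contents of `_kx_priority_secure` above are outside the hunk, so its own terminator cannot be confirmed from here.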
@@ -507,6 +512,18 @@ static const int *cipher_priority_performance = _cipher_priority_performance_def
 static const int *cipher_priority_normal = _cipher_priority_normal_default;
 static const int *mac_priority_normal = mac_priority_normal_default;
 
+static const int _cipher_priority_gost[] = {
+       GNUTLS_CIPHER_GOST28147_TC26Z_CNT,
+       0
+};
+static const int *cipher_priority_gost = _cipher_priority_gost;
+
+static const int _mac_priority_gost[] = {
+       GNUTLS_MAC_GOST28147_TC26Z_IMIT,
+       0
+};
+static const int *mac_priority_gost = _mac_priority_gost;
+
 /* if called with replace the default priorities with the FIPS140 ones */
 void _gnutls_priority_update_fips(void)
 {
@@ -2168,18 +2185,38 @@ gnutls_priority_init(gnutls_priority_t * priority_cache,
                                                goto error;
                                }
                        } else if (c_strncasecmp
-                               (&broken_list[i][1], "MAC-ALL", 7) == 0) {
-                               bulk_fn(&(*priority_cache)->_mac,
-                                       mac_priority_normal);
+                                (&broken_list[i][1], "MAC-", 4) == 0) {
+                               if (c_strncasecmp
+                                   (&broken_list[i][1], "MAC-ALL", 7) == 0) {
+                                       bulk_fn(&(*priority_cache)->_mac,
+                                                       mac_priority_normal);
+                               } else if (c_strncasecmp
+                                   (&broken_list[i][1], "MAC-GOST-ALL", 12) == 0) {
+                                       bulk_fn(&(*priority_cache)->_mac,
+                                                       mac_priority_gost);
+                               }
                        } else if (c_strncasecmp
-                               (&broken_list[i][1], "CIPHER-ALL",
-                                10) == 0) {
-                               bulk_fn(&(*priority_cache)->_cipher,
-                                       cipher_priority_normal);
+                                (&broken_list[i][1], "CIPHER-", 7) == 0) {
+                               if (c_strncasecmp
+                                   (&broken_list[i][1], "CIPHER-ALL", 10) == 0) {
+                                       bulk_fn(&(*priority_cache)->_cipher,
+                                                       cipher_priority_normal);
+                               } else if (c_strncasecmp
+                                   (&broken_list[i][1], "CIPHER-GOST-ALL", 15) == 0) {
+                                       bulk_fn(&(*priority_cache)->_cipher,
+                                                       cipher_priority_gost);
+                               }
                        } else if (c_strncasecmp
-                               (&broken_list[i][1], "KX-ALL", 6) == 0) {
-                               bulk_fn(&(*priority_cache)->_kx,
-                                       kx_priority_secure);
+                                (&broken_list[i][1], "KX-", 3) == 0) {
+                               if (c_strncasecmp
+                                   (&broken_list[i][1], "KX-ALL", 6) == 0) {
+                                       bulk_fn(&(*priority_cache)->_kx,
+                                                       kx_priority_secure);
+                               } else if (c_strncasecmp
+                                   (&broken_list[i][1], "KX-GOST-ALL", 11) == 0) {
+                                       bulk_fn(&(*priority_cache)->_kx,
+                                                       kx_priority_gost);
+                               }
                        } else
                                goto error;
                } else if (broken_list[i][0] == '%') {
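Review bot: An unrecognised token under the `MAC-`, `CIPHER-` or `KX-` prefix is now accepted silently, because the three inner `if`/`else if` chains have no final `else` and the outer `else goto error` is no longer reached once the prefix has matched. Before this change a mistyped directive (for example a constructed `-CIPHER-AL`) fell through to `goto error`; now parsing succeeds and the priority set is left untouched, so a typo in a directive meant to remove algorithms goes unnoticed by the caller. Close each inner chain with `else goto error;`. The body of gnutls_priority_init begins and ends outside this hunk, so the behaviour at the `error` label is assumed unchanged.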
index 1271bb3501edf7c55008f3b67e8abec977582973..862fe8589407b6d805780c8076245aad548875ae 100644 (file)
@@ -155,10 +155,10 @@ void doit(void)
                server_priority = "NORMAL:+CTYPE-ALL"
                        ":+VKO-GOST-12"
                        ":+GROUP-GOST-ALL"
-                       ":+GOST28147-TC26Z-CNT"
-                       ":+GOST28147-TC26Z-IMIT"
+                       ":+CIPHER-GOST-ALL"
+                       ":+MAC-GOST-ALL"
                        ":+SIGN-GOST-ALL";
-               const char *gost_client_prio = "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL";
+               const char *gost_client_prio = "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL";
                try_with_key("TLS 1.2 with gost12 256 no-cli-cert (ctype X.509)", gost_client_prio, GNUTLS_KX_VKO_GOST_12, GNUTLS_SIGN_GOST_256, GNUTLS_SIGN_UNKNOWN,
                        &server_ca3_gost12_256_cert, &server_ca3_gost12_256_key, NULL, NULL, 0, GNUTLS_CRT_X509, GNUTLS_CRT_UNKNOWN);
                try_with_key("TLS 1.2 with gost12 256 ask cli-cert (ctype X.509)", gost_client_prio, GNUTLS_KX_VKO_GOST_12, GNUTLS_SIGN_GOST_256, GNUTLS_SIGN_UNKNOWN,
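Review bot: None of the updated priority strings uses `KX-GOST-ALL`. Here and in the tls12-server-kx-neg.c and tls13-server-kx-neg.c hunks the key exchange is still selected with `+VKO-GOST-12`, so the third new shortcut and its `kx_priority_gost` table are never parsed by a test in this commit. Switching at least one case to `:-KX-ALL:+KX-GOST-ALL` would exercise it, and under a memory sanitizer would also show whether that table is walked past its end. A negative case that passes a misspelled shortcut and expects gnutls_priority_init to return an error would pin down the rejection path as well. doit() continues outside this hunk.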
index 4ae49b226ceebb2218fbb7b9685b294333ed3db9..e3a2de363a744ed93158b7c699fe2028434f6c92 100644 (file)
@@ -469,8 +469,8 @@ test_case_st tests[] = {
                .client_ret = GNUTLS_E_AGAIN,
                .server_ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS,
                .not_on_fips = 1,
-               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
-               .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
+               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
+               .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
        },
        {
                .name = "TLS 1.2 VKO-GOST-12 with cred but no cert",
@@ -478,8 +478,8 @@ test_case_st tests[] = {
                .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
                .have_cert_cred = 1,
                .not_on_fips = 1,
-               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
-               .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
+               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
+               .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
        },
        {
                .name = "TLS 1.2 VKO-GOST-12 with cred but no GOST cert",
@@ -489,8 +489,8 @@ test_case_st tests[] = {
                .have_rsa_sign_cert = 1,
                .have_rsa_decrypt_cert = 1,
                .not_on_fips = 1,
-               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
-               .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
+               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
+               .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
        },
        {
                .name = "TLS 1.2 VKO-GOST-12 with cred and GOST12-256 cert",
@@ -499,8 +499,8 @@ test_case_st tests[] = {
                .have_cert_cred = 1,
                .have_gost12_256_cert = 1,
                .not_on_fips = 1,
-               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
-               .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
+               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
+               .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
        },
        {
                .name = "TLS 1.2 VKO-GOST-12 with cred and GOST12-512 cert",
@@ -509,8 +509,8 @@ test_case_st tests[] = {
                .have_cert_cred = 1,
                .have_gost12_512_cert = 1,
                .not_on_fips = 1,
-               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
-               .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
+               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
+               .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
        },
        {
                .name = "TLS 1.2 VKO-GOST-12 with cred and multiple certs",
@@ -523,8 +523,8 @@ test_case_st tests[] = {
                .have_gost12_256_cert = 1,
                .have_gost12_512_cert = 1,
                .not_on_fips = 1,
-               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
-               .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
+               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
+               .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
        },
        {
                .name = "TLS 1.2 VKO-GOST-12 with cred and GOST12-256 cert client lacking signature algs (like SChannel)",
@@ -533,8 +533,8 @@ test_case_st tests[] = {
                .have_cert_cred = 1,
                .have_gost12_256_cert = 1,
                .not_on_fips = 1,
-               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
-               .client_prio = "NONE:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+VERS-TLS1.2:+SIGN-RSA-SHA256"
+               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
+               .client_prio = "NONE:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+VERS-TLS1.2:+SIGN-RSA-SHA256"
        },
        {
                .name = "TLS 1.2 VKO-GOST-12 with cred and GOST12-512 cert client lacking signature algs (like SChannel)",
@@ -543,8 +543,8 @@ test_case_st tests[] = {
                .have_cert_cred = 1,
                .have_gost12_512_cert = 1,
                .not_on_fips = 1,
-               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
-               .client_prio = "NONE:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+VERS-TLS1.2:+SIGN-RSA-SHA256"
+               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
+               .client_prio = "NONE:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+VERS-TLS1.2:+SIGN-RSA-SHA256"
        },
 #endif
 };
index 91651a80a0077a102c995dba7c34a5767fc30cee..a4cca3faaf26ab43d8b70550fabb1f69f29913f4 100644 (file)
@@ -232,8 +232,8 @@ test_case_st tests[] = {
                .have_cert_cred = 1,
                .have_gost12_256_cert = 1,
                .not_on_fips = 1,
-               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:"PVERSION,
-               .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:" "-VERS-ALL:+VERS-TLS1.2",
+               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:"PVERSION,
+               .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:" "-VERS-ALL:+VERS-TLS1.2",
                .exp_version = GNUTLS_TLS1_2,
        },
        {
@@ -243,8 +243,8 @@ test_case_st tests[] = {
                .have_cert_cred = 1,
                .have_gost12_512_cert = 1,
                .not_on_fips = 1,
-               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:"PVERSION,
-               .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:" "-VERS-ALL:+VERS-TLS1.2",
+               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:"PVERSION,
+               .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:" "-VERS-ALL:+VERS-TLS1.2",
                .exp_version = GNUTLS_TLS1_2,
        },
        {
@@ -254,8 +254,8 @@ test_case_st tests[] = {
                .have_cert_cred = 1,
                .have_gost12_256_cert = 1,
                .not_on_fips = 1,
-               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:" "-VERS-ALL:+VERS-TLS1.2",
-               .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:"PVERSION,
+               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:" "-VERS-ALL:+VERS-TLS1.2",
+               .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:"PVERSION,
                .exp_version = GNUTLS_TLS1_2,
        },
        {
@@ -265,8 +265,8 @@ test_case_st tests[] = {
                .have_cert_cred = 1,
                .have_gost12_512_cert = 1,
                .not_on_fips = 1,
-               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:" "-VERS-ALL:+VERS-TLS1.2",
-               .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:"PVERSION,
+               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:" "-VERS-ALL:+VERS-TLS1.2",
+               .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:"PVERSION,
                .exp_version = GNUTLS_TLS1_2,
        },
        /* Ideally for the next two test cases we should fallback to TLS 1.2 + GOST
@@ -278,8 +278,8 @@ test_case_st tests[] = {
                .have_cert_cred = 1,
                .have_gost12_256_cert = 1,
                .not_on_fips = 1,
-               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:"PVERSION,
-               .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:"PVERSION,
+               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:"PVERSION,
+               .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:"PVERSION,
                .exp_version = GNUTLS_TLS1_2,
        },
        {
@@ -289,8 +289,8 @@ test_case_st tests[] = {
                .have_cert_cred = 1,
                .have_gost12_512_cert = 1,
                .not_on_fips = 1,
-               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:"PVERSION,
-               .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:"PVERSION,
+               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:"PVERSION,
+               .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:"PVERSION,
                .exp_version = GNUTLS_TLS1_2,
        },
 #endif