/**
* gnutls_priority_init:
* @priority_cache: is a #gnutls_prioritity_t structure.
* @priorities: is a string describing priorities
* @err_pos: In case of an error this will have the position in the string the error occurred
*
* Sets priorities for the ciphers, key exchange methods, macs and
* compression methods.
*
* The #priorities option allows you to specify a colon
* separated list of the cipher priorities to enable.
* Some keywords are defined to provide quick access
* to common preferences.
*
* Unless there is a special need, use the "NORMAL" keyword to
* apply a reasonable security level, or "NORMAL:%COMPAT" for compatibility.
*
* "PERFORMANCE" means all the "secure" ciphersuites are enabled,
* limited to 128 bit ciphers and sorted by terms of speed
* performance.
*
* "LEGACY" the NORMAL settings for GnuTLS 3.2.x or earlier. There is
* no verification profile set, and the allowed DH primes are considered
* weak today.
*
* "NORMAL" means all "secure" ciphersuites. The 256-bit ciphers are
* included as a fallback only. The ciphers are sorted by security
* margin.
*
* "PFS" means all "secure" ciphersuites that support perfect forward secrecy.
* The 256-bit ciphers are included as a fallback only.
* The ciphers are sorted by security margin.
*
* "SECURE128" means all "secure" ciphersuites of security level 128-bit
* or more.
*
* "SECURE192" means all "secure" ciphersuites of security level 192-bit
* or more.
*
* "SUITEB128" means all the NSA SuiteB ciphersuites with security level
* of 128.
*
* "SUITEB192" means all the NSA SuiteB ciphersuites with security level
* of 192.
*
* "EXPORT" means all ciphersuites are enabled, including the
* low-security 40 bit ciphers.
*
* "NONE" means nothing is enabled. This disables even protocols and
* compression methods.
*
* "@KEYWORD" The system administrator imposed settings. The provided keywords
* will be expanded from a configuration-time provided file - default is:
* /etc/gnutls/default-priorities. Any keywords that follow it, will
* be appended to the expanded string. If there is no system string,
* then the function will fail. The system file should be formatted
* as "KEYWORD=VALUE", e.g., "SYSTEM=NORMAL:-ARCFOUR-128".
*
* Special keywords are "!", "-" and "+".
* "!" or "-" appended with an algorithm will remove this algorithm.
* "+" appended with an algorithm will add this algorithm.
*
* Check the GnuTLS manual section "Priority strings" for detailed
* information.
*
* Examples:
*
* "NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-NULL"
*
* "NORMAL:-ARCFOUR-128" means normal ciphers except for ARCFOUR-128.
*
* "SECURE128:-VERS-SSL3.0:+COMP-DEFLATE" means that only secure ciphers are
* enabled, SSL3.0 is disabled, and libz compression enabled.
*
* "NONE:+VERS-TLS-ALL:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL:+SIGN-RSA-SHA1",
*
* "NONE:+VERS-TLS-ALL:+AES-128-CBC:+ECDHE-RSA:+SHA1:+COMP-NULL:+SIGN-RSA-SHA1:+CURVE-SECP256R1",
*
* "SECURE256:+SECURE128",
*
* Note that "NORMAL:%COMPAT" is the most compatible mode.
*
* Returns: On syntax error %GNUTLS_E_INVALID_REQUEST is returned,
* %GNUTLS_E_SUCCESS on success, or an error code.
**/
int
gnutls_priority_init(gnutls_priority_t * priority_cache,
const char *priorities, const char **err_pos)
{
char *broken_list[MAX_ELEMENTS];
int broken_list_size = 0, i = 0, j;
char *darg = NULL;
unsigned ikeyword_set = 0;
int algo;
rmadd_func *fn;
bulk_rmadd_func *bulk_fn;
if (err_pos)
*err_pos = priorities;
*priority_cache =
gnutls_calloc(1, sizeof(struct gnutls_priority_st));
if (*priority_cache == NULL) {
gnutls_assert();
return GNUTLS_E_MEMORY_ERROR;
}
/* for now unsafe renegotiation is default on everyone. To be removed
* when we make it the default.
*/
(*priority_cache)->sr = SR_PARTIAL;
(*priority_cache)->ssl3_record_version = 1;
(*priority_cache)->max_empty_records = DEFAULT_MAX_EMPTY_RECORDS;
if (priorities == NULL)
priorities = "NORMAL";
darg = resolve_priorities(priorities);
if (darg == NULL) {
gnutls_assert();
goto error;
}
break_list(darg, broken_list, &broken_list_size);
/* This is our default set of protocol version, certificate types and
* compression methods.
*/
if (strcasecmp(broken_list[0], LEVEL_NONE) != 0) {
_set_priority(&(*priority_cache)->protocol,
protocol_priority);
_set_priority(&(*priority_cache)->compression,
comp_priority);
_set_priority(&(*priority_cache)->cert_type,
cert_type_priority_default);
_set_priority(&(*priority_cache)->sign_algo,
sign_priority_default);
_set_priority(&(*priority_cache)->supported_ecc,
supported_ecc_normal);
i = 0;
} else {
ikeyword_set = 1;
i = 1;
}
for (; i < broken_list_size; i++) {
if (check_level(broken_list[i], *priority_cache, ikeyword_set) != 0) {
ikeyword_set = 1;
continue;
} else if (broken_list[i][0] == '!'
|| broken_list[i][0] == '+'
|| broken_list[i][0] == '-') {
if (broken_list[i][0] == '+') {
fn = prio_add;
bulk_fn = _add_priority;
} else {
fn = prio_remove;
bulk_fn = _clear_priorities;
}
if (broken_list[i][0] == '+'
&& check_level(&broken_list[i][1],
*priority_cache, 1) != 0) {
continue;
} else if ((algo =
gnutls_mac_get_id(&broken_list[i][1]))
!= GNUTLS_MAC_UNKNOWN)
fn(&(*priority_cache)->mac, algo);
else if ((algo =
gnutls_cipher_get_id(&broken_list[i][1]))
!= GNUTLS_CIPHER_UNKNOWN)
fn(&(*priority_cache)->cipher, algo);
else if ((algo =
gnutls_kx_get_id(&broken_list[i][1])) !=
GNUTLS_KX_UNKNOWN)
fn(&(*priority_cache)->kx, algo);
else if (strncasecmp
(&broken_list[i][1], "VERS-", 5) == 0) {
if (strncasecmp
(&broken_list[i][1], "VERS-TLS-ALL",
12) == 0) {
bulk_fn(&(*priority_cache)->
protocol,
protocol_priority);
} else
if (strncasecmp
(&broken_list[i][1],
"VERS-DTLS-ALL", 13) == 0) {
bulk_fn(&(*priority_cache)->
protocol,
dtls_protocol_priority);
} else {
if ((algo =
gnutls_protocol_get_id
(&broken_list[i][6])) !=
GNUTLS_VERSION_UNKNOWN)
fn(&(*priority_cache)->
protocol, algo);
else
goto error;
}
} /* now check if the element is something like -ALGO */
else if (strncasecmp
(&broken_list[i][1], "COMP-", 5) == 0) {
if (strncasecmp
(&broken_list[i][1], "COMP-ALL",
8) == 0) {
bulk_fn(&(*priority_cache)->
compression,
comp_priority);
} else {
if ((algo =
gnutls_compression_get_id
(&broken_list[i][6])) !=
GNUTLS_COMP_UNKNOWN)
fn(&(*priority_cache)->
compression, algo);
else
goto error;
}
} /* now check if the element is something like -ALGO */
else if (strncasecmp
(&broken_list[i][1], "CURVE-", 6) == 0) {
if (strncasecmp
(&broken_list[i][1], "CURVE-ALL",
9) == 0) {
bulk_fn(&(*priority_cache)->
supported_ecc,
supported_ecc_normal);
} else {
if ((algo =
_gnutls_ecc_curve_get_id
(&broken_list[i][7])) !=
GNUTLS_ECC_CURVE_INVALID)
fn(&(*priority_cache)->
supported_ecc, algo);
else
goto error;
}
} /* now check if the element is something like -ALGO */
else if (strncasecmp
(&broken_list[i][1], "CTYPE-", 6) == 0) {
if (strncasecmp
(&broken_list[i][1], "CTYPE-ALL",
9) == 0) {
bulk_fn(&(*priority_cache)->
cert_type,
cert_type_priority_all);
} else {
if ((algo =
gnutls_certificate_type_get_id
(&broken_list[i][7])) !=
GNUTLS_CRT_UNKNOWN)
fn(&(*priority_cache)->
cert_type, algo);
else
goto error;
}
} /* now check if the element is something like -ALGO */
else if (strncasecmp
(&broken_list[i][1], "SIGN-", 5) == 0) {
if (strncasecmp
(&broken_list[i][1], "SIGN-ALL",
8) == 0) {
bulk_fn(&(*priority_cache)->
sign_algo,
sign_priority_default);
} else {
if ((algo =
gnutls_sign_get_id
(&broken_list[i][6])) !=
GNUTLS_SIGN_UNKNOWN)
fn(&(*priority_cache)->
sign_algo, algo);
else
goto error;
}
} else
if (strncasecmp
(&broken_list[i][1], "MAC-ALL", 7) == 0) {
bulk_fn(&(*priority_cache)->mac,
mac_priority_normal);
} else
if (strncasecmp
(&broken_list[i][1], "CIPHER-ALL",
10) == 0) {
bulk_fn(&(*priority_cache)->cipher,
cipher_priority_normal);
} else
if (strncasecmp
(&broken_list[i][1], "KX-ALL", 6) == 0) {
bulk_fn(&(*priority_cache)->kx,
kx_priority_secure);
} else
goto error;
} else if (broken_list[i][0] == '%') {
const struct priority_options_st * o;
/* to add a new option modify
* priority_options.gperf */
o = in_word_set(&broken_list[i][1], strlen(&broken_list[i][1]));
if (o == NULL) {
goto error;
}
o->func(*priority_cache);
} else
goto error;
}
free(darg);
return 0;
error:
if (err_pos != NULL && i < broken_list_size) {
*err_pos = priorities;
for (j = 0; j < i; j++) {
(*err_pos) += strlen(broken_list[j]) + 1;
}
}
free(darg);
gnutls_free(*priority_cache);
*priority_cache = NULL;
return GNUTLS_E_INVALID_REQUEST;
}
main ( int argc, char **argv)
{
time_t r;
int a, b, c, d, e;
char time_string[100];
Parameter *PARAM;
PARAM=declare_parameter();
get_ref_time (PARAM);
argv=break_list ( argv, &argc, "=:;,");
process_command_line ( argc,argv, PARAM);
read_command_line ( argc,argv, PARAM);
fprintf ( stderr, "\nFINISHED READING PARAMETERS");
declare_dos_2 ( PARAM);
INTERACTIVE_PROMPT_SET=(PARAM->BGA)->INTERACTIVE;
if ( (PARAM->BGA)->OUTPUT_SCREEN==0)
{
(PARAM->std0)=stderr;
(PARAM->std1)=(PARAM->std2)=fopen ( "/dev/null", "w");
}
else if ( (PARAM->BGA)->OUTPUT_SCREEN==1)
{
(PARAM->std0)=(PARAM->std1)=stderr;
(PARAM->std2)=fopen ( "/dev/null", "w");
}
else if ((PARAM->BGA)->OUTPUT_SCREEN==2)
{
(PARAM->std0)=(PARAM->std1)=(PARAM->std2)=stderr;
}
time(&r);
sprintf ( time_string, "%d", (int) r);
PARAM->START=r;
if ( (PARAM->BGA)->RANDOM_SEED >0)
{addrandinit ( (unsigned long) (PARAM->BGA)->RANDOM_SEED);
if ( ((PARAM->BGA)->OUTPUT_SCREEN)==1)printf ( "\nRANDOM_SEED= %d",(PARAM->BGA)->RANDOM_SEED);
}
else if ( (PARAM->BGA)->RANDOM_SEED== -1)
{
b=0;
for ( a= strlen ( time_string)-1; a>=strlen ( time_string)-3; a--)
time_string[b++]= time_string[a];
time_string[b]='\0';
(PARAM->BGA)->RANDOM_SEED= atoi ( time_string);
addrandinit ( (unsigned long) (PARAM->BGA)->RANDOM_SEED);
fprintf ((PARAM->std1), "\nRANDOM_SEED(undet)= %d",(PARAM->BGA)->RANDOM_SEED);
}
process_param (PARAM);
input_data (PARAM);
main_do_aln (PARAM);
}
