author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2015-10-15 18:20:38 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2015-10-15 18:21:36 +0200 |
commit | b237b37d4d17ee4f98629aae9d72aec87f434cb8 (patch) | |
tree | c076ed68c24fbb9ff0c482c0088dbf108b34edb8 /lib/algorithms | |
parent | 38e396f3247cb56174f6807a96ba5c8a62df7f3b (diff) | |
download | gnutls-b237b37d4d17ee4f98629aae9d72aec87f434cb8.tar.gz |
Tolerate priority strings with names of legacy ciphers and key exchanges
That enables better backwards compatibility with old applications
that disable or enable algorithms that are no longer supported.
Relates #44
Diffstat (limited to 'lib/algorithms')
-rw-r--r-- | lib/algorithms/ciphers.c | 13 | ||||
-rw-r--r-- | lib/algorithms/kx.c | 19 |
2 files changed, 27 insertions, 5 deletions
diff --git a/lib/algorithms/ciphers.c b/lib/algorithms/ciphers.c
index 1c5529c507..e69f54f38f 100644
--- a/lib/algorithms/ciphers.c
+++ b/lib/algorithms/ciphers.c
@@ -31,7 +31,9 @@
  * View first: "The order of encryption and authentication for
  * protecting communications" by Hugo Krawczyk - CRYPTO 2001
  *
- * Make sure to update MAX_CIPHER_BLOCK_SIZE and MAX_CIPHER_KEY_SIZE as well.
+ * On update, make sure to update MAX_CIPHER_BLOCK_SIZE and MAX_CIPHER_KEY_SIZE
+ * as well. If any ciphers are removed, modify the is_legacy() functions
+ * in priority.c.
  */
 static const cipher_entry_st algorithms[] = {
 	{ .name = "AES-256-CBC",
@@ -229,13 +231,14 @@ const cipher_entry_st *cipher_to_entry(gnutls_cipher_algorithm_t c)
 	return NULL;
 }
-const cipher_entry_st * cipher_name_to_entry(const char *name)
+/* Returns cipher entry even for ciphers that are not supported,
+ * but are listed (e.g., deprecated ciphers).
+ */
+const cipher_entry_st *cipher_name_to_entry(const char *name)
 {
 	GNUTLS_CIPHER_LOOP(
 		if (strcasecmp(p->name, name) == 0) {
-			if (p->id == GNUTLS_CIPHER_NULL || _gnutls_cipher_exists(p->id))
-				return p;
-			break;
+			return p;
 		}
 	);
diff --git a/lib/algorithms/kx.c b/lib/algorithms/kx.c
index 6373f930a0..9f83a6074a 100644
--- a/lib/algorithms/kx.c
+++ b/lib/algorithms/kx.c
@@ -124,6 +124,7 @@ static const gnutls_kx_algo_entry _gnutls_kx_algorithms[] = {
 	{"ECDHE-PSK", GNUTLS_KX_ECDHE_PSK, &ecdhe_psk_auth_struct, 0, GNUTLS_PK_UNKNOWN},
 #endif
 #endif
+	{"RSA-EXPORT", GNUTLS_KX_INVALID, NULL, 0, GNUTLS_PK_UNKNOWN},
 	{0, 0, 0, 0, 0}
 };
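Review bot: With the `_gnutls_cipher_exists()` check dropped from the match in `cipher_name_to_entry()`, every caller now has to decide for itself whether the returned entry is actually usable, and the new comment block does not say so. I would make the contract explicit in that comment: `/* Returns the cipher entry for a name, including ciphers that are listed but not available in the crypto backend (e.g., deprecated ones); a caller that enables the cipher must still check _gnutls_cipher_exists(p->id). */`. The callers outside lib/algorithms are not visible here, so whether each one already performs that check has to be confirmed; the first hunk points at the is_legacy() handling in priority.c, which presumably is where the filtering is meant to happen. The rest of cipher_name_to_entry (its fall-through return) lies outside the hunk.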
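Review bot: The new RSA-EXPORT row in `_gnutls_kx_algorithms` carries a `NULL` auth struct and `GNUTLS_KX_INVALID` as its algorithm, and nothing in the hunk marks it as a row that lookups must skip. Any loop over this table that dereferences `p->auth_struct` or matches on it (the other GNUTLS_KX_LOOP users are not visible in this diff) would need a NULL or `GNUTLS_KX_INVALID` guard; I would annotate the row with `/* legacy name kept only so priority strings still parse: algorithm is GNUTLS_KX_INVALID and auth_struct is NULL; skip in lookups by id or auth struct */`. Whether the existing lookups in kx.c already skip such a row has to be confirmed against the rest of the file.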
@@ -191,6 +192,24 @@ gnutls_kx_algorithm_t gnutls_kx_get_id(const char *name)
 	gnutls_kx_algorithm_t ret = GNUTLS_KX_UNKNOWN;
 	GNUTLS_KX_LOOP(
+		if (strcasecmp(p->name, name) == 0 && p->algorithm != GNUTLS_KX_INVALID) {
+			ret = p->algorithm;
+			break;
+		}
+	);
+
+	return ret;
+}
+
+/* As with gnutls_kx_get_id(), but it returns all known
+ * key exchange algorithms (even legacy), with GNUTLS_KX_INVALID
+ * value.
+ */
+int _gnutls_kx_get_id(const char *name)
+{
+	gnutls_kx_algorithm_t ret = GNUTLS_KX_UNKNOWN;
+
+	GNUTLS_KX_LOOP(
 		if (strcasecmp(p->name, name) == 0) {
 			ret = p->algorithm;
 			break; |
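Review bot: `_gnutls_kx_get_id()` can return two different "not usable" sentinels — `GNUTLS_KX_UNKNOWN` when the name is not in the table at all and `GNUTLS_KX_INVALID` when it names a legacy row such as RSA-EXPORT — and the new header comment mentions only the second. I would state both so a caller in the priority parser can tell a misspelled name from a legacy one: `/* As gnutls_kx_get_id(), but also resolves legacy names: returns GNUTLS_KX_INVALID for a known-but-unsupported algorithm and GNUTLS_KX_UNKNOWN for a name that is not in the table. */`. The function is also declared as returning `int` while `ret` is a `gnutls_kx_algorithm_t` and the sibling `gnutls_kx_get_id()` returns that type; unless a header outside this diff requires `int`, `gnutls_kx_algorithm_t _gnutls_kx_get_id(const char *name)` would keep the two consistent. The body of `_gnutls_kx_get_id()` continues past the end of the hunk.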