[gnutls-devel] BNF of priority strings
Jouko Orava
jouko.orava at helsinki.fi
Sat Jan 26 13:53:00 CET 2013
Hi,
As a step towards "better" priority string logic,
I built a BNF spec of the existing priority strings.
Three comments, though:
1. Since the NULL MAC string is "MAC-NULL",
it has to be specified as "MAC-MAC-NULL".
I don't know if anyone ever needs to specify it, though.
2. Commit 8d69e1bd9e61cc0b390ca987fd66ec2aad9c0d3c
states that it adds elliptic curve SECP512R1,
but it actually adds "SECP521R1". 512 != 521.
Either the comment or the code is wrong.
3. All "...-ALL" accept any extra suffix
(not containing a colon). In other words,
"CURVE-ALLISON" is the same as "CURVE-ALL",
as the "...-ALL..." are checked before the
more specific ones.
In practice, any name starting with "ALL"
is impossible to specify.
The BNF for specifying a priority string:
<priority_string> ::= <level>
| <level> { ":" <spec> }
| <spec> { ":" <spec> }
<level> ::= "NONE"
| "NORMAL"
| "PERFORMANCE"
| "SECURE128"
| "SECURE192"
| "SECURE256"
| "SUITEB128"
| "SUITEB192"
| "EXPORT"
<spec> ::= "+" <level>
| "+" <all>
| "-" <all> | "!" <all>
| "+" <cipher>
| "-" <cipher> | "!" <cipher>
| "+" <mac>
| "-" <mac> | "!" <mac>
| "+" <kx>
| "-" <kx> | "!" <kx>
| "+" "VERS-" <vers>
| "-" "VERS-" <vers> | "!" "VERS-" <vers>
| "+" "COMP-" <comp>
| "-" "COMP-" <comp> | "!" "COMP-" <comp>
| "+" "CURVE-" <curve>
| "-" "CURVE-" <curve> | "!" "CURVE-" <curve>
| "+" "CTYPE-" <ctype>
| "-" "CTYPE-" <ctype> | "!" "CTYPE-" <ctype>
| "+" "SIGN-" <sign>
| "-" "SIGN-" <sign> | "!" "SIGN-" <sign>
| "%" <special>
<all> ::= "VERS-TLS-ALL" [ <padding> ]
| "COMP-ALL" [ <padding> ]
| "CURVE-ALL" [ <padding> ]
| "CTYPE-ALL" [ <padding> ]
| "SIGN-ALL" [ <padding> ]
| "MAC-ALL" [ <padding> ]
| "CIPHER-ALL" [ <padding> ]
| "KX-ALL" [ <padding> ]
<cipher> ::= "AES-256-CBC"
| "AES-192-CBC"
| "AES-128-CBC"
| "AES-128-GCM"
| "AES-256-GCM"
| "ARCFOUR-128"
| "CAMELLIA-256-CBC"
| "CAMELLIA-192-CBC"
| "CAMELLIA-128-CBC"
| "3DES-CBC"
| "DES-CBC"
| "ARCFOUR-40"
| "RC2-40"
| "IDEA-PGP-CFB"
| "3DES-PGP-CFB"
| "CAST5-PGP-CFB"
| "BLOWFISH-PGP-CFB"
| "SAFER-SK128-PGP-CFB"
| "AES-128-PGP-CFB"
| "AES-192-PGP-CFB"
| "AES-256-PGP-CFB"
| "TWOFISH-PGP-CFB"
| "NULL"
<mac> ::= "SHA1"
| "MD5"
| "SHA256"
| "SHA384"
| "SHA512"
| "SHA224"
| "AEAD"
| "MD2"
| "RIPEMD160"
| "MAC-NULL"
<kx> ::= "ANON-DH"
| "ANON-ECDH"
| "RSA"
| "RSA-EXPORT"
| "DHE-RSA"
| "ECDHE-RSA"
| "ECDHE-ECDSA"
| "DHE-DSS"
| "SRP-DSS"
| "SRP-RSA"
| "SRP"
| "PSK"
| "DHE-PSK"
| "ECDHE-PSK"
<vers> ::= "SSL3.0"
| "TLS1.0"
| "TLS1.1"
| "TLS1.2"
| "DTLS0.9"
| "DTLS1.0"
<comp> ::= "NULL"
| "DEFLATE"
<curve> ::= "SECP192R1"
| "SECP224R1"
| "SECP256R1"
| "SECP384R1"
| "SECP521R1"
<ctype> ::= "X.509" | "X509"
| "OPENPGP"
<sign> ::= "RSA-SHA1"
| "RSA-SHA224"
| "RSA-SHA256"
| "RSA-SHA384"
| "RSA-SHA512"
| "RSA-RMD160"
| "DSA-SHA1"
| "DSA-SHA224"
| "DSA-SHA256"
| "RSA-MD5"
| "RSA-MD2"
| "ECDSA-SHA1"
| "ECDSA-SHA224"
| "ECDSA-SHA256"
| "ECDSA-SHA384"
| "ECDSA-SHA512"
| "GOST R 34.10-2001"
| "GOST R 34.10-94"
<special> ::= "COMPAT"
| "NO_EXTENSIONS"
| "STATELESS_COMPRESSION"
| "VERIFY_ALLOW_SIGN_RSA_MD5"
| "VERIFY_DISABLE_CRL_CHECKS"
| "SSL3_RECORD_VERSION"
| "LATEST_RECORD_VERSION"
| "VERIFY_ALLOW_X509_V1_CA_CRT"
| "VERIFY_DISABLE_CRL_CHECKS"
| "SSL3_RECORD_VERSION"
| "LATEST_RECORD_VERSION"
| "VERIFY_ALLOW_X509_V1_CA_CRT"
| "UNSAFE_RENEGOTIATION"
| "SAFE_RENEGOTIATION"
| "PARTIAL_RENEGOTIATION"
| "DISABLE_SAFE_RENEGOTIATION"
| "SERVER_PRECEDENCE"
| "NEW_PADDING"
<padding> ::= any number of characters except colon ':'
Regards,
Jouko Orava
More information about the Gnutls-devel
mailing list