1 /*
2  * Copyright (C) 2011-2012 Free Software Foundation, Inc.
3  *
4  * Author: Nikos Mavrogiannopoulos
5  *
6  * This file is part of GnuTLS.
7  *
8  * The GnuTLS is free software; you can redistribute it and/or
9  * modify it under the terms of the GNU Lesser General Public License
10  * as published by the Free Software Foundation; either version 2.1 of
11  * the License, or (at your option) any later version.
12  *
13  * This library is distributed in the hope that it will be useful, but
14  * WITHOUT ANY WARRANTY; without even the implied warranty of
15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
16  * Lesser General Public License for more details.
17  *
18  * You should have received a copy of the GNU Lesser General Public License
19  * along with this program.  If not, see <http://www.gnu.org/licenses/>
20  *
21  */
22
23 #include <gnutls_int.h>
24 #include <algorithms.h>
25 #include <gnutls_errors.h>
26 #include <gnutls_dh.h>
27 #include <gnutls_state.h>
28 #include <x509/common.h>
29 #include <auth/cert.h>
30 #include <auth/anon.h>
31 #include <auth/psk.h>
32
33 /* Cipher SUITES */
/* ENTRY expands to one gnutls_cipher_suite_entry initializer: #name gives the
 * 'name' string, the suite macro itself expands to the two-byte id, and the
 * last field (prf) is fixed to GNUTLS_MAC_SHA256.
 * ENTRY_PRF is the same except that the caller passes the prf value; the
 * table in this file uses it with GNUTLS_MAC_SHA384 for the *_SHA384 suites.
 */
34 #define ENTRY( name, block_algorithm, kx_algorithm, mac_algorithm, min_version, dtls_version ) \
35         { #name, name, block_algorithm, kx_algorithm, mac_algorithm, min_version, dtls_version, GNUTLS_MAC_SHA256}
36 #define ENTRY_PRF( name, block_algorithm, kx_algorithm, mac_algorithm, min_version, dtls_version, prf ) \
37         { #name, name, block_algorithm, kx_algorithm, mac_algorithm, min_version, dtls_version, prf}
38
/* One row of the cs_algorithms table.
 *   name             - suite macro name as a string (ENTRY/ENTRY_PRF use #name)
 *   id               - the two-byte cipher suite identifier
 *   block_algorithm  - cipher; GNUTLS_CIPHER_NULL rows provide no encryption
 *   kx_algorithm     - key exchange method
 *   mac_algorithm    - record MAC; the table uses GNUTLS_MAC_AEAD for the
 *                      GCM and CCM suites
 *   min_version      - lowest TLS version the suite is supported from
 *   min_dtls_version - lowest DTLS version; the table uses
 *                      GNUTLS_VERSION_UNKNOWN for the ARCFOUR suites
 *                      (presumably meaning "not usable with DTLS" - confirm)
 *   prf              - GNUTLS_MAC_SHA256 unless set through ENTRY_PRF; the
 *                      name suggests the hash used by the PRF - confirm at
 *                      the use site
 */
39 typedef struct {
40         const char *name;
41         const uint8_t id[2];
42         gnutls_cipher_algorithm_t block_algorithm;
43         gnutls_kx_algorithm_t kx_algorithm;
44         gnutls_mac_algorithm_t mac_algorithm;
45         gnutls_protocol_t min_version;  /* this cipher suite is supported
46                                          * from 'version' and above;
47                                          */
48         gnutls_protocol_t min_dtls_version;     /* DTLS min version */
49         gnutls_mac_algorithm_t prf;
50 } gnutls_cipher_suite_entry;
51
52 /* RSA with NULL cipher and MD5 MAC
53  * for test purposes.
54  */
/* NOTE(review): all three ids below are NULL-cipher suites (MD5, SHA1 and
 * SHA256 MACs), not only the MD5 one named above. With a NULL cipher the
 * record payload is authenticated by the MAC but sent unencrypted, so none
 * of them should be enabled where confidentiality is expected.
 */
55 #define GNUTLS_RSA_NULL_MD5 { 0x00, 0x01 }
56 #define GNUTLS_RSA_NULL_SHA1 { 0x00, 0x02 }
57 #define GNUTLS_RSA_NULL_SHA256 { 0x00, 0x3B }
58
59 /* ANONymous cipher suites.
60  */
/* Anonymous DH performs no peer authentication: a session negotiated with
 * one of these ids gives no protection against an active man-in-the-middle
 * unless the peers are authenticated by some other means.
 * ARCFOUR is RC4.
 */
61
62 #define GNUTLS_DH_ANON_3DES_EDE_CBC_SHA1 { 0x00, 0x1B }
63 #define GNUTLS_DH_ANON_ARCFOUR_128_MD5 { 0x00, 0x18 }
64
65  /* rfc3268: */
66 #define GNUTLS_DH_ANON_AES_128_CBC_SHA1 { 0x00, 0x34 }
67 #define GNUTLS_DH_ANON_AES_256_CBC_SHA1 { 0x00, 0x3A }
68
69 /* rfc4132 */
70 #define GNUTLS_DH_ANON_CAMELLIA_128_CBC_SHA1 { 0x00,0x46 }
71 #define GNUTLS_DH_ANON_CAMELLIA_256_CBC_SHA1 { 0x00,0x89 }
72
/* Camellia in CBC mode with a SHA256 or SHA384 record MAC. The DH_ANON ids
 * in this group are anonymous (unauthenticated) key exchanges. For the
 * *_SHA384 ids that appear in the visible part of cs_algorithms, the table
 * uses ENTRY_PRF with GNUTLS_MAC_SHA384.
 */
73 /* rfc5932 */
74 #define GNUTLS_RSA_CAMELLIA_128_CBC_SHA256     { 0x00,0xBA }
75 #define GNUTLS_DHE_DSS_CAMELLIA_128_CBC_SHA256 { 0x00,0xBD }
76 #define GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA256 { 0x00,0xBE }
77 #define GNUTLS_DH_ANON_CAMELLIA_128_CBC_SHA256 { 0x00,0xBF }
78 #define GNUTLS_RSA_CAMELLIA_256_CBC_SHA256     { 0x00,0xC0 }
79 #define GNUTLS_DHE_DSS_CAMELLIA_256_CBC_SHA256 { 0x00,0xC3 }
80 #define GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA256 { 0x00,0xC4 }
81 #define GNUTLS_DH_ANON_CAMELLIA_256_CBC_SHA256 { 0x00,0xC5 }
82
83 /* rfc6367 */
84 #define GNUTLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 { 0xC0,0x72 }
85 #define GNUTLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384 { 0xC0,0x73 }
86 #define GNUTLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256   { 0xC0,0x76 }
87 #define GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384   { 0xC0,0x77 }
88 #define GNUTLS_PSK_CAMELLIA_128_CBC_SHA256     { 0xC0,0x94 }
89 #define GNUTLS_PSK_CAMELLIA_256_CBC_SHA384     { 0xC0,0x95 }
90 #define GNUTLS_DHE_PSK_CAMELLIA_128_CBC_SHA256 { 0xC0,0x96 }
91 #define GNUTLS_DHE_PSK_CAMELLIA_256_CBC_SHA384 { 0xC0,0x97 }
92 #define GNUTLS_RSA_PSK_CAMELLIA_128_CBC_SHA256 { 0xC0,0x98 }
93 #define GNUTLS_RSA_PSK_CAMELLIA_256_CBC_SHA384 { 0xC0,0x99 }
94 #define GNUTLS_ECDHE_PSK_CAMELLIA_128_CBC_SHA256 { 0xC0,0x9A }
95 #define GNUTLS_ECDHE_PSK_CAMELLIA_256_CBC_SHA384 { 0xC0,0x9B }
96
/* Camellia-GCM suites. The entries for these that are visible in
 * cs_algorithms use GNUTLS_MAC_AEAD with GNUTLS_TLS1_2 / GNUTLS_DTLS1_2 as
 * the minimum versions, and the *_SHA384 ones go through ENTRY_PRF with
 * GNUTLS_MAC_SHA384.
 */
97 #define GNUTLS_RSA_CAMELLIA_128_GCM_SHA256          { 0xC0, 0x7A }
98 #define GNUTLS_RSA_CAMELLIA_256_GCM_SHA384          { 0xC0,0x7B }
99 #define GNUTLS_DHE_RSA_CAMELLIA_128_GCM_SHA256      { 0xC0,0x7C }
100 #define GNUTLS_DHE_RSA_CAMELLIA_256_GCM_SHA384      { 0xC0,0x7D }
101 #define GNUTLS_DHE_DSS_CAMELLIA_128_GCM_SHA256      { 0xC0,0x80 }
102 #define GNUTLS_DHE_DSS_CAMELLIA_256_GCM_SHA384      { 0xC0,0x81 }
103 #define GNUTLS_DH_ANON_CAMELLIA_128_GCM_SHA256      { 0xC0,0x84 }
104 #define GNUTLS_DH_ANON_CAMELLIA_256_GCM_SHA384      { 0xC0,0x85 }
105 #define GNUTLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256  { 0xC0,0x86 }
106 #define GNUTLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384  { 0xC0,0x87 }
107 #define GNUTLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256    { 0xC0,0x8A }
108 #define GNUTLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384    { 0xC0,0x8B }
109 #define GNUTLS_PSK_CAMELLIA_128_GCM_SHA256        { 0xC0,0x8E }
110 #define GNUTLS_PSK_CAMELLIA_256_GCM_SHA384        { 0xC0,0x8F }
111 #define GNUTLS_DHE_PSK_CAMELLIA_128_GCM_SHA256    { 0xC0,0x90 }
112 #define GNUTLS_DHE_PSK_CAMELLIA_256_GCM_SHA384    { 0xC0,0x91 }
113 #define GNUTLS_RSA_PSK_CAMELLIA_128_GCM_SHA256    { 0xC0,0x92 }
114 #define GNUTLS_RSA_PSK_CAMELLIA_256_GCM_SHA384    { 0xC0,0x93 }
115
/* Anonymous DH with AES-CBC and a SHA256 MAC: no peer authentication. */
116 #define GNUTLS_DH_ANON_AES_128_CBC_SHA256 { 0x00, 0x6C }
117 #define GNUTLS_DH_ANON_AES_256_CBC_SHA256 { 0x00, 0x6D }
118
119 /* PSK (not in TLS 1.0)
120  * draft-ietf-tls-psk:
121  */
/* draft-ietf-tls-psk was published as RFC 4279. ARCFOUR is RC4, whose use
 * in TLS is prohibited by RFC 7465; the ARCFOUR and 3DES ids are legacy
 * choices and are best left out of default priorities.
 */
122 #define GNUTLS_PSK_ARCFOUR_128_SHA1 { 0x00, 0x8A }
123 #define GNUTLS_PSK_3DES_EDE_CBC_SHA1 { 0x00, 0x8B }
124 #define GNUTLS_PSK_AES_128_CBC_SHA1 { 0x00, 0x8C }
125 #define GNUTLS_PSK_AES_256_CBC_SHA1 { 0x00, 0x8D }
126
127 #define GNUTLS_DHE_PSK_ARCFOUR_128_SHA1 { 0x00, 0x8E }
128 #define GNUTLS_DHE_PSK_3DES_EDE_CBC_SHA1 { 0x00, 0x8F }
129 #define GNUTLS_DHE_PSK_AES_128_CBC_SHA1 { 0x00, 0x90 }
130 #define GNUTLS_DHE_PSK_AES_256_CBC_SHA1 { 0x00, 0x91 }
131
132 #define GNUTLS_RSA_PSK_ARCFOUR_128_SHA1 { 0x00, 0x92 }
133 #define GNUTLS_RSA_PSK_3DES_EDE_CBC_SHA1 { 0x00, 0x93 }
134 #define GNUTLS_RSA_PSK_AES_128_CBC_SHA1 { 0x00, 0x94 }
135 #define GNUTLS_RSA_PSK_AES_256_CBC_SHA1 { 0x00, 0x95 }
136
137 /* SRP (rfc5054)
138  */
/* SRP_SHA_* authenticates through the SRP exchange alone; the SRP_SHA_RSA_*
 * and SRP_SHA_DSS_* variants additionally use a server certificate. Only
 * 3DES and AES in CBC mode with a SHA1 MAC are defined here.
 */
139 #define GNUTLS_SRP_SHA_3DES_EDE_CBC_SHA1 { 0xC0, 0x1A }
140 #define GNUTLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1 { 0xC0, 0x1B }
141 #define GNUTLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1 { 0xC0, 0x1C }
142
143 #define GNUTLS_SRP_SHA_AES_128_CBC_SHA1 { 0xC0, 0x1D }
144 #define GNUTLS_SRP_SHA_RSA_AES_128_CBC_SHA1 { 0xC0, 0x1E }
145 #define GNUTLS_SRP_SHA_DSS_AES_128_CBC_SHA1 { 0xC0, 0x1F }
146
147 #define GNUTLS_SRP_SHA_AES_256_CBC_SHA1 { 0xC0, 0x20 }
148 #define GNUTLS_SRP_SHA_RSA_AES_256_CBC_SHA1 { 0xC0, 0x21 }
149 #define GNUTLS_SRP_SHA_DSS_AES_256_CBC_SHA1 { 0xC0, 0x22 }
150
151 /* RSA
152  */
/* Static RSA key exchange (GNUTLS_KX_RSA in cs_algorithms): there is no
 * forward secrecy, so a later compromise of the server's private key also
 * exposes previously recorded sessions. ARCFOUR is RC4; the table gives the
 * two ARCFOUR ids GNUTLS_VERSION_UNKNOWN as their DTLS version.
 */
153 #define GNUTLS_RSA_ARCFOUR_128_SHA1 { 0x00, 0x05 }
154 #define GNUTLS_RSA_ARCFOUR_128_MD5 { 0x00, 0x04 }
155 #define GNUTLS_RSA_3DES_EDE_CBC_SHA1 { 0x00, 0x0A }
156
157 /* rfc3268:
158  */
159 #define GNUTLS_RSA_AES_128_CBC_SHA1 { 0x00, 0x2F }
160 #define GNUTLS_RSA_AES_256_CBC_SHA1 { 0x00, 0x35 }
161
162 /* rfc4132 */
163 #define GNUTLS_RSA_CAMELLIA_128_CBC_SHA1 { 0x00,0x41 }
164 #define GNUTLS_RSA_CAMELLIA_256_CBC_SHA1 { 0x00,0x84 }
165
166 #define GNUTLS_RSA_AES_128_CBC_SHA256 { 0x00, 0x3C }
167 #define GNUTLS_RSA_AES_256_CBC_SHA256 { 0x00, 0x3D }
168
169 /* DHE DSS
170  */
/* In cs_algorithms every DHE_DSS entry sits inside #ifdef ENABLE_DHE, so
 * these ids are only offered when the library is built with that option.
 */
171 #define GNUTLS_DHE_DSS_3DES_EDE_CBC_SHA1 { 0x00, 0x13 }
172
173
174 /* draft-ietf-tls-56-bit-ciphersuites-01:
175  */
/* This id comes from an Internet-Draft, not an RFC. ARCFOUR is RC4; the
 * table entry for it uses GNUTLS_VERSION_UNKNOWN as the DTLS version.
 */
176 #define GNUTLS_DHE_DSS_ARCFOUR_128_SHA1 { 0x00, 0x66 }
177
178
179 /* rfc3268:
180  */
181 #define GNUTLS_DHE_DSS_AES_256_CBC_SHA1 { 0x00, 0x38 }
182 #define GNUTLS_DHE_DSS_AES_128_CBC_SHA1 { 0x00, 0x32 }
183
184 /* rfc4132 */
185 #define GNUTLS_DHE_DSS_CAMELLIA_128_CBC_SHA1 { 0x00,0x44 }
186 #define GNUTLS_DHE_DSS_CAMELLIA_256_CBC_SHA1 { 0x00,0x87 }
187
188 #define GNUTLS_DHE_DSS_AES_128_CBC_SHA256 { 0x00, 0x40 }
189 #define GNUTLS_DHE_DSS_AES_256_CBC_SHA256 { 0x00, 0x6A }
190
191 /* DHE RSA
192  */
/* Ephemeral DH with an RSA-signed key exchange. In cs_algorithms the CBC
 * entries for these ids are inside #ifdef ENABLE_DHE.
 */
193 #define GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1 { 0x00, 0x16 }
194
195 /* rfc3268:
196  */
197 #define GNUTLS_DHE_RSA_AES_128_CBC_SHA1 { 0x00, 0x33 }
198 #define GNUTLS_DHE_RSA_AES_256_CBC_SHA1 { 0x00, 0x39 }
199
200 /* rfc4132 */
201 #define GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 { 0x00,0x45 }
202 #define GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 { 0x00,0x88 }
203
204 #define GNUTLS_DHE_RSA_AES_128_CBC_SHA256 { 0x00, 0x67 }
205 #define GNUTLS_DHE_RSA_AES_256_CBC_SHA256 { 0x00, 0x6B }
206
207 /* GCM: RFC5288 */
/* AES-GCM (AEAD) suites. The entries for these that are visible in
 * cs_algorithms use GNUTLS_MAC_AEAD with GNUTLS_TLS1_2 / GNUTLS_DTLS1_2 as
 * minimum versions; the *_SHA384 ids go through ENTRY_PRF with
 * GNUTLS_MAC_SHA384. The DH_ANON ids are unauthenticated key exchanges.
 */
208 #define GNUTLS_RSA_AES_128_GCM_SHA256 { 0x00, 0x9C }
209 #define GNUTLS_DHE_RSA_AES_128_GCM_SHA256 {0x00,0x9E}
210 #define GNUTLS_DHE_DSS_AES_128_GCM_SHA256 {0x00,0xA2}
211 #define GNUTLS_DH_ANON_AES_128_GCM_SHA256 {0x00,0xA6}
212 #define GNUTLS_RSA_AES_256_GCM_SHA384 { 0x00, 0x9D }
213 #define GNUTLS_DHE_RSA_AES_256_GCM_SHA384 {0x00,0x9F}
214 #define GNUTLS_DHE_DSS_AES_256_GCM_SHA384 {0x00,0xA3}
215 #define GNUTLS_DH_ANON_AES_256_GCM_SHA384 {0x00,0xA7}
216
217 /* CCM: RFC6655 */
/* The RSA, DHE_RSA, PSK and DHE_PSK ids are from RFC 6655; the two
 * ECDHE_ECDSA ids (0xC0,0xAC and 0xC0,0xAD) are from RFC 7251.
 * NOTE(review): in cs_algorithms all of the CCM entries are listed before
 * the #ifdef ENABLE_DHE, ENABLE_ECDHE and ENABLE_PSK sections, so the
 * DHE_RSA, ECDHE_ECDSA, PSK and DHE_PSK CCM suites appear to be compiled
 * into the table even when those options are off - confirm that this is
 * intended and that they cannot be negotiated without the key exchange.
 */
218 #define GNUTLS_RSA_AES_128_CCM { 0xC0, 0x9C }
219 #define GNUTLS_RSA_AES_256_CCM { 0xC0, 0x9D }
220 #define GNUTLS_DHE_RSA_AES_128_CCM {0xC0,0x9E}
221 #define GNUTLS_DHE_RSA_AES_256_CCM {0xC0,0x9F}
222
223 #define GNUTLS_ECDHE_ECDSA_AES_128_CCM {0xC0,0xAC}
224 #define GNUTLS_ECDHE_ECDSA_AES_256_CCM {0xC0,0xAD}
225
226 #define GNUTLS_PSK_AES_128_CCM { 0xC0, 0xA4 }
227 #define GNUTLS_PSK_AES_256_CCM { 0xC0, 0xA5 }
228 #define GNUTLS_DHE_PSK_AES_128_CCM {0xC0,0xA6}
229 #define GNUTLS_DHE_PSK_AES_256_CCM {0xC0,0xA7}
230
231
232 /* RFC 5487 */
233 /* GCM-PSK */
234 #define GNUTLS_PSK_AES_128_GCM_SHA256 { 0x00, 0xA8 }
235 #define GNUTLS_DHE_PSK_AES_128_GCM_SHA256 { 0x00, 0xAA }
236 #define GNUTLS_PSK_AES_256_GCM_SHA384 { 0x00, 0xA9 }
237 #define GNUTLS_DHE_PSK_AES_256_GCM_SHA384 { 0x00, 0xAB }
238
/* The *_NULL_* ids in the groups below select a NULL cipher: the record is
 * MAC-protected but not encrypted.
 */
239 #define GNUTLS_PSK_AES_256_CBC_SHA384     { 0x00,0xAF }
240 #define GNUTLS_PSK_NULL_SHA384            { 0x00,0xB1 }
241 #define GNUTLS_DHE_PSK_AES_256_CBC_SHA384 { 0x00,0xB3 }
242 #define GNUTLS_DHE_PSK_NULL_SHA384        { 0x00,0xB5 }
243
/* Not part of RFC 5487: the 0x00,0x2C-0x2E ids are the PSK NULL-SHA suites
 * of RFC 4785, and 0xC0,0x39 is the ECDHE_PSK NULL-SHA suite of RFC 5489.
 */
244 #define GNUTLS_PSK_NULL_SHA1              { 0x00,0x2C }
245 #define GNUTLS_DHE_PSK_NULL_SHA1          { 0x00,0x2D }
246 #define GNUTLS_RSA_PSK_NULL_SHA1          { 0x00,0x2E }
247 #define GNUTLS_ECDHE_PSK_NULL_SHA1        { 0xC0,0x39 }
248
249 #define GNUTLS_RSA_PSK_AES_128_GCM_SHA256 { 0x00,0xAC }
250 #define GNUTLS_RSA_PSK_AES_256_GCM_SHA384 { 0x00,0xAD }
251 #define GNUTLS_RSA_PSK_AES_128_CBC_SHA256 { 0x00,0xB6 }
252 #define GNUTLS_RSA_PSK_AES_256_CBC_SHA384 { 0x00,0xB7 }
253 #define GNUTLS_RSA_PSK_NULL_SHA256        { 0x00,0xB8 }
254 #define GNUTLS_RSA_PSK_NULL_SHA384        { 0x00,0xB9 }
255
256
257 /* PSK - SHA256 HMAC */
258 #define GNUTLS_PSK_AES_128_CBC_SHA256 { 0x00, 0xAE }
259 #define GNUTLS_DHE_PSK_AES_128_CBC_SHA256 { 0x00, 0xB2 }
260
261 #define GNUTLS_PSK_NULL_SHA256 { 0x00, 0xB0 }
262 #define GNUTLS_DHE_PSK_NULL_SHA256 { 0x00, 0xB4 }
263
264 /* ECC */
/* ECDH_ANON performs no peer authentication, and ECDH_ANON_NULL_SHA1 also
 * has no encryption. In each group below the *_NULL_SHA1 id is a NULL-cipher
 * suite and the *_ARCFOUR_128_SHA1 id is RC4. The ECDHE_RSA and ECDHE_ECDSA
 * entries in cs_algorithms are inside #ifdef ENABLE_ECDHE.
 */
265 #define GNUTLS_ECDH_ANON_NULL_SHA1 { 0xC0, 0x15 }
266 #define GNUTLS_ECDH_ANON_3DES_EDE_CBC_SHA1 { 0xC0, 0x17 }
267 #define GNUTLS_ECDH_ANON_AES_128_CBC_SHA1 { 0xC0, 0x18 }
268 #define GNUTLS_ECDH_ANON_AES_256_CBC_SHA1 { 0xC0, 0x19 }
269 #define GNUTLS_ECDH_ANON_ARCFOUR_128_SHA1 { 0xC0, 0x16 }
270
271 /* ECC-RSA */
272 #define GNUTLS_ECDHE_RSA_NULL_SHA1 { 0xC0, 0x10 }
273 #define GNUTLS_ECDHE_RSA_3DES_EDE_CBC_SHA1 { 0xC0, 0x12 }
274 #define GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1 { 0xC0, 0x13 }
275 #define GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1 { 0xC0, 0x14 }
276 #define GNUTLS_ECDHE_RSA_ARCFOUR_128_SHA1 { 0xC0, 0x11 }
277
278 /* ECC-ECDSA */
279 #define GNUTLS_ECDHE_ECDSA_NULL_SHA1           { 0xC0, 0x06 }
280 #define GNUTLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1   { 0xC0, 0x08 }
281 #define GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1    { 0xC0, 0x09 }
282 #define GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1    { 0xC0, 0x0A }
283 #define GNUTLS_ECDHE_ECDSA_ARCFOUR_128_SHA1 { 0xC0, 0x07 }
284
285 /* RFC5289 */
/* NOTE(review): RFC 5289 says its suites must not be negotiated with TLS
 * versions below 1.2, but cs_algorithms lists the *_CBC_SHA256 and
 * *_CBC_SHA384 entries of this group with min_version GNUTLS_TLS1 (the GCM
 * entries use GNUTLS_TLS1_2). Confirm whether the lower minimum is intended
 * or is enforced elsewhere.
 */
286 /* ECC with SHA2 */
287 #define GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA256     {0xC0,0x23}
288 #define GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256       {0xC0,0x27}
289 #define GNUTLS_ECDHE_RSA_AES_256_CBC_SHA384       { 0xC0,0x28 }
290
291 /* ECC with AES-GCM */
292 #define GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256   {0xC0,0x2B}
293 #define GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256     {0xC0,0x2F}
294 #define GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384     {0xC0,0x30}
295
296 /* SuiteB */
297 #define GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384   {0xC0,0x2C}
298 #define GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA384   {0xC0,0x24}
299
300
301 /* ECC with PSK */
/* ECDHE_PSK ids (RFC 5489). The two *_NULL_* ids select a NULL cipher (no
 * encryption) and ARCFOUR is RC4.
 * NOTE(review): in cs_algorithms the ECDHE_PSK entries follow the #endif of
 * ENABLE_ECDHE and are guarded by #ifdef ENABLE_PSK only, so they appear to
 * be compiled in even when ECDHE support is disabled - confirm.
 */
302 #define GNUTLS_ECDHE_PSK_3DES_EDE_CBC_SHA1 { 0xC0, 0x34 }
303 #define GNUTLS_ECDHE_PSK_AES_128_CBC_SHA1 { 0xC0, 0x35 }
304 #define GNUTLS_ECDHE_PSK_AES_256_CBC_SHA1 { 0xC0, 0x36 }
305 #define GNUTLS_ECDHE_PSK_AES_128_CBC_SHA256 { 0xC0, 0x37 }
306 #define GNUTLS_ECDHE_PSK_AES_256_CBC_SHA384 { 0xC0, 0x38 }
307 #define GNUTLS_ECDHE_PSK_ARCFOUR_128_SHA1 { 0xC0, 0x33 }
308 #define GNUTLS_ECDHE_PSK_NULL_SHA256 { 0xC0, 0x3A }
309 #define GNUTLS_ECDHE_PSK_NULL_SHA384 { 0xC0, 0x3B }
310
/* Element count of cs_algorithms minus one. The macro is defined before the
 * array but is only expanded where it is used. The "-1" presumably excludes
 * a terminating sentinel row at the end of the table (not visible in this
 * part of the file) - confirm before using this as a loop bound.
 */
311 #define CIPHER_SUITES_COUNT (sizeof(cs_algorithms)/sizeof(gnutls_cipher_suite_entry)-1)
312
313 /* The following is a potential list of ciphersuites. For the options to be
314  * available, the ciphers and MACs must be available to gnutls as well.
315  */
316 static const gnutls_cipher_suite_entry cs_algorithms[] = {
317         /* RSA-NULL */
318         ENTRY(GNUTLS_RSA_NULL_MD5,
319               GNUTLS_CIPHER_NULL,
320               GNUTLS_KX_RSA, GNUTLS_MAC_MD5, GNUTLS_SSL3,
321               GNUTLS_DTLS_VERSION_MIN),
322         ENTRY(GNUTLS_RSA_NULL_SHA1,
323               GNUTLS_CIPHER_NULL,
324               GNUTLS_KX_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3,
325               GNUTLS_DTLS_VERSION_MIN),
326         ENTRY(GNUTLS_RSA_NULL_SHA256,
327               GNUTLS_CIPHER_NULL,
328               GNUTLS_KX_RSA, GNUTLS_MAC_SHA256, GNUTLS_TLS1,
329               GNUTLS_DTLS_VERSION_MIN),
330
331         /* RSA */
332         ENTRY(GNUTLS_RSA_ARCFOUR_128_SHA1,
333               GNUTLS_CIPHER_ARCFOUR_128,
334               GNUTLS_KX_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3,
335               GNUTLS_VERSION_UNKNOWN),
336         ENTRY(GNUTLS_RSA_ARCFOUR_128_MD5,
337               GNUTLS_CIPHER_ARCFOUR_128,
338               GNUTLS_KX_RSA, GNUTLS_MAC_MD5, GNUTLS_SSL3,
339               GNUTLS_VERSION_UNKNOWN),
340         ENTRY(GNUTLS_RSA_3DES_EDE_CBC_SHA1,
341               GNUTLS_CIPHER_3DES_CBC,
342               GNUTLS_KX_RSA, GNUTLS_MAC_SHA1, GNUTLS_SSL3,
343               GNUTLS_DTLS_VERSION_MIN),
344         ENTRY(GNUTLS_RSA_AES_128_CBC_SHA1,
345               GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_RSA,
346               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
347               GNUTLS_DTLS_VERSION_MIN),
348         ENTRY(GNUTLS_RSA_AES_256_CBC_SHA1,
349               GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA,
350               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
351               GNUTLS_DTLS_VERSION_MIN),
352
353         ENTRY(GNUTLS_RSA_CAMELLIA_128_CBC_SHA256,
354               GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_RSA,
355               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
356               GNUTLS_DTLS_VERSION_MIN),
357         ENTRY(GNUTLS_RSA_CAMELLIA_256_CBC_SHA256,
358               GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_RSA,
359               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
360               GNUTLS_DTLS_VERSION_MIN),
361         ENTRY(GNUTLS_RSA_CAMELLIA_128_CBC_SHA1,
362               GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_RSA,
363               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
364               GNUTLS_DTLS_VERSION_MIN),
365         ENTRY(GNUTLS_RSA_CAMELLIA_256_CBC_SHA1,
366               GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_RSA,
367               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
368               GNUTLS_DTLS_VERSION_MIN),
369         ENTRY(GNUTLS_RSA_AES_128_CBC_SHA256,
370               GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_RSA,
371               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
372               GNUTLS_DTLS_VERSION_MIN),
373         ENTRY(GNUTLS_RSA_AES_256_CBC_SHA256,
374               GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA,
375               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
376               GNUTLS_DTLS_VERSION_MIN),
377 /* GCM */
378         ENTRY(GNUTLS_RSA_AES_128_GCM_SHA256,
379               GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_RSA,
380               GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
381               GNUTLS_DTLS1_2),
382         ENTRY_PRF(GNUTLS_RSA_AES_256_GCM_SHA384,
383                   GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_RSA,
384                   GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
385                   GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384),
386         ENTRY(GNUTLS_RSA_CAMELLIA_128_GCM_SHA256,
387               GNUTLS_CIPHER_CAMELLIA_128_GCM, GNUTLS_KX_RSA,
388               GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
389               GNUTLS_DTLS1_2),
390         ENTRY_PRF(GNUTLS_RSA_CAMELLIA_256_GCM_SHA384,
391                   GNUTLS_CIPHER_CAMELLIA_256_GCM, GNUTLS_KX_RSA,
392                   GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
393                   GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384),
394
395 /* CCM */
396         ENTRY(GNUTLS_RSA_AES_128_CCM,
397               GNUTLS_CIPHER_AES_128_CCM, GNUTLS_KX_RSA,
398               GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
399               GNUTLS_DTLS1_2),
400         ENTRY(GNUTLS_RSA_AES_256_CCM,
401               GNUTLS_CIPHER_AES_256_CCM, GNUTLS_KX_RSA,
402               GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
403               GNUTLS_DTLS1_2),
404         ENTRY(GNUTLS_DHE_RSA_AES_128_CCM,
405               GNUTLS_CIPHER_AES_128_CCM, GNUTLS_KX_DHE_RSA,
406               GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
407               GNUTLS_DTLS1_2),
408         ENTRY(GNUTLS_DHE_RSA_AES_256_CCM,
409               GNUTLS_CIPHER_AES_256_CCM, GNUTLS_KX_DHE_RSA,
410               GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
411               GNUTLS_DTLS1_2),
412
413         ENTRY(GNUTLS_ECDHE_ECDSA_AES_128_CCM,
414               GNUTLS_CIPHER_AES_128_CCM, GNUTLS_KX_ECDHE_ECDSA,
415               GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
416               GNUTLS_DTLS1_2),
417         ENTRY(GNUTLS_ECDHE_ECDSA_AES_256_CCM,
418               GNUTLS_CIPHER_AES_256_CCM, GNUTLS_KX_ECDHE_ECDSA,
419               GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
420               GNUTLS_DTLS1_2),
421
422         ENTRY(GNUTLS_PSK_AES_128_CCM,
423               GNUTLS_CIPHER_AES_128_CCM, GNUTLS_KX_PSK,
424               GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
425               GNUTLS_DTLS1_2),
426         ENTRY(GNUTLS_PSK_AES_256_CCM,
427               GNUTLS_CIPHER_AES_256_CCM, GNUTLS_KX_PSK,
428               GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
429               GNUTLS_DTLS1_2),
430         ENTRY(GNUTLS_DHE_PSK_AES_128_CCM,
431               GNUTLS_CIPHER_AES_128_CCM, GNUTLS_KX_DHE_PSK,
432               GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
433               GNUTLS_DTLS1_2),
434         ENTRY(GNUTLS_DHE_PSK_AES_256_CCM,
435               GNUTLS_CIPHER_AES_256_CCM, GNUTLS_KX_DHE_PSK,
436               GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
437               GNUTLS_DTLS1_2),
438
439         /* DHE_DSS */
440 #ifdef ENABLE_DHE
441         ENTRY(GNUTLS_DHE_DSS_ARCFOUR_128_SHA1,
442               GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_KX_DHE_DSS,
443               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
444               GNUTLS_VERSION_UNKNOWN),
445         ENTRY(GNUTLS_DHE_DSS_3DES_EDE_CBC_SHA1,
446               GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_DSS,
447               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
448               GNUTLS_DTLS_VERSION_MIN),
449         ENTRY(GNUTLS_DHE_DSS_AES_128_CBC_SHA1,
450               GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_DSS,
451               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
452               GNUTLS_DTLS_VERSION_MIN),
453         ENTRY(GNUTLS_DHE_DSS_AES_256_CBC_SHA1,
454               GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_DSS,
455               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
456               GNUTLS_DTLS_VERSION_MIN),
457         ENTRY(GNUTLS_DHE_DSS_CAMELLIA_128_CBC_SHA256,
458               GNUTLS_CIPHER_CAMELLIA_128_CBC,
459               GNUTLS_KX_DHE_DSS,
460               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
461               GNUTLS_DTLS_VERSION_MIN),
462         ENTRY(GNUTLS_DHE_DSS_CAMELLIA_256_CBC_SHA256,
463               GNUTLS_CIPHER_CAMELLIA_256_CBC,
464               GNUTLS_KX_DHE_DSS,
465               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
466               GNUTLS_DTLS_VERSION_MIN),
467
468         ENTRY(GNUTLS_DHE_DSS_CAMELLIA_128_CBC_SHA1,
469               GNUTLS_CIPHER_CAMELLIA_128_CBC,
470               GNUTLS_KX_DHE_DSS,
471               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
472               GNUTLS_DTLS_VERSION_MIN),
473         ENTRY(GNUTLS_DHE_DSS_CAMELLIA_256_CBC_SHA1,
474               GNUTLS_CIPHER_CAMELLIA_256_CBC,
475               GNUTLS_KX_DHE_DSS,
476               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
477               GNUTLS_DTLS_VERSION_MIN),
478         ENTRY(GNUTLS_DHE_DSS_AES_128_CBC_SHA256,
479               GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_DSS,
480               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
481               GNUTLS_DTLS_VERSION_MIN),
482         ENTRY(GNUTLS_DHE_DSS_AES_256_CBC_SHA256,
483               GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_DSS,
484               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
485               GNUTLS_DTLS_VERSION_MIN),
486 /* GCM */
487         ENTRY(GNUTLS_DHE_DSS_AES_128_GCM_SHA256,
488               GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_DHE_DSS,
489               GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
490               GNUTLS_DTLS1_2),
491         ENTRY_PRF(GNUTLS_DHE_DSS_AES_256_GCM_SHA384,
492                   GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_DHE_DSS,
493                   GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
494                   GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384),
495         ENTRY(GNUTLS_DHE_DSS_CAMELLIA_128_GCM_SHA256,
496               GNUTLS_CIPHER_CAMELLIA_128_GCM, GNUTLS_KX_DHE_DSS,
497               GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
498               GNUTLS_DTLS1_2),
499         ENTRY_PRF(GNUTLS_DHE_DSS_CAMELLIA_256_GCM_SHA384,
500                   GNUTLS_CIPHER_CAMELLIA_256_GCM, GNUTLS_KX_DHE_DSS,
501                   GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
502                   GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384),
503
504         /* DHE_RSA */
505         ENTRY(GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1,
506               GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_RSA,
507               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
508               GNUTLS_DTLS_VERSION_MIN),
509         ENTRY(GNUTLS_DHE_RSA_AES_128_CBC_SHA1,
510               GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_RSA,
511               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
512               GNUTLS_DTLS_VERSION_MIN),
513         ENTRY(GNUTLS_DHE_RSA_AES_256_CBC_SHA1,
514               GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_RSA,
515               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
516               GNUTLS_DTLS_VERSION_MIN),
517         ENTRY(GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA256,
518               GNUTLS_CIPHER_CAMELLIA_128_CBC,
519               GNUTLS_KX_DHE_RSA,
520               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
521               GNUTLS_DTLS_VERSION_MIN),
522         ENTRY(GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA256,
523               GNUTLS_CIPHER_CAMELLIA_256_CBC,
524               GNUTLS_KX_DHE_RSA,
525               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
526               GNUTLS_DTLS_VERSION_MIN),
527         ENTRY(GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1,
528               GNUTLS_CIPHER_CAMELLIA_128_CBC,
529               GNUTLS_KX_DHE_RSA,
530               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
531               GNUTLS_DTLS_VERSION_MIN),
532         ENTRY(GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1,
533               GNUTLS_CIPHER_CAMELLIA_256_CBC,
534               GNUTLS_KX_DHE_RSA,
535               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
536               GNUTLS_DTLS_VERSION_MIN),
537         ENTRY(GNUTLS_DHE_RSA_AES_128_CBC_SHA256,
538               GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_RSA,
539               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
540               GNUTLS_DTLS_VERSION_MIN),
541         ENTRY(GNUTLS_DHE_RSA_AES_256_CBC_SHA256,
542               GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_RSA,
543               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
544               GNUTLS_DTLS_VERSION_MIN),
545 /* GCM */
546         ENTRY(GNUTLS_DHE_RSA_AES_128_GCM_SHA256,
547               GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_DHE_RSA,
548               GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
549               GNUTLS_DTLS1_2),
550         ENTRY_PRF(GNUTLS_DHE_RSA_AES_256_GCM_SHA384,
551                   GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_DHE_RSA,
552                   GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
553                   GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384),
554         ENTRY(GNUTLS_DHE_RSA_CAMELLIA_128_GCM_SHA256,
555               GNUTLS_CIPHER_CAMELLIA_128_GCM, GNUTLS_KX_DHE_RSA,
556               GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
557               GNUTLS_DTLS1_2),
558         ENTRY_PRF(GNUTLS_DHE_RSA_CAMELLIA_256_GCM_SHA384,
559                   GNUTLS_CIPHER_CAMELLIA_256_GCM, GNUTLS_KX_DHE_RSA,
560                   GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
561                   GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384),
562 #endif                          /* DHE */
563 #ifdef ENABLE_ECDHE
564 /* ECC-RSA */
565         ENTRY(GNUTLS_ECDHE_RSA_NULL_SHA1,
566               GNUTLS_CIPHER_NULL, GNUTLS_KX_ECDHE_RSA,
567               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
568               GNUTLS_DTLS_VERSION_MIN),
569         ENTRY(GNUTLS_ECDHE_RSA_3DES_EDE_CBC_SHA1,
570               GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_ECDHE_RSA,
571               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
572               GNUTLS_DTLS_VERSION_MIN),
573         ENTRY(GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1,
574               GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ECDHE_RSA,
575               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
576               GNUTLS_DTLS_VERSION_MIN),
577         ENTRY(GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1,
578               GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ECDHE_RSA,
579               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
580               GNUTLS_DTLS_VERSION_MIN),
581         ENTRY_PRF(GNUTLS_ECDHE_RSA_AES_256_CBC_SHA384,
582                   GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ECDHE_RSA,
583                   GNUTLS_MAC_SHA384, GNUTLS_TLS1,
584                   GNUTLS_DTLS_VERSION_MIN, GNUTLS_MAC_SHA384),
585         ENTRY(GNUTLS_ECDHE_RSA_ARCFOUR_128_SHA1,
586               GNUTLS_CIPHER_ARCFOUR, GNUTLS_KX_ECDHE_RSA,
587               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
588               GNUTLS_VERSION_UNKNOWN),
589         ENTRY(GNUTLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256,
590               GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_ECDHE_RSA,
591               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
592               GNUTLS_DTLS_VERSION_MIN),
593         ENTRY_PRF(GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384,
594                   GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_ECDHE_RSA,
595                   GNUTLS_MAC_SHA384, GNUTLS_TLS1,
596                   GNUTLS_DTLS_VERSION_MIN, GNUTLS_MAC_SHA384),
597
598         /* ECDHE-ECDSA */
599         ENTRY(GNUTLS_ECDHE_ECDSA_NULL_SHA1,
600               GNUTLS_CIPHER_NULL, GNUTLS_KX_ECDHE_ECDSA,
601               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
602               GNUTLS_DTLS_VERSION_MIN),
603         ENTRY(GNUTLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1,
604               GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_ECDHE_ECDSA,
605               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
606               GNUTLS_DTLS_VERSION_MIN),
607         ENTRY(GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1,
608               GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ECDHE_ECDSA,
609               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
610               GNUTLS_DTLS_VERSION_MIN),
611         ENTRY(GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1,
612               GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ECDHE_ECDSA,
613               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
614               GNUTLS_DTLS_VERSION_MIN),
615         ENTRY(GNUTLS_ECDHE_ECDSA_ARCFOUR_128_SHA1,
616               GNUTLS_CIPHER_ARCFOUR, GNUTLS_KX_ECDHE_ECDSA,
617               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
618               GNUTLS_VERSION_UNKNOWN),
619         ENTRY(GNUTLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256,
620               GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_ECDHE_ECDSA,
621               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
622               GNUTLS_DTLS_VERSION_MIN),
623         ENTRY_PRF(GNUTLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384,
624                   GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_ECDHE_ECDSA,
625                   GNUTLS_MAC_SHA384, GNUTLS_TLS1,
626                   GNUTLS_DTLS_VERSION_MIN, GNUTLS_MAC_SHA384),
627
628         /* More ECC */
629
630         ENTRY(GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA256,
631               GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ECDHE_ECDSA,
632               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
633               GNUTLS_DTLS_VERSION_MIN),
634         ENTRY(GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256,
635               GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ECDHE_RSA,
636               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
637               GNUTLS_DTLS_VERSION_MIN),
638         ENTRY(GNUTLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256,
639               GNUTLS_CIPHER_CAMELLIA_128_GCM, GNUTLS_KX_ECDHE_ECDSA,
640               GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
641               GNUTLS_DTLS1_2),
642         ENTRY_PRF(GNUTLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384,
643                   GNUTLS_CIPHER_CAMELLIA_256_GCM, GNUTLS_KX_ECDHE_ECDSA,
644                   GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
645                   GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384),
646         ENTRY(GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256,
647               GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_ECDHE_ECDSA,
648               GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
649               GNUTLS_DTLS1_2),
650         ENTRY_PRF(GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384,
651                   GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_ECDHE_ECDSA,
652                   GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
653                   GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384),
654         ENTRY(GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256,
655               GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_ECDHE_RSA,
656               GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
657               GNUTLS_DTLS1_2),
658         ENTRY_PRF(GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384,
659                   GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_ECDHE_RSA,
660                   GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
661                   GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384),
662         ENTRY_PRF(GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA384,
663                   GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ECDHE_ECDSA,
664                   GNUTLS_MAC_SHA384, GNUTLS_TLS1,
665                   GNUTLS_DTLS_VERSION_MIN, GNUTLS_MAC_SHA384),
666
667         ENTRY(GNUTLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256,
668               GNUTLS_CIPHER_CAMELLIA_128_GCM, GNUTLS_KX_ECDHE_RSA,
669               GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
670               GNUTLS_DTLS1_2),
671         ENTRY_PRF(GNUTLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384,
672                   GNUTLS_CIPHER_CAMELLIA_256_GCM, GNUTLS_KX_ECDHE_RSA,
673                   GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
674                   GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384),
675 #endif
676 #ifdef ENABLE_PSK
677         /* ECC - PSK */
678         ENTRY(GNUTLS_ECDHE_PSK_3DES_EDE_CBC_SHA1,
679               GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_ECDHE_PSK,
680               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
681               GNUTLS_DTLS_VERSION_MIN),
682         ENTRY(GNUTLS_ECDHE_PSK_AES_128_CBC_SHA1,
683               GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ECDHE_PSK,
684               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
685               GNUTLS_DTLS_VERSION_MIN),
686         ENTRY(GNUTLS_ECDHE_PSK_AES_256_CBC_SHA1,
687               GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ECDHE_PSK,
688               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
689               GNUTLS_DTLS_VERSION_MIN),
690         ENTRY(GNUTLS_ECDHE_PSK_AES_128_CBC_SHA256,
691               GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ECDHE_PSK,
692               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
693               GNUTLS_DTLS_VERSION_MIN),
694         ENTRY_PRF(GNUTLS_ECDHE_PSK_AES_256_CBC_SHA384,
695                   GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ECDHE_PSK,
696                   GNUTLS_MAC_SHA384, GNUTLS_TLS1,
697                   GNUTLS_DTLS_VERSION_MIN, GNUTLS_MAC_SHA384),
698         ENTRY(GNUTLS_ECDHE_PSK_ARCFOUR_128_SHA1,
699               GNUTLS_CIPHER_ARCFOUR, GNUTLS_KX_ECDHE_PSK,
700               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
701               GNUTLS_VERSION_UNKNOWN),
702         ENTRY(GNUTLS_ECDHE_PSK_NULL_SHA1,
703               GNUTLS_CIPHER_NULL, GNUTLS_KX_ECDHE_PSK,
704               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
705               GNUTLS_DTLS_VERSION_MIN),
706         ENTRY(GNUTLS_ECDHE_PSK_NULL_SHA256,
707               GNUTLS_CIPHER_NULL, GNUTLS_KX_ECDHE_PSK,
708               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
709               GNUTLS_DTLS_VERSION_MIN),
710         ENTRY_PRF(GNUTLS_ECDHE_PSK_NULL_SHA384,
711                   GNUTLS_CIPHER_NULL, GNUTLS_KX_ECDHE_PSK,
712                   GNUTLS_MAC_SHA384, GNUTLS_TLS1,
713                   GNUTLS_DTLS_VERSION_MIN, GNUTLS_MAC_SHA384),
714         ENTRY(GNUTLS_ECDHE_PSK_CAMELLIA_128_CBC_SHA256,
715               GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_ECDHE_PSK,
716               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
717               GNUTLS_DTLS_VERSION_MIN),
718         ENTRY_PRF(GNUTLS_ECDHE_PSK_CAMELLIA_256_CBC_SHA384,
719                   GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_ECDHE_PSK,
720                   GNUTLS_MAC_SHA384, GNUTLS_TLS1,
721                   GNUTLS_DTLS_VERSION_MIN, GNUTLS_MAC_SHA384),
722
723         /* PSK */
724         ENTRY(GNUTLS_PSK_ARCFOUR_128_SHA1,
725               GNUTLS_CIPHER_ARCFOUR, GNUTLS_KX_PSK,
726               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
727               GNUTLS_VERSION_UNKNOWN),
728         ENTRY(GNUTLS_PSK_3DES_EDE_CBC_SHA1,
729               GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_PSK,
730               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
731               GNUTLS_DTLS_VERSION_MIN),
732         ENTRY(GNUTLS_PSK_AES_128_CBC_SHA1,
733               GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_PSK,
734               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
735               GNUTLS_DTLS_VERSION_MIN),
736         ENTRY(GNUTLS_PSK_AES_256_CBC_SHA1,
737               GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_PSK,
738               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
739               GNUTLS_DTLS_VERSION_MIN),
740         ENTRY(GNUTLS_PSK_AES_128_CBC_SHA256,
741               GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_PSK,
742               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
743               GNUTLS_DTLS_VERSION_MIN),
744         ENTRY_PRF(GNUTLS_PSK_AES_256_GCM_SHA384,
745                   GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_PSK,
746                   GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
747                   GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384),
748         ENTRY(GNUTLS_PSK_CAMELLIA_128_GCM_SHA256,
749               GNUTLS_CIPHER_CAMELLIA_128_GCM, GNUTLS_KX_PSK,
750               GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
751               GNUTLS_DTLS1_2),
752         ENTRY_PRF(GNUTLS_PSK_CAMELLIA_256_GCM_SHA384,
753                   GNUTLS_CIPHER_CAMELLIA_256_GCM, GNUTLS_KX_PSK,
754                   GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
755                   GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384),
756
757
758         ENTRY(GNUTLS_PSK_AES_128_GCM_SHA256,
759               GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_PSK,
760               GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
761               GNUTLS_DTLS1_2),
762         ENTRY(GNUTLS_PSK_NULL_SHA1,
763               GNUTLS_CIPHER_NULL, GNUTLS_KX_PSK,
764               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
765               GNUTLS_DTLS_VERSION_MIN),
766         ENTRY(GNUTLS_PSK_NULL_SHA256,
767               GNUTLS_CIPHER_NULL, GNUTLS_KX_PSK,
768               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
769               GNUTLS_DTLS_VERSION_MIN),
770         ENTRY(GNUTLS_PSK_CAMELLIA_128_CBC_SHA256,
771               GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_PSK,
772               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
773               GNUTLS_DTLS_VERSION_MIN),
774         ENTRY_PRF(GNUTLS_PSK_CAMELLIA_256_CBC_SHA384,
775                   GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_PSK,
776                   GNUTLS_MAC_SHA384, GNUTLS_TLS1,
777                   GNUTLS_DTLS_VERSION_MIN, GNUTLS_MAC_SHA384),
778
779         ENTRY_PRF(GNUTLS_PSK_AES_256_CBC_SHA384,
780                   GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_PSK,
781                   GNUTLS_MAC_SHA384, GNUTLS_TLS1,
782                   GNUTLS_DTLS_VERSION_MIN, GNUTLS_MAC_SHA384),
783         ENTRY_PRF(GNUTLS_PSK_NULL_SHA384,
784                   GNUTLS_CIPHER_NULL, GNUTLS_KX_PSK,
785                   GNUTLS_MAC_SHA384, GNUTLS_TLS1,
786                   GNUTLS_DTLS_VERSION_MIN, GNUTLS_MAC_SHA384),
787
788         /* RSA-PSK */
789         ENTRY(GNUTLS_RSA_PSK_ARCFOUR_128_SHA1,
790               GNUTLS_CIPHER_ARCFOUR, GNUTLS_KX_RSA_PSK,
791               GNUTLS_MAC_SHA1, GNUTLS_TLS1,
792               GNUTLS_VERSION_UNKNOWN),
793         ENTRY(GNUTLS_RSA_PSK_3DES_EDE_CBC_SHA1,
794               GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_RSA_PSK,
795               GNUTLS_MAC_SHA1, GNUTLS_TLS1,
796               GNUTLS_DTLS_VERSION_MIN),
797         ENTRY(GNUTLS_RSA_PSK_AES_128_CBC_SHA1,
798               GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_RSA_PSK,
799               GNUTLS_MAC_SHA1, GNUTLS_TLS1,
800               GNUTLS_DTLS_VERSION_MIN),
801         ENTRY(GNUTLS_RSA_PSK_AES_256_CBC_SHA1,
802               GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA_PSK,
803               GNUTLS_MAC_SHA1, GNUTLS_TLS1,
804               GNUTLS_DTLS_VERSION_MIN),
805         ENTRY(GNUTLS_RSA_PSK_CAMELLIA_128_GCM_SHA256,
806               GNUTLS_CIPHER_CAMELLIA_128_GCM, GNUTLS_KX_RSA_PSK,
807               GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
808               GNUTLS_DTLS1_2),
809         ENTRY_PRF(GNUTLS_RSA_PSK_CAMELLIA_256_GCM_SHA384,
810                   GNUTLS_CIPHER_CAMELLIA_256_GCM, GNUTLS_KX_RSA_PSK,
811                   GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
812                   GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384),
813
814
815         ENTRY(GNUTLS_RSA_PSK_AES_128_GCM_SHA256,
816               GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_RSA_PSK,
817               GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
818               GNUTLS_DTLS1_2),
819         ENTRY(GNUTLS_RSA_PSK_AES_128_CBC_SHA256,
820               GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_RSA_PSK,
821               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
822               GNUTLS_DTLS_VERSION_MIN),
823         ENTRY(GNUTLS_RSA_PSK_NULL_SHA1,
824               GNUTLS_CIPHER_NULL, GNUTLS_KX_RSA_PSK,
825               GNUTLS_MAC_SHA1, GNUTLS_TLS1,
826               GNUTLS_DTLS_VERSION_MIN),
827         ENTRY(GNUTLS_RSA_PSK_NULL_SHA256,
828               GNUTLS_CIPHER_NULL, GNUTLS_KX_RSA_PSK,
829               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
830               GNUTLS_DTLS_VERSION_MIN),
831         ENTRY_PRF(GNUTLS_RSA_PSK_AES_256_GCM_SHA384,
832                   GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_RSA_PSK,
833                   GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
834                   GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384),
835         ENTRY_PRF(GNUTLS_RSA_PSK_AES_256_CBC_SHA384,
836                   GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA_PSK,
837                   GNUTLS_MAC_SHA384, GNUTLS_TLS1,
838                   GNUTLS_DTLS_VERSION_MIN, GNUTLS_MAC_SHA384),
839         ENTRY_PRF(GNUTLS_RSA_PSK_NULL_SHA384,
840                   GNUTLS_CIPHER_NULL, GNUTLS_KX_RSA_PSK,
841                   GNUTLS_MAC_SHA384, GNUTLS_TLS1,
842                   GNUTLS_DTLS_VERSION_MIN, GNUTLS_MAC_SHA384),
843         ENTRY(GNUTLS_RSA_PSK_CAMELLIA_128_CBC_SHA256,
844               GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_RSA_PSK,
845               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
846               GNUTLS_DTLS_VERSION_MIN),
847         ENTRY_PRF(GNUTLS_RSA_PSK_CAMELLIA_256_CBC_SHA384,
848                   GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_RSA_PSK,
849                   GNUTLS_MAC_SHA384, GNUTLS_TLS1,
850                   GNUTLS_DTLS_VERSION_MIN, GNUTLS_MAC_SHA384),
851
852
853         /* DHE-PSK */
854         ENTRY(GNUTLS_DHE_PSK_ARCFOUR_128_SHA1,
855               GNUTLS_CIPHER_ARCFOUR, GNUTLS_KX_DHE_PSK,
856               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
857               GNUTLS_VERSION_UNKNOWN),
858         ENTRY(GNUTLS_DHE_PSK_3DES_EDE_CBC_SHA1,
859               GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_PSK,
860               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
861               GNUTLS_DTLS_VERSION_MIN),
862         ENTRY(GNUTLS_DHE_PSK_AES_128_CBC_SHA1,
863               GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_PSK,
864               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
865               GNUTLS_DTLS_VERSION_MIN),
866         ENTRY(GNUTLS_DHE_PSK_AES_256_CBC_SHA1,
867               GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_PSK,
868               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
869               GNUTLS_DTLS_VERSION_MIN),
870         ENTRY(GNUTLS_DHE_PSK_AES_128_CBC_SHA256,
871               GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_PSK,
872               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
873               GNUTLS_DTLS_VERSION_MIN),
874         ENTRY(GNUTLS_DHE_PSK_AES_128_GCM_SHA256,
875               GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_DHE_PSK,
876               GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
877               GNUTLS_DTLS1_2),
878         ENTRY(GNUTLS_DHE_PSK_NULL_SHA1,
879               GNUTLS_CIPHER_NULL, GNUTLS_KX_DHE_PSK,
880               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
881               GNUTLS_DTLS_VERSION_MIN),
882         ENTRY(GNUTLS_DHE_PSK_NULL_SHA256,
883               GNUTLS_CIPHER_NULL, GNUTLS_KX_DHE_PSK,
884               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
885               GNUTLS_DTLS_VERSION_MIN),
886         ENTRY_PRF(GNUTLS_DHE_PSK_NULL_SHA384,
887                   GNUTLS_CIPHER_NULL, GNUTLS_KX_DHE_PSK,
888                   GNUTLS_MAC_SHA384, GNUTLS_TLS1,
889                   GNUTLS_DTLS_VERSION_MIN, GNUTLS_MAC_SHA384),
890         ENTRY_PRF(GNUTLS_DHE_PSK_AES_256_CBC_SHA384,
891                   GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_PSK,
892                   GNUTLS_MAC_SHA384, GNUTLS_TLS1,
893                   GNUTLS_DTLS_VERSION_MIN, GNUTLS_MAC_SHA384),
894         ENTRY_PRF(GNUTLS_DHE_PSK_AES_256_GCM_SHA384,
895                   GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_DHE_PSK,
896                   GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
897                   GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384),
898         ENTRY(GNUTLS_DHE_PSK_CAMELLIA_128_CBC_SHA256,
899               GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_KX_DHE_PSK,
900               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
901               GNUTLS_DTLS_VERSION_MIN),
902         ENTRY_PRF(GNUTLS_DHE_PSK_CAMELLIA_256_CBC_SHA384,
903                   GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_KX_DHE_PSK,
904                   GNUTLS_MAC_SHA384, GNUTLS_TLS1,
905                   GNUTLS_DTLS_VERSION_MIN, GNUTLS_MAC_SHA384),
906         ENTRY(GNUTLS_DHE_PSK_CAMELLIA_128_GCM_SHA256,
907               GNUTLS_CIPHER_CAMELLIA_128_GCM, GNUTLS_KX_DHE_PSK,
908               GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
909               GNUTLS_DTLS1_2),
910         ENTRY_PRF(GNUTLS_DHE_PSK_CAMELLIA_256_GCM_SHA384,
911                   GNUTLS_CIPHER_CAMELLIA_256_GCM, GNUTLS_KX_DHE_PSK,
912                   GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
913                   GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384),
914 #endif
915 #ifdef ENABLE_ANON
916         /* DH_ANON */
917         ENTRY(GNUTLS_DH_ANON_ARCFOUR_128_MD5,
918               GNUTLS_CIPHER_ARCFOUR_128,
919               GNUTLS_KX_ANON_DH, GNUTLS_MAC_MD5,
920               GNUTLS_SSL3, GNUTLS_VERSION_UNKNOWN),
921         ENTRY(GNUTLS_DH_ANON_3DES_EDE_CBC_SHA1,
922               GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_ANON_DH,
923               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
924               GNUTLS_DTLS_VERSION_MIN),
925         ENTRY(GNUTLS_DH_ANON_AES_128_CBC_SHA1,
926               GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ANON_DH,
927               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
928               GNUTLS_DTLS_VERSION_MIN),
929         ENTRY(GNUTLS_DH_ANON_AES_256_CBC_SHA1,
930               GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ANON_DH,
931               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
932               GNUTLS_DTLS_VERSION_MIN),
933         ENTRY(GNUTLS_DH_ANON_CAMELLIA_128_CBC_SHA256,
934               GNUTLS_CIPHER_CAMELLIA_128_CBC,
935               GNUTLS_KX_ANON_DH,
936               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
937               GNUTLS_DTLS_VERSION_MIN),
938         ENTRY(GNUTLS_DH_ANON_CAMELLIA_256_CBC_SHA256,
939               GNUTLS_CIPHER_CAMELLIA_256_CBC,
940               GNUTLS_KX_ANON_DH,
941               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
942               GNUTLS_DTLS_VERSION_MIN),
943         ENTRY(GNUTLS_DH_ANON_CAMELLIA_128_CBC_SHA1,
944               GNUTLS_CIPHER_CAMELLIA_128_CBC,
945               GNUTLS_KX_ANON_DH,
946               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
947               GNUTLS_DTLS_VERSION_MIN),
948         ENTRY(GNUTLS_DH_ANON_CAMELLIA_256_CBC_SHA1,
949               GNUTLS_CIPHER_CAMELLIA_256_CBC,
950               GNUTLS_KX_ANON_DH,
951               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
952               GNUTLS_DTLS_VERSION_MIN),
953         ENTRY(GNUTLS_DH_ANON_AES_128_CBC_SHA256,
954               GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ANON_DH,
955               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
956               GNUTLS_DTLS_VERSION_MIN),
957         ENTRY(GNUTLS_DH_ANON_AES_256_CBC_SHA256,
958               GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ANON_DH,
959               GNUTLS_MAC_SHA256, GNUTLS_TLS1,
960               GNUTLS_DTLS_VERSION_MIN),
961         ENTRY(GNUTLS_DH_ANON_AES_128_GCM_SHA256,
962               GNUTLS_CIPHER_AES_128_GCM, GNUTLS_KX_ANON_DH,
963               GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
964               GNUTLS_DTLS1_2),
965         ENTRY_PRF(GNUTLS_DH_ANON_AES_256_GCM_SHA384,
966                   GNUTLS_CIPHER_AES_256_GCM, GNUTLS_KX_ANON_DH,
967                   GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
968                   GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384),
969         ENTRY(GNUTLS_DH_ANON_CAMELLIA_128_GCM_SHA256,
970               GNUTLS_CIPHER_CAMELLIA_128_GCM, GNUTLS_KX_ANON_DH,
971               GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
972               GNUTLS_DTLS1_2),
973         ENTRY_PRF(GNUTLS_DH_ANON_CAMELLIA_256_GCM_SHA384,
974                   GNUTLS_CIPHER_CAMELLIA_256_GCM, GNUTLS_KX_ANON_DH,
975                   GNUTLS_MAC_AEAD, GNUTLS_TLS1_2,
976                   GNUTLS_DTLS1_2, GNUTLS_MAC_SHA384),
977
978 /* ECC-ANON */
979         ENTRY(GNUTLS_ECDH_ANON_NULL_SHA1,
980               GNUTLS_CIPHER_NULL, GNUTLS_KX_ANON_ECDH,
981               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
982               GNUTLS_DTLS_VERSION_MIN),
983         ENTRY(GNUTLS_ECDH_ANON_3DES_EDE_CBC_SHA1,
984               GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_ANON_ECDH,
985               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
986               GNUTLS_DTLS_VERSION_MIN),
987         ENTRY(GNUTLS_ECDH_ANON_AES_128_CBC_SHA1,
988               GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_ANON_ECDH,
989               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
990               GNUTLS_DTLS_VERSION_MIN),
991         ENTRY(GNUTLS_ECDH_ANON_AES_256_CBC_SHA1,
992               GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ANON_ECDH,
993               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
994               GNUTLS_DTLS_VERSION_MIN),
995         ENTRY(GNUTLS_ECDH_ANON_ARCFOUR_128_SHA1,
996               GNUTLS_CIPHER_ARCFOUR, GNUTLS_KX_ANON_ECDH,
997               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
998               GNUTLS_VERSION_UNKNOWN),
999 #endif
1000 #ifdef ENABLE_SRP
1001         /* SRP */
1002         ENTRY(GNUTLS_SRP_SHA_3DES_EDE_CBC_SHA1,
1003               GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP,
1004               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
1005               GNUTLS_DTLS_VERSION_MIN),
1006         ENTRY(GNUTLS_SRP_SHA_AES_128_CBC_SHA1,
1007               GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP,
1008               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
1009               GNUTLS_DTLS_VERSION_MIN),
1010         ENTRY(GNUTLS_SRP_SHA_AES_256_CBC_SHA1,
1011               GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP,
1012               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
1013               GNUTLS_DTLS_VERSION_MIN),
1014
1015         ENTRY(GNUTLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1,
1016               GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP_DSS,
1017               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
1018               GNUTLS_DTLS_VERSION_MIN),
1019
1020         ENTRY(GNUTLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1,
1021               GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP_RSA,
1022               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
1023               GNUTLS_DTLS_VERSION_MIN),
1024
1025         ENTRY(GNUTLS_SRP_SHA_DSS_AES_128_CBC_SHA1,
1026               GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP_DSS,
1027               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
1028               GNUTLS_DTLS_VERSION_MIN),
1029
1030         ENTRY(GNUTLS_SRP_SHA_RSA_AES_128_CBC_SHA1,
1031               GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_SRP_RSA,
1032               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
1033               GNUTLS_DTLS_VERSION_MIN),
1034
1035         ENTRY(GNUTLS_SRP_SHA_DSS_AES_256_CBC_SHA1,
1036               GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP_DSS,
1037               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
1038               GNUTLS_DTLS_VERSION_MIN),
1039
1040         ENTRY(GNUTLS_SRP_SHA_RSA_AES_256_CBC_SHA1,
1041               GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_SRP_RSA,
1042               GNUTLS_MAC_SHA1, GNUTLS_SSL3,
1043               GNUTLS_DTLS_VERSION_MIN),
1044 #endif
1045         {0, {0, 0}, 0, 0, 0, 0, 0, 0}
1046 };
1047
/* Runs the statement(s) `b` once for each entry of cs_algorithms, up to
 * (not including) the terminating entry whose name is NULL. The cursor
 * is a local called `p`, which `b` is expected to use; a `break` in `b`
 * ends the walk.
 */
#define CIPHER_SUITE_LOOP(b) \
        { \
                const gnutls_cipher_suite_entry *p; \
                for (p = cs_algorithms; p->name != NULL; p++) { \
                        b; \
                } \
        }

/* Runs the statement(s) `a` on the first entry whose two-byte id equals
 * suite[0], suite[1] and then stops. When no entry matches, `a` never
 * runs, so callers must initialise their result beforehand.
 */
#define CIPHER_SUITE_ALG_LOOP(a, suite) \
        CIPHER_SUITE_LOOP( \
                if ((p->id[0] == suite[0]) && (p->id[1] == suite[1])) { \
                        a; \
                        break; \
                })
1054
1055
1056 /* Cipher Suite's functions */
/* Maps a two-byte cipher suite id to its cipher description.
 * The first table entry with a matching id supplies the cipher; if no
 * entry matches, cipher_to_entry() is called with 0.
 */
const cipher_entry_st *_gnutls_cipher_suite_get_cipher_algo(const uint8_t
                                                            suite[2])
{
        const gnutls_cipher_suite_entry *e;
        int algo = 0;

        for (e = cs_algorithms; e->name != NULL; e++) {
                if (e->id[0] == suite[0] && e->id[1] == suite[1]) {
                        algo = e->block_algorithm;
                        break;
                }
        }

        return cipher_to_entry(algo);
}
1064
/* Returns the key exchange algorithm of the cipher suite with the given
 * two-byte id, or 0 when the id is not in the table.
 */
gnutls_kx_algorithm_t
_gnutls_cipher_suite_get_kx_algo(const uint8_t suite[2])
{
        const gnutls_cipher_suite_entry *e;
        int kx = 0;

        for (e = cs_algorithms; e->name != NULL; e++) {
                if (e->id[0] == suite[0] && e->id[1] == suite[1]) {
                        kx = e->kx_algorithm;
                        break;
                }
        }

        return kx;
}
1074
/* Returns the PRF hash recorded for the cipher suite with the given
 * two-byte id, or 0 when the id is not in the table.
 */
gnutls_mac_algorithm_t _gnutls_cipher_suite_get_prf(const uint8_t suite[2])
{
        const gnutls_cipher_suite_entry *e;
        int prf = 0;

        for (e = cs_algorithms; e->name != NULL; e++) {
                if (e->id[0] == suite[0] && e->id[1] == suite[1]) {
                        prf = e->prf;
                        break;
                }
        }

        return prf;
}
1083
/* Maps a two-byte cipher suite id to its MAC description.
 * The first table entry with a matching id supplies the MAC; if no
 * entry matches, mac_to_entry() is called with 0.
 */
const mac_entry_st *_gnutls_cipher_suite_get_mac_algo(const uint8_t
                                                      suite[2])
{
        const gnutls_cipher_suite_entry *e;
        int mac = 0;

        for (e = cs_algorithms; e->name != NULL; e++) {
                if (e->id[0] == suite[0] && e->id[1] == suite[1]) {
                        mac = e->mac_algorithm;
                        break;
                }
        }

        return mac_to_entry(mac);
}
1092
/* Returns the name of the cipher suite with the given two-byte id, with
 * the leading "GNUTLS_" of the table name skipped, or NULL when the id
 * is not in the table.
 */
const char *_gnutls_cipher_suite_get_name(const uint8_t suite[2])
{
        const gnutls_cipher_suite_entry *e;

        for (e = cs_algorithms; e->name != NULL; e++) {
                if (e->id[0] == suite[0] && e->id[1] == suite[1]) {
                        /* step over the "GNUTLS_" prefix */
                        return e->name + sizeof("GNUTLS_") - 1;
                }
        }

        return NULL;
}
1102
1103
/* Finds the first table entry that combines the given key exchange,
 * cipher and MAC algorithms. Returns NULL when no entry has that
 * combination.
 */
static const gnutls_cipher_suite_entry
    *cipher_suite_get(gnutls_kx_algorithm_t kx_algorithm,
                      gnutls_cipher_algorithm_t cipher_algorithm,
                      gnutls_mac_algorithm_t mac_algorithm)
{
        const gnutls_cipher_suite_entry *e;

        for (e = cs_algorithms; e->name != NULL; e++) {
                if (e->kx_algorithm != kx_algorithm)
                        continue;
                if (e->block_algorithm != cipher_algorithm)
                        continue;
                if (e->mac_algorithm != mac_algorithm)
                        continue;

                return e;
        }

        return NULL;
}
1122
/* Tells whether key exchange @kx must be dropped on the server side.
 *
 * Returns 1 when @kx maps to certificate credentials but is not among
 * the @alg_size entries of @alg, or when @kx needs Diffie-Hellman
 * parameters and none can be obtained from the matching credentials.
 * Returns 0 otherwise, including when @kx maps to a credentials type
 * that is not handled here.
 */
inline static int
check_server_params(gnutls_session_t session,
                    gnutls_kx_algorithm_t kx,
                    gnutls_kx_algorithm_t * alg, int alg_size)
{
        gnutls_dh_params_t dh_params = NULL;
        int cred_type = _gnutls_map_kx_get_cred(kx, 1);

        /* Pick up the Diffie-Hellman parameters, if any, from whichever
         * credentials structure backs this key exchange.
         */
        switch (cred_type) {
        case GNUTLS_CRD_CERTIFICATE: {
                gnutls_certificate_credentials_t x509_cred =
                    (gnutls_certificate_credentials_t)
                    _gnutls_get_cred(session, cred_type);
                int idx;
                int listed = 0;

                if (x509_cred != NULL) {
                        dh_params =
                            _gnutls_get_dh_params(x509_cred->dh_params,
                                                  x509_cred->params_func,
                                                  session);
                }

                /* The certificate must also support the KX method. */
                for (idx = 0; idx < alg_size; idx++) {
                        if (alg[idx] == kx) {
                                listed = 1;
                                break;
                        }
                }

                if (!listed)
                        return 1;
                break;
        }
#ifdef ENABLE_ANON
        case GNUTLS_CRD_ANON: {
                gnutls_anon_server_credentials_t anon_cred =
                    (gnutls_anon_server_credentials_t)
                    _gnutls_get_cred(session, cred_type);

                if (anon_cred != NULL) {
                        dh_params =
                            _gnutls_get_dh_params(anon_cred->dh_params,
                                                  anon_cred->params_func,
                                                  session);
                }
                break;
        }
#endif
#ifdef ENABLE_PSK
        case GNUTLS_CRD_PSK: {
                gnutls_psk_server_credentials_t psk_cred =
                    (gnutls_psk_server_credentials_t)
                    _gnutls_get_cred(session, cred_type);

                if (psk_cred != NULL) {
                        dh_params =
                            _gnutls_get_dh_params(psk_cred->dh_params,
                                                  psk_cred->params_func,
                                                  session);
                }
                break;
        }
#endif
        default:
                return 0;       /* no need for params */
        }

        /* A key exchange that needs DH parameters is unusable when
         * they have not been set.
         */
        if (_gnutls_kx_needs_dh_params(kx) != 0 &&
            _gnutls_dh_params_to_mpi(dh_params) == NULL) {
                gnutls_assert();
                return 1;
        }

        return 0;
}
1208
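/* This function will remove the ciphersuites that cannot be used with
 * the credentials of the session. We remove a ciphersuite if its key
 * exchange has no credentials, is not supported by the selected
 * certificate (e.g. because of its keyUsage bits), lacks the required
 * DH parameters, or is an ECC one with no curve agreed.
 *
 * This does a more elaborate check than gnutls_supported_ciphersuites(),
 * by checking certificates etc.
 *
 * @cipher_suites holds @cipher_suites_size bytes, two per ciphersuite,
 * and is rewritten in place with the ciphersuites that are kept, in
 * their original order. Ids that are not in the ciphersuite table are
 * dropped.
 *
 * Returns the number of bytes kept, GNUTLS_E_NO_CIPHER_SUITES if nothing
 * is left, or the negative error code of
 * _gnutls_selected_cert_supported_kx().
 */
int
_gnutls_remove_unwanted_ciphersuites(gnutls_session_t session,
                             uint8_t * cipher_suites,
                             int cipher_suites_size,
                             gnutls_pk_algorithm_t * pk_algos,
                             size_t pk_algos_size)
{
        int ret = 0;
        gnutls_certificate_credentials_t cert_cred;
        gnutls_kx_algorithm_t kx;
        int server =
            session->security_parameters.entity == GNUTLS_SERVER ? 1 : 0;
        gnutls_kx_algorithm_t alg[MAX_ALGOS];
        int alg_size = MAX_ALGOS;
        int i, new_list_size = 0;
        const gnutls_cipher_suite_entry *entry;
        const uint8_t *cp;

        /* if we should use a specific certificate,
         * we should remove all algorithms that are not supported
         * by that certificate and are on the same authentication
         * method (CERTIFICATE).
         */
        cert_cred =
            (gnutls_certificate_credentials_t) _gnutls_get_cred(session,
                                                                GNUTLS_CRD_CERTIFICATE);

        /* If there are certificate credentials, find an appropriate
         * certificate or disable them. A failure here is only logged:
         * the non-certificate ciphersuites may still be usable.
         */
        if (server && cert_cred != NULL && pk_algos_size > 0) {
                ret =
                    _gnutls_server_select_cert(session, pk_algos,
                                               pk_algos_size);
                if (ret < 0) {
                        gnutls_assert();
                        _gnutls_debug_log
                            ("Could not find an appropriate certificate: %s\n",
                             gnutls_strerror(ret));
                }
        }

        /* get all the key exchange algorithms that are
         * supported by the X509 certificate parameters.
         */
        ret = _gnutls_selected_cert_supported_kx(session, alg, &alg_size);
        if (ret < 0) {
                gnutls_assert();
                return ret;
        }

        /* Now remove ciphersuites based on the KX algorithm.
         *
         * The kept pairs are compacted in place instead of being staged
         * in a stack array of cipher_suites_size bytes: a variable
         * length array of zero or negative size is undefined behaviour
         * and its stack use is bounded only by the caller. Only complete
         * two-byte pairs are examined, so an odd size cannot cause a
         * read past the end of the buffer.
         */
        for (i = 0; i + 1 < cipher_suites_size; i += 2) {
                entry = NULL;
                cp = &cipher_suites[i];

                CIPHER_SUITE_ALG_LOOP(entry = p, cp);

                if (entry == NULL)
                        continue;

                /* finds the key exchange algorithm in
                 * the ciphersuite
                 */
                kx = entry->kx_algorithm;

                /* if it is defined but had no credentials
                 */
                if (!session->internals.premaster_set &&
                    _gnutls_get_kx_cred(session, kx) == NULL) {
                        continue;
                } else {
                        if (server && check_server_params(session, kx, alg,
                                                          alg_size) != 0)
                                continue;
                }

                /* If we have not agreed to a common curve with the peer
                 * don't bother negotiating ECDH.
                 */
                if (server != 0 && _gnutls_kx_is_ecc(kx)) {
                        if (_gnutls_session_ecc_curve_get(session) ==
                            GNUTLS_ECC_CURVE_INVALID) {
                                continue;
                        }
                }

                /* These two SRP kx's are marked to require a CRD_CERTIFICATE,
                   (see cred_mappings in gnutls_algorithms.c), but it also
                   requires a SRP credential.  Don't use SRP kx unless we have a
                   SRP credential too.  */
                if (kx == GNUTLS_KX_SRP_RSA || kx == GNUTLS_KX_SRP_DSS) {
                        if (!_gnutls_get_cred
                            (session, GNUTLS_CRD_SRP)) {
                                continue;
                        }
                }

                _gnutls_handshake_log
                            ("HSK[%p]: Keeping ciphersuite: %s (%.2X.%.2X)\n",
                             session, entry->name,
                             cipher_suites[i], cipher_suites[i + 1]);

                /* new_list_size never exceeds i, so this cannot overwrite
                 * a pair that has not been examined yet.
                 */
                cipher_suites[new_list_size] = cipher_suites[i];
                cipher_suites[new_list_size + 1] = cipher_suites[i + 1];
                new_list_size += 2;
        }

        if (new_list_size == 0) {
                return gnutls_assert_val(GNUTLS_E_NO_CIPHER_SUITES);
        }

        return new_list_size;
}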
1336
1337
/**
 * gnutls_cipher_suite_get_name:
 * @kx_algorithm: is a Key exchange algorithm
 * @cipher_algorithm: is a cipher algorithm
 * @mac_algorithm: is a MAC algorithm
 *
 * Note that the full cipher suite name must be prefixed with TLS or
 * SSL, depending on the protocol in use.
 *
 * Returns: a string that contains the name of a TLS cipher suite,
 * specified by the given algorithms, or %NULL.
 **/
const char *gnutls_cipher_suite_get_name(gnutls_kx_algorithm_t
                                         kx_algorithm,
                                         gnutls_cipher_algorithm_t
                                         cipher_algorithm,
                                         gnutls_mac_algorithm_t
                                         mac_algorithm)
{
        const gnutls_cipher_suite_entry *entry =
            cipher_suite_get(kx_algorithm, cipher_algorithm,
                             mac_algorithm);

        /* the returned name starts after the "GNUTLS_" prefix */
        return entry != NULL ? entry->name + sizeof("GNUTLS_") - 1 : NULL;
}
1366
/*-
 * _gnutls_cipher_suite_get_id:
 * @kx_algorithm: is a Key exchange algorithm
 * @cipher_algorithm: is a cipher algorithm
 * @mac_algorithm: is a MAC algorithm
 * @suite: The id to be returned
 *
 * It fills @suite with the two-byte ID of the ciphersuite that combines
 * the provided algorithms. @suite is left untouched on failure.
 *
 * Returns: 0 on success or %GNUTLS_E_INVALID_REQUEST if there is no
 * such ciphersuite.
 -*/
int
_gnutls_cipher_suite_get_id(gnutls_kx_algorithm_t kx_algorithm,
                            gnutls_cipher_algorithm_t cipher_algorithm,
                            gnutls_mac_algorithm_t mac_algorithm,
                            uint8_t suite[2])
{
        const gnutls_cipher_suite_entry *entry =
            cipher_suite_get(kx_algorithm, cipher_algorithm,
                             mac_algorithm);

        if (entry == NULL)
                return GNUTLS_E_INVALID_REQUEST;

        suite[0] = entry->id[0];
        suite[1] = entry->id[1];

        return 0;
}
1396
1397 /**
1398  * gnutls_cipher_suite_info:
1399  * @idx: index of cipher suite to get information about, starts on 0.
1400  * @cs_id: output buffer with room for 2 bytes, indicating cipher suite value
1401  * @kx: output variable indicating key exchange algorithm, or %NULL.
1402  * @cipher: output variable indicating cipher, or %NULL.
1403  * @mac: output variable indicating MAC algorithm, or %NULL.
1404  * @min_version: output variable indicating TLS protocol version, or %NULL.
1405  *
1406  * Get information about supported cipher suites.  Use the function
1407  * iteratively to get information about all supported cipher suites.
1408  * Call with idx=0 to get information about first cipher suite, then
1409  * idx=1 and so on until the function returns NULL.
1410  *
1411  * Returns: the name of @idx cipher suite, and set the information
1412  * about the cipher suite in the output variables.  If @idx is out of
1413  * bounds, %NULL is returned.
1414  **/
const char *gnutls_cipher_suite_info(size_t idx,
                                     unsigned char *cs_id,
                                     gnutls_kx_algorithm_t * kx,
                                     gnutls_cipher_algorithm_t * cipher,
                                     gnutls_mac_algorithm_t * mac,
                                     gnutls_protocol_t * min_version)
{
        /* The index is validated against the table size before any
         * element is read; every table access below relies on it.
         */
        if (idx < CIPHER_SUITES_COUNT) {
                /* Each output is optional and only written when the
                 * caller supplied a non-NULL pointer.
                 */
                if (cs_id != NULL) {
                        /* Two-byte suite value; the caller's buffer
                         * must hold at least 2 bytes.
                         */
                        cs_id[0] = cs_algorithms[idx].id[0];
                        cs_id[1] = cs_algorithms[idx].id[1];
                }
                if (kx != NULL)
                        *kx = cs_algorithms[idx].kx_algorithm;
                if (cipher != NULL)
                        *cipher = cs_algorithms[idx].block_algorithm;
                if (mac != NULL)
                        *mac = cs_algorithms[idx].mac_algorithm;
                if (min_version != NULL)
                        *min_version = cs_algorithms[idx].min_version;

                /* Skip the first three characters (the length of "GNU")
                 * of the stored name; presumably this leaves the
                 * "TLS_..." form of the suite name.
                 */
                return cs_algorithms[idx].name + sizeof("GNU") - 1;
        }

        /* Out-of-range index: nothing is written to the outputs. */
        return NULL;
}
1438
1439
static inline int _gnutls_cipher_suite_is_ok(const uint8_t suite[2])
{
        const char *found = NULL;

        /* CIPHER_SUITE_ALG_LOOP is defined elsewhere in this file;
         * presumably it runs the given statement for the table entry
         * whose id matches @suite -- confirm against the macro.
         */
        CIPHER_SUITE_ALG_LOOP(found = p->name, suite);

        /* Note the polarity: 0 means the suite was found, 1 means it
         * was not.  Callers must compare against 0 instead of treating
         * the result as a boolean "is ok".
         */
        return (found == NULL) ? 1 : 0;
}
1453
1454 /*-
1455  * _gnutls_supported_ciphersuites: 
1456  * @session: a TLS session
1457  * @cipher_suites: Where the ciphersuites will be stored (2bytes each)
1458  * @max_cipher_suite_size: the maximum size of the @cipher_suites buffer.
1459  *
1460  * Returns the supported ciphersuites by this session (based on priorities)
1461  * sorted by order of preference.
1462  *
1463  * Returns the number of bytes written to @cipher_suites, or a negative value on error.
1464  *
1465  -*/
int
_gnutls_supported_ciphersuites(gnutls_session_t session,
                               uint8_t * cipher_suites,
                               unsigned int max_cipher_suite_size)
{
        const gnutls_cipher_suite_entry *entry;
        const version_entry_st *ver = get_version(session);
        const unsigned int dtls = IS_DTLS(session);
        unsigned int kx_i, ciph_i, mac_i;
        unsigned int written = 0;       /* bytes stored in @cipher_suites */

        if (ver == NULL)
                return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);

        /* Walk every (kx, cipher, mac) combination of the session's
         * priority lists, key exchange outermost, and keep the
         * combinations that name a known cipher suite.
         */
        for (kx_i = 0;
             kx_i < session->internals.priorities.kx.algorithms; kx_i++) {
                for (ciph_i = 0;
                     ciph_i < session->internals.priorities.cipher.algorithms;
                     ciph_i++) {
                        for (mac_i = 0;
                             mac_i < session->internals.priorities.mac.algorithms;
                             mac_i++) {
                                entry = cipher_suite_get(
                                    session->internals.priorities.kx.priority[kx_i],
                                    session->internals.priorities.cipher.priority[ciph_i],
                                    session->internals.priorities.mac.priority[mac_i]);

                                /* Combination without a table entry. */
                                if (entry == NULL)
                                        continue;

                                /* Drop suites whose minimum protocol
                                 * version is above the session's
                                 * version; DTLS and TLS sessions use
                                 * separate minimums.
                                 */
                                if (dtls && ver->id < entry->min_dtls_version)
                                        continue;
                                if (!dtls && ver->id < entry->min_version)
                                        continue;

                                /* Bound check before each 2-byte write:
                                 * a buffer that is too small is reported
                                 * as an internal error and the list is
                                 * not truncated.
                                 */
                                if (written + 2 > max_cipher_suite_size)
                                        return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);

                                cipher_suites[written] = entry->id[0];
                                cipher_suites[written + 1] = entry->id[1];
                                written += 2;
                        }
                }
        }

        /* An empty result is reported as an error, never as a zero
         * count.
         */
        if (written == 0) {
                gnutls_assert();
                return GNUTLS_E_NO_CIPHER_SUITES;
        }

        return written;
}
1529
1530 /**
1531  * gnutls_priority_get_cipher_suite_index:
1532  * @pcache: is a #gnutls_priority_t structure.
1533  * @idx: is an index number.
1534  * @sidx: internal index of cipher suite to get information about.
1535  *
1536  * Provides the internal ciphersuite index to be used with
1537  * gnutls_cipher_suite_info(). The index @idx provided is an 
1538  * index kept at the priorities structure. It might be that a valid
1539  * priorities index does not correspond to a ciphersuite and in 
1540  * that case %GNUTLS_E_UNKNOWN_CIPHER_SUITE will be returned. 
1541  * Once the last available index is crossed then 
1542  * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
1543  *
1544  * Returns: On success it returns %GNUTLS_E_SUCCESS (0), or a negative error value otherwise.
1545  **/
int
gnutls_priority_get_cipher_suite_index(gnutls_priority_t pcache,
                                       unsigned int idx,
                                       unsigned int *sidx)
{
        /* @pcache and @sidx are dereferenced without a NULL check;
         * callers must pass valid pointers.
         */
        const unsigned int n_mac = pcache->mac.algorithms;
        const unsigned int n_cipher = pcache->cipher.algorithms;
        const unsigned int n_kx = pcache->kx.algorithms;
        int mac_pos, cipher_pos, kx_pos;
        unsigned int entry;

        /* This range check also protects the divisions below: if any
         * of the three lists is empty the product is 0, every @idx is
         * rejected here, and no modulo by zero is reached.
         */
        if (idx >= n_mac * n_cipher * n_kx)
                return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;

        /* Decompose @idx as a mixed-radix number: the MAC position
         * varies fastest, then the cipher, then the key exchange.
         */
        mac_pos = idx % n_mac;
        idx /= n_mac;

        cipher_pos = idx % n_cipher;
        idx /= n_cipher;

        kx_pos = idx % n_kx;

        /* Linear search of the suite table for the first entry that
         * matches all three selected algorithms.
         */
        for (entry = 0; entry < CIPHER_SUITES_COUNT; entry++) {
                if (cs_algorithms[entry].kx_algorithm !=
                    pcache->kx.priority[kx_pos])
                        continue;
                if (cs_algorithms[entry].block_algorithm !=
                    pcache->cipher.priority[cipher_pos])
                        continue;
                if (cs_algorithms[entry].mac_algorithm !=
                    pcache->mac.priority[mac_pos])
                        continue;

                *sidx = entry;
                return 0;
        }

        /* Valid priority index, but the combination is not a suite;
         * @sidx is left unmodified in that case.
         */
        return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
}