diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2007-10-24 21:43:40 +0300 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2007-10-24 21:43:40 +0300 |
commit | e3b8eea08c24fd71a66669f4e7424d2636c9aaca (patch) | |
tree | 6a156526a2ef573d6da9098c9a4087927b93e600 | |
parent | 74200139866f14efc4cbabeec8c6698982327296 (diff) | |
download | gnutls-e3b8eea08c24fd71a66669f4e7424d2636c9aaca.tar.gz |
Introduced GNUTLS_PRIORITIES_SECURITY_NORMAL and GNUTLS_PRIORITIES_SECURITY_HIGH
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | doc/examples/ex-client-srp.c | 2 | ||||
-rw-r--r-- | doc/examples/ex-client-tlsia.c | 2 | ||||
-rw-r--r-- | doc/examples/ex-serv-anon.c | 2 | ||||
-rw-r--r-- | doc/examples/ex-serv-pgp.c | 2 | ||||
-rw-r--r-- | doc/examples/ex-serv-srp.c | 2 | ||||
-rw-r--r-- | doc/examples/ex-serv1.c | 2 | ||||
-rw-r--r-- | includes/gnutls/gnutls.h.in | 7 | ||||
-rw-r--r-- | lib/gnutls_priority.c | 55 |
9 files changed, 53 insertions, 23 deletions
@@ -36,7 +36,7 @@ gnutls_kx_convert_priority: ADDED gnutls_cipher_convert_priority: ADDED gnutls_certificate_type_convert_priority: ADDED gnutls_openpgp_key_t: RENAMED to gnutls_openpgp_crt_t -gnutls_openpgp_key_status_t: RENAMEDS gnutls_openpgp_crt_status_t +gnutls_openpgp_key_status_t: RENAMED to gnutls_openpgp_crt_status_t gnutls_openpgp_send_key: RENAMED to gnutls_openpgp_send_cert gnutls_openpgp_key_init: RENAMED to gnutls_openpgp_crt_init gnutls_openpgp_key_import: RENAMED to gnutls_openpgp_crt_import diff --git a/doc/examples/ex-client-srp.c b/doc/examples/ex-client-srp.c index ea09c2f82e..5a2bc137ed 100644 --- a/doc/examples/ex-client-srp.c +++ b/doc/examples/ex-client-srp.c @@ -69,7 +69,7 @@ main (void) /* Set the priorities. */ - gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY); + gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY_NORMAL); gnutls_kx_set_priority( session, kx_priorities); /* put the SRP credentials to the current session diff --git a/doc/examples/ex-client-tlsia.c b/doc/examples/ex-client-tlsia.c index 40a5670ad6..b546c19207 100644 --- a/doc/examples/ex-client-tlsia.c +++ b/doc/examples/ex-client-tlsia.c @@ -79,7 +79,7 @@ main (void) gnutls_init (&session, GNUTLS_CLIENT); /* Use default priorities */ - gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY); + gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY_NORMAL); gnutls_kx_set_priority (session, kx_prio); /* put the anonymous and TLS/IA credentials to the current session diff --git a/doc/examples/ex-serv-anon.c b/doc/examples/ex-serv-anon.c index 22ca9d2933..f2e8c06977 100644 --- a/doc/examples/ex-serv-anon.c +++ b/doc/examples/ex-serv-anon.c @@ -44,7 +44,7 @@ initialize_tls_session (void) /* avoid calling all the priority functions, since the defaults * are adequate. */ - gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY); + gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY_NORMAL); gnutls_kx_set_priority (session, kx_prio); gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred); diff --git a/doc/examples/ex-serv-pgp.c b/doc/examples/ex-serv-pgp.c index be79e3e980..0c9c1a4573 100644 --- a/doc/examples/ex-serv-pgp.c +++ b/doc/examples/ex-serv-pgp.c @@ -68,7 +68,7 @@ initialize_tls_session (void) */ gnutls_set_default_priority (session); - gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY); + gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY_NORMAL); /* request client certificate if any. */ diff --git a/doc/examples/ex-serv-srp.c b/doc/examples/ex-serv-srp.c index b49b965293..5458db9670 100644 --- a/doc/examples/ex-serv-srp.c +++ b/doc/examples/ex-serv-srp.c @@ -50,7 +50,7 @@ initialize_tls_session (void) gnutls_init (&session, GNUTLS_SERVER); - gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY); + gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY_NORMAL); gnutls_kx_set_priority (session, kx_priority); gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred); diff --git a/doc/examples/ex-serv1.c b/doc/examples/ex-serv1.c index b1ed81cd06..f4eac9ad39 100644 --- a/doc/examples/ex-serv1.c +++ b/doc/examples/ex-serv1.c @@ -50,7 +50,7 @@ initialize_tls_session (void) * are adequate. Depending on the needs it could also be * GNUTLS_PRIORITIES_PERFORMANCE. */ - gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY); + gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY_NORMAL); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred); diff --git a/includes/gnutls/gnutls.h.in b/includes/gnutls/gnutls.h.in index 30dda5a331..062cffd6df 100644 --- a/includes/gnutls/gnutls.h.in +++ b/includes/gnutls/gnutls.h.in @@ -167,9 +167,10 @@ extern "C" typedef enum { - GNUTLS_PRIORITIES_PERFORMANCE=1, - GNUTLS_PRIORITIES_SECURITY=2, - GNUTLS_PRIORITIES_EXPORT=4 + GNUTLS_PRIORITIES_EXPORT, + GNUTLS_PRIORITIES_PERFORMANCE, + GNUTLS_PRIORITIES_SECURITY_NORMAL, + GNUTLS_PRIORITIES_SECURITY_HIGH } gnutls_priority_flag_t; typedef enum diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c index 7193f10e13..5f71df270b 100644 --- a/lib/gnutls_priority.c +++ b/lib/gnutls_priority.c @@ -305,19 +305,31 @@ static const int kx_priority_security[] = { static const int cipher_priority_performance[] = { GNUTLS_CIPHER_ARCFOUR_128, +#ifdef ENABLE_CAMELLIA + GNUTLS_CIPHER_CAMELLIA_128_CBC, +#endif + GNUTLS_CIPHER_AES_128_CBC, + GNUTLS_CIPHER_3DES_CBC, + /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */ + 0 +}; + +static const int cipher_priority_security_normal[] = { GNUTLS_CIPHER_AES_128_CBC, #ifdef ENABLE_CAMELLIA GNUTLS_CIPHER_CAMELLIA_128_CBC, #endif - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_3DES_CBC, + GNUTLS_CIPHER_ARCFOUR_128, /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */ 0 }; - -static const int cipher_priority_security[] = { +static const int cipher_priority_security_high[] = { GNUTLS_CIPHER_AES_256_CBC, +#ifdef ENABLE_CAMELLIA + GNUTLS_CIPHER_CAMELLIA_256_CBC, +#endif GNUTLS_CIPHER_AES_128_CBC, #ifdef ENABLE_CAMELLIA GNUTLS_CIPHER_CAMELLIA_128_CBC, @@ -329,13 +341,12 @@ static const int cipher_priority_security[] = { }; static const int cipher_priority_export[] = { - GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_CIPHER_AES_128_CBC, #ifdef ENABLE_CAMELLIA - GNUTLS_CIPHER_CAMELLIA_128_CBC, + GNUTLS_CIPHER_CAMELLIA_128_CBC, #endif - GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_3DES_CBC, + GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_CIPHER_ARCFOUR_40, 0 }; @@ -381,11 +392,25 @@ static int cert_type_priority[] = { * The default order is: * Protocols: TLS 1.1, TLS 1.0, and SSL3. * Compression: NULL. - * Certificate types: X.509, OpenPGP - * - * When performance is requested the fastest ciphers and key exchange - * methods are used, whilst in security, the most conservative options - * are set. + * Certificate types: X.509, OpenPGP. + * + * In GNUTLS_PRIORITIES_PERFORMANCE all the "secure" ciphersuites are enabled, + * limited to 128 bit ciphers and sorted by terms of speed performance. + * The GNUTLS_PRIORITIES_SECURITY_NORMAL flag enables all "secure" ciphersuites + * limited to 128 bit ciphers and sorted by security margin. + * The GNUTLS_PRIORITIES_SECURITY_HIGH flag enables all "secure" ciphersuites + * including 256 bit ciphers and sorted by security margin. + * In GNUTLS_PRIORITIES_EXPORT all the ciphersuites are enabled, including + * the low-security 40 bit ciphers. + * + * For key exchange algorithms when in SECURITY_NORMAL or SECURITY_HIGH levels + * the perfect forward secrecy algorithms take precendence of the other protocols. + * In all cases all the supported key exchange algorithms are enabled (except for the + * RSA-EXPORT which is only enabled in EXPORT level). + * + * Note that although one can select very long key sizes for symmetric algorithms, + * to actually increase security the public key algorithms have to use longer key + * sizes as well. * * Returns 0 on success. * @@ -398,8 +423,12 @@ gnutls_set_default_priority2 (gnutls_session_t session, gnutls_priority_flag_t f gnutls_cipher_set_priority (session, cipher_priority_performance); gnutls_kx_set_priority (session, kx_priority_performance); gnutls_mac_set_priority (session, mac_priority_performance); - } else if (flag == GNUTLS_PRIORITIES_SECURITY) { - gnutls_cipher_set_priority (session, cipher_priority_security); + } else if (flag == GNUTLS_PRIORITIES_SECURITY_NORMAL) { + gnutls_cipher_set_priority (session, cipher_priority_security_normal); + gnutls_kx_set_priority (session, kx_priority_security); + gnutls_mac_set_priority (session, mac_priority_security); + } else if (flag == GNUTLS_PRIORITIES_SECURITY_HIGH) { + gnutls_cipher_set_priority (session, cipher_priority_security_high); gnutls_kx_set_priority (session, kx_priority_security); gnutls_mac_set_priority (session, mac_priority_security); } else if (flag == GNUTLS_PRIORITIES_EXPORT) { |