Introduced GNUTLS_PRIORITIES_SECURITY_NORMAL and GNUTLS_PRIORITIES_SECURITY_HIGH

9 files changed, 53 insertions, 23 deletions

diff --git a/NEWS b/NEWS
index 5d6e644eac..4ffe4c4c23 100644
--- a/NEWS
+++ b/NEWS
@@ -36,7 +36,7 @@ gnutls_kx_convert_priority: ADDED
 gnutls_cipher_convert_priority: ADDED
 gnutls_certificate_type_convert_priority: ADDED
 gnutls_openpgp_key_t: RENAMED to gnutls_openpgp_crt_t
-gnutls_openpgp_key_status_t: RENAMEDS gnutls_openpgp_crt_status_t
+gnutls_openpgp_key_status_t: RENAMED to gnutls_openpgp_crt_status_t
 gnutls_openpgp_send_key: RENAMED to gnutls_openpgp_send_cert
 gnutls_openpgp_key_init: RENAMED to gnutls_openpgp_crt_init
 gnutls_openpgp_key_import: RENAMED to gnutls_openpgp_crt_import
diff --git a/doc/examples/ex-client-srp.c b/doc/examples/ex-client-srp.c
index ea09c2f82e..5a2bc137ed 100644
--- a/doc/examples/ex-client-srp.c
+++ b/doc/examples/ex-client-srp.c
@@ -69,7 +69,7 @@ main (void)
 
   /* Set the priorities.
    */
-  gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY);
+  gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY_NORMAL);
   gnutls_kx_set_priority( session, kx_priorities);
 
   /* put the SRP credentials to the current session
diff --git a/doc/examples/ex-client-tlsia.c b/doc/examples/ex-client-tlsia.c
index 40a5670ad6..b546c19207 100644
--- a/doc/examples/ex-client-tlsia.c
+++ b/doc/examples/ex-client-tlsia.c
@@ -79,7 +79,7 @@ main (void)
   gnutls_init (&session, GNUTLS_CLIENT);
 
   /* Use default priorities */
-  gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY);
+  gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY_NORMAL);
   gnutls_kx_set_priority (session, kx_prio);
 
   /* put the anonymous and TLS/IA credentials to the current session
diff --git a/doc/examples/ex-serv-anon.c b/doc/examples/ex-serv-anon.c
index 22ca9d2933..f2e8c06977 100644
--- a/doc/examples/ex-serv-anon.c
+++ b/doc/examples/ex-serv-anon.c
@@ -44,7 +44,7 @@ initialize_tls_session (void)
   /* avoid calling all the priority functions, since the defaults
    * are adequate.
    */
-  gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY);
+  gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY_NORMAL);
   gnutls_kx_set_priority (session, kx_prio);
 
   gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred);
diff --git a/doc/examples/ex-serv-pgp.c b/doc/examples/ex-serv-pgp.c
index be79e3e980..0c9c1a4573 100644
--- a/doc/examples/ex-serv-pgp.c
+++ b/doc/examples/ex-serv-pgp.c
@@ -68,7 +68,7 @@ initialize_tls_session (void)
    */
   gnutls_set_default_priority (session);
 
-  gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY);
+  gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY_NORMAL);
 
   /* request client certificate if any.
    */
diff --git a/doc/examples/ex-serv-srp.c b/doc/examples/ex-serv-srp.c
index b49b965293..5458db9670 100644
--- a/doc/examples/ex-serv-srp.c
+++ b/doc/examples/ex-serv-srp.c
@@ -50,7 +50,7 @@ initialize_tls_session (void)
 
   gnutls_init (&session, GNUTLS_SERVER);
 
-  gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY);
+  gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY_NORMAL);
   gnutls_kx_set_priority (session, kx_priority);
 
   gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred);
diff --git a/doc/examples/ex-serv1.c b/doc/examples/ex-serv1.c
index b1ed81cd06..f4eac9ad39 100644
--- a/doc/examples/ex-serv1.c
+++ b/doc/examples/ex-serv1.c
@@ -50,7 +50,7 @@ initialize_tls_session (void)
    * are adequate. Depending on the needs it could also be 
    * GNUTLS_PRIORITIES_PERFORMANCE.
    */
-  gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY);
+  gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY_NORMAL);
 
   gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred);
 
diff --git a/includes/gnutls/gnutls.h.in b/includes/gnutls/gnutls.h.in
index 30dda5a331..062cffd6df 100644
--- a/includes/gnutls/gnutls.h.in
+++ b/includes/gnutls/gnutls.h.in
@@ -167,9 +167,10 @@ extern "C"
 
   typedef enum 
   {
-    GNUTLS_PRIORITIES_PERFORMANCE=1,
-    GNUTLS_PRIORITIES_SECURITY=2,
-    GNUTLS_PRIORITIES_EXPORT=4
+    GNUTLS_PRIORITIES_EXPORT,
+    GNUTLS_PRIORITIES_PERFORMANCE,
+    GNUTLS_PRIORITIES_SECURITY_NORMAL,
+    GNUTLS_PRIORITIES_SECURITY_HIGH
   } gnutls_priority_flag_t;
 
   typedef enum
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index 7193f10e13..5f71df270b 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -305,19 +305,31 @@ static const int kx_priority_security[] = {
 
 static const int cipher_priority_performance[] = {
   GNUTLS_CIPHER_ARCFOUR_128,
+#ifdef	ENABLE_CAMELLIA
+  GNUTLS_CIPHER_CAMELLIA_128_CBC,
+#endif
+  GNUTLS_CIPHER_AES_128_CBC,
+  GNUTLS_CIPHER_3DES_CBC,
+  /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */
+  0
+};
+
+static const int cipher_priority_security_normal[] = {
   GNUTLS_CIPHER_AES_128_CBC,
 #ifdef	ENABLE_CAMELLIA
     GNUTLS_CIPHER_CAMELLIA_128_CBC,
 #endif
-  GNUTLS_CIPHER_AES_256_CBC,
   GNUTLS_CIPHER_3DES_CBC,
+  GNUTLS_CIPHER_ARCFOUR_128,
   /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */
   0
 };
 
-
-static const int cipher_priority_security[] = {
+static const int cipher_priority_security_high[] = {
   GNUTLS_CIPHER_AES_256_CBC,
+#ifdef	ENABLE_CAMELLIA
+    GNUTLS_CIPHER_CAMELLIA_256_CBC,
+#endif
   GNUTLS_CIPHER_AES_128_CBC,
 #ifdef	ENABLE_CAMELLIA
     GNUTLS_CIPHER_CAMELLIA_128_CBC,
@@ -329,13 +341,12 @@ static const int cipher_priority_security[] = {
 };
 
 static const int cipher_priority_export[] = {
-  GNUTLS_CIPHER_ARCFOUR_128,
   GNUTLS_CIPHER_AES_128_CBC,
 #ifdef	ENABLE_CAMELLIA
-    GNUTLS_CIPHER_CAMELLIA_128_CBC,
+  GNUTLS_CIPHER_CAMELLIA_128_CBC,
 #endif
-  GNUTLS_CIPHER_AES_256_CBC,
   GNUTLS_CIPHER_3DES_CBC,
+  GNUTLS_CIPHER_ARCFOUR_128,
   GNUTLS_CIPHER_ARCFOUR_40,
   0
 };
@@ -381,11 +392,25 @@ static int cert_type_priority[] = {
   * The default order is:
   * Protocols: TLS 1.1, TLS 1.0, and SSL3.
   * Compression: NULL.
-  * Certificate types: X.509, OpenPGP
-  *
-  * When performance is requested the fastest ciphers and key exchange
-  * methods are used, whilst in security, the most conservative options
-  * are set.
+  * Certificate types: X.509, OpenPGP.
+  *
+  * In GNUTLS_PRIORITIES_PERFORMANCE all the "secure" ciphersuites are enabled, 
+  * limited to 128 bit ciphers and sorted by terms of speed performance.
+  * The GNUTLS_PRIORITIES_SECURITY_NORMAL flag enables all "secure" ciphersuites 
+  * limited to 128 bit ciphers and sorted by security margin.
+  * The GNUTLS_PRIORITIES_SECURITY_HIGH flag enables all "secure" ciphersuites 
+  * including 256 bit ciphers and sorted by security margin.
+  * In GNUTLS_PRIORITIES_EXPORT all the ciphersuites are enabled, including
+  * the low-security 40 bit ciphers.
+  *
+  * For key exchange algorithms when in SECURITY_NORMAL or SECURITY_HIGH levels
+  * the perfect forward secrecy algorithms take precendence of the other protocols.
+  * In all cases all the supported key exchange algorithms are enabled (except for the
+  * RSA-EXPORT which is only enabled in EXPORT level).
+  *
+  * Note that although one can select very long key sizes for symmetric algorithms, 
+  * to actually increase security the public key algorithms have to use longer key 
+  * sizes as well.
   *
   * Returns 0 on success.
   *
@@ -398,8 +423,12 @@ gnutls_set_default_priority2 (gnutls_session_t session, gnutls_priority_flag_t f
     gnutls_cipher_set_priority (session, cipher_priority_performance);
     gnutls_kx_set_priority (session, kx_priority_performance);
     gnutls_mac_set_priority (session, mac_priority_performance);
-  } else if (flag == GNUTLS_PRIORITIES_SECURITY) {
-    gnutls_cipher_set_priority (session, cipher_priority_security);
+  } else if (flag == GNUTLS_PRIORITIES_SECURITY_NORMAL) {
+    gnutls_cipher_set_priority (session, cipher_priority_security_normal);
+    gnutls_kx_set_priority (session, kx_priority_security);
+    gnutls_mac_set_priority (session, mac_priority_security);
+  } else if (flag == GNUTLS_PRIORITIES_SECURITY_HIGH) {
+    gnutls_cipher_set_priority (session, cipher_priority_security_high);
     gnutls_kx_set_priority (session, kx_priority_security);
     gnutls_mac_set_priority (session, mac_priority_security);
   } else if (flag == GNUTLS_PRIORITIES_EXPORT) {