diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2013-07-31 21:44:04 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2013-08-03 09:54:34 +0200 |
commit | 00c99a10f6858e578480f4f3071cde6a20b29f15 (patch) | |
tree | 64d53e195d93eaee65bd35a18ef32671ee0a8f17 | |
parent | 3ba3a89e21bcc15a2aa2b838b016cf5815833bfc (diff) | |
download | gnutls-00c99a10f6858e578480f4f3071cde6a20b29f15.tar.gz |
Added the PFS priority string option.
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | doc/cha-gtls-app.texi | 7 | ||||
-rw-r--r-- | lib/gnutls_priority.c | 30 |
3 files changed, 39 insertions, 0 deletions
@@ -4,6 +4,8 @@ See the end for copying conditions. * Version 3.1.14 (unreleased) +** libgnutls: Added the PFS priority string option. + ** libgnutls: Fixes in gnutls_record_send_range(). Report and initial fix by Alfredo Pironti. diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi index 9d30160299..d32e0f41bd 100644 --- a/doc/cha-gtls-app.texi +++ b/doc/cha-gtls-app.texi @@ -873,6 +873,13 @@ Means all the known to be secure ciphersuites. The ciphers are sorted by securit margin, although the 256-bit ciphers are included as a fallback only. The message authenticity security level is of 64 bits or more. +@item PFS @tab +Means all the known to be secure ciphersuites that support perfect forward +secrecy. The ciphers are sorted by security +margin, although the 256-bit ciphers are included as a fallback only. +The message authenticity security level is of 64 bits or more. This +option is available since 3.2.4 or later. + @item SECURE128 @tab Means all known to be secure ciphersuites that offer a security level 128-bit or more and a message authenticity diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c index 369ef4b623..0630a46a05 100644 --- a/lib/gnutls_priority.c +++ b/lib/gnutls_priority.c @@ -309,6 +309,18 @@ static const int kx_priority_performance[] = { 0 }; +static const int kx_priority_pfs[] = { +#ifdef ENABLE_ECDHE + GNUTLS_KX_ECDHE_ECDSA, + GNUTLS_KX_ECDHE_RSA, +#endif +#ifdef ENABLE_DHE + GNUTLS_KX_DHE_RSA, + GNUTLS_KX_DHE_DSS, +#endif + 0 +}; + static const int kx_priority_suiteb[] = { GNUTLS_KX_ECDHE_ECDSA, 0 @@ -641,6 +653,7 @@ gnutls_priority_set (gnutls_session_t session, gnutls_priority_t priority) #define LEVEL_NONE "NONE" #define LEVEL_NORMAL "NORMAL" +#define LEVEL_PFS "PFS" #define LEVEL_PERFORMANCE "PERFORMANCE" #define LEVEL_SECURE128 "SECURE128" #define LEVEL_SECURE192 "SECURE192" @@ -684,6 +697,19 @@ bulk_rmadd_func *func; priority_cache->level = GNUTLS_SEC_PARAM_VERY_WEAK; return 1; } + else if (strcasecmp (level, LEVEL_PFS) == 0) + { + func (&priority_cache->cipher, cipher_priority_normal); + func (&priority_cache->kx, kx_priority_pfs); + func (&priority_cache->mac, mac_priority_normal); + func (&priority_cache->sign_algo, + sign_priority_default); + func (&priority_cache->supported_ecc, supported_ecc_normal); + + if (priority_cache->level == 0) + priority_cache->level = GNUTLS_SEC_PARAM_VERY_WEAK; + return 1; + } else if (strcasecmp (level, LEVEL_SECURE256) == 0 || strcasecmp (level, LEVEL_SECURE192) == 0) { @@ -784,6 +810,10 @@ bulk_rmadd_func *func; * included as a fallback only. The ciphers are sorted by security * margin. * + * "PFS" means all "secure" ciphersuites that support perfect forward secrecy. + * The 256-bit ciphers are included as a fallback only. + * The ciphers are sorted by security margin. + * * "SECURE128" means all "secure" ciphersuites of security level 128-bit * or more. * |