diff options
| author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2013-07-31 21:44:04 +0200 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2013-07-31 21:44:38 +0200 |
| commit | 109710ddcf2ab91b432589c17e3f8c0d2a1cfaf8 (patch) | |
| tree | c78006ded2009af8ed9660409346c84577220d81 | |
| parent | 901c1e38bcf09d66d688715ad294b24db397b770 (diff) | |
| download | gnutls-109710ddcf2ab91b432589c17e3f8c0d2a1cfaf8.tar.gz | |
Added the PFS priority string option.
| -rw-r--r-- | NEWS | 8 | ||||
| -rw-r--r-- | doc/cha-gtls-app.texi | 7 | ||||
| -rw-r--r-- | lib/gnutls_priority.c | 30 |
3 files changed, 45 insertions, 0 deletions
@@ -3,6 +3,14 @@ Copyright (C) 2000-2012 Free Software Foundation, Inc. Copyright (C) 2013 Nikos Mavrogiannopoulos See the end for copying conditions. +* Version 3.2.4 (unreleased) + +** libgnutls: Added the PFS priority string option. + +** API and ABI modifications: +No changes since last version. + + * Version 3.2.3 (released 2013-07-30) ** libgnutls: Fixes in parsing of priority strings. Patch by Stefan Buehler. diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi index 75d24582c8..ffe93061a5 100644 --- a/doc/cha-gtls-app.texi +++ b/doc/cha-gtls-app.texi @@ -878,6 +878,13 @@ Means all the known to be secure ciphersuites. The ciphers are sorted by securit margin, although the 256-bit ciphers are included as a fallback only. The message authenticity security level is of 64 bits or more. +@item PFS @tab +Means all the known to be secure ciphersuites that support perfect forward +secrecy. The ciphers are sorted by security +margin, although the 256-bit ciphers are included as a fallback only. +The message authenticity security level is of 64 bits or more. This +option is available since 3.2.4 or later. + @item SECURE128 @tab Means all known to be secure ciphersuites that offer a security level 128-bit or more and a message authenticity diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c index d4a079529c..5d9f8bed38 100644 --- a/lib/gnutls_priority.c +++ b/lib/gnutls_priority.c @@ -311,6 +311,18 @@ static const int kx_priority_performance[] = { 0 }; +static const int kx_priority_pfs[] = { +#ifdef ENABLE_ECDHE + GNUTLS_KX_ECDHE_ECDSA, + GNUTLS_KX_ECDHE_RSA, +#endif +#ifdef ENABLE_DHE + GNUTLS_KX_DHE_RSA, + GNUTLS_KX_DHE_DSS, +#endif + 0 +}; + static const int kx_priority_suiteb[] = { GNUTLS_KX_ECDHE_ECDSA, 0 @@ -639,6 +651,7 @@ gnutls_priority_set (gnutls_session_t session, gnutls_priority_t priority) #define LEVEL_NONE "NONE" #define LEVEL_NORMAL "NORMAL" +#define LEVEL_PFS "PFS" #define LEVEL_PERFORMANCE "PERFORMANCE" #define LEVEL_SECURE128 "SECURE128" #define LEVEL_SECURE192 "SECURE192" @@ -682,6 +695,19 @@ bulk_rmadd_func *func; priority_cache->level = GNUTLS_SEC_PARAM_VERY_WEAK; return 1; } + else if (strcasecmp (level, LEVEL_PFS) == 0) + { + func (&priority_cache->cipher, cipher_priority_normal); + func (&priority_cache->kx, kx_priority_pfs); + func (&priority_cache->mac, mac_priority_normal); + func (&priority_cache->sign_algo, + sign_priority_default); + func (&priority_cache->supported_ecc, supported_ecc_normal); + + if (priority_cache->level == 0) + priority_cache->level = GNUTLS_SEC_PARAM_VERY_WEAK; + return 1; + } else if (strcasecmp (level, LEVEL_SECURE256) == 0 || strcasecmp (level, LEVEL_SECURE192) == 0) { @@ -782,6 +808,10 @@ bulk_rmadd_func *func; * included as a fallback only. The ciphers are sorted by security * margin. * + * "PFS" means all "secure" ciphersuites that support perfect forward secrecy. + * The 256-bit ciphers are included as a fallback only. + * The ciphers are sorted by security margin. + * * "SECURE128" means all "secure" ciphersuites of security level 128-bit * or more. * |