diff options
| author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-03-29 09:51:32 +0200 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-04-06 13:28:55 +0200 |
| commit | f09e8060b51881f9fefc0a82ec4656fb0e500ccb (patch) | |
| tree | 846ca4c513ba5c4ef5b7cc9a7796120ffeedb0fb | |
| parent | 9410ab601acccc44b15d367d965ed36ad937f313 (diff) | |
| download | gnutls-f09e8060b51881f9fefc0a82ec4656fb0e500ccb.tar.gz | |
priority: added GROUP-DH-ALL and GROUP-EC-ALL
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| -rw-r--r-- | doc/cha-gtls-app.texi | 4 | ||||
| -rw-r--r-- | lib/priority.c | 28 |
2 files changed, 31 insertions, 1 deletions
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi index 6575120756..655046c917 100644 --- a/doc/cha-gtls-app.texi +++ b/doc/cha-gtls-app.texi @@ -1268,7 +1268,9 @@ GROUP-SECP256R1, GROUP-SECP384R1, GROUP-SECP521R1, GROUP-X25519, GROUP-FFDHE2048, GROUP-FFDHE3072, GROUP-FFDHE4096 and GROUP-FFDHE8192. Groups include both elliptic curve groups, e.g., SECP256R1, as well as finite field groups such as FFDHE2048. Catch all which enables all groups -from NORMAL priority is GROUP-ALL. +from NORMAL priority is GROUP-ALL. The helper keywords GROUP-DH-ALL and +GROUP-EC-ALL are also available, restricting the groups to finite fields +(DH) and elliptic curves. @item Certificate type @tab The only option currently is CTYPE-X509. Catch all is CTYPE-ALL. diff --git a/lib/priority.c b/lib/priority.c index 25f7ebab37..fef7d5f9ba 100644 --- a/lib/priority.c +++ b/lib/priority.c @@ -105,6 +105,22 @@ static void _clear_given_priorities(priority_st * st, const int *list) } } +static const int _supported_groups_dh[] = { + GNUTLS_GROUP_FFDHE2048, + GNUTLS_GROUP_FFDHE3072, + GNUTLS_GROUP_FFDHE4096, + GNUTLS_GROUP_FFDHE8192, + 0 +}; + +static const int _supported_groups_ecdh[] = { + GNUTLS_GROUP_SECP256R1, + GNUTLS_GROUP_SECP384R1, + GNUTLS_GROUP_SECP521R1, + GNUTLS_GROUP_X25519, /* draft-ietf-tls-rfc4492bis */ + 0 +}; + static const int _supported_groups_normal[] = { GNUTLS_GROUP_SECP256R1, GNUTLS_GROUP_SECP384R1, @@ -1585,6 +1601,18 @@ gnutls_priority_init(gnutls_priority_t * priority_cache, bulk_fn(&(*priority_cache)-> _supported_ecc, supported_groups_normal); + } else if (strncasecmp + (&broken_list[i][1], "GROUP-DH-ALL", + 12) == 0) { + bulk_given_fn(&(*priority_cache)-> + _supported_ecc, + _supported_groups_dh); + } else if (strncasecmp + (&broken_list[i][1], "GROUP-EC-ALL", + 12) == 0) { + bulk_given_fn(&(*priority_cache)-> + _supported_ecc, + _supported_groups_ecdh); } else { if ((algo = gnutls_group_get_id |