authorNikos Mavrogiannopoulos <nmav@gnutls.org>2003-11-27 22:01:10 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2003-11-27 22:01:10 +0000
commit7e4e985890c61e79391ccf34d8a6f0ff4f7e7fb7 (patch)
treedf115ed38e935563f03140b724b4f6d3adcd7e7f
parent2c39ed5e0101593043a4656e22c95c219b29ca8c (diff)
downloadgnutls-7e4e985890c61e79391ccf34d8a6f0ff4f7e7fb7.tar.gz
Removed the TWOFISH cipher. Documented the supported ciphersuites.
-rw-r--r--NEWS1
-rw-r--r--doc/tex/Makefile.am3
-rw-r--r--doc/tex/appendix.tex2
-rw-r--r--doc/tex/ciphers.tex5
-rw-r--r--doc/tex/ciphersuites.tex8
-rw-r--r--doc/tex/supported_ciphersuites.tex69
-rw-r--r--lib/gnutls.h.in.in3
-rw-r--r--lib/gnutls_algorithms.c31
-rw-r--r--lib/gnutls_cipher_int.c3
-rw-r--r--lib/gnutls_int.h3
-rw-r--r--lib/gnutls_state.c3
11 files changed, 82 insertions, 49 deletions
diff --git a/NEWS b/NEWS
index b188764b11..10bc2d7fdb 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,7 @@ Version 0.9.99
- Exported the gnutls_x509_privkey_sign_data(), gnutls_x509_privkey_verify_data()
and gnutls_x509_crt_verify_data().
- Some fixes in the openpgp authentication.
+- Removed the Twofish cipher.
Version 0.9.98 (16/11/2003)
- The openssl compatibility layer was moved to gnutls-openssl
diff --git a/doc/tex/Makefile.am b/doc/tex/Makefile.am
index 741d8944b0..ddac1639d7 100644
--- a/doc/tex/Makefile.am
+++ b/doc/tex/Makefile.am
@@ -19,7 +19,8 @@ TEX_OBJECTS = gnutls.tex ../../lib/gnutls-api.tex fdl.tex ../../lib/x509/x509-ap
appendix.tex x509cert.xml.tex pgpcert.xml.tex \
programs.tex library.tex certificate.tex record_weaknesses.tex \
tlsintro.tex compression.tex $(EXAMPLE_OBJECTS) preface.tex \
- tls_extensions.tex srp.tex preparation.tex callbacks.tex
+ tls_extensions.tex srp.tex preparation.tex callbacks.tex \
+ supported_ciphersuites.tex
gnutls.html: build_api_pgp build_api_lib build_api_x509 build_api_extra $(TEX_OBJECTS)
-latex2html gnutls.tex -no_navigation -split 0 \
diff --git a/doc/tex/appendix.tex b/doc/tex/appendix.tex
index f1204fa88c..d25a7c61c2 100644
--- a/doc/tex/appendix.tex
+++ b/doc/tex/appendix.tex
@@ -17,3 +17,5 @@ functions:
\input{pgpcert.xml}
\input{error_codes}
+
+\input{supported_ciphersuites}
diff --git a/doc/tex/ciphers.tex b/doc/tex/ciphers.tex
index d1ed592256..3e2f6f66e0 100644
--- a/doc/tex/ciphers.tex
+++ b/doc/tex/ciphers.tex
@@ -34,11 +34,6 @@ the old DES algorithm. Has
supported in TLS.
\\
\hline
-TWOFISH\_CBC & TWOFISH is a block cipher algorithm by Counterpane. Has
-128 bits block size and is used in CBC mode. This algorithm is not
-part of TLS. It is a \gnutls{} extension.
-\\
-\hline
\end{tabular}
\caption{Supported cipher algorithms}
\label{fig:ciphers}
diff --git a/doc/tex/ciphersuites.tex b/doc/tex/ciphersuites.tex
index 9c6805fc90..979cfb4479 100644
--- a/doc/tex/ciphersuites.tex
+++ b/doc/tex/ciphersuites.tex
@@ -21,9 +21,11 @@ available cipher suite. Do not enable ciphers and algorithms that you consider w
The priority functions, dicussed above, allow the application layer to enable
and set priorities on the individual ciphers. It may imply that all combinations of ciphersuites
are allowed, but this is not true. For several reasons, not discussed here, some combinations
-were not defined in the \tls{} protocol.
-\gnutls{} may even decide to remove some of the valid ones. This behaviour depends on the
-key parameters. For example keys marked as sign-only, will not be able to
+were not defined in the \tls{} protocol. The supported ciphersuites are shown
+in appendix \ref{ap:ciphersuites} on page \pageref{ap:ciphersuites}.
+\gnutls{} will disable ciphersuites that are not compatible with the key, or
+the enabled authentication methods.
+For example keys marked as sign-only, will not be able to
access the plain RSA ciphersuites, but only the DHE\_RSA ones.
\addvspace{1.5cm}
diff --git a/doc/tex/supported_ciphersuites.tex b/doc/tex/supported_ciphersuites.tex
new file mode 100644
index 0000000000..0bf7209c7e
--- /dev/null
+++ b/doc/tex/supported_ciphersuites.tex
@@ -0,0 +1,69 @@
+\chapter{All the supported ciphersuites in \gnutls{}\index{Ciphersuites}}\label{ap:ciphersuites}
+\begin{center}
+\tablefirsthead{%
+\hline
+\multicolumn{1}{|c}{Cipher suite} &
+\multicolumn{1}{|c|}{TLS value} &
+\multicolumn{1}{c|}{defined at} \\
+\hline}
+\tablehead{%
+\hline
+\multicolumn{3}{|l|}{\small\sl continued from previous page}\\
+\hline
+\multicolumn{1}{|c}{Cipher suite} &
+\multicolumn{1}{|c|}{TLS value} &
+\multicolumn{1}{c|}{defined at} \\
+\hline}
+\tabletail{%
+\hline
+\multicolumn{3}{|r|}{\small\sl continued on next page}\\
+\hline}
+\tablelasttail{\hline}
+\bottomcaption{The ciphersuites table}
+
+
+\begin{supertabular}{|l|l|l|}
+{\small{TLS\_RSA\_NULL\_MD5}} & 0x00 0x01 & RFC2246 \\
+{\small{TLS\_ANON\_DH\_3DES\_EDE\_CBC\_SHA}} & 0x00 0x1B & RFC2246\\
+{\small{TLS\_ANON\_DH\_ARCFOUR\_MD5}} & 0x00 0x18 & RFC2246 \\
+{\small{TLS\_ANON\_DH\_AES\_128\_CBC\_SHA}} & 0x00 0x34 & RFC2246 \\
+{\small{TLS\_ANON\_DH\_AES\_256\_CBC\_SHA}} & 0x00 0x3A & RFC2246 \\
+{\small{TLS\_RSA\_ARCFOUR\_SHA}} & 0x00 0x05 & RFC2246 \\
+{\small{TLS\_RSA\_ARCFOUR\_MD5}} & 0x00 0x04 & RFC2246 \\
+{\small{TLS\_RSA\_3DES\_EDE\_CBC\_SHA}} & 0x00 0x0A & RFC2246 \\
+{\small{TLS\_RSA\_EXPORT\_ARCFOUR\_40\_MD5}} & 0x00 0x03 & RFC2246 \\
+{\small{TLS\_DHE\_DSS\_3DES\_EDE\_CBC\_SHA}} & 0x00 0x13 & RFC2246 \\
+{\small{TLS\_DHE\_RSA\_3DES\_EDE\_CBC\_SHA}} & 0x00 0x16 & RFC2246 \\
+
+{\small{TLS\_RSA\_AES\_128\_CBC\_SHA}} & 0x00 0x2F & RFC3268 \\
+{\small{TLS\_RSA\_AES\_128\_CBC\_SHA}} & 0x00 0x35 & RFC3268 \\
+{\small{TLS\_DHE\_DSS\_AES\_256\_CBC\_SHA}} & 0x00 0x38 & RFC3268 \\
+{\small{TLS\_DHE\_DSS\_AES\_128\_CBC\_SHA}} & 0x00 0x32 & RFC3268 \\
+{\small{TLS\_DHE\_RSA\_AES\_256\_CBC\_SHA}} & 0x00 0x39 & RFC3268 \\
+{\small{TLS\_DHE\_RSA\_AES\_128\_CBC\_SHA}} & 0x00 0x33 & RFC3268 \\
+
+{\small{TLS\_SRP\_SHA\_3DES\_EDE\_CBC\_SHA}} & 0x00 0x50 & draft-ietf-tls-srp \\
+{\small{TLS\_SRP\_SHA\_AES\_128\_CBC\_SHA}} & 0x00 0x53 & draft-ietf-tls-srp \\
+{\small{TLS\_SRP\_SHA\_AES\_256\_CBC\_SHA}} & 0x00 0x56 & draft-ietf-tls-srp \\
+{\small{TLS\_SRP\_SHA\_RSA\_3DES\_EDE\_CBC\_SHA}} & 0x00 0x51 & draft-ietf-tls-srp \\
+{\small{TLS\_SRP\_SHA\_DSS\_3DES\_EDE\_CBC\_SHA}} & 0x00 0x52 & draft-ietf-tls-srp \\
+{\small{TLS\_SRP\_SHA\_RSA\_AES\_128\_CBC\_SHA}} & 0x00 0x54 & draft-ietf-tls-srp \\
+{\small{TLS\_SRP\_SHA\_DSS\_AES\_128\_CBC\_SHA}} & 0x00 0x55 & draft-ietf-tls-srp \\
+{\small{TLS\_SRP\_SHA\_RSA\_AES\_256\_CBC\_SHA}} & 0x00 0x57 & draft-ietf-tls-srp \\
+{\small{TLS\_SRP\_SHA\_DSS\_AES\_256\_CBC\_SHA}} & 0x00 0x58 & draft-ietf-tls-srp \\
+
+{\small{TLS\_DHE\_DSS\_3DES\_EDE\_CBC\_RMD}} & 0x00 0x72 & draft-ietf-tls-openpgp-keys \\
+{\small{TLS\_DHE\_RSA\_3DES\_EDE\_CBC\_RMD}} & 0x00 0x77 & draft-ietf-tls-openpgp-keys \\
+{\small{TLS\_DHE\_DSS\_AES\_256\_CBC\_RMD}} & 0x00 0x73 & draft-ietf-tls-openpgp-keys \\
+{\small{TLS\_DHE\_DSS\_AES\_128\_CBC\_RMD}} & 0x00 0x74 & draft-ietf-tls-openpgp-keys \\
+{\small{TLS\_DHE\_RSA\_AES\_128\_CBC\_RMD}} & 0x00 0x78 & draft-ietf-tls-openpgp-keys \\
+{\small{TLS\_DHE\_RSA\_AES\_256\_CBC\_RMD}} & 0x00 0x79 & draft-ietf-tls-openpgp-keys \\
+{\small{TLS\_RSA\_3DES\_EDE\_CBC\_RMD}} & 0x00 0x7C & draft-ietf-tls-openpgp-keys \\
+{\small{TLS\_RSA\_AES\_128\_CBC\_RMD}} & 0x00 0x7D & draft-ietf-tls-openpgp-keys \\
+{\small{TLS\_RSA\_AES\_256\_CBC\_RMD}} & 0x00 0x7E & draft-ietf-tls-openpgp-keys \\
+
+{\small{TLS\_DHE\_DSS\_ARCFOUR\_SHA}} & 0x00 0x66 & draft-ietf-tls-56-bit-ciphersuites \\
+
+\end{supertabular}
+
+\end{center}
diff --git a/lib/gnutls.h.in.in b/lib/gnutls.h.in.in
index 07b7ec4803..b2f768f397 100644
--- a/lib/gnutls.h.in.in
+++ b/lib/gnutls.h.in.in
@@ -61,8 +61,7 @@ extern "C" {
typedef enum gnutls_cipher_algorithm { GNUTLS_CIPHER_NULL=1,
GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_AES_128_CBC,
- GNUTLS_CIPHER_TWOFISH_128_CBC, GNUTLS_CIPHER_AES_256_CBC,
- GNUTLS_CIPHER_ARCFOUR_40
+ GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_ARCFOUR_40
} gnutls_cipher_algorithm;
typedef enum gnutls_kx_algorithm { GNUTLS_KX_RSA=1, GNUTLS_KX_DHE_DSS,
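Review bot: Dropping `GNUTLS_CIPHER_TWOFISH_128_CBC` from the middle of this public enum renumbers every enumerator after it: `GNUTLS_CIPHER_AES_256_CBC` moves from 6 to 5 and `GNUTLS_CIPHER_ARCFOUR_40` from 7 to 6. If the library is replaced without rebuilding the application, a caller compiled against the previous header that passes 6 to request AES-256 would now be asking for the 40-bit ARCFOUR cipher, with no error. Pinning the value keeps the old numbering, e.g. `GNUTLS_CIPHER_AES_256_CBC=6, GNUTLS_CIPHER_ARCFOUR_40`, ideally with a short comment that value 5 is retired. The same renumbering happens in the lib/gnutls_int.h hunk, and the two enums have to stay in step.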
diff --git a/lib/gnutls_algorithms.c b/lib/gnutls_algorithms.c
index 4d02e14fe0..eb55209b68 100644
--- a/lib/gnutls_algorithms.c
+++ b/lib/gnutls_algorithms.c
@@ -136,7 +136,6 @@ static const gnutls_cipher_entry algorithms[] = {
{"3DES 168 CBC", GNUTLS_CIPHER_3DES_CBC, 8, 24, CIPHER_BLOCK, 8, 0 },
{"AES 128 CBC", GNUTLS_CIPHER_AES_128_CBC, 16, 16, CIPHER_BLOCK, 16, 0 },
{"AES 256 CBC", GNUTLS_CIPHER_AES_256_CBC, 16, 32, CIPHER_BLOCK, 16, 0 },
- {"TWOFISH 128 CBC", GNUTLS_CIPHER_TWOFISH_128_CBC, 16, 16, CIPHER_BLOCK, 16, 0 },
{"ARCFOUR 128", GNUTLS_CIPHER_ARCFOUR_128, 1, 16, CIPHER_STREAM, 0, 0 },
{"ARCFOUR 40", GNUTLS_CIPHER_ARCFOUR_40, 1, 5, CIPHER_STREAM, 0, 1 },
{"RC2 40", GNUTLS_CIPHER_RC2_40_CBC, 8, 5, CIPHER_BLOCK, 8, 1 },
@@ -271,9 +270,6 @@ typedef struct {
/* rfc3268: */
#define GNUTLS_ANON_DH_AES_128_CBC_SHA { 0x00, 0x34 }
#define GNUTLS_ANON_DH_AES_256_CBC_SHA { 0x00, 0x3A }
-/* gnutls private extensions: */
-#define GNUTLS_ANON_DH_TWOFISH_128_CBC_SHA { 0xFF, 0x50 } /* gnutls */
-
/** SRP (not in TLS 1.0)
** draft-ietf-tls-srp-02:
@@ -304,22 +300,12 @@ typedef struct {
#define GNUTLS_RSA_AES_128_CBC_SHA { 0x00, 0x2F }
#define GNUTLS_RSA_AES_256_CBC_SHA { 0x00, 0x35 }
-/* gnutls private extensions:
- */
-#define GNUTLS_RSA_TWOFISH_128_CBC_SHA { 0xFF, 0x51 } /* gnutls */
-
-
/** DHE DSS
**/
#define GNUTLS_DHE_DSS_3DES_EDE_CBC_SHA { 0x00, 0x13 }
-/* gnutls private extensions:
- */
-#define GNUTLS_DHE_DSS_TWOFISH_128_CBC_SHA { 0xFF, 0x54 }
-
-
/* draft-ietf-tls-openpgp-keys-04:
*/
#define GNUTLS_DHE_DSS_3DES_EDE_CBC_RMD { 0x00, 0x72 }
@@ -347,10 +333,6 @@ typedef struct {
**/
#define GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA { 0x00, 0x16 }
-/* gnutls private extensions:
- */
-#define GNUTLS_DHE_RSA_TWOFISH_128_CBC_SHA { 0xFF, 0x55 } /* gnutls */
-
/* rfc3268:
*/
#define GNUTLS_DHE_RSA_AES_128_CBC_SHA { 0x00, 0x33 }
@@ -372,10 +354,6 @@ static const gnutls_cipher_suite_entry cs_algorithms[] = {
GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_ANON_DH_AES_256_CBC_SHA,
GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_ANON_DH,
GNUTLS_MAC_SHA, GNUTLS_SSL3),
- GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_ANON_DH_TWOFISH_128_CBC_SHA,
- GNUTLS_CIPHER_TWOFISH_128_CBC, GNUTLS_KX_ANON_DH,
- GNUTLS_MAC_SHA, GNUTLS_TLS1),
-
/* SRP */
GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_SRP_SHA_3DES_EDE_CBC_SHA,
GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_SRP,
@@ -415,9 +393,6 @@ static const gnutls_cipher_suite_entry cs_algorithms[] = {
GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_ARCFOUR_SHA,
GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_KX_DHE_DSS,
GNUTLS_MAC_SHA, GNUTLS_TLS1),
- GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_TWOFISH_128_CBC_SHA,
- GNUTLS_CIPHER_TWOFISH_128_CBC, GNUTLS_KX_DHE_DSS,
- GNUTLS_MAC_SHA, GNUTLS_TLS1),
GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_DSS_3DES_EDE_CBC_SHA,
GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_DSS,
GNUTLS_MAC_SHA, GNUTLS_SSL3),
@@ -437,9 +412,6 @@ static const gnutls_cipher_suite_entry cs_algorithms[] = {
GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_DSS,
GNUTLS_MAC_RMD160, GNUTLS_TLS1),
/* DHE_RSA */
- GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_TWOFISH_128_CBC_SHA,
- GNUTLS_CIPHER_TWOFISH_128_CBC, GNUTLS_KX_DHE_RSA,
- GNUTLS_MAC_SHA, GNUTLS_TLS1),
GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA,
GNUTLS_CIPHER_3DES_CBC, GNUTLS_KX_DHE_RSA,
GNUTLS_MAC_SHA, GNUTLS_SSL3),
@@ -482,9 +454,6 @@ static const gnutls_cipher_suite_entry cs_algorithms[] = {
GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_AES_256_CBC_SHA,
GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA,
GNUTLS_MAC_SHA, GNUTLS_SSL3),
- GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_TWOFISH_128_CBC_SHA,
- GNUTLS_CIPHER_TWOFISH_128_CBC, GNUTLS_KX_RSA,
- GNUTLS_MAC_SHA, GNUTLS_TLS1),
GNUTLS_CIPHER_SUITE_ENTRY(GNUTLS_RSA_3DES_EDE_CBC_RMD,
GNUTLS_CIPHER_3DES_CBC,
GNUTLS_KX_RSA, GNUTLS_MAC_RMD160, GNUTLS_TLS1),
diff --git a/lib/gnutls_cipher_int.c b/lib/gnutls_cipher_int.c
index 9e649d65a6..caddcebcd6 100644
--- a/lib/gnutls_cipher_int.c
+++ b/lib/gnutls_cipher_int.c
@@ -40,9 +40,6 @@ gcry_error_t err = GPG_ERR_GENERAL; /* doesn't matter */
case GNUTLS_CIPHER_AES_256_CBC:
err = gcry_cipher_open(&ret, GCRY_CIPHER_RIJNDAEL256, GCRY_CIPHER_MODE_CBC, 0);
break;
- case GNUTLS_CIPHER_TWOFISH_128_CBC:
- err = gcry_cipher_open(&ret, GCRY_CIPHER_TWOFISH, GCRY_CIPHER_MODE_CBC, 0);
- break;
case GNUTLS_CIPHER_3DES_CBC:
err = gcry_cipher_open(&ret, GCRY_CIPHER_3DES, GCRY_CIPHER_MODE_CBC, 0);
break;
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 8f7aa0dc5a..1022e31c36 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -164,8 +164,7 @@ typedef struct {
typedef enum gnutls_cipher_algorithm { GNUTLS_CIPHER_NULL=1,
GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_AES_128_CBC,
- GNUTLS_CIPHER_TWOFISH_128_CBC, GNUTLS_CIPHER_AES_256_CBC,
- GNUTLS_CIPHER_ARCFOUR_40,
+ GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_ARCFOUR_40,
GNUTLS_CIPHER_RC2_40_CBC=90, GNUTLS_CIPHER_DES_CBC
} gnutls_cipher_algorithm;
diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c
index 773d899370..5b0f8e18ab 100644
--- a/lib/gnutls_state.c
+++ b/lib/gnutls_state.c
@@ -534,8 +534,7 @@ void gnutls_record_set_cbc_protection(gnutls_session session, int prot)
* advertized nor used.
*
* Unless this function is called with the option to allow (1), then
- * no compression algorithms, like ZLIB, and encryption algorithms,
- * like TWOFISH, will be available. This is because these algorithms
+ * no compression algorithms, like LZO. That is because these algorithms
* are not yet defined in any RFC or even internet draft.
*
* Enabling the private ciphersuites when talking to other than gnutls
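Review bot: The rewritten sentence in this doc comment has lost its predicate: "no compression algorithms, like LZO." no longer says what happens to those algorithms unless the option is set. Suggest `* no compression algorithms, like LZO, will be available. This is because these algorithms` so the default (private extensions disabled) is stated explicitly. The comment starts and ends outside the hunk, so the function it documents is not visible here.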