authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-05-05 11:01:29 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-05-06 10:08:55 +0200
commitf4ab2c829663ee485e503fdaeaa80a832c49bc9b (patch)
tree6ecdca152f5d793ed19e51079f25067905fb8d55
parent876bdee73ea30d6340c19b5acf7bcca55bc1778c (diff)
priorities: when without AES acceleration prefer stream ciphers (i.e., CHACHA20)
-rw-r--r--lib/accelerated/x86/x86-common.c7
-rw-r--r--lib/gnutls_int.h1
-rw-r--r--lib/priority.c38
3 files changed, 41 insertions, 5 deletions
diff --git a/lib/accelerated/x86/x86-common.c b/lib/accelerated/x86/x86-common.c
index 371d025ad9..78ccb235b2 100644
--- a/lib/accelerated/x86/x86-common.c
+++ b/lib/accelerated/x86/x86-common.c
@@ -103,6 +103,7 @@ static void capabilities_to_intel_cpuid(unsigned capabilities)
("SSSE3 acceleration requested but not available\n");
}
}
+
if (capabilities & INTEL_PCLMUL) {
if (b & bit_PCLMUL) {
_gnutls_x86_cpuid_s[1] |= bit_PCLMUL;
@@ -111,6 +112,7 @@ static void capabilities_to_intel_cpuid(unsigned capabilities)
("PCLMUL acceleration requested but not available\n");
}
}
+
}
static unsigned check_optimized_aes(void)
@@ -275,7 +277,10 @@ void register_x86_padlock_crypto(unsigned capabilities)
gnutls_assert();
}
#endif
+ } else {
+ _gnutls_priority_update_non_aesni();
}
+
#ifdef HAVE_LIBNETTLE
phe = check_phe(edx);
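Review bot: The added `else` covers only the case where the enclosing acceleration check fails outright. The `gnutls_assert()` path just above it, which looks like a failed registration of an accelerated cipher, still leaves the AES-first PERFORMANCE order in place. If that is intended, a comment on the branch would make it explicit, for example `/* no usable AES acceleration: let PERFORMANCE prefer CHACHA20 */`. The same applies to the matching `else` added in register_x86_intel_crypto further down. Both functions start and end outside their hunks, so the condition each `else` belongs to cannot be confirmed from here.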
@@ -644,6 +649,8 @@ void register_x86_intel_crypto(unsigned capabilities)
gnutls_assert();
}
}
+ } else {
+ _gnutls_priority_update_non_aesni();
}
return;
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index fd899461cd..74225378d9 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -1068,6 +1068,7 @@ inline static unsigned get_num_version(gnutls_session_t session)
}
void _gnutls_priority_update_fips(void);
+void _gnutls_priority_update_non_aesni(void);
#define timespec_sub_ms _gnutls_timespec_sub_ms
unsigned int
diff --git a/lib/priority.c b/lib/priority.c
index 4934e3af15..31710c4e02 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -31,6 +31,7 @@
#include <gnutls/x509.h>
#include <c-ctype.h>
#include <extensions.h>
+#include "fips.h"
#define MAX_ELEMENTS 64
@@ -232,14 +233,30 @@ static const int _cipher_priority_performance_default[] = {
GNUTLS_CIPHER_AES_128_GCM,
GNUTLS_CIPHER_AES_256_GCM,
GNUTLS_CIPHER_CHACHA20_POLY1305,
+ GNUTLS_CIPHER_AES_128_CCM,
+ GNUTLS_CIPHER_AES_256_CCM,
GNUTLS_CIPHER_CAMELLIA_128_GCM,
GNUTLS_CIPHER_CAMELLIA_256_GCM,
GNUTLS_CIPHER_AES_128_CBC,
GNUTLS_CIPHER_AES_256_CBC,
GNUTLS_CIPHER_CAMELLIA_128_CBC,
GNUTLS_CIPHER_CAMELLIA_256_CBC,
+ GNUTLS_CIPHER_3DES_CBC,
+ 0
+};
+
+static const int _cipher_priority_performance_no_aesni[] = {
+ GNUTLS_CIPHER_CHACHA20_POLY1305,
+ GNUTLS_CIPHER_AES_128_GCM,
+ GNUTLS_CIPHER_AES_256_GCM,
GNUTLS_CIPHER_AES_128_CCM,
GNUTLS_CIPHER_AES_256_CCM,
+ GNUTLS_CIPHER_CAMELLIA_128_GCM,
+ GNUTLS_CIPHER_CAMELLIA_256_GCM,
+ GNUTLS_CIPHER_AES_128_CBC,
+ GNUTLS_CIPHER_AES_256_CBC,
+ GNUTLS_CIPHER_CAMELLIA_128_CBC,
+ GNUTLS_CIPHER_CAMELLIA_256_CBC,
GNUTLS_CIPHER_3DES_CBC,
0
};
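Review bot: `_cipher_priority_performance_no_aesni` repeats the full default list and differs only in where `GNUTLS_CIPHER_CHACHA20_POLY1305` sits, so the two arrays can drift apart when a cipher is added to or retired from one of them. A comment above the new array would record the relationship, for example `/* same set as _cipher_priority_performance_default with CHACHA20 first; keep the two in sync */`. The new list also carries `GNUTLS_CIPHER_3DES_CBC` as its last entry, like the default. Keeping a 64-bit block cipher in a newly introduced list deserves a deliberate decision rather than a copy.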
@@ -251,16 +268,17 @@ static const int _cipher_priority_normal_default[] = {
GNUTLS_CIPHER_AES_256_GCM,
GNUTLS_CIPHER_CAMELLIA_256_GCM,
GNUTLS_CIPHER_CHACHA20_POLY1305,
+ GNUTLS_CIPHER_AES_256_CCM,
GNUTLS_CIPHER_AES_256_CBC,
GNUTLS_CIPHER_CAMELLIA_256_CBC,
- GNUTLS_CIPHER_AES_256_CCM,
GNUTLS_CIPHER_AES_128_GCM,
GNUTLS_CIPHER_CAMELLIA_128_GCM,
+ GNUTLS_CIPHER_AES_128_CCM,
+
GNUTLS_CIPHER_AES_128_CBC,
GNUTLS_CIPHER_CAMELLIA_128_CBC,
- GNUTLS_CIPHER_AES_128_CCM,
GNUTLS_CIPHER_3DES_CBC,
0
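Review bot: The added empty line after `GNUTLS_CIPHER_AES_128_CCM,` splits the 128-bit group between its AEAD and CBC entries, but the 256-bit group above has no such split, so the initializer reads inconsistently. Either drop the blank line or label the groups with short comments such as `/* 128-bit, AEAD first */`. The same stray blank line is added after `GNUTLS_CIPHER_AES_256_CCM,` in `cipher_priority_performance_fips` in the next hunk. The array continues past the end of this hunk.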
@@ -268,19 +286,20 @@ static const int _cipher_priority_normal_default[] = {
static const int cipher_priority_performance_fips[] = {
GNUTLS_CIPHER_AES_128_GCM,
+ GNUTLS_CIPHER_AES_128_CCM,
GNUTLS_CIPHER_AES_256_GCM,
+ GNUTLS_CIPHER_AES_256_CCM,
+
GNUTLS_CIPHER_AES_128_CBC,
GNUTLS_CIPHER_AES_256_CBC,
- GNUTLS_CIPHER_AES_128_CCM,
- GNUTLS_CIPHER_AES_256_CCM,
GNUTLS_CIPHER_3DES_CBC,
0
};
static const int cipher_priority_normal_fips[] = {
GNUTLS_CIPHER_AES_256_GCM,
- GNUTLS_CIPHER_AES_256_CBC,
GNUTLS_CIPHER_AES_256_CCM,
+ GNUTLS_CIPHER_AES_256_CBC,
GNUTLS_CIPHER_AES_128_GCM,
GNUTLS_CIPHER_AES_128_CBC,
@@ -418,6 +437,15 @@ void _gnutls_priority_update_fips(void)
mac_priority_normal = mac_priority_normal_fips;
}
+void _gnutls_priority_update_non_aesni(void)
+{
+ /* if we have no AES acceleration in performance mode
+ * prefer fast stream ciphers */
+ if (_gnutls_fips_mode_enabled() == 0) {
+ cipher_priority_performance = _cipher_priority_performance_no_aesni;
+ }
+}
+
static const int _mac_priority_suiteb[] = {
GNUTLS_MAC_AEAD,
0
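Review bot: `_gnutls_priority_update_non_aesni()` swaps only `cipher_priority_performance`, so the NORMAL list, which this commit leaves with AES-256-GCM ahead of CHACHA20, still prefers unaccelerated AES on CPUs without AES acceleration. The function comment should say that the scope is limited to PERFORMANCE on purpose. The FIPS guard reads `_gnutls_fips_mode_enabled()` at call time, so the result depends on the FIPS state already being settled when accelerator registration runs, or on `_gnutls_priority_update_fips()` running afterwards. Presumably the init sequence guarantees this, but that is not visible here. The assignment to the global pointer is also unsynchronized, which is fine only if this is called once during library initialisation. A header comment could state all of this, for example `/* called from accelerator registration at init; changes only the PERFORMANCE cipher order; no-op in FIPS mode */`.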