diff options
author | Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> | 2020-01-12 12:38:20 +0000 |
---|---|---|
committer | Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> | 2020-01-12 12:38:20 +0000 |
commit | 0b2ceb2e945be38e8e64bd6ed7cdddca1ed0ac0b (patch) | |
tree | f8feeaceb3a8f2978503fbc2298a8b172787e9c2 /doc | |
parent | e87834cb2524553085819b3c6e493bf3b608ab44 (diff) | |
parent | 6dd2e52ed063f6355bbed195df8a38ebf3f712f3 (diff) | |
download | gnutls-0b2ceb2e945be38e8e64bd6ed7cdddca1ed0ac0b.tar.gz |
Merge branch 'gost-priorities' into 'master'
Extend GOST priority settings and documentation
See merge request gnutls/gnutls!1160
Diffstat (limited to 'doc')
-rw-r--r-- | doc/cha-gtls-app.texi | 24 | ||||
-rw-r--r-- | doc/cha-intro-tls.texi | 11 |
2 files changed, 28 insertions, 7 deletions
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi index 969aa5c86f..75ac509e34 100644 --- a/doc/cha-gtls-app.texi +++ b/doc/cha-gtls-app.texi @@ -1422,20 +1422,23 @@ appended with an algorithm will add this algorithm. @multitable @columnfractions .20 .70 @headitem Type @tab Keywords @item Ciphers @tab -Examples are AES-128-GCM, AES-256-GCM, AES-256-CBC; see also +Examples are AES-128-GCM, AES-256-GCM, AES-256-CBC, GOST28147-TC26Z-CNT; see also @ref{tab:ciphers} for more options. Catch all name is CIPHER-ALL which will add -all the algorithms from NORMAL priority. +all the algorithms from NORMAL priority. The shortcut for secure GOST +algorithms is CIPHER-GOST-ALL. @item Key exchange @tab RSA, DHE-RSA, DHE-DSS, SRP, SRP-RSA, SRP-DSS, -PSK, DHE-PSK, ECDHE-PSK, ECDHE-RSA, ECDHE-ECDSA, ANON-ECDH, ANON-DH. The +PSK, DHE-PSK, ECDHE-PSK, ECDHE-RSA, ECDHE-ECDSA, VKO-GOST-12, ANON-ECDH, ANON-DH. Catch all name is KX-ALL which will add all the algorithms from NORMAL priority. Under TLS1.3, the DHE-PSK and ECDHE-PSK strings are equivalent -and instruct for a Diffie-Hellman key exchange using the enabled groups. +and instruct for a Diffie-Hellman key exchange using the enabled groups. The +shortcut for secure GOST algorithms is KX-GOST-ALL. @item MAC @tab -MD5, SHA1, SHA256, SHA384, AEAD (used with -GCM ciphers only). All algorithms from NORMAL priority can be accessed with MAC-ALL. +MD5, SHA1, SHA256, SHA384, GOST28147-TC26Z-IMIT, AEAD (used with +GCM ciphers only). All algorithms from NORMAL priority can be accessed with +MAC-ALL. The shortcut for secure GOST algorithms is MAC-GOST-ALL. @item Compression algorithms @tab COMP-NULL, COMP-DEFLATE. Catch all is COMP-ALL. @@ -1452,8 +1455,10 @@ SIGN-RSA-SHA1, SIGN-RSA-SHA224, SIGN-RSA-SHA256, SIGN-RSA-SHA384, SIGN-RSA-SHA512, SIGN-DSA-SHA1, SIGN-DSA-SHA224, SIGN-DSA-SHA256, SIGN-RSA-MD5, SIGN-ECDSA-SHA1, SIGN-ECDSA-SHA224, SIGN-ECDSA-SHA256, SIGN-ECDSA-SHA384, SIGN-ECDSA-SHA512, -SIGN-RSA-PSS-SHA256, SIGN-RSA-PSS-SHA384, SIGN-RSA-PSS-SHA512. +SIGN-RSA-PSS-SHA256, SIGN-RSA-PSS-SHA384, SIGN-RSA-PSS-SHA512, +SIGN-GOSTR341001, SIGN-GOSTR341012-256, SIGN-GOSTR341012-512. Catch all which enables all algorithms from NORMAL priority is SIGN-ALL. +Shortcut which enables secure GOST algorithms is SIGN-GOST-ALL. This option is only considered for TLS 1.2 and later. @item Groups @tab @@ -1485,6 +1490,11 @@ CTYPE-CLI-RAWPK, CTYPE-SRV-RAWPK can be used to specialize on client or server; catch all is CTYPE-CLI-ALL and CTYPE-SRV-ALL. The type 'X509' is aliased to 'X.509' for legacy reasons. +@item Generic @tab +The keyword GOST is a shortcut for secure GOST algorithms (MACs, ciphers, +KXes, groups and signatures). For example the following string will enable all +TLS 1.2 GOST ciphersuites: 'NONE:+VERS-TLS1.2:+GOST'. + @end multitable @caption{The supported algorithm keywords in priority strings.} @end float diff --git a/doc/cha-intro-tls.texi b/doc/cha-intro-tls.texi index b95abc6b81..6600fe9890 100644 --- a/doc/cha-intro-tls.texi +++ b/doc/cha-intro-tls.texi @@ -179,6 +179,12 @@ ARCFOUR-128 is a compatible algorithm with RSA's RC4 algorithm, which is conside secret. It is a considered to be broken, and is only used for compatibility purposed. For this reason it is not enabled by default. +@item GOST28147-TC26Z-CNT @tab +Legacy (stream) @tab +TLS 1.2 @tab +This is a 64-bit block cipher GOST 28147-89 with TC26Z S-Box working in CNT +mode. It is one of the approved ciphers in Russia. It is not enabled by default. + @item NULL @tab Legacy (stream) @tab TLS 1.0, TLS 1.1, TLS 1.2 @tab @@ -211,6 +217,11 @@ An HMAC based on SHA2-256. Outputs 256 bits of data. @item MAC-SHA384 @tab An HMAC based on SHA2-384. Outputs 384 bits of data. +@item GOST28147-TC26Z-IMIT @tab +This is a 64-bit block cipher GOST 28147-89 with TC26Z S-Box working in special +MAC mode called Imitovstavks. It is one of the approved MAC algorithms in +Russia. Outputs 32 bits of data. It is not enabled by default. + @item MAC-AEAD @tab This indicates that an authenticated encryption algorithm, such as GCM, is in use. |