summaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
authorDmitry Eremin-Solenikov <dbaryshkov@gmail.com>2020-01-12 12:38:20 +0000
committerDmitry Eremin-Solenikov <dbaryshkov@gmail.com>2020-01-12 12:38:20 +0000
commit0b2ceb2e945be38e8e64bd6ed7cdddca1ed0ac0b (patch)
treef8feeaceb3a8f2978503fbc2298a8b172787e9c2 /doc
parente87834cb2524553085819b3c6e493bf3b608ab44 (diff)
parent6dd2e52ed063f6355bbed195df8a38ebf3f712f3 (diff)
downloadgnutls-0b2ceb2e945be38e8e64bd6ed7cdddca1ed0ac0b.tar.gz
Merge branch 'gost-priorities' into 'master'
Extend GOST priority settings and documentation See merge request gnutls/gnutls!1160
Diffstat (limited to 'doc')
-rw-r--r--doc/cha-gtls-app.texi24
-rw-r--r--doc/cha-intro-tls.texi11
2 files changed, 28 insertions, 7 deletions
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 969aa5c86f..75ac509e34 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -1422,20 +1422,23 @@ appended with an algorithm will add this algorithm.
@multitable @columnfractions .20 .70
@headitem Type @tab Keywords
@item Ciphers @tab
-Examples are AES-128-GCM, AES-256-GCM, AES-256-CBC; see also
+Examples are AES-128-GCM, AES-256-GCM, AES-256-CBC, GOST28147-TC26Z-CNT; see also
@ref{tab:ciphers} for more options. Catch all name is CIPHER-ALL which will add
-all the algorithms from NORMAL priority.
+all the algorithms from NORMAL priority. The shortcut for secure GOST
+algorithms is CIPHER-GOST-ALL.
@item Key exchange @tab
RSA, DHE-RSA, DHE-DSS, SRP, SRP-RSA, SRP-DSS,
-PSK, DHE-PSK, ECDHE-PSK, ECDHE-RSA, ECDHE-ECDSA, ANON-ECDH, ANON-DH. The
+PSK, DHE-PSK, ECDHE-PSK, ECDHE-RSA, ECDHE-ECDSA, VKO-GOST-12, ANON-ECDH, ANON-DH.
Catch all name is KX-ALL which will add all the algorithms from NORMAL
priority. Under TLS1.3, the DHE-PSK and ECDHE-PSK strings are equivalent
-and instruct for a Diffie-Hellman key exchange using the enabled groups.
+and instruct for a Diffie-Hellman key exchange using the enabled groups. The
+shortcut for secure GOST algorithms is KX-GOST-ALL.
@item MAC @tab
-MD5, SHA1, SHA256, SHA384, AEAD (used with
-GCM ciphers only). All algorithms from NORMAL priority can be accessed with MAC-ALL.
+MD5, SHA1, SHA256, SHA384, GOST28147-TC26Z-IMIT, AEAD (used with
+GCM ciphers only). All algorithms from NORMAL priority can be accessed with
+MAC-ALL. The shortcut for secure GOST algorithms is MAC-GOST-ALL.
@item Compression algorithms @tab
COMP-NULL, COMP-DEFLATE. Catch all is COMP-ALL.
@@ -1452,8 +1455,10 @@ SIGN-RSA-SHA1, SIGN-RSA-SHA224,
SIGN-RSA-SHA256, SIGN-RSA-SHA384, SIGN-RSA-SHA512, SIGN-DSA-SHA1,
SIGN-DSA-SHA224, SIGN-DSA-SHA256, SIGN-RSA-MD5, SIGN-ECDSA-SHA1,
SIGN-ECDSA-SHA224, SIGN-ECDSA-SHA256, SIGN-ECDSA-SHA384, SIGN-ECDSA-SHA512,
-SIGN-RSA-PSS-SHA256, SIGN-RSA-PSS-SHA384, SIGN-RSA-PSS-SHA512.
+SIGN-RSA-PSS-SHA256, SIGN-RSA-PSS-SHA384, SIGN-RSA-PSS-SHA512,
+SIGN-GOSTR341001, SIGN-GOSTR341012-256, SIGN-GOSTR341012-512.
Catch all which enables all algorithms from NORMAL priority is SIGN-ALL.
+Shortcut which enables secure GOST algorithms is SIGN-GOST-ALL.
This option is only considered for TLS 1.2 and later.
@item Groups @tab
@@ -1485,6 +1490,11 @@ CTYPE-CLI-RAWPK, CTYPE-SRV-RAWPK can be used to specialize on client or server;
catch all is CTYPE-CLI-ALL and CTYPE-SRV-ALL. The type 'X509' is aliased to 'X.509'
for legacy reasons.
+@item Generic @tab
+The keyword GOST is a shortcut for secure GOST algorithms (MACs, ciphers,
+KXes, groups and signatures). For example the following string will enable all
+TLS 1.2 GOST ciphersuites: 'NONE:+VERS-TLS1.2:+GOST'.
+
@end multitable
@caption{The supported algorithm keywords in priority strings.}
@end float
diff --git a/doc/cha-intro-tls.texi b/doc/cha-intro-tls.texi
index b95abc6b81..6600fe9890 100644
--- a/doc/cha-intro-tls.texi
+++ b/doc/cha-intro-tls.texi
@@ -179,6 +179,12 @@ ARCFOUR-128 is a compatible algorithm with RSA's RC4 algorithm, which is conside
secret. It is a considered to be broken, and is only used for compatibility
purposed. For this reason it is not enabled by default.
+@item GOST28147-TC26Z-CNT @tab
+Legacy (stream) @tab
+TLS 1.2 @tab
+This is a 64-bit block cipher GOST 28147-89 with TC26Z S-Box working in CNT
+mode. It is one of the approved ciphers in Russia. It is not enabled by default.
+
@item NULL @tab
Legacy (stream) @tab
TLS 1.0, TLS 1.1, TLS 1.2 @tab
@@ -211,6 +217,11 @@ An HMAC based on SHA2-256. Outputs 256 bits of data.
@item MAC-SHA384 @tab
An HMAC based on SHA2-384. Outputs 384 bits of data.
+@item GOST28147-TC26Z-IMIT @tab
+This is a 64-bit block cipher GOST 28147-89 with TC26Z S-Box working in special
+MAC mode called Imitovstavks. It is one of the approved MAC algorithms in
+Russia. Outputs 32 bits of data. It is not enabled by default.
+
@item MAC-AEAD @tab
This indicates that an authenticated encryption algorithm, such as
GCM, is in use.