diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2015-09-21 14:25:12 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2015-09-21 14:25:14 +0200 |
commit | b536a585cdceb684ccc1f9423a63676e4183f27c (patch) | |
tree | be5b3bbbd87352397db6ed5a705f9b7ae0e57dec /lib/priority.c | |
parent | 48cdff1c093c41a37c3698d90bab36c8005ccd33 (diff) | |
download | gnutls-b536a585cdceb684ccc1f9423a63676e4183f27c.tar.gz |
priorities: sort algorithms by security strength unless performance is requested
That is prioritize 256-bit ciphers over 128-bit ciphers. This would protect
secrecy of current data even after a PQ future.
Diffstat (limited to 'lib/priority.c')
-rw-r--r-- | lib/priority.c | 33 |
1 files changed, 17 insertions, 16 deletions
diff --git a/lib/priority.c b/lib/priority.c index 51f46e3324..6b6339f0ec 100644 --- a/lib/priority.c +++ b/lib/priority.c @@ -246,16 +246,18 @@ static const int _cipher_priority_performance_default[] = { * them over anything else. */ static const int _cipher_priority_normal_default[] = { - GNUTLS_CIPHER_AES_128_GCM, GNUTLS_CIPHER_AES_256_GCM, - GNUTLS_CIPHER_CAMELLIA_128_GCM, GNUTLS_CIPHER_CAMELLIA_256_GCM, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_AES_256_CBC, - GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_CIPHER_CAMELLIA_256_CBC, - GNUTLS_CIPHER_AES_128_CCM, GNUTLS_CIPHER_AES_256_CCM, + + GNUTLS_CIPHER_AES_128_GCM, + GNUTLS_CIPHER_CAMELLIA_128_GCM, + GNUTLS_CIPHER_AES_128_CBC, + GNUTLS_CIPHER_CAMELLIA_128_CBC, + GNUTLS_CIPHER_AES_128_CCM, + GNUTLS_CIPHER_3DES_CBC, 0 }; @@ -272,20 +274,21 @@ static const int cipher_priority_performance_fips[] = { }; static const int cipher_priority_normal_fips[] = { - GNUTLS_CIPHER_AES_128_GCM, GNUTLS_CIPHER_AES_256_GCM, - GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_AES_256_CBC, - GNUTLS_CIPHER_AES_128_CCM, GNUTLS_CIPHER_AES_256_CCM, + + GNUTLS_CIPHER_AES_128_GCM, + GNUTLS_CIPHER_AES_128_CBC, + GNUTLS_CIPHER_AES_128_CCM, GNUTLS_CIPHER_3DES_CBC, 0 }; static const int _cipher_priority_suiteb128[] = { - GNUTLS_CIPHER_AES_128_GCM, GNUTLS_CIPHER_AES_256_GCM, + GNUTLS_CIPHER_AES_128_GCM, 0 }; static const int* cipher_priority_suiteb128 = _cipher_priority_suiteb128; @@ -298,19 +301,17 @@ static const int* cipher_priority_suiteb192 = _cipher_priority_suiteb192; static const int _cipher_priority_secure128[] = { - GNUTLS_CIPHER_AES_128_GCM, - GNUTLS_CIPHER_CAMELLIA_128_GCM, - GNUTLS_CIPHER_AES_256_GCM, GNUTLS_CIPHER_CAMELLIA_256_GCM, - - GNUTLS_CIPHER_AES_128_CBC, - GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_CAMELLIA_256_CBC, + GNUTLS_CIPHER_AES_256_CCM, + GNUTLS_CIPHER_AES_128_GCM, + GNUTLS_CIPHER_CAMELLIA_128_GCM, + GNUTLS_CIPHER_AES_128_CBC, + GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_CIPHER_AES_128_CCM, - GNUTLS_CIPHER_AES_256_CCM, 0 }; static const int *cipher_priority_secure128 = _cipher_priority_secure128; |