summaryrefslogtreecommitdiff
path: root/lib/priority.c
diff options
context:
space:
mode:
authorNikos Mavrogiannopoulos <nmav@redhat.com>2015-09-21 14:25:12 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2015-09-21 14:25:14 +0200
commitb536a585cdceb684ccc1f9423a63676e4183f27c (patch)
treebe5b3bbbd87352397db6ed5a705f9b7ae0e57dec /lib/priority.c
parent48cdff1c093c41a37c3698d90bab36c8005ccd33 (diff)
downloadgnutls-b536a585cdceb684ccc1f9423a63676e4183f27c.tar.gz
priorities: sort algorithms by security strength unless performance is requested
That is prioritize 256-bit ciphers over 128-bit ciphers. This would protect secrecy of current data even after a PQ future.
Diffstat (limited to 'lib/priority.c')
-rw-r--r--lib/priority.c33
1 files changed, 17 insertions, 16 deletions
diff --git a/lib/priority.c b/lib/priority.c
index 51f46e3324..6b6339f0ec 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -246,16 +246,18 @@ static const int _cipher_priority_performance_default[] = {
* them over anything else.
*/
static const int _cipher_priority_normal_default[] = {
- GNUTLS_CIPHER_AES_128_GCM,
GNUTLS_CIPHER_AES_256_GCM,
- GNUTLS_CIPHER_CAMELLIA_128_GCM,
GNUTLS_CIPHER_CAMELLIA_256_GCM,
- GNUTLS_CIPHER_AES_128_CBC,
GNUTLS_CIPHER_AES_256_CBC,
- GNUTLS_CIPHER_CAMELLIA_128_CBC,
GNUTLS_CIPHER_CAMELLIA_256_CBC,
- GNUTLS_CIPHER_AES_128_CCM,
GNUTLS_CIPHER_AES_256_CCM,
+
+ GNUTLS_CIPHER_AES_128_GCM,
+ GNUTLS_CIPHER_CAMELLIA_128_GCM,
+ GNUTLS_CIPHER_AES_128_CBC,
+ GNUTLS_CIPHER_CAMELLIA_128_CBC,
+ GNUTLS_CIPHER_AES_128_CCM,
+
GNUTLS_CIPHER_3DES_CBC,
0
};
@@ -272,20 +274,21 @@ static const int cipher_priority_performance_fips[] = {
};
static const int cipher_priority_normal_fips[] = {
- GNUTLS_CIPHER_AES_128_GCM,
GNUTLS_CIPHER_AES_256_GCM,
- GNUTLS_CIPHER_AES_128_CBC,
GNUTLS_CIPHER_AES_256_CBC,
- GNUTLS_CIPHER_AES_128_CCM,
GNUTLS_CIPHER_AES_256_CCM,
+
+ GNUTLS_CIPHER_AES_128_GCM,
+ GNUTLS_CIPHER_AES_128_CBC,
+ GNUTLS_CIPHER_AES_128_CCM,
GNUTLS_CIPHER_3DES_CBC,
0
};
static const int _cipher_priority_suiteb128[] = {
- GNUTLS_CIPHER_AES_128_GCM,
GNUTLS_CIPHER_AES_256_GCM,
+ GNUTLS_CIPHER_AES_128_GCM,
0
};
static const int* cipher_priority_suiteb128 = _cipher_priority_suiteb128;
@@ -298,19 +301,17 @@ static const int* cipher_priority_suiteb192 = _cipher_priority_suiteb192;
static const int _cipher_priority_secure128[] = {
- GNUTLS_CIPHER_AES_128_GCM,
- GNUTLS_CIPHER_CAMELLIA_128_GCM,
-
GNUTLS_CIPHER_AES_256_GCM,
GNUTLS_CIPHER_CAMELLIA_256_GCM,
-
- GNUTLS_CIPHER_AES_128_CBC,
- GNUTLS_CIPHER_CAMELLIA_128_CBC,
GNUTLS_CIPHER_AES_256_CBC,
GNUTLS_CIPHER_CAMELLIA_256_CBC,
+ GNUTLS_CIPHER_AES_256_CCM,
+ GNUTLS_CIPHER_AES_128_GCM,
+ GNUTLS_CIPHER_CAMELLIA_128_GCM,
+ GNUTLS_CIPHER_AES_128_CBC,
+ GNUTLS_CIPHER_CAMELLIA_128_CBC,
GNUTLS_CIPHER_AES_128_CCM,
- GNUTLS_CIPHER_AES_256_CCM,
0
};
static const int *cipher_priority_secure128 = _cipher_priority_secure128;
View Lorry Controller Status