From f09e8060b51881f9fefc0a82ec4656fb0e500ccb Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Thu, 29 Mar 2018 09:51:32 +0200
Subject: priority: added GROUP-DH-ALL and GROUP-EC-ALL
Signed-off-by: Nikos Mavrogiannopoulos
---
 doc/cha-gtls-app.texi | 4 +++-
 lib/priority.c | 28 ++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 6575120756..655046c917 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -1268,7 +1268,9 @@ GROUP-SECP256R1, GROUP-SECP384R1, GROUP-SECP521R1, GROUP-X25519, GROUP-FFDHE2048, GROUP-FFDHE3072, GROUP-FFDHE4096 and GROUP-FFDHE8192. Groups include both elliptic curve groups, e.g., SECP256R1, as well as finite field groups such as FFDHE2048. Catch all which enables all groups
-from NORMAL priority is GROUP-ALL.
+from NORMAL priority is GROUP-ALL. The helper keywords GROUP-DH-ALL and
+GROUP-EC-ALL are also available, restricting the groups to finite fields
+(DH) and elliptic curves.
 @item Certificate type @tab The only option currently is CTYPE-X509. Catch all is CTYPE-ALL.
diff --git a/lib/priority.c b/lib/priority.c
index 25f7ebab37..fef7d5f9ba 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -105,6 +105,22 @@ static void _clear_given_priorities(priority_st * st, const int *list)
 	}
 }
+static const int _supported_groups_dh[] = {
+	GNUTLS_GROUP_FFDHE2048,
+	GNUTLS_GROUP_FFDHE3072,
+	GNUTLS_GROUP_FFDHE4096,
+	GNUTLS_GROUP_FFDHE8192,
+	0
+};
+static const int _supported_groups_ecdh[] = {
+	GNUTLS_GROUP_SECP256R1,
+	GNUTLS_GROUP_SECP384R1,
+	GNUTLS_GROUP_SECP521R1,
+	GNUTLS_GROUP_X25519, /* draft-ietf-tls-rfc4492bis */
+	0
+};
+
 static const int _supported_groups_normal[] = {
 	GNUTLS_GROUP_SECP256R1,
 	GNUTLS_GROUP_SECP384R1,
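Review bot: The new tables `_supported_groups_dh` and `_supported_groups_ecdh` duplicate membership that `_supported_groups_normal` (the context lines right below, starting with SECP256R1 and SECP384R1) already defines, and nothing ties the three together, so a group added to the NORMAL list later will silently be absent from GROUP-DH-ALL or GROUP-EC-ALL unless someone also updates these tables and the keyword list in doc/cha-gtls-app.texi. A header comment above the first table would make that contract explicit, e.g. `/* Finite-field (DH) and elliptic-curve subsets of _supported_groups_normal: keep all three tables, and the GROUP-* keyword list in doc/cha-gtls-app.texi, in sync. Zero-terminated, as _clear_given_priorities() expects. */`. The trailing `0` entry is the only thing marking the end of each list for the `const int *list` consumers such as `_clear_given_priorities`, and that terminator convention deserves to be stated next to the tables rather than inferred. If entry order is significant for negotiation preference, as it presumably is for the other priority tables in this file, the comment should also say that the order mirrors NORMAL.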
@@ -1585,6 +1601,18 @@ gnutls_priority_init(gnutls_priority_t * priority_cache, bulk_fn(&(*priority_cache)-> _supported_ecc, supported_groups_normal);
+ } else if (strncasecmp (&broken_list[i][1], "GROUP-DH-ALL", 12) == 0) { bulk_given_fn(&(*priority_cache)-> _supported_ecc, _supported_groups_dh);
+ } else if (strncasecmp (&broken_list[i][1], "GROUP-EC-ALL", 12) == 0) { bulk_given_fn(&(*priority_cache)-> _supported_ecc, _supported_groups_ecdh);
 } else { if ((algo = gnutls_group_get_id
-- cgit v1.2.1
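Review bot: Both new branches compare with `strncasecmp(..., 12)` against a 12-character keyword, so they are prefix matches: a mistyped token such as `GROUP-DH-ALLX` or `GROUP-EC-ALL-FOO` is silently treated as the helper keyword instead of reaching the `gnutls_group_get_id` lookup in the `else` branch below, which would have rejected it as an unknown group. If the tokens in `broken_list` are NUL-terminated, as passing them on to the group-name lookup suggests, exact matching is `strcasecmp(&broken_list[i][1], "GROUP-DH-ALL") == 0` and likewise for GROUP-EC-ALL; if the existing keyword branches in this function deliberately use prefix matching, appending `&& broken_list[i][13] == 0` to each condition closes the gap while keeping the local style. Calling `bulk_given_fn` here rather than the `bulk_fn` used by the GROUP-ALL branch above looks intentional, since `-GROUP-DH-ALL` should presumably drop only the listed groups rather than clear the whole list, and a one-line comment saying so would spare the next reader the guess. The enclosing `gnutls_priority_init` starts and ends outside this hunk.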